
Which Retailers Besides Target and Neiman Marcus Have Been Hacked?

This Week in Cybercrime: We learned this week that the upscale retailer Neiman Marcus suffered basically the same security breach as the one that affected Target during the height of the holiday shopping season. Malware installed on its networks infected its point-of-sale system; the malicious code collected payment card data, including PINs, for 1.1 million customers.

While Neiman Marcus and Target—whose security lapse left credit card data for 70 million of its customers in the hands of cybercriminals—have been in the news, they’re not the only ones who've had their digital pockets picked. According to researchers at IntelCrawler, an online intelligence-gathering service that helps firms spot cyberthreats, chatter on forums where cybercriminals ply their trade has revealed that as many as six other retailers have also had their systems—and their customers’ information—compromised. IntelCrawler is not naming names, but says it is providing technical information related to the breaches to the appropriate authorities.

NSA Phone Snooping Illegal and Ineffective, Says Review Board

The U.S. government’s Privacy and Civil Liberties Oversight Board released a 238-page report [pdf] this week calling the National Security Agency’s collection of metadata related to U.S. residents’ phone calls illegal and recommending that the practice be ended. The panel concluded that the program not only “lacks a viable legal foundation under Section 215 [of the U.S. Patriot Act]” but has also been largely ineffective.

“We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack,” said the board’s members. “And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect.”

Fill-Up Fraudsters Nabbed

A team of fraudsters who installed Bluetooth-enabled skimmers on the credit card readers at refueling stations across Texas, Georgia, and South Carolina were indicted this week. The thirteen defendants allegedly stole more than US $2 million from customers who filled their tanks at Raceway and RaceTrac stations between March 2012 and March 2013. Because the skimmers communicated via Bluetooth, the thieves could surreptitiously download the data without ever rousing suspicion. According to the criminal complaint, the gang used the stolen credit card information to produce phony cards that they subsequently used to withdraw cash and spread it across 70 different accounts in an effort to launder the money.

In Other Cybercrime News…

Image: Getty Images

Cybercrooks Score: Half of All South Koreans’ Credit Card Data

If you didn’t know, now you know: there probably shouldn’t be any expectation that credit card information—or any personal details stored in digital form—is completely safe from hackers. Just as shoppers in the United States were grappling with the theft of 70 million credit card accounts from Target, comes word that credit card data for nearly half of all South Koreans has been purloined. More than 20 million South Korean credit card accounts, including those belonging to President Park Geun-hye and United Nations Secretary-General Ban Ki-moon, were part of the trove plundered in the cyberheist.


Feds Come to Help Florida Sort Out Unemployment System Woes

IT Hiccups of the Week: Last week was an unusually quiet week in the land of IT-related snafus. Most of the snarls reported concerned existing tech issues that continue to fester without resolution. For example, late last week, Florida decided to pay unemployment claims that have been on hold for more than seven days in an attempt to relieve the financial pressure on at least 60 000 unemployed workers. They hadn’t been paid in a timely manner because of ongoing problems with the implementation of the state’s $63 million CONNECT unemployment insurance system, which was rolled out in October. The Sun-Sentinel reports that the difficulties still being encountered three months after the system went live “range from inaccurate information being provided to claimants and the state, non‐functional fraud protections, and even the inability to use bar‐coding software for paper claims.”

Despite the Florida Labor Department's announcement that it is hiring 500 new workers to help resolve new and outstanding unemployment claims, the U.S. Department of Labor is sending experts to help Florida unravel its technological mess. Deloitte Consulting, the system’s prime contractor, is also reportedly adding more technical personnel to try to get to the bottom of the ongoing problems, even as it publicly says that Florida is at fault for causing them in the first place.

As you may recall, Florida has begun assessing penalties on Deloitte: It has withheld $3.5 million dollars in progress payments, and is fining the company $15 000 per day until the system is fixed. In hearings last week, Florida again put all the blame for the fiasco on Deloitte, which Deloitte heatedly contests. News reports state that at least one Florida lawmaker is suggesting that Deloitte be barred from future Florida contracts, something that Australia’s Queensland government has done to IBM as a result of Big Blue's role in the Queensland Health payroll debacle.

The Florida unemployment fiasco has turned into a major political issue for Governor Rick Scott, who is facing reelection this November. Gov. Scott has remained studiously silent about the whole affair, no doubt hoping it all blows over well before voting day.

Problems Continue to Plague Maryland’s Health Insurance Exchange

Last week also saw more IT problems associated with several states’ implementation of the Affordable Care Act (ACA). Maryland’s difficulties seem to have been the most significant. First, there were legislative hearings early in the week looking into why Maryland’s health insurance exchange was so messed up. The bottom line was that no one was in charge, vendors and the state did not get along, the vendors themselves did not get along, no one wanted to hear about the myriad significant technical risks, and political motivations dominated decision making. In other words, all the makings of an all-too-typical government IT project.

Then, on Saturday, there was word that Maryland's healthcare exchange website incorrectly listed the Seattle Pottery Supply company’s telephone number as the one that individuals seeking help in signing up for health insurance should call. The pottery company is understandably unamused. Then it was reported late Sunday night that Medicaid enrollment applications involving over one thousand individuals were sent to the wrong address by Noridian, the exchange’s prime contractor. Maryland officials insist the error isn’t a data breach, since the information did not contain Social Security numbers, “just” a person’s name, date of birth, and Medicaid ID number.

OfficeMax Needs to Seriously Check its Rented Mail List

Finally, there was an unfortunate and disturbing mailing glitch reported by the Chicago Tribune. Apparently, OfficeMax sent some advertising material addressed to “Mike Seay, Daughter Killed In Car Crash, or Current Business.”

The Tribune reported that Mike Seay’s daughter Ashley, 17 years old, was indeed killed in a car crash last year along with her boyfriend. An angry Seay wanted to know how OfficeMax came to have that information, and, most importantly, how and why it ended up printed on his address label.

OfficeMax, which wasn’t forthcoming with any explanation to Seay’s questions before the press got involved, said it had rented the e-mail list from a third-party company which it refused to identify. OfficeMax, while offering through a press release the standard apology to the Seay family, has not, as of yet, directly apologized to Mike Seay and his wife, who are still naturally upset about the mailing.

The case raises some thought-provoking issues with data mining and privacy. I will let you know if OfficeMax decides to offer a more in-depth explanation of how this sad incident came to be.

Florida’s New CONNECT Unemployment System Still Disconnecting

Florida Lawmakers Press Labor Department Officials over Ongoing CONNECT Problems

Thousands of Unemployed Floridians Will Finally Receive Unemployment Checks

Florida Blames Vendor for Unemployment System as Feds Ride to Rescue

Passing the Buck Over Unemployment System Debacle

Gov. Scott Impersonates Where’s Waldo in Regard to Unemployment Fiasco

Maryland’s Health Exchange Bad Week

Maryland Healthcare Officials’ Website Wishful Thinking

Maryland Healthcare Officials Have Few Credible Answers to Legislators’ Questions

Seattle Pottery Company Receives Maryland Health Exchange Help Inquiries

Maryland Health Exchange Sends Medicaid Applications to Wrong Individuals

Father Receives OfficeMax Ad Additionally Addressed with “Daughter Killed In Car Crash”

Dad gets OfficeMax mail addressed 'Daughter Killed In Car Crash'

OfficeMax Apologizes for Address Error

Will OfficeMax Letter Spur Data Mining Backlash?

Of Other Interest …

Number of UK Cattle Herds with TB Likely Overstated

North Carolina Computer Issue Affects Online Final Exams

North Carolina NCFast Computer Problems May Be Fixed by April

North Carolina Healthcare Providers Sue State over NCTracks Billing Snafus

Tulsa Fire Dispatch System Not Completely Fixed After All

5000 New Workers All Appear At Once for Mandatory Medical Exam in Qatar Due to Online Booking Error

Jersey Telecom’s New Billing System Spurs Barrage of Complaints

Image: iStockphoto

GM Recalls 370 000 Pickup Trucks for Software Update to Reduce Fire Risk

IT Hiccups of the Week: There were a wide variety of errors, faults, and general IT-related ooftas to choose from last week. But GM’s recall of 370 000 of its 2014 model year Chevrolet Silverado and GMC Sierra full-size pickup trucks, in order to update their software and reduce the likelihood that their exhaust systems will overheat and catch fire, caught our eye. According to the Detroit News, “When [a] truck idles, it should use two cylinders…but because of a software glitch, the recalled trucks idle with most of the cylinders. That causes the vehicles to overheat and leads to the fires.” So far, there have been eight reported fires, but no injuries.

All of the affected trucks have V-8 engines, but the recall is also being extended to trucks with V-6 engines. Owners should be on the watch for a continuously yellow “check engine light” and an “engine power reduced” message on the vehicle’s information center, the News reported. GM is also telling truck owners not to leave their trucks to idle unattended, which they may do especially in colder climates while warming them up.

The recall is a bit of an embarrassment for GM, because the Silverado, a highly popular and profitable product for GM, is also one of three finalists for the North American Truck of the Year award that is to be announced later today. [Update: the Silverado did win Truck of the Year.] Owners of the affected vehicles will be notified later this week about when they can come in for the software update. The procedure should only take 20 minutes or so to complete.

Your Flight Will Take Off When We Locate the Crew

The recent cold and wintery weather has made flying in the U.S. and Canada a most unpleasant experience for many travelers. While the weather has been responsible for over 20 000 canceled flights and 40 000 delays since the first of the year, Bloomberg News reported that problems with United Airlines’ Crew Communication System (CCS), which is used to communicate schedules and other information to its onboard personnel, have added to the woes. According to Bloomberg, on 30 December 2013, all 10 200 of the airline’s pilots were shifted to the crew communication system previously used only by Continental Airlines pilots. You may recall that United and Continental merged in 2010, and that the merger of their automated reservation systems wasn’t the smoothest on record. Further complicating the transition was a CCS software update designed to comply with a new federal requirement, which came into effect on 4 January, that limits the number of consecutive hours a given pilot can be on duty.

However, Bloomberg reports, since the shift, the CCS has been prone to crashing and displaying out-of-date crew scheduling information. As a result, the system has lost track of crews' whereabouts, left them stranded, or made them late for flights, leading to both flight cancellations and delays, Bloomberg claims. United acknowledges there have been some technical issues with the CCS, but denies it has lost or stranded crews. United told Reuters that most of the reported crew problems were due to weather, not CCS, issues.

In other air travel news, a software problem with check-in counters coupled with bad weather meant hours of delays and several flight cancellations over the weekend at Toronto’s Pearson International Airport. The cause of the software issue, which was cleared up early Sunday morning, was not given by the airport's spokesperson.

Stock Market IT Reliability Not Trending Upward

Stock traders had hoped that 2014 would bring fewer of the exchange and other stock-related “glitches” that plagued them throughout 2013. Alas, last week saw fresh problems reported with the NASDAQ Options Market, as well as online brokerage firm E*Trade. While the former lasted for less than 30 minutes, the E*Trade outage lasted for nearly 5 hours. The causes of both outages are reportedly still under investigation.

Finally, the implementation of the Affordable Care Act (ACA) website and supporting systems continues to make news. According to the Washington Post, the ACA website development and support contract for prime contractor CGI will not be renewed. Instead, the maintenance contract will be given to Accenture under a sole-source contract. CGI insists it was not fired; let's just say it wasn't rehired due to the underwhelming quality of its work.

GM Issues Software Update to Reduce Fire Risks to Pickup Trucks

GM Recalls 370 000 Trucks for Fire Risks

GM Recalls Chevy, GMC Pickups

GM Recalling Majority of 2014 Pickups Due to Fire Risk

United Airlines Has Problems with its Crew Communication System

Crew Communication Systems Problems Lead to Flight Cancellations, Crews Being Stranded

United Says Bloomberg Wrong about Pilots Stranded by CCC Issues

Software Problem at Toronto’s Pearson International Airport Said to be Fixed

NASDAQ and E*Trade Suffer Outages

NASDAQ Options Market Issue Resolved

E*Trade Suffers Disruption To Website and Mobile Trading Platforms

Of Other Interest …

Alaskan Airlines Online System Offers New but Already Expired Promotional Deals

Software Crash Takes out Ohio’s Bureau of Motor Vehicles

Computer Failure Leads to Burst Water Pipe, Water Outage in West Memphis, Arkansas

Dropbox Says Outage Caused by Maintenance Issue, Not Hackers

Google Apologizes for Berlin Map with Nazi-Era Street Name

Marks & Spencer Advertises £700 Chairs for 50p Online

Tulsa, Oklahoma’s Malfunctioning Fire Dispatch System Now Working Correctly

Photo: GM

Australian Agency Calls Cops on Teenage Do-Gooder Who Reports Website Vulnerability

This Week in Cybercrime: Pessimists are fond of saying that no good deed goes unpunished. An Australian teenager who reported a security vulnerability in a government website and now faces legal troubles probably agrees. Joshua Rogers, a 16-year-old Victoria native, discovered a security hole that gave him access to a database containing the full names, addresses, home and mobile phone numbers, e-mail addresses, dates of birth, and nine of the 16-digit credit card numbers for about 600 000 commuters who paid for fares via the Metlink website run by the Transport Department. When he stepped forward in late December to tell the site’s operators about the vulnerability, they never bothered to respond. Two weeks later, Rogers told his story to The Age; when the newspaper asked the Transportation Department about it, officials there reported Rogers to the police.

“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told The Age. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”

I guess the Transportation Department, knowing that it will face scrutiny over leaving its customers’ data so open to misappropriation, is trying to appear serious about security by making a preemptive strike—albeit against someone who attempted to notify it of the hole instead of exploiting it.

Target's Data Breach Diagnosis Off Target

I’m shocked—shocked!—to find out that Target wildly underestimated the number of people whose personal data was stolen in a data breach that occurred between 27 November and 15 December. Target came out today and retracted the 42 million figure it had been sticking to since news of the breach broke on 19 December. The retailer announced today that names, mailing addresses, phone numbers, and e-mail addresses of roughly 70 million people fell into the hands of cybercriminals. Much of the data newly identified as having been accessed by the hackers was supposedly stored on a separate part of the company’s internal networks from the one Target knew was hacked.

Few Plaudits for Yahoo's Belated Security Update

Yahoo finally made HTTPS the default setting for its e-mail service this week, years after rivals such as Google made the move. But if it was expecting handshakes and pats on the back, it has another thing coming. Security experts say that after Yahoo finished inexplicably dragging its feet, it has come up with a scheme that is not likely to keep users’ communications away from prying eyes. The “new configuration leaves a lot to be desired,” Ivan Ristic, director of application security research at security firm Qualys, told Security Watch. Ristic and other observers are scratching their heads about Yahoo’s decision not to support Perfect Forward Secrecy, which ensures that communications are secured by randomly generated ephemeral public keys. “Without Forward Secrecy, even encrypted data is feasibly at risk from private key compromise,” Ristic warns.
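To make Ristic’s point concrete, here is an added illustration that is not code from the original post or from Yahoo or Qualys: a toy comparison of a key exchange whose session secret depends on the server’s long-term key (static Diffie-Hellman, standing in for the RSA key transport of a non-forward-secret TLS configuration) against an ephemeral exchange in which the long-term key only authenticates a fresh per-session value. The group parameters, the HMAC “signature” and the key-derivation step are all constructed for the example and are far too weak for real traffic; the function names are likewise hypothetical.

```python
"""Toy comparison: static (no forward secrecy) vs. ephemeral (forward-secret) key exchange.

Constructed illustration. The group is a tiny Mersenne-prime group, the "signature"
is an HMAC stand-in, and the KDF is a bare hash; none of this is fit for real use.
"""
import hashlib
import hmac
import secrets

# Constructed toy group (NOT a standardized TLS group): prime modulus and generator.
P = (1 << 127) - 1
G = 3


def kdf(shared: int) -> bytes:
    """Toy KDF: hash the shared secret into a 256-bit session key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def rand_exponent() -> int:
    """Fresh private exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def static_dh_session(server_longterm_priv: int):
    """No forward secrecy: the server's key-exchange value IS its long-term key.

    Returns (client_key, server_key, transcript), where transcript is what a
    passive eavesdropper could record from the wire.
    """
    server_pub = pow(G, server_longterm_priv, P)
    x = rand_exponent()
    client_pub = pow(G, x, P)
    client_key = kdf(pow(server_pub, x, P))
    server_key = kdf(pow(client_pub, server_longterm_priv, P))
    transcript = {"mode": "static", "client_pub": client_pub, "server_pub": server_pub}
    return client_key, server_key, transcript


def ephemeral_dh_session(server_longterm_priv: int):
    """Forward secrecy: both sides use one-time exponents; the long-term key only
    signs the server's ephemeral value so the client knows who it is talking to.
    (HMAC stands in for the RSA/ECDSA signature a real handshake would carry.)
    """
    x, y = rand_exponent(), rand_exponent()
    client_pub, server_eph_pub = pow(G, x, P), pow(G, y, P)
    sig = hmac.new(server_longterm_priv.to_bytes(16, "big"),
                   server_eph_pub.to_bytes(16, "big"), hashlib.sha256).digest()
    client_key = kdf(pow(server_eph_pub, x, P))
    server_key = kdf(pow(client_pub, y, P))
    # x and y go out of scope here; nothing persistent can reproduce the shared secret.
    transcript = {"mode": "ephemeral", "client_pub": client_pub,
                  "server_pub": server_eph_pub, "sig": sig}
    return client_key, server_key, transcript


def recover_from_recording(transcript: dict, server_longterm_priv: int):
    """What a recorded session yields once the server's long-term key leaks later.

    Returns the session key when it is derivable from the recording plus the
    long-term key, or None when it is not.
    """
    if transcript["mode"] == "static":
        # The recorded g^x raised to the leaked long-term exponent is the shared secret.
        return kdf(pow(transcript["client_pub"], server_longterm_priv, P))
    # Ephemeral mode: the recording holds g^x, g^y and a signature. The leaked key
    # lets one re-check the signature (or impersonate the server in FUTURE sessions),
    # but neither exponent survives, so the past session key stays out of reach.
    return None


if __name__ == "__main__":
    lt_secret = rand_exponent()  # constructed long-term server key
    ck, sk, rec = static_dh_session(lt_secret)
    print("static: keys agree =", ck == sk,
          "| recoverable after key leak =", recover_from_recording(rec, lt_secret) == ck)
    ck, sk, rec = ephemeral_dh_session(lt_secret)
    print("ephemeral: keys agree =", ck == sk,
          "| recoverable after key leak =", recover_from_recording(rec, lt_secret) is not None)
```

The design point is the one Ristic makes: in the static case the session key is a function of the long-term private key, so any recorded handshake can be unwound the day that key is compromised; in the ephemeral case the long-term key only vouches for a value that is thrown away after the session, so a later compromise affects future impersonation but not past traffic.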

In Other Cybercrime News

  • RSA is facing a backlash over reports that it entered into a secret contract with the U.S. National Security Agency that called for the company to use a random number generator known to be flawed in its encryption tools. A growing number of security experts have withdrawn papers from an upcoming RSA conference in protest. In late December, Josh Thomas of Atredis announced that he had changed his mind about delivering a talk at the conference. The very next day, Mikko Hyppönen of F-Secure posted an open letter to RSA saying he was also canceling his talk on government-sponsored malware. At least a half dozen other people expected to be in the conference’s lineup have sent their regrets.
  • Researchers from Carleton University in Ottawa have proposed a way to create a user- and machine-generated narrative, based on the user’s recent activity on a computer, which would serve as a device’s authentication mechanism instead of a password. They reason that a familiar narrative will be easy for the authorized user to remember but exceedingly difficult for a hacker to crack. “Allow the system to have a dialogue and prove that you are you and tell it things you know,” says one of the authors of the paper (“Towards Narrative Authentication; or Against Boring Authentication”).
  • Researchers have discovered vulnerabilities in industrial Ethernet switches manufactured by Siemens that could let attackers hijack Web sessions and perform unauthorized admin tasks on the switches.
  • As cars get smarter and increasingly Internet connected, privacy issues regarding the flood of data a vehicle generates have come to the fore.
  • Security firm Invincea reported this week that the video-sharing site DailyMotion, which attracts 17 million visitors a month, has been plagued by an attack that redirects users to a scam. Kaspersky Lab’s Threatpost explains the threat thusly: “When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file which is the malicious executable.”

Photo: Getty Images

Healthcare.gov Operating Without a Safety Net

IT Hiccups of the Week: It may be a new year, but the past few weeks of IT snarls, snafus and general mayhem look a lot like last year’s (or last century’s (pdf), for that matter). We start off the 2014 Risk Factor edition of IT Hiccups with yet another wrinkle in the 2013 IT horror story of the year—namely the chaotic implementation of the Affordable Care Act (ACA) website and supporting back-office systems. I didn’t think I could be surprised by any more news about how unprofessional the Healthcare.gov implementation has been, but I must admit that the Wall Street Journal story last Friday reporting that the site was operating without a back-up system in place still managed to startle me. Not to worry, though. Officials at the Centers for Medicare and Medicaid Services (CMS), which manages the website, reassured the WSJ that “redundancy is a critical part of our planning.” In other words, they'll get around to it, eventually. Talk about living dangerously.

Also disclosed on the CMS Healthcare.gov planning “to do list” is the capability to go on line and make basic changes to health insurance coverage, like adding a new child, reporting a marriage, divorce or death, or other “change in circumstance” events. That capability was supposed to be there from the day the system went live in October, but it was postponed amid the flurry of fixes meant to provide even more basic website functionality, like not crashing. Whether the ability to change one’s insurance status will be available by mid-January, right along with other promised ACA back-office functions such as making payments to insurers for the coverage they are offering, remains to be seen. Few outside of CMS hold out much hope that deadline will be met, however; the agency is currently scrambling to get the tens of thousands of individuals who thought they had signed up for health insurance or Medicaid, but don't actually have coverage because of Healthcare.gov system issues, to sign up again.

Several states also report continued difficulties with their ACA system implementations. Oregon’s implementation is probably in the worst shape, but Maryland’s, Massachusetts', Minnesota’s, and Vermont’s aren’t that much better. The latter two states have decided to follow Oregon’s lead and withhold money from the prime contractors responsible for the botched IT implementations until the systems are fixed. Oregon is withholding US $20 million from Oracle, while Massachusetts and Vermont are withholding some $58 million and $6 million, respectively, from CGI. CGI, you may recall, is the prime contractor for the mismanaged Healthcare.gov implementation.

Florida has also decided to withhold funds from its IT vendor, Deloitte Consulting, but in this case, for mishandling the implementation of the state’s new $63 million unemployment insurance system which was rolled out in October. Florida says that Deloitte has failed to meet its contractual obligations, which Deloitte vehemently denies. Florida officials have hit Deloitte with penalties of $15 000 a day since 23 December 2013 (which is in addition to $3 million in payments already being withheld, a separate $1.5 million penalty imposed last month, and a $4.5 million penalty imposed on Deloitte by the state in 2012). If things keep going, Deloitte will end up paying Florida for the privilege of building the unemployment system.

Finally, there were a number of banking and credit card systems that experienced a variety of problems during the holiday season, including those at Allied Irish Banks, NatWest and RBS in the UK, and PNC Bank in the U.S. All apologized to their customers for the inconvenience, of course—which I doubt did much to soothe the consumers' anger when they found they couldn’t pay for their holiday purchases.

Healthcare.gov Saga Continues Unabated

Healthcare.gov Operating without Back-up System in Place

Making Changes to Healthcare.gov-bought Plan Difficult

More than 100 000 Enrolled Through Healthcare.gov Need to Enroll Again

For What It's Worth: Healthcare.gov Prime Contractor Has Top Software Process Credentials

Congress to Consider Healthcare.gov Security Legislation

Florida’s New Connect Unemployment Insurance System Becomes Deloitte Debacle

Florida Fines Deloitte Over Unemployment Insurance System Mess

Deloitte Defends its Work On CONNECT Unemployment System

Florida and Deloitte Claim Alternative Realities in Unemployment System Fiasco

Florida Doubles Personnel to Handle Unemployment System Problems

Florida’s Unemployment Number Misleading Because of Unreliable System

Bank and Credit Card Systems Say Not Today

Allied Irish Banks Suffer ATM Glitch

AIB Says It Has Fixed ATM Problems

NatWest Online Banking Down Due to DOS Attack

Tesco Petrol Payment Issue Freezes NatWest and RBS Credit Cards

PNC Bank Customers Find Their Money Missing After Computer “Glitch”

UAE Bank Cards Fail to Work

Of Other Interest …

EBay Overcharges Some Buyers

Australian Myer Department Store Resolves Online Problems

Malfunctioning Issues Reported With Nest Thermostat

BNC Bankcorp Website “Glitch” Creates Problems for Rival Bank

Microsoft Promising Surface Pro 2 Firmware Fix Soon

Delta Honors Glitch Fare Pricing

Glitches Galore Delight Online UK Holiday Shoppers

Photo: Joe Raedle/Getty Images

NSA Spies Who Purchased This Snooping Device Also Bought…

This Week in Cybercrime: We were already aware of the existence of illicit marketplaces teeming with tools for cybercriminals looking to subvert the security of online networks. But one of the latest revelations from the cache of documents stolen by NSA whistleblower Edward Snowden is the fact that NSA hackers have access to a spy catalog from which they can buy gadgets and malware that make the idea of online security virtually meaningless. According to Der Spiegel, the newly disclosed documents reveal that specialists in the NSA’s Tailored Access Operations division manage to access data that is supposedly inaccessible even by tapping undersea cables or by strong-arming companies such as Google, AT&T, and Yahoo. Their bag of tricks, which includes mapping and monitoring networks and rerouting and modifying data, comes largely from a 50-page catalog produced by another NSA division.

“For nearly every lock, ANT seems to have a key in its toolbox,” Der Spiegel writes. “And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.”

The 2008 catalog features items ranging in price from free to US $250 000. They include a $30 pack of rigged monitor cables that let the NSA see whatever the user sees, a $40 000 GSM base station that spoofs a mobile phone tower so that it receives signals from nearby handsets, and a digital lock pick for firewalls made by Juniper Networks that keeps the backdoor open even after reboots and software upgrades. Worse, the Snowden documents reveal, is that the catalog contains malware capable of infecting a machine’s BIOS so that it continues to compromise the device’s security even after the most drastic measures—wiping the hard drive clean and reinstalling the operating system.

PINs Compromised in Target Hack

Target’s troubles are mounting. The retailer, whose systems were hacked at the height of the holiday shopping season, has confirmed that the cybercrooks were able to access a listing of customer debit card PINs. The company had earlier said that the PINs weren’t taken in the data breach. Now Target is insisting that customers are safe and that the hackers won’t be able to turn the data into easy cash by making spoofed debit cards that let them take money out of ATMs. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement posted on its website on Friday.

Target didn’t reveal how much PIN data was divulged.

Despite the retailer’s insistence that “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” company officials may be the only people shocked when the other shoe drops and we find out that the hackers have managed to find the keys to decrypt it.

Snapchat Hacked

It was supposed to be simple. And easy. And safe. Just send someone a pic on Snapchat and, poof—it would disappear from the recipient’s device before it could come back to haunt you. But now there’s reason for worry. Snapchat has been hacked. Though no one’s heard of any funny business with images being diverted, the usernames and phone numbers of 4.6 million alleged Snapchat users were posted online this week. The posting, on a website called SnapchatDB.info, came a few days after an outfit called Gibson Security publicly reported a vulnerability in the social sharing service it said would allow that very thing to occur. (According to Computer World the site has been taken down by its hosting service, but a cached version can still be viewed.)

Gibson says it first made Snapchat aware of the vulnerability in August, but the service didn’t respond. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it," Gibson said in a statement.

In Other Cybercrime News…

  • FireEye, a major cybersecurity company, announced the purchase of Mandiant, a privately-held cyber forensics firm, for roughly US $990 million. FireEye, a leading seller of security services designed to identify and combat cybercrime via the Internet, e-mail, and mobile devices, has previously collaborated with Mandiant to stave off attacks. The purchase, FireEye said in a statement, will improve its ability “to stop advanced attacks at the earliest phases of the attack life cycle.”
  • This week, a U.S. federal court upheld a government policy allowing law enforcement officers at or near U.S. borders to seize and search electronic devices for any reason. The decision [pdf] by U.S. District Judge Edward Korman in New York is the result of a case brought by the American Civil Liberties Union (ACLU), which argued that U.S. border officials shouldn’t be able to conduct searches of gadgets without reasonable suspicion that a crime has been committed. But the judge held that the so-called “border exemption,” which gives the government the right to warrantless and suspicionless searches within 160 kilometers of the border, applies to data and the devices that contain it.

Photo: iStockphoto

Target Hack Stole Millions of Credit and Debit Cards

Hello, Target shoppers. Just in time for the holidays, your credit card data has been compromised. And according to Brian Krebs, the purloined information has been “flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” Krebs, who broke the story on his blog, Krebs On Security, on Wednesday, says that:

“[A bank, having been notified that a “card shop” with a reputation as a reliable source for stolen credit and debit cards] had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store…browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.”

But here’s the kicker:

“When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop,” says Krebs, “it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.”

The day after Krebs’ revelation, the retailer issued a statement confirming that the customer information for roughly 40 million credit and debit cards swiped at Target stores between 27 November and 15 December had been, well, swiped. The company initially thought that the period over which the breach yielded stolen payment card information ended on 6 December, but as the investigation into the break-in continued, those hopes were dashed.

The team looking into the breach says it has found nothing to indicate that Target’s online customers were affected. What’s not known at this time is whether the hackers were able to gather PIN information for debit transactions. If they did, it would be possible to make phony cards that could empty bank accounts by withdrawing cash from ATMs.

Why the bricks-and-mortar and not the e-commerce customers? Though nothing has been confirmed, computer security experts suspect that the attackers went for the retailer’s point-of-sale (POS) system, the point of entry seen as the weakest link. The vulnerability of point-of-sale systems lies in the fact that they’re “usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider,” Mark Bower, vice president of product management at Voltage Security, said in a statement. “In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable,” says Bower. 

Target will get a chance to explain exactly how it happened in court. A Bloomberg Businessweek article says that a California resident affected by the data breach has already filed a lawsuit against the company. The complaint asserts that, “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” The plaintiff, says the article, is looking to make it into a class-action suit.

Furthering the indignity, the retailer's online systems and call centers have been overwhelmed by a torrent of customers trying to find out more about the attack and to determine whether they had been affected, according to the StarTribune, the hometown newspaper of Target, which is based in Minneapolis, Minnesota.

North Carolina Continues to Wrestle with Wayward IT Projects

North Carolina is famous for its high-tech Research Triangle, but lately it seems that state government IT projects are bound for IT’s equivalent of the Bermuda Triangle.

As you may remember from an earlier Risk Factor story on state government IT project snafus, North Carolina rolled out two new major systems, one called NCFast and the other NCTracks. NCFast (North Carolina Families Accessing Services through Technology) is the N.C. Department of Health and Human Services (DHHS) computer system aimed at streamlining the work activities and business processes of the department and county social services agencies so that more time can be spent on helping those requiring public assistance and less on bureaucratic tasks. NCFast was “soft-launched” in mid-July (the system is not scheduled to be completely finished until 2017).

However, since the launch of NCFast, there have been ongoing issues with the US $48 million system that have caused many families on food assistance to go without their benefits for months at a time. This has, unfortunately, given those families a new perspective on what the “fast” in NCFast means. Within six weeks of the system’s launch, almost 70 000—or nearly 9 percent—of North Carolina’s food-assistance recipients were not receiving their benefits. In response to the political uproar created by the rapidly rising number of hungry families who were straining local food banks, DHHS quickly placed the blame for the lack of benefits squarely on the county social services agencies, pointing specifically to what DHHS claimed was inadequate training on how to use the NCFast system. The county agencies fired back, accusing the state of rolling out a slow and bug-filled case management system that was prone to freezing up or crashing without warning.

About a week ago, it emerged that the county social service agencies had every right to blame the NCFast system for the growing backlog of food-assistance recipients. What's more, the state DHHS knew NCFast was at fault, too, but decided to keep quiet about it. According to a report by Raleigh TV news station WRAL, while DHHS was publicly blaming the counties for not training their staff on how to use NCFast correctly, its own internal assessment of the situation was contradicting that assertion. The WRAL story states that the DHHS internal assessment showed “only a small minority of counties faced problems with training, staffing, and technical infrastructure.”

In addition, WRAL reports, DHHS eventually discovered what it called a “simple browser compatibility issue” in late August that turned out to be the root cause of many of NCFast’s operational issues. But that discovery was made only after several county agencies reported that NCFast seemed to work better when interfacing with the system through Google Chrome than through Internet Explorer, a fact that DHHS evidently did not investigate on its own.

Since the browser fix was made, NCFast’s operations have markedly improved, but it has still taken months—along with the hiring of over 150 temporary workers—to whittle down the backlog of the tens of thousands of families awaiting their food-assistance benefits. However, reports of families not properly receiving food assistance are still being made, albeit not at the magnitude experienced in August or into September. A story this week at the Times-News in Burlington, North Carolina, for instance, reports that the local county social services agency still says “it’s a daily struggle” working with NCFast.

The WRAL story indicates that, even now, North Carolina DHHS officials continue to point to a lack of user training at the county health services agencies rather than software problems in NCFast as the initial cause of the majority of the family food-assistance backlog. You might at first be surprised by the state health services department’s blatant attempt at shifting the blame away from itself in the face of contrary facts. But the fact that DHHS has an even bigger IT debacle than NCFast on its hands makes it less surprising.

You see, at the beginning of July, North Carolina’s DHHS also decided to launch its highly controversial $484 million NCTracks Medicaid claims processing and management system. The agency did this despite a May state audit [pdf] that cast doubt on whether the system—which was $200 million over budget and two years late—was ready to go live. The audit cited, among other issues, the lack of testing or independent verification and validation of key system elements, as well as unresolved privacy and security concerns. For instance, out of a scheduled 834 “critical” priority tests, the audit stated that 123 failed and 285 tests were not even performed.

DHHS, however, insisted that there was nothing major to worry about, regardless of what the audit reported. The department conceded that there might be an “initial rough patch of 30 to 90 days as providers get used to using the new system,” but that there should be smooth sailing after that. Well, here it is nearly 180 days on, and NCTracks is still desperately trying to smooth out that “rough patch.”

Statistics from November, for example, indicated that NCTracks was still performing at a worse rate than the 25-year-old system it had replaced. Furthermore, the Medicaid claims of many of the state’s 77 000 Medicaid providers were still not being paid promptly, or they were being rejected at a rate in some cases 4 times higher than in the past. This was causing financial hardship for countless health care providers, leading some to decide, reluctantly, to quit providing care to Medicaid recipients. The problems with NCTracks have, not unexpectedly, also generated a lot of political heat.

Adding to the political fire last week was the release of another state audit [pdf] showing that some 3200 defects in NCTracks had been discovered since it went live in July, and that more than 600 defects were still to be fixed as of 5 November. DHHS recently admitted that most of those defects remain unfixed, but claimed that they don’t affect “most” Medicaid providers. The department wouldn’t, however, give an estimate of how many providers the defects did affect.

The state’s audit also reported that DHHS management still did not have a master plan to track problems or their corrections; DHHS has since promised one would be ready beginning January 2014.

Furthermore, the audit noted that 12 of the 14 critical changes mandated by the state legislature or by the federal government were not in place by their specified dates. DHHS management promised that the 12 changes will be implemented by 1 March 2014, although one should view that promise with more than a few grains of salt.

Finally, the audit indicated that North Carolina’s financial analysts aren’t sure what the state is spending on Medicaid since NCTracks still can’t account for what the state still owes its 77 000 Medicaid providers.

However, since the day NCTracks was rolled out, and despite all its well-documented problems, DHHS management has continually pushed the optimistic message that “NCTracks is on track” since the system is able to pay at least some number of submitted claims. And like those in charge of NCFast, NCTracks management has continually downplayed NCTracks’ IT problems while—surprise, surprise—insisting that most of the issues being reported are caused by a lack of training at the state’s Medicaid providers. In fact, last week, even as the state audit report was detailing the multitude of problems in NCTracks that should have been addressed before the system was allowed to go live, the state's manager in charge of NCTracks computer systems development congratulated his staff on the “successful launch” of the system.

One would hate to see what an unsuccessful IT project launch looks like in North Carolina.

Well, luckily for us, according to another North Carolina state audit from earlier in the year, there are plenty of opportunities to find out, because many, if not most, of the other 82 state IT projects are in questionable shape. Given, too, that the audit stated that “state agency managers are not required to manage IT projects so that the projects meet the initial cost or schedule estimates that are submitted to ITS [Office of Information Technology Services],” NCFast and NCTracks might have plenty of company on their voyages into the IT Bermuda Triangle.

Toyota Enters into Settlement Talks over Sudden Unintended Acceleration

IT Hiccups of the Week

This week’s edition of IT hiccups, snarls, and general foul-ups begins with the surprising announcement last Thursday by U.S. District Judge James V. Selna who, according to Bloomberg News, issued an order stopping lawsuits into claims of sudden unintended acceleration in vehicles manufactured by Toyota. The reason: to give time requested by both Toyota and plaintiff lawyers to find a way to settle claims against the car manufacturer.

As longtime readers of the Risk Factor may recall, the issue of sudden unintended acceleration (SUA) really came to the fore in 2009 when Toyota issued an initial recall of 3.8 million vehicles over the possibility that floor mats were jamming accelerator pedals, keeping them in the full open position. A fatal crash in California the same year took the life of a veteran California Highway Patrol officer (along with his wife, teenage daughter and brother-in-law) who could not find a way to stop a runaway 2009 Lexus ES 350. That incident helped highlight claims of additional sources of SUA problems with Toyotas, such as software/hardware-related defects inadvertently affecting Toyota’s electronic throttle control system. These claims (along with Congressional pressure) forced the National Highway Traffic Safety Administration to conduct an investigation, which reported that no such defects could be uncovered. Toyota had long insisted that most cases of SUA were the result of driver error and not electronic-related, and used the NHTSA investigation to bolster its argument.

Even though the NHTSA couldn't uncover anything wrong with Toyota's electronic throttle system, that finding didn’t stop SUA lawsuits from being filed against the company, which had to date been unsuccessful at showing anything other than possible floor mats or driver error being responsible for SUA. In early October, for example, NBC News reported that Toyota yet again prevailed in an SUA lawsuit against it.

However, later that same month, the LA Times reported that an Oklahoma jury found that electronic defects were indeed responsible for causing SUA in a 2005 Toyota Camry which “caused it to accelerate out of control and crash into a wall, killing a passenger and seriously injuring the driver.” The jury found that Toyota was guilty of “reckless disregard” in the case after defense software forensic experts convinced it that there were indeed, as the EE Times stated, fatal flaws in Toyota’s electronic throttle source code.

Toyota, stunned by the $3 million verdict and its implications, moved quickly to settle the case. Toyota continued to strongly argue—at least publicly—that SUA was not caused by electronic issues; but privately, the company must have worried that the jury verdict was the proverbial straw that broke the camel’s back. As a result, Toyota apparently decided that it had more to lose by going through hundreds of trials than in reaching a broad settlement agreement. Already, Toyota has reached a settlement in another lawsuit in West Virginia. I’ll continue to report on the proposed settlement as it becomes public, and especially whether Toyota now admits that there were software defects in its electronic throttle control software after all.

In other IT snafu news, Yahoo Mail experienced outages for days last week due to a hardware problem in one of Yahoo’s storage systems beginning Monday night. Yahoo, after steadfastly refusing to say how many of its 100 million daily users were affected, finally conceded at the end of the week that about a million users were affected—although I doubt anyone believes that number is really representative, given the breadth and depth of the user complaints voiced.

Last week also saw continued problems with Florida’s new US $63 million unemployment system that was launched in mid-October. While the state government insists that the system is generally working successfully, news stories including one at the Miami Herald continue to report thousands of user complaints that paint a portrait of a dysfunctional system. The technical problems are now morphing into a political headache for Gov. Rick Scott, as politicians of all stripes continue their call for an investigation into what went wrong and why it is taking much longer to fix than the state promised.

Finally, IT issues with the Affordable Care Act website, which was rebooted 16 days ago, continue to be reported. The Washington Post reported over the weekend that thousands of people who thought they had enrolled for insurance actually weren’t because their enrollment records were never transmitted to insurers. The Obama Administration insists that problems with enrollments are being quickly solved, but the New York Times says insurers beg to disagree. In addition, several states continue to report trouble with their health insurance website implementations, with Oregon’s being termed an absolute fiasco. Past history gives me great confidence that additional IT-related problems will surface well into the foreseeable future.

Toyota Decides to Cut Its Losses over Sudden Unintended Acceleration Lawsuits

Toyota Cars, Coding and Carelessness

After Four Years, Toyota Enters Settlement Talks

Toyota Seeks Settlement Over Sudden Acceleration Cases

Toyota Suddenly Flies White Flag in Sudden Acceleration Lawsuits

Toyota SUA Settlement Options Explained

Yahoo Apologizes for Embarrassing Email Outage

Yahoo Outage Hits 70% of Messages

Yahoo Silent over Outage

Yahoo Mail Outage Enters Fifth Day

Marissa Mayer Apologizes for Yahoo Mail Outage

Florida’s New Unemployment System Woes Now Becomes a Political Issue

Florida’s Unemployment System Payments Remain Tied Up

Gov. Scott Brushes Off New Unemployment System Complaints

Unemployment System Woes Becoming a Florida Campaign Issue

Florida Fines Deloitte US$1.5 million over Unemployment System Problems

Of Other Interest …

New Zealand Novopay Snafus Persist a Year On

UK Waitrose Supermarket Suffers Online Delivery Glitch

Data Issue Affects Melbourne Australia Air Traffic Control System

Electronic Benefits Transfer Card Glitch Affects Massachusetts Assistance Recipients

Billing System Problems Hits Johannesburg's Finances

Cable Theft Causes Three-day Broadband Blackout in West London

Image: Mixmike/iStockPhoto


Willie D. Jones