Risk Factor

This Week in Cybercrime: Good news! Citibank Thieves Get Caught; Cellular Carriers Launch Stolen Phone Database

It has been a busy week in cybercrime. The FBI says it arrested fourteen individuals and charged them with bank fraud and conspiracy to commit bank fraud in the alleged theft of over US $1 million from Citibank using cash advance kiosks at casinos located in Southern California and Nevada. The individuals found and then exploited a security flaw in Citibank’s electronic transaction security protocols.

The gist of the scheme was that the perpetrators would open multiple Citibank checking accounts.  Next, they would make successive withdrawals—that combined were several times the amounts that had been deposited in the accounts—from the casino’s cash advance kiosks. They had to make these withdrawals in less than 60 seconds to exploit the flaw. The FBI stated that the individuals “were also careful to keep both their deposits and withdrawals under $10 000 in order to avoid federal transaction reporting requirements.”

How the flaw, which netted the group over $1 million, was initially discovered was not disclosed by the FBI. Did they just figure this flaw out over a couple of beers, or did one or more of the fourteen have some inside knowledge of Citibank’s ATM security process?

Next, the first lawsuit was filed against South Carolina’s Department of Revenue and Governor Nikki Haley for failing to protect taxpayers from a massive security breach involving some 3.6 million taxpayer Social Security numbers, 387 000 credit and debit cards, and information on over 657 000 South Carolina businesses. The breach occurred in September, and affects anyone who has filed a tax return in South Carolina going back to 1998.

According to WSAV-TV in Columbia, S.C., a cybercriminal was able to obtain the credentials of a tax collection agency employee to gain complete access to South Carolina’s tax database. State officials are refusing to say how this occurred—which is no big surprise.

Gov. Haley created a stir earlier this week when she insisted South Carolina’s government information security practices were adequate, and stated that the reason taxpayer Social Security numbers were not encrypted was because it was “cumbersome” and “there's a lot of numbers involved.” Not content to stop there, she dug her “I don’t have a clue” hole deeper by saying that, “The industry standard is that most SSNs are not encrypted,” and that lots of “agencies that you think might encrypt Social Security numbers actually don't.” More than a few IT security experts have already disagreed with the governor’s take on adequate cybersecurity practices.

Of course the real economic calculus behind Haley’s blasé attitude might hinge on the fact that the state’s liability for negligence in a breach such as this is likely limited to $600 000, while the cost to encrypt South Carolina’s sensitive taxpayer data is probably a lot higher than that. South Carolina is providing taxpayers one year of free credit monitoring service at Experian, which is the least the state can do. Literally.

Georgia (the country, not South Carolina’s neighbor) decided that it had had enough of a Russian cybercriminal who “waged a persistent, months-long campaign that stole confidential information from Georgian government ministries, parliament, banks and NGOs,” ComputerWorld reported Tuesday. So the government’s Computer Emergency Response Team (CERT) set up a cyber document honey-trap that fooled the cybercriminal into downloading a file he thought contained sensitive government information but instead was spyware. With it, CERT was able to download documents from his computer—and even turn on the cybercriminal’s webcam for about 10 minutes and take his picture. The documents downloaded allegedly show that he did work for Russian security agencies.

Every year, Verizon, in cooperation with authorities in Australia, Ireland, the Netherlands, and the United States, compiles global security statistics. Verizon released its 2012 Data Breach Investigations Report (pdf) this week which showed that there were at least 855 incidents involving 174 million compromised records in 2011. The 77-page report indicated that, “2011 boasts the second-highest data loss total since [Verizon] started keeping track in 2004.”

The report went on to say that, “Mainline cybercriminals continued to automate and streamline their method du jour of high-volume, low-risk attacks against weaker targets. Much less frequent, but arguably more damaging, were continued attacks targeting trade secrets, classified information, and other intellectual property.”

Government agencies and businesses aren’t the only targets of cybercriminals, however. According to a study (pdf) released this week by California-based Kindsight Security Labs, 13 percent of home networks are infected with malware. Furthermore, the report states that 6.5 percent of broadband customers are infected with high-level threats such as bots, rootkits, and banking Trojans, and over 2 million user systems worldwide (685 000 in the United States alone) are infected with the ZeroAccess botnet. I would have guessed more given the amount of spam I receive on a daily basis.

Finally, returning to the good news, US cellphone companies have started as of Wednesday to roll out a database that will serve as a stolen cellphone blacklist repository, something they have long resisted doing. A story in ComputerWorld says that carriers AT&T and T-Mobile will offer a joint database that blocks a phone’s International Mobile Equipment Identity (IMEI) number, which is used to verify that it is a valid device when accessing a carrier’s network. Verizon and Sprint will be offering their own database soon.

By November 2013, the four carriers will combine their databases as well as link to those maintained overseas to prevent stolen phones that are locked out in the U.S. from being sold overseas. Nearly half the robberies in San Francisco this year were cellphone related.

IT Hiccups of the Week: Thousands of Voters Possibly Disenfranchised in Ohio

We start off this week’s review of IT-related “ooftas” with what will likely be a very big story next week: glitches related to voting in Tuesday’s U.S. presidential election. In fact, why wait? Already, thousands of absentee-ballot requests have been erroneously rejected across Ohio because of a “data-sharing” glitch, as reported in the Columbus Dispatch last week. Apparently, a “software glitch” at the Ohio Bureau of Motor Vehicles “caused about 100 000 change-of-address notifications made on the bureau’s website not to be sent to the secretary of state’s office,” which is then supposed to send the updated registered voter address information to local boards of election. Thus when local boards checked the addresses of those voters requesting absentee ballots, the addresses did not match, causing the ballot requests to be rejected.

The Columbus Dispatch states that as many as “4500 registered voters will not receive absentee ballots they requested” and as many as “6000 provisional ballots cast by registered voters could [also] go uncounted.”

Ohio’s 20 electoral college votes are critical for both parties, and although in 2008, 263 000 votes separated the two major candidates, this year the polls show the two presidential candidates in a virtual tie there.

As well, already, there have been news reports from several states claiming that electronic voting machines used in early voting showed the wrong candidate as the one the voter selected. E-voting accuracy is likely to be a big news issue next week as well.

This week’s hiccups aren’t limited to voting, nor to the United States.

As I mentioned last week, a promotional computer glitch at the UK retailer Tesco changed the price of twin-packs of 350g Cathedral City Mature Cheddars from £6.55 to £1, which led to a run on cheese. This week, another Tesco software promotional pricing glitch has allowed “six bottles of wine normally costing £59.94 [to] be bought for £9.01, less than the usual cost of one bottle,” the London Telegraph reports. You can guess what happened once word hit the social media sites.

Interestingly, in the cheese incident, Tesco refused to admit to the glitch, and just let its stocks of cheese be bought out at the mistaken price. However, Tesco moved immediately in the case of the wine to fix the error.

No doubt lots of folks in the U.K. are scouring Tesco’s promotions for other glitches. Presumably they’ll first check the cracker prices.

This week Consumer Reports listed Ford virtually at the bottom of its 2012 vehicle reliability ratings, reports the Detroit Free Press. Only three years ago, Consumer Reports had listed Ford as having “world class reliability.” Why the change? Continuing problems being reported by drivers to Consumer Reports with their MyFord Touch and MyLincoln Touch infotainment systems and the hands-free Sync communication system. Earlier this year, Ford sent out major software upgrades to owners of these systems in an attempt to overcome known bugs and interface issues. It looks, however, as though the upgrade hasn’t made much of a difference. Some 16 percent of Ford Explorer owners are still reporting issues with their vehicle’s Sync system.

A Ford spokesperson said that the Consumer Reports finding “lines up with what our data is showing. We're well aware they are the areas we need to improve.” That statement also lines up with what Ford said last year and the year before as well. I wonder if Ford is aware of that, too.

There was also news this week that French troops, many serving in Afghanistan, will finally get the 30 million euros in back wages owed to them since September last year, when a new military pay system went live. Over 75 different pay errors were discovered, including one where repayments for advances were deducted three times and pay stoppages were also put into place, all on the same wage slip, RFI reported. Defense Minister Jean-Yves Le Drian, who is said to be furious over the pay system’s software problems, is insisting that all soldier pay issues be resolved before Christmas. He further ordered that the planned adoption of the pay system by the Air Force and Gendarmerie in March 2013 and September 2013 respectively be postponed until the system is thoroughly tested. RFI reported that the pay system was rushed into service without being fully vetted.

Finally, an unknown “computer glitch” is being blamed for a number of tsunami warning sirens failing to go off in Hilo, Hawaii last Saturday night in the wake of the magnitude 7.7 earthquake that struck British Columbia, the Hawaii Tribune-Herald reported. Fortunately, there was time to manually activate the silent sirens, and even more fortunately, the resulting tsunamis were small enough to do no damage to the Hawaiian Islands.

Rule No. 1 for Hurricanes: Don’t Place a Backup System Where It Will Flood

In the wake of 9/11, Hurricane Katrina, and last year’s Japanese Fukushima nuclear disaster, numerous stories were soon written about how important it was for organizations to check the ability of their computer back-up systems to continue to operate in the face of a major disaster. Then came Hurricane Irene, whose storm surge almost flooded Lower Manhattan late August last year, along with warnings that it wasn’t whether Lower Manhattan would ever flood, but only when. These same stories dutifully appeared yet again.

It only took a year for that prediction to come true. Hurricane Sandy’s storm surge did in fact flood Lower Manhattan. And, as endlessly forewarned, the New York region is already drowning in stories of organizations that had inadequate IT contingency management plans.

For instance, several major websites, such as Gizmodo and the Huffington Post, went offline Monday night. According to the New York Times and the Wall Street Journal, those two sites, which are associated with Gawker Media, shared a common ISP located in Lower Manhattan by the name of Datagram. When the local utility's transformers blew up (check out the spectacular video of it, beginning at 0:20) and took out the power to Lower Manhattan Monday evening, Datagram’s backup generators were supposed to switch on and continue to provide power to its servers. However, as the NY Times noted, “Although Datagram uses backup electricity generators in the event of a storm, its offices were flooded, knocking those machines out as well.” The WSJ also pointed out that Datagram’s basement flooded and damaged the building’s electrical system.

After Hurricane Katrina, the potential flooding of hospital basements where paper medical records are typically stored was touted as a good reason for moving to electronic health records. However, using EHR systems creates a different risk than medical records ruined by flood waters: what happens when there is a loss of power? Losing electricity has been a hot EHR-related topic recently, especially in the aftermath of the Cerner EHR remote-hosting service outage in July.

As noted in an LA Times story on the Cerner outage, “Federal law requires medical providers and their vendors to have contingency plans for when systems go down.” However, Federal law doesn’t require the contingency plans to be thoroughly vetted, apparently.

There's perhaps no clearer example of this than the loss of power at the 705-bed New York University Langone Medical Center, also in Lower Manhattan, which took out its EPIC electronic health record system, and subsequently (in conjunction with rising water) caused the hospital to evacuate its patients during the height of the hurricane. There are conflicting reports as to what happened, but according to news reports, after the hospital lost power due to the aforementioned transformer disruption, the hospital’s primary backup electrical generator failed, as did the backup to the backup generator. A CBS News story says that flooding in the hospital's basement overwhelmed the primary backup generator. The other generator, which is on the roof, then also failed, CBS News said, because “the pump that supplies fuel to that generator is on a lower floor and was [also] flooded.”

A story at the Huffington Post, which did eventually come back online, reports that a NYU hospital spokesperson vigorously defended the adequacy (and architecture) of the hospital’s backup power system, stating that, “Our generators are fully compliant with all state and federal regulations and, using good prudence, we test them all the time as we have to do anyway.”

What is a bit puzzling is that the hospital, which is in the Lower Manhattan hurricane evacuation zone, was closed last year on the orders of Mayor Bloomberg before Hurricane Irene, but was kept open as Sandy approached, even though the prediction was for a higher storm surge to come ashore this time around. The hospital claimed, according to the Guardian, that it did not anticipate Hurricane Sandy causing heavy flooding. Mayor Bloomberg, when questioned about why he didn’t order the hospital closed as before, claimed the hospital told him it could handle the risks posed by Sandy.

Ensuring the controversy will live for a while longer, the mayor's own Bloomberg News reported that the hospital knew full well that the generators were vulnerable. It quoted a hospital trustee as saying that the hospital’s board “knew the facilities’ generators were outdated and at risk” and that the back-up generators “are not state of the art and not in the most state-of-the-art location.”

Other reliable sources indicate that the NYU hospital basement is prone to flooding during heavy rains, and that it wasn't unusual for the backup generator to go off-line as a result.

Another Bloomberg story notes that New York’s Staten Island University Hospital “started flooding Oct 29, shutting down the computers and electronic medical records and forcing workers to use paper records.” Patients were evacuated from the hospital before the hurricane arrived, however.

Here's one storm prediction you can take to the bank: more stories of poor IT contingency management will soon appear. The lessons to be learned from them will be written up and then soon forgotten, at least until after the next disaster strikes.

Is It Time For a Computer Industry Do-Over?

“If the computer industry got a do-over, what should it do differently?”

That is the subject of a feature article in today’s New York Times that profiles my long-time friend and mentor, Dr. Peter Neumann, who is the Principal Scientist at the Computer Science Lab of SRI International. Peter may now be chronologically 80 years old, but he still manages to combine his 60 years of computing experience with the stamina of a 25-year-old.

One—and I emphasize one—of Peter’s latest endeavors is working with DARPA’s Information Innovation Office on “CRASH,” or the Clean-slate design of Resilient, Adaptive, Secure Hosts. The DARPA web site describes CRASH as pursuing “innovative research into the design of new computer systems that are highly resistant to cyber-attack, can adapt after a successful attack to continue rendering useful services, learn from previous attacks how to guard against and cope with future attacks, and can repair themselves after attacks have succeeded.”

“Because the industry is now in a fundamental transition from desktop to mobile systems,” says DARPA’s program manager Howard Shrobe, “it is a good time to completely rethink computing,” especially in regard to improving computer security.

While it may appear that the research is a bit quixotic in nature, Peter points out in the article that, “We have not fundamentally redesigned our networks for 45 years. Sure, it would cost an enormous amount to re-architect, but let’s start it and see if it works better and let the marketplace decide.”

Tackling big computer problems that few want to take on has been a hallmark of Peter's career throughout, but improving computer security has been a special interest of his—and, for many in the computing industry, a highly irritating Hyde Park soapbox one as well. Peter has been warning, mostly in vain until recently, that the industry did not pay enough attention to the computer security threats posed by poor computer system and software design.

And, Peter has long said, the longer the industry ignored them, the larger those threats would grow. Nor can you design computer security in after the fact, a warning that industry may finally be willing to listen to as IT systems are being broken into on a regular basis. Just this week it was disclosed that someone had broken into South Carolina’s Department of Revenue and accessed as many as 3.6 million residents' Social Security numbers and 387 000 credit and debit card numbers.

Another of Peter’s long-time interests has been what I call the risk ecology of computing, namely, the business, technological, social, political and personal risks that computing has created along with its tremendous benefits in each of those spheres. Since 1985, Peter has moderated the ACM Risks Digest (aka Forum On Risks to the Public in Computers and Related Systems), which has been a home for open discussions among academics, practitioners, and kibitzers alike on the who, what, where, when, why and how of different computer-related risks that have turned into sometimes pernicious problems. One of the more frustrating things, he told the Times, is that many of these computing risks, such as the security risk posed by buffer overflow possibilities (pdf), have been known for decades but are still routinely ignored.

You can listen to Peter, Steve Bellovin, Matt Blaze and myself discuss some of the recurring risks that turned into a plague of problems for the FBI’s Virtual Case File system development during an IEEE Spectrum Radio roundtable from a few years back.

Finally, the Times ran a concurrent piece on the beginnings of computer hacking—when hacking wasn’t a pejorative word—and Peter’s role in it. I think you’ll find both Times articles interesting, and offer a bit more insight into one of the great thinkers of the computer field.

This Week in Cybercrime: Thieves Steal Credit Card Data from Barnes & Noble Customers

Book Buyers Ripped Off by Crime Novel Come to Life

On 24 October, bookseller Barnes & Noble issued a press release revealing that PIN pad devices at cash registers (also known as point-of-sale or POS terminals) in 63 stores had been tampered with. According to the release, the book chain, “upon detecting evidence of tampering, which was limited to one compromised PIN pad in each of the affected stores…discontinued use of all PIN pads in its nearly 700 stores nationwide.” A Wired article reports that Barnes & Noble discovered on or about 14 September that the card readers had been implanted with malware that allowed a group of cyberthieves to intercept credit and debit card data. The company kept the attack a secret at the urging of the FBI, which was investigating. Neither the company press release nor the Wired article indicates exactly how the hackers managed to infiltrate the bookseller’s payment system. But the Wired story points to a July presentation at the Black Hat security conference in Las Vegas, where researchers demonstrated one of several methods for installing malware onto POS terminals; the researchers exploited a vulnerability that would allow a hacker to surreptitiously change applications on the device or install new ones in order to capture card data. While Barnes & Noble is fixing the security hole, it is advising customers to let cashiers scan their cards using the ostensibly more secure readers embedded in the cash registers.

Apps Give Away the Keys to the Kingdom

If a chain is only as strong as its weakest link, then Google’s popular Android mobile gadgets can trace their susceptibility to manipulation by hackers to a significant vulnerability in a startling number of apps available from the Google Play app store. According to TechNewsWorld, researchers at the Leibniz University of Hannover and Philipps University of Marburg downloaded 13 500 popular free apps from Google Play in order to see just how many made proper use of the SSL or Transport Layer Security protocols. Of these, 1074 had SSL implementation flaws that could be exploited via so-called man-in-the-middle attacks. The researchers say they chose 100 of the problematic apps for more detailed exploration; for 41 of them, SSL setup problems let the team capture credit card and bank account information, as well as login credentials for Facebook, Twitter, Google, Yahoo, Microsoft Live ID, and e-mail accounts. According to TechNewsWorld, the vulnerable apps have been installed on between 39.5 million and 185 million phones and tablets. "For SSL/TLS to work properly, every component must be used the way it is designed," Chet Wisniewski, senior security advisor at SophosLabs, told LinuxInsider. "The flaws pointed out in this research result from application developers turning off or ignoring one part of the TLS specification. It turns out this is quite easy to do as an Android developer, and Google does not have a human review process for every application like Apple does for its App Store."

A Wolf In Google’s Clothing?

Wait. Before you reply to that e-mail or click any of the links contained in it, are you sure that it came from the person or the company noted in the message’s header? ZDNet reports that Google, Yahoo and Microsoft have all recently fixed a vulnerability in their e-mail-signing mechanisms that made it possible for people to spoof messages using those companies’ domain names. The vulnerability, which related to the firms using RSA keys for e-mail signing that were shorter than 1024 bits, was first discovered by mathematician Zachary Harris. According to Harris’ own account in Wired, he discovered the flaw after receiving a job offer from someone purporting to be a headhunter with Google. Harris, suspicious that the e-mail might have been a phishing expedition, dug into its header information. He noticed that the DomainKeys Identified Mail (DKIM) key Google used was only 512 bits long. Harris told Wired that he thought the e-mail was an elaborate pre-employment test to see if he would notice—and how he would react to—the security flaw. So he promptly cracked the key and sent e-mails to Google co-founders Sergey Brin and Larry Page, posing as each other, that directed them to Harris’ website. Harris says he never received a reply from them, but within 2 days, Google had bolstered its cryptographic key to 2048 bits. Harris told Wired that he noticed the same problem (512- or 768-bit lengths) with the DKIM keys used by PayPal, Yahoo, Amazon, eBay, Apple, Dell, LinkedIn, Twitter, SBCGlobal, US Bank, HP, Match.com and HSBC. Cybercriminals’ phishing schemes would be greatly enhanced if they were able to use these sites’ e-mail addresses in come-ons geared to getting people who aren’t as wary or as tech savvy as Harris to navigate to a site containing malicious code or to divulge personal information.
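The check Harris did by hand, reading the DKIM record's key length, is easy to automate for your own domains. This is an added example, not code from the original post or from any company named in it: a DKIM TXT record's `p=` tag carries a base64 DER-encoded RSA public key, so the script decodes just enough ASN.1 to read the modulus size and flags anything under 1024 bits. The sample records and moduli are constructed here (they are not real keys) and no DNS lookup is performed.

```python
"""Audit the RSA key length published in a DKIM DNS TXT record (added example)."""
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded: tag 06, length 09
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    """DER length field: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                      # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo, the structure DKIM's p= carries."""
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))   # RSAPublicKey
    alg_id = _tlv(0x30, RSA_OID + b"\x05\x00")                      # rsaEncryption + NULL
    bit_string = _tlv(0x03, b"\x00" + rsa_key)                      # 0 unused bits
    return _tlv(0x30, alg_id + bit_string)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SubjectPublicKeyInfo and return the bit length of the RSA modulus."""
    tag, start, _ = _read_tlv(spki, 0)                      # outer SEQUENCE
    assert tag == 0x30, "not a SEQUENCE"
    tag, a_start, a_end = _read_tlv(spki, start)            # AlgorithmIdentifier
    assert tag == 0x30 and spki[a_start:a_start + len(RSA_OID)] == RSA_OID, "not rsaEncryption"
    tag, b_start, _ = _read_tlv(spki, a_end)                # BIT STRING
    assert tag == 0x03 and spki[b_start] == 0, "unexpected BIT STRING"
    tag, k_start, _ = _read_tlv(spki, b_start + 1)          # RSAPublicKey SEQUENCE
    assert tag == 0x30, "not RSAPublicKey"
    tag, n_start, n_end = _read_tlv(spki, k_start)          # INTEGER modulus n
    assert tag == 0x02, "modulus is not an INTEGER"
    return int.from_bytes(spki[n_start:n_end], "big").bit_length()


def parse_dkim_record(txt: str) -> dict:
    """Split a DKIM TXT record ("v=DKIM1; k=rsa; p=...") into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dkim_key_bits(txt: str) -> int:
    """Key length in bits, or 0 for an empty p= (a revoked key)."""
    tags = parse_dkim_record(txt)
    if tags.get("p", "") == "":
        return 0
    # b64decode discards whitespace, which DNS often inserts between quoted strings
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


def audit_dkim_record(txt: str, minimum_bits: int = 1024) -> str:
    bits = dkim_key_bits(txt)
    if bits == 0:
        return "revoked"
    return "ok" if bits >= minimum_bits else f"weak ({bits}-bit RSA)"


def make_dkim_record(modulus: int) -> str:
    """Build a constructed DKIM record around a test modulus (not a real key)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(modulus)).decode()


# Constructed sample records: the moduli are just 512- and 2048-bit numbers, not RSA keys.
WEAK_RECORD = make_dkim_record(2**511 + 1)       # the size Harris found on Google's selector
STRONG_RECORD = make_dkim_record(2**2047 + 1)    # the size Google moved to
REVOKED_RECORD = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("revoked", REVOKED_RECORD)):
        print(f"{name}: {audit_dkim_record(rec)}")
```

For a live selector, feed the TXT string returned by `dig TXT <selector>._domainkey.<domain>` to `audit_dkim_record`.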

Phishing Using a Government Guise

In a separate but closely related story, ZDNet reports that for nearly a week, cybertricksters were able to send e-mails using addresses with the .gov top-level domain fraudulently affixed. They were able to make their come-ons appear legitimate after they exploited a vulnerability in a service provided to Internet users by the U.S. government. The US General Services Administration (GSA) administers a URL shortener so that US government, military, and other official links can be shortened to something ending in “1.USA.gov” or “Go.USA.gov.” The latter of these is available only to users with an official government e-mail address. But anyone can send e-mails with links, shortened by Bit.ly, to something in the style of 1.USA.gov. Though the shortened links only point to official U.S. government websites, some of those sites had been tampered with so that they automatically redirect the user to malicious sites without warning. After having been notified of the exploit, Bit.ly changed its policy with regard to U.S. government links: even links to official US sites will get bit.ly addresses instead of 1.USA.gov addresses if they appear to be linking to an open redirect. Furthermore, says ZDNet, Bit.ly will warn users if the link appears suspicious.
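The policy change described above can be modelled as a small routing decision made before a short link is minted. This is an added example, not Bit.ly's or the GSA's code: a long URL only earns the trusted 1.USA.gov domain if its host is under .gov or .mil and none of its query parameters carry an absolute URL pointing off-host (the signature of an open redirect); otherwise it gets a plain bit.ly address. The parameter-name list and the sample URLs are constructed for this example.

```python
"""Decide whether a long URL may be shortened under the 1.USA.gov domain (added example)."""
from urllib.parse import parse_qsl, unquote, urlsplit

OFFICIAL_SUFFIXES = (".gov", ".mil")
TRUSTED_SHORT_DOMAIN = "1.USA.gov"
FALLBACK_SHORT_DOMAIN = "bit.ly"


def is_official_host(host: str) -> bool:
    """True for hosts under the .gov or .mil top-level domains (constructed rule)."""
    return host.lower().rstrip(".").endswith(OFFICIAL_SUFFIXES)


def looks_like_open_redirect(url: str) -> bool:
    """True if any query parameter carries an absolute URL to a different host."""
    parts = urlsplit(url)
    own_host = (parts.hostname or "").lower()
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)                  # catch double-encoded targets too
        if value.startswith("//"):              # scheme-relative URL: off-host by construction
            return True
        target = urlsplit(value)
        if target.scheme in ("http", "https") and target.hostname:
            if target.hostname.lower() != own_host:
                return True
    return False


def choose_short_domain(long_url: str) -> str:
    """Return the short-link domain this long URL is allowed to use."""
    parts = urlsplit(long_url)
    if parts.scheme not in ("http", "https"):
        return FALLBACK_SHORT_DOMAIN
    if not is_official_host(parts.hostname or ""):
        return FALLBACK_SHORT_DOMAIN
    if looks_like_open_redirect(long_url):
        return FALLBACK_SHORT_DOMAIN          # official site, but the link bounces elsewhere
    return TRUSTED_SHORT_DOMAIN


if __name__ == "__main__":
    # Constructed sample links; example.gov / evil.example are placeholders.
    for url in (
        "https://www.example.gov/press/release-1",
        "https://www.example.gov/exit?url=http://evil.example/login",
        "https://www.example.gov/go?next=%2F%2Fevil.example%2F",
        "https://www.example.gov/go?next=https://www.example.gov/home",
        "https://www.example.com/not-official",
    ):
        print(f"{choose_short_domain(url):9} <- {url}")
```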

IT Hiccups of the Week: Italian Airline Alitalia Ends Up Selling Tickets for €0.01

We start off this week’s review of IT-related “ooftas” with Italian airline Alitalia deciding to honor most of the tickets that were mistakenly sold at a heavier than planned discount. As described by ABC News, Alitalia was offering a limited-time world-wide 25 percent ticket discount, but for “technical reasons” the airline had to create a “unique E-Coupon worth 25,000 yen (approximately 250 euro) to be used exclusively for the purchase of flights from Tokyo or Osaka.”

However, a “system malfunction” occurred that allowed the E-Coupon to be used on all of Alitalia’s routes. As a result, the coupon made the cost of flying on some Alitalia flights, like that from Rome to Milan, which normally costs 115 euros, effectively “free.” As expected, word of the “bargain” spread like wildfire over social media networks.

At first, Alitalia said it would not honor the E-Coupon discounts outside of Japan, but later changed its tune saying that it would honor all tickets that cost at least one euro cent after the coupon discount was taken. “Free flights” ticket holders were out of luck. No word on how many travelers scored €0.01 tickets, how many lost out altogether, and how much this is going to end up costing Alitalia.

In another airline ticket pricing glitch, Scottish paper The Courier reported that on the commuter airline CityJet’s London to Dundee flights (the only direct service between the two cities), the online cost of booking a return ticket during late November had jumped from an average £168 to £535. CityJet didn’t notice the increase until customers called up and complained about the massive price spike.

The airline soon fixed the glitch, and apologized to customers who might have decided not to book a flight because of the mistake. It's unclear if anyone actually paid the mistaken higher ticket price, and subsequently received a refund for the corrected fare.

If you like cheddar cheese and live in the UK, you were in luck this week because of a pricing glitch at Tesco supermarkets. A computer error transformed what was supposed to be a £1 off deal on the sale of twin-packs of 350g Cathedral City Mature Cheddars (normally selling for £6.55) into a total price of £1 for the twin-pack of cheese, the Daily Mail reported. Well, faster than Wallace telling Gromit to grab the crackers, cheddar cheese lovers descended on Tesco stores and bought as many twin-packs as they could.

Tesco put a brave face on the fiasco, insisting that it wasn’t a glitch at all, saying instead that, “Our popular offer continues while stocks last.”

You may recall a similar Tesco pricing error caused a beer and cider stampede last year.

There were also car-related software glitches, one in the GM Volt and the other in BMW 7-Series cars, that surfaced this week. The New York Times reported that GM was going to upgrade the software in about 4,000 2013 plug-in hybrid Chevrolet Volt cars because a “software anomaly” associated with the vehicle's delayed time and rate charge mode could cause the electric motor to shut off while the vehicle is being driven. GM is telling owners to turn off the mode, which “allows owners to preselect a convenient time to charge the Volt’s batteries,” until the software is patched by a dealer.

The Detroit News reported that BMW is recalling 7,485 2005-07 7-Series cars for a software problem that “may allow the doors to inadvertently open when they appear closed.” BMW states in a letter to the National Highway Traffic Safety Administration (pdf) that, “The door may unexpectedly open due to road or driving conditions or occupant contact with the door. The sudden opening may result in occupant ejection or increase the risk of injury in the event of a crash.”

While no crashes or injuries have been reported as a result of the bug, there have been at least two complaints of inadvertent door openings, the Detroit News article stated. Safety regulators have known about the bug for five years, although I suspect very few BMW 7-series owners have even heard about it until now. Apparently, BMW and the NHTSA have been in long-time discussions over whether the issue warranted a recall or not. BMW says it thinks 70 to 80 percent of the affected vehicles have already received the software fix through the normal vehicle maintenance cycle.

Finally, on Monday the Amazon Cloud suffered yet another outage. At about 10:38 PDT, problems started to appear in Amazon's Northern Virginia data center, and they lasted for some twelve hours. Dozens of web sites, including Airbnb, Flipboard and Reddit, were affected as a result. Amazon’s Cloud suffered problems back in June, as well as just a few weeks ago.

PIN Pads Tampered With at 63 Barnes & Noble Stores in 9 States

Bookseller Barnes & Noble announced today that 63 of its stores in 9 states have been found to have had their PIN pad devices tampered with. The list of affected stores went coast to coast: California (20), Connecticut (3), Florida (11), Illinois (7), Massachusetts (3), New Jersey (4), New York (10), Pennsylvania (2), and Rhode Island (3).

According to the B&N press release, there was only one compromised PIN pad per affected store. The compromised pads, the first of which was apparently discovered on 14 September, according to the New York Times, were found to contain a “bug” that allowed for the capture of information from credit cards as well as debit cards and their PIN numbers. B&N stated that it has disconnected the PIN pads from all 700 stores nation-wide, and that “customers can securely shop with credit cards through the company's cash registers.”

According to press reports, B&N doesn’t know how many customers were affected, but is working with the credit card companies and banks to identify any card fraud that may have occurred. It is also telling customers who may have shopped at the 63 stores to change their debit card PINs and to check their credit card statements carefully.

The New York Times report also stated that B&N didn’t immediately inform customers of the PIN pad hack because law enforcement told it not to do so while the incident was being investigated, and furthermore, that B&N didn’t have to inform customers until 24 December. That would have been a happy holiday present.

The Times story doesn’t say why B&N chose now to announce the incident, other than to imply that word of it was becoming public, and B&N wanted to get ahead of the story.

The sophistication and geographic span of the tampering is reminiscent of the Michaels Stores PIN pad tampering discovered in May 2011, which affected 80 stores in 20 states, and last December's compromise of self-checkout terminals at 23 California-based Lucky Supermarket stores.

Harley-Davidson Survives Major IT Implementation; London’s Black Taxi Company Not So Lucky

Back in 2009, iconic motorcycle company Harley-Davidson began a painful restructuring of its manufacturing operations and work force in the face of weak consumer demand and nagging quality issues. One major element of its restructuring plan was a massive transformation of its York, Pennsylvania facility to increase its “factory customization, enable more flexible production and provide end-to-end supply chain integration.”

The effort was described by CEO Keith Wandell in April 2011 as including the “retraining our entire workforce on a new operating system, outsourcing nearly 2000 non-core parts and subassemblies, moving and reconfiguring production lines, implementing a new ERP [enterprise resource planning] system and redefining our vehicle delivery process. The restructuring of our York facility is expected to be largely complete in the first half of next year [2012]. Through the next several quarters, we continue to expect York deficiencies will be adversely impacted by restructuring activities.”

The company had hoped to launch the ERP system in the early spring of this year, but in testing the system, Harley said it found “opportunities to improve the design of the system and reduce downtime during launch,” according to a Central Penn Business Journal story. In other words, it didn’t work as expected. The launch date was pushed back into July, a delay that was somewhat fortuitous because it meant the ERP launch would not take place during the height of this spring’s selling season and would instead support the company’s transition to the 2013 model year, although the delay affected bike production as well.

Yesterday, Harley-Davidson announced that it had earned $134 million for the quarter ending Sept. 30, down from $183.6 million for the same quarter last year, due to the York ERP launch over the summer. However, the launch was successful, the company said, although it will likely take the next several months to fully optimize the system. The news, along with an increase in Harley's international sales, sent the company's stock up some 7.6 percent while the rest of the market took a beating.

Elsewhere in the automotive industry, however, the news is bleaker. Manganese Bronze, the maker of the iconic London black taxi, announced this week that it was going into administration, normally the U.K. equivalent of a U.S. Chapter 11 bankruptcy, but in this case probably its death knell. As I noted a few months ago, a new accounting system installed in 2010 missed some key transactions during the cut-over, which led to an understatement of £3.9 million in historical losses that wasn't discovered until recently. The company, which has been under strong competitive pressure, saw a massive sell-off of its already weakened stock.

Then a few weeks ago, the company announced a recall of 400 of its latest TX4 model taxis due to a steering box defect. The announcement forced the company to suspend trading in its shares.

Unless a deep-pocketed buyer emerges, the 64-year old company will be no more.

FTC Presents $50K Engineering Challenge: Block Illegal Robocallers

I, for one, hope that a prize of $50 000 is sufficient to entice someone to offer a practical solution to the ever increasing scourge of illegal robocalling (pdf) here in the US.

Last week, the U.S. Federal Trade Commission announced that, as part of its ongoing campaign against illegal, pre-recorded telemarketing calls, it will conduct an online contest beginning this week, called the FTC Robocall Challenge, to find the best technical or functional solutions and proofs of concept for blocking these calls on landlines and, if possible, mobile phones.

The FTC is offering $50 000 for the “best overall solution” which is determined using the following criteria:

  •     Does it work? (50 percent)
  •     Is it easy to use? (25 percent)
  •     Can it be rolled out? (25 percent)

The cash prize, however, will be awarded only to an individual, a team, or a firm employing fewer than 10 people. Larger organizations may compete for the FTC’s Technology Achievement Award, but no money will be awarded.

The FTC apparently has decided to go the public challenge route because while it has been “working with industry insiders and other experts to identify potential solutions,” the solutions being offered haven’t proven to be effective.

For those interested, you can go to the following links to see the FTC challenge rules, FAQ pages, evaluation criteria details, FTC robocall complaint data and other resources, and what information needs to be submitted. For instance, you don’t need to offer a solution to block both landline and mobile robocalls, although you will be scored lower if you don’t offer a comprehensive solution.

In addition, on Thursday of this week, when the contest officially begins, the FTC will host two live social media chats of 60 minutes each to answer questions about the challenge. Last week, the FTC also hosted an FTC Robocall Summit, whose materials cover the problem of robocalling, the current state of blocking technology, and the challenge itself.

What I would really like to see in addition to this effort is a decision to stop legal robocalling by political parties and charities.  These are now as bad as the illegal calls.

All challenge proposals must be submitted by 17 January 2013. The winners will be announced around 1 April 2013.

This Week in Cybercrime: Could Maryland Voter Registration Vulnerability Affect Election Outcomes?

Could a Hacker Make Thousands ‘Ineligible’ to Vote?

The Washington Post reports that a flaw in the implementation of the state of Maryland’s online voter registration system could have allowed wide-scale tampering with voters’ records. In late September, researchers at the University of Michigan and the Lawrence Livermore National Laboratory, along with a former president of the Association for Computing Machinery, wrote to members of the Maryland State Board of Elections warning that anyone who knew a Maryland voter’s full name and date of birth could easily change that voter’s address or other information, possibly forcing him or her to cast a provisional ballot on Election Day. What’s more, the researchers said, a simple program could have automated the attack and altered the registration files of thousands of Maryland residents without any of them, or the Board of Elections, noticing the problem until 6 November. According to the Washington Post, a few members of the State Board of Elections wanted to respond to the researchers’ warning, but they were overruled by a faction that judged the hacking scenario highly unlikely.

More than 100 000 voter files were changed before Maryland’s voter registration period closed at 9 p.m. ET on 15 October. “The board could not readily say how that number compared with similar periods before prior presidential elections, but they said it probably represented a significant increase,” the Washington Post reports.
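The researchers' point was twofold: the registration site authenticated changes with information that is effectively public (full name and date of birth), and nobody would have noticed an automated run of changes. The second half is a monitoring problem. The following is an added example, not code from the Washington Post story, the researchers' letter, or the Maryland Board of Elections: a small detection pass over a constructed change-audit log that flags the burst pattern an automated bulk-change attack would leave. The log format, field names, IP addresses, voter IDs and thresholds are all assumptions for illustration.

```python
"""Added example: flag automated bulk changes in a voter-record change log.

The log format (timestamp, source IP, voter ID, changed field), the sample
entries and the thresholds below are constructed assumptions, not data from
the Maryland system described in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log. One source changes six different voters'
# addresses within a few seconds, the signature of a scripted attack.
SAMPLE_LOG = """\
2012-10-12T08:01:10 203.0.113.5 V100231 address
2012-10-12T08:14:42 198.51.100.7 V100577 party
2012-10-12T09:02:03 203.0.113.9 V100902 address
2012-10-12T09:02:04 203.0.113.9 V100903 address
2012-10-12T09:02:05 203.0.113.9 V100904 address
2012-10-12T09:02:06 203.0.113.9 V100905 address
2012-10-12T09:02:07 203.0.113.9 V100906 address
2012-10-12T09:02:08 203.0.113.9 V100907 address
2012-10-12T10:30:00 192.0.2.44 V100311 address
"""


def parse_log(text):
    """Parse 'timestamp ip voter_id field' lines into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, voter, field = parts
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "voter": voter, "field": field})
    records.sort(key=lambda r: r["ts"])
    return records


def bursts_by_source(records, window=timedelta(minutes=5), limit=3):
    """Sliding window per source IP: flag any IP that modifies more than
    `limit` distinct voter records inside a single `window`.
    Returns {ip: peak_distinct_voters_in_window} for flagged sources."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, events in by_ip.items():
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until it fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = len({e["voter"] for e in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak > limit:
            flagged[ip] = peak
    return flagged


def hourly_rate_anomalies(records, field="address", threshold=4):
    """Flag clock hours in which more than `threshold` records had `field`
    changed. Returns {hour_start_datetime: count} for anomalous hours."""
    counts = defaultdict(int)
    for r in records:
        if r["field"] == field:
            hour = r["ts"].replace(minute=0, second=0, microsecond=0)
            counts[hour] += 1
    return {h: c for h, c in counts.items() if c > threshold}


def report(text):
    """Run both detectors over a raw log and return their findings."""
    recs = parse_log(text)
    return {"bursts": bursts_by_source(recs),
            "hours": hourly_rate_anomalies(recs)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed log the per-source detector flags 203.0.113.9 (six distinct voters changed within five minutes) and the hourly detector flags the 09:00 hour. Real deployments would compare against a baseline measured during prior registration periods rather than fixed thresholds, and would key on more than source IP, since an attacker can spread requests across addresses; the rate of changes per voter record and the share of changes arriving from automated clients are the signals that survive that evasion.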

Medical Devices Under Cyberattack

Panelists at an 11 October medical-device session at a meeting of the National Institute of Standards and Technology’s Information Security & Privacy Advisory Board noted that computerized hospital equipment is increasingly vulnerable to malware infections. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems,” Kevin Fu, a leading expert on medical-device security who is a member of the board, told Technology Review. “There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches," Fu says. A Technology Review article reporting on the meeting quotes Fu providing a typical example:

“At Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews.”

Mark Olson, chief information security officer at Beth Israel, told the panel that these computers are infected with malware so frequently that one or two have to be taken offline each week to have the harmful software removed. Olson noted infections have stricken many kinds of equipment, from fetal monitors to $500 000 MRI machines. It’s a wonder that there have been no reports that someone died in a hospital bed with doctors and nurses completely unaware because a machine overwhelmed with malicious code was taking errant readings.

Newer, More Targeted Version of Flame Discovered

Security researchers at Kaspersky Lab reported this week that they have identified a new variant of the Flame malware used to conduct cyberespionage. The malicious code, called "miniFlame," creates a backdoor in machines that can then be used by attackers to get in and write files to, steal files from, or capture images of what appears on the display of the compromised computer. Kaspersky says that, similarities to Flame and Gauss aside, miniFlame has a different purpose. The Internet security firm estimates that Flame and Gauss have infected thousands of systems; miniFlame, on the other hand, has infected only a few dozen. "This indicates that [miniFlame] is a tool used for highly targeted attacks, and has probably been used only against very specific targets that have the greatest significance and pose the greatest interest to the attackers," Kaspersky Lab told TechNewsWorld. Kaspersky says it has yet to identify who has been targeted, but notes that the nature of miniFlame provides further evidence in support of its belief that Flame and Gauss were created by the same group.

Google’s New Defense Against Malware-Infected Apps

Online news site Android Police has reported that Google may be implementing a new malware scanner in its Google Play Android app store. The scanner has two functions. The first is an "App Check" service that scans a handset to ensure that none of the applications already installed on the device are harmful. The other part is what Android Police describes as a "doorman-style app blocker" that delivers a warning such as “Installing this app may harm your device” if the user is about to download software that has been flagged as suspicious. ZDNet is speculating that the malware blocker is the creation of VirusTotal, a firm that makes a free online malware scanning utility. Google acquired the company in September.

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor: Willie D. Jones