
Virtru Crafts Countermeasures to Combat E-mail Snooping

This Week in Cybercrime

Anyone who still thinks that e-mail is a secure method for sending and receiving information, raise your hand. Well, it isn’t. Now, put your hands down and pay attention. When e-mail was first created, security was an afterthought. But in the wake of revelations about spying by the United States, China, and others, companies are attempting to remedy that by introducing new methods for encrypting messages.

One such company, a startup called Virtru, was founded by a former NSA data security researcher named Will Ackerly. He says the company’s secret sauce is in a browser extension that handles the encryption and decryption of content right on the device. It allows computer users to send secure messages through Gmail, Outlook, and Yahoo webmail interfaces without an external client. The software instantly encrypts whatever the user types in the body of an e-mail. The result: even the Web mail provider only sees encrypted content. Messages are encrypted in the Trusted Data Format (TDF). Ackerly knows quite a bit about TDF; he helped create the open-source security format in 2008 while still in the employ of the NSA.

Ackerly took the additional step of featuring elliptic curve Diffie-Hellman ephemeral key exchange, which means that Virtru generates a new Secure Sockets Layer, or SSL, key for every new e-mail session. Old ones are discarded. So if a hacker somehow gains access to a key or a government agency demands that it be turned over, its value is limited because it wouldn’t decrypt messages sent or received in previous sessions. This is meant to prevent a repeat of what happened to Lavabit, Edward Snowden’s former e-mail service provider. Lavabit fought, but ultimately lost, a court battle over whether it had to turn its SSL key over to the U.S. government, giving the Feds the ability to read all of its customers’ messages.

Virtru is also thinking about letting its customers manage their own keys. This would give a Virtru user the ability to limit access in terms of who can see a message and for how long. A sender could revoke a key and block access to a message, or rig it to expire at a preset time. Forwarded messages would remain encrypted and unreadable unless the new recipient receives authorization from the original sender.  
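The sender-controlled key model described above, as an added example that is not Virtru's or TDF's code: each message is encrypted under a fresh random data key that lives only in a key service alongside the sender's policy, so the sender can revoke it, let it expire, or authorize the recipient of a forwarded copy. The key service, the policy fields and the SHA-256 keystream cipher (a stand-in for a real AEAD, chosen to keep the example standard-library only) are all assumptions of this example.

```python
"""Minimal model of per-message data keys held by a key service with a
sender-controlled policy (recipients, expiry, revocation). The cipher is a
toy SHA-256 keystream stand-in for AES-GCM; the point is the key policy."""
import hashlib
import hmac
import os
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    # Stand-in for a real AEAD; not for production use.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class KeyService:
    """Holds each message's data key together with the sender's access policy."""

    def __init__(self):
        self._entries = {}  # message_id -> {key, recipients, expires_at, revoked}

    def register(self, message_id, key, recipients, expires_at=None):
        self._entries[message_id] = {"key": key, "recipients": set(recipients),
                                     "expires_at": expires_at, "revoked": False}

    def revoke(self, message_id):
        self._entries[message_id]["revoked"] = True

    def authorize(self, message_id, new_recipient):
        # The original sender extends the policy so a forwarded copy becomes readable.
        self._entries[message_id]["recipients"].add(new_recipient)

    def fetch_key(self, message_id, requester, now=None):
        """Return the data key, or None when the policy denies access."""
        entry = self._entries.get(message_id)
        now = time.time() if now is None else now
        if entry is None or entry["revoked"]:
            return None
        if entry["expires_at"] is not None and now >= entry["expires_at"]:
            return None
        if requester not in entry["recipients"]:
            return None
        return entry["key"]


def send(service, sender, recipients, plaintext, expires_at=None):
    """Encrypt under a fresh key and register the policy with the key service."""
    key = os.urandom(32)
    nonce = os.urandom(16)
    message_id = os.urandom(8).hex()
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    service.register(message_id, key, recipients, expires_at)
    # The envelope is all the mail provider or a forwarding recipient ever sees.
    return {"id": message_id, "nonce": nonce, "ct": ciphertext, "tag": tag, "from": sender}


def read(service, envelope, reader, now=None):
    """Return the plaintext, or None when the key service refuses the key."""
    key = service.fetch_key(envelope["id"], reader, now)
    if key is None:
        return None
    expected = hmac.new(key, envelope["nonce"] + envelope["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return _keystream_xor(key, envelope["nonce"], envelope["ct"])


def demo():
    """Walk through the access cases; returns a dict of outcomes."""
    svc = KeyService()
    t0 = 1_000_000.0  # constructed clock value
    env = send(svc, "alice", ["bob"], b"quarterly numbers attached", expires_at=t0 + 3600)
    results = {"bob_reads": read(svc, env, "bob", now=t0),
               "forwarded_to_carol": read(svc, env, "carol", now=t0)}
    svc.authorize(env["id"], "carol")
    results["carol_after_authorization"] = read(svc, env, "carol", now=t0)
    results["bob_after_expiry"] = read(svc, env, "bob", now=t0 + 7200)
    svc.revoke(env["id"])
    results["bob_after_revoke"] = read(svc, env, "bob", now=t0)
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case}: {value!r}")
```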

Ackerly says Virtru plans to offer the service, including all the aforementioned features, for free. According to a Computer World article, the company will generate revenue by “licensing its key management software to businesses, as well as offering other management and access visualization tools for encrypted email. Mobile clients are in the works as well, for Android and iOS.”

Target (and Its Customers) the Victim of Lax Network Security

Investigators are learning more about the data breach that let cybercriminals walk away with the credit and debit card information of tens of millions of Target customers over the holiday shopping season. And what they’re finding is troubling. The upshot: It’s becoming abundantly clear that the incident was not as much due to the genius of the hackers as it was to Target’s poor security controls.

Security blogger Brian Krebs, who originally broke the story of the Target breach, revealed on his blog that hackers gained access to Target’s network using login credentials they had stolen from a heating, ventilation, and air conditioning company. That vendor, Fazio Mechanical Services, was given access to Target’s network so that it could perform tasks such as remotely monitoring stores’ temperature and energy consumption. But it seems the retailer neglected to wall off the parts of its network containing sensitive payment card data.

Krebs says that according to sources close to the investigation, Target’s insistence that the company was the victim of a sophisticated cybercriminal campaign is purely make-believe. Once the hackers got their hands on Fazio’s username and password, they probed the network undetected, tested their malware on a few of Target’s point-of-sale devices, and eventually uploaded the malware to most of the cash registers connected to the network. The operation did not require the services of a criminal mastermind.

But it should have. The Payment Card Industry Data Security Standard, which companies like Target are required to follow, specifically says that companies should segment their networks and isolate sensitive cardholder data.

Facebook Domain Takeover Thwarted

Facebook celebrated its 10th birthday this week. The Syrian Electronic Army (SEA) decided to crash the party by attempting to hijack the social media site’s domain name and reroute it to a server under the hacker group’s control. The cybercriminals managed to get as far as modifying the WHOIS information for facebook.com, so that the domain's listed contact address was in Damascus, Syria. But they were thwarted in the more crucial step of pointing the website to one of their own servers because Facebook’s domain name registrar, VeriSign, has a registry lock feature requiring additional verification before making such a change.

You would think that requiring additional verification would be de rigueur, but the SEA has gained wide notoriety for successfully taking over domain names such as nytimes.com, sharethis.com, huffingtonpost.co.uk, and twitter.co.uk. (For a detailed account of such a domain name theft, read Steven Cherry's 2005 account of the attack on New York City ISP Panix.) In this instance, just as with the hacker group’s previous takeover campaigns, they attacked the target via a third party. The cybercriminals managed to gain some level of admin control at MarkMonitor, a domain name management company. The MarkMonitor hack was what allowed the SEA to change facebook.com’s WHOIS address.

In Other Cybercrime News…


F-35 Software: DoD's Chief Tester Remains Unimpressed

IT Hiccups of the Week

Last week was a very quiet week in regard to reported IT-related system snarls, snags and snafus. With yesterday being Groundhog Day here in the U.S., and in keeping with the spirit of the movie of the same name, I have decided to return once more to the F-35 Joint Strike Fighter and its continuing software “challenges.”

Last week, the Department of Defense's Director of Operational Test and Evaluation (DOT&E), J. Michael Gilmore, publicly released his annual report on major U.S. defense acquisitions. Gilmore reiterated his frustration with the lack of reliability and supportability of software in major defense support and weapon system programs. While Gilmore’s report highlighted many defense programs' software problems, those related to the F-35 continue to hold center stage.

For instance, in October 2013, a new increment of Block 2B software—the block that provides initial combat capability—that was supposed to include many fixes to previously identified deficiencies, began flight testing, the report says. However, the DOT&E report goes on to say:

“Initial results with the new increment of Block 2B software indicate deficiencies still exist in fusion, radar, electronic warfare, navigation, EOTS, Distributed Aperture System (DAS), Helmet‑Mounted Display System (HMDS), and datalink. These deficiencies block the ability of the test team to complete baseline Block 2B test points, including weapons integration.”

Although plans call for the military to “complete Block 2B flight testing in October 2014...there is no margin for additional growth to meet that date,” the DOT&E report found. “Projections for completing Block 2B flight testing using the historical rate of continued growth ... show that Block 2B developmental testing will complete about 13 months later, in November 2015, and delay the associated fleet release to July of 2016.”

In addition, the DOT&E report notes that there are still problems with the F-35's Block 2A software, i.e., the block that is “designed to provide enhanced training capabilities to the Integrated Training Center at Eglin AFB, Florida, and to the first operational units.”

The F-35 test teams found:

“deficiencies in the aircraft sensor operations, particularly the Electro-Optical Targeting System (EOTS), aircraft communications capabilities, pilot electronic interfaces, and the aircraft Caution, Advisory, and Warning System. Although the software was intended to provide more mission systems capability, poor sensor performance and stability, excessive nuisance warnings, and disproportionate pilot workload required for workarounds and system resets made the software of limited utility for training. In any type of operational mission scenario, the performance of the software would be unacceptable.”

These and other software issues, e.g., related to the F-35's Autonomic Logistics Information System (ALIS)—as well as non-software related problems—notwithstanding, neither the U.S. military's nor its international partners’ enthusiasm for the F-35 has diminished. The Marine Corps, for instance, insists it's still planning for a 2015 IOC (initial operating capability) for its F-35B version, while the U.K. says it is close to placing its first order and South Korea is expected to do so later this year.

The F-35 Program Office complained that while Gilmore’s report “was factually accurate” it “did not reflect concerted efforts under way by this office and industry to address software, reliability and maintenance issues,” Reuters reported. “Of course, we recognize risks still exist in the program, but they are understood and manageable,” the Program Office insisted.

Gilmore may need to remind the F-35 Program Office (again) that the DOT&E office deals with facts, not promises.

Gmail Glitch May Have Deleted Emails

I noted in last week’s IT Hiccups that Gmail and many other Google online applications including Calendar, Talk, Drive, Docs, Sites, Groups, Voice and Google+ Hangouts suffered an outage on Friday, 24 January that lasted a little more than an hour. While Google says that the outage—caused by a “software bug” that resulted in a misconfiguration of its systems—was quickly fixed, apparently there was some collateral damage that wasn’t immediately discovered.

As reported by the Verge, some Gmail users received a message early last week that stated, “You may have been impacted by a recent issue in Gmail that inadvertently caused some actions (e.g. delete, report spam) taken while viewing a message to be applied to a different message. The issue occurred between January 15 and January 22 and is now fixed. We encourage you to check your Trash and Spam folders before February 14, 2014 for any items you did not intend to delete or mark as spam and move them back to your inbox. We apologize for any inconvenience.”

The exact number of affected Gmail users is not clear (Google indicates no more than 0.2 percent of its users), since only some platforms (e.g., Google’s iOS app, mobile browsers, and the offline version of Gmail) and only some users of those platforms were affected.

Aspiring Drivers in Ahmedabad, India Frustrated by Transport Office Server Problems

There are some universal experiences that bond all humans together, like the enjoyment of good food, hearing good music, and wasting one’s time waiting at a department of motor vehicles office. As reported by the Ahmedabad Mirror, we can all no doubt empathize with the 800 Amdavadis who had booked in advance a time to come in and apply for their learner’s license but “were forced to cool their heels for hours at Ahmedabad Regional Transport Office near Subhash Bridge” because of a server problem.

The Mirror story stated that the server problem occurred last Thursday morning, and officials at the RTO had hoped to resolve the problem by noon. However, this didn’t happen; the problem wasn’t fixed until late Friday. Meanwhile, RTO officials told the disappointed applicants who had waited right through the time the office closed on Thursday afternoon to come back and wait again this week.

F-35 Joint Strike Fighter Software Problems Linger On

F-35 Software Remains Seriously Flawed

Software Issues May Affect Marine F-35 Planned IOC

What’s Likely Behind F-35 Software Issues?

F-35 Program Office Says It's “Laser-focused” on Software Problems

Some Gmail Users May Have Had Email Accidentally Deleted

Gmail Bug Deletes Some Users’ Emails

Gmail Glitch Affects Emails

Only 0.2 Percent of Gmail Users Likely Had Emails Deleted

Aspiring Drivers in Ahmedabad, India Told To Come Back After Server Shuts Down Testing

RTO Server Crash Frustrates Learner’s Driving License Applicants

Of Other Interest …

Software Problems Distorting UK Further Education and Skills Statistics

Problems Plague Boston’s New MBTA Rail Cars

Citibank Payment Problems Affect UK Tax Filings

Successful State Health Exchanges Worry over ACA Flaws

Multi-Year NHS Glitch Causes £3.4 million in Over-payments to Scottish Dentists

Computer Issue Causes Urgent Jury Summons in Delaware

Photo: U.S. Air Force

App Proves Adage: Just Because I’m Paranoid Doesn’t Mean They’re Not Watching Me

This Week in Cybercrime

A team of researchers at Rutgers University in Piscataway, N.J., has developed an Android app designed to heighten awareness of just how frequently cellphone users’ location information is accessed by apps and other software. "All apps that access location need to request permission from the Android platform," Janne Lindqvist, who led the research project, told Computerworld. "The problem is that people don't pay attention to these default disclosures."

The team noted that although Android phones feature a GPS indicator that flashes on and off when an app is trying to access the user's location, most people never notice it or simply misunderstand the message being conveyed by the icon.

Their app—which they tested on several Android devices running apps including Firefox and TuneIn Radio—bridges that communication gap by flashing a message across the handset’s screen: "Your location is being accessed by [app name]."

The idea is to get consumers thinking about why apps such as Angry Birds and Dictionary.com collect location and device ID information and to find out whether awareness of this data collection will affect users' attitudes towards apps. As expected, participants in the study [pdf] featuring the app were surprised at how often some apps accessed their location, and that some other apps accessed their location at all.

The team says it is putting the finishing touches on its app (currently known as the RutgersPrivacyApp) so it can make it available at the Play Store.

Which Retail Stores Haven’t Been Hacked?

Last week, we asked which chains, other than Target and Neiman Marcus, had seen their point-of-sale systems give away the store with respect to their customers’ credit card information. We noted that security researchers had already uncovered evidence that half a dozen more companies had had their digital pockets picked. But apparently that was the tip of the iceberg. It was revealed this week that payment card information has been stolen from several dozen retailers’ networks since the end of October. The culprit in the overwhelming majority of those cases was a memory-scraping malware program called ChewBacca. The program—so named because the Star Wars character appears prominently on the login page for the server that collected data from infected machines—also has a keylogger and installs an executable file that lets it survive system reboots.

Though ChewBacca was first identified by researchers at Kaspersky Lab in a December blog post, much of what we’ve learned about it since has been uncovered by antifraud researchers at RSA. After analyzing the malicious code and its command-and-control infrastructure, RSA figured out that 32 of the 45 affected retailers are based in the United States; others are in Russia, Canada, and Australia. The researchers wouldn’t reveal the identities of the compromised retailers, saying only that they have advised the companies to report everything they know to the proper authorities.

Hackers R Us

An international law enforcement operation has netted the low-hanging fruit on the tree of online criminal activity. Officials proudly announced that they’ve snatched up 11 people in the United States, India, China, and Romania and have charged them with crimes based on their alleged involvement with websites offering e-mail hackers for hire. Authorities say the suspects—who were the operators of websites such as needapassword.com—or the sites’ clients were responsible for hacking into fewer than 10 000 e-mail accounts. Meanwhile, the cybercriminals that run phishing schemes aimed at gaining access to tens of thousands of inboxes at a clip go on unmolested.

Oracle’s Jedi Mind Trick: This Is Not a Security Flaw; It's a Configuration Error

Bad: Two vulnerabilities in Oracle’s older database packages allow hackers to access a remote server, view the server’s file system, and dump files—all without a password. Worse: More than two years after security researcher Dana Taylor reported the flaws, Oracle has yet to release a patch for one of them, and, according to Taylor, the patch belatedly created for the other didn’t actually fix the vulnerability. Worst—for Oracle, anyway—Taylor kept detailed notes on her interactions with the company.

3VILDATA Blogger Discovers Key to Making Good Modems Go Bad

Security researcher and blogger Andreas Lindh reported this week that hackers can take advantage of security holes in some USB modems and force the machines to send malware-laced text messages to any phone number or act as staging areas for spear-phishing attacks. Lindh declined to identify the manufacturer of the device upon which he carried out the exploit because he had yet to notify the vendor.

In Other Cybercrime News…

Aleksandr Andreevich Panin, a Co-Creator of the SpyEye Banking Trojan, Pleads Guilty

VPN Bypass Bug Recently Found to Affect Android Jelly Bean 4.3 Now Identified as a Problem for Android KitKat 4.4.

Gag Orders Related to U.S. Government Demands for Data from Telecom Companies Under the Foreign Intelligence Surveillance Act Have Been Partially Relaxed

Senators Question Intelligence Officials About Snowden, Domestic Surveillance

Issa, Five Other Congressmen Call For DNI Clapper’s Removal


How a Misplaced Decimal Point Led to €188 Million in Unintended Gov't Largesse

IT Hiccups of the Week

Last week was an unusually busy week across the global landscape of IT-related snafus, snarls and peculiar system interruptions. For instance, last Wednesday, quick-drying cement from a nearby construction site accidentally flowed into the London Underground’s Victoria line signal control room, significantly disrupting Central London Tube service for the day. Then, on Thursday, a human error during system maintenance caused a power outage that took out the automated train signaling system for three of New York City’s Metro-North lines, stranding thousands of the city’s train commuters for a good part of the evening. In light of these two events, I decided to start this week’s IT Hiccups with a software-cum-human error that occurred late last year, but only lately has been explained.

In mid-December, the Amsterdam Herald reported that Amsterdam’s tax office was trying to figure out how €188 million was mistakenly paid out in annual government rent subsidies to some 10 000 people instead of the expected €2 million or so. In some cases, people received as much as €34 000 in housing subsidies.

What made the error more disconcerting was that no one in Amsterdam’s tax office seemed to have noticed. The Amsterdam Herald quoted City alderman Pieter Hilhorst as saying, “How can it be that no alarms went off? ... It seems we’re able to pay out €188 million without realizing it.”

The investigation into the error ordered by Hilhorst recently disclosed that the software used by the Amsterdam government “calculates payments in cents rather than euros” and no one in the finance office seemed to have noticed the slight discrepancy. A story at Dutch News states that “all but €2.4m of the €188m in wrongful payments” has been recovered (while half of the remaining amount probably will never be paid back). Furthermore, says the Dutch News story, the city spent some €300 000 trying to understand and fix the situation. Other news reports state that the Amsterdam city council is putting more controls over its finance office to keep such an error from happening again.
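The cents-versus-euros mistake described above, as an added example that is not Amsterdam's software: entitlements are stored as integer cents, the disbursement step expects euros, and skipping the one explicit unit conversion pays everyone 100 times too much. The batch-level checks (budget total and per-recipient ceiling) are the kind of alarm the alderman asked about; the figures are constructed for illustration, with one recipient's stored value chosen so the faulty run pays €34 000 as in the article.

```python
"""Batch subsidy run with an explicit cents-to-euros conversion, the 100x
error that results from omitting it, and reconciliation checks that flag it."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Entitlement:
    recipient: str
    annual_cents: int  # stored as integer cents to avoid float rounding


def cents_to_euros(cents: int) -> Decimal:
    """The only place where stored cents become euros for payment."""
    return (Decimal(cents) / 100).quantize(Decimal("0.01"))


def build_payment_batch(entitlements, convert):
    """Produce (recipient, euros) pairs; `convert` maps the stored value to euros.
    Passing an identity function instead of cents_to_euros reproduces the error."""
    return [(e.recipient, convert(e.annual_cents)) for e in entitlements]


def reconcile(batch, budget_euros, per_recipient_ceiling_euros):
    """Batch-level controls; returns a list of alarm strings (empty means OK)."""
    alarms = []
    total = sum(amount for _, amount in batch)
    if total > budget_euros:
        alarms.append(f"batch total {total} exceeds budget {budget_euros}")
    for recipient, amount in batch:
        if amount > per_recipient_ceiling_euros:
            alarms.append(f"{recipient}: {amount} exceeds ceiling {per_recipient_ceiling_euros}")
    return alarms


# Constructed sample data: annual subsidies of EUR 200, EUR 340 and EUR 1 460.
SAMPLE = [Entitlement("A", 20_000), Entitlement("B", 34_000), Entitlement("C", 146_000)]
BUDGET = Decimal("2100.00")   # constructed annual budget for this batch
CEILING = Decimal("1500.00")  # constructed maximum annual subsidy per recipient


def run(correct: bool):
    """Return (batch total in euros, alarms) for a correct or a unit-confused run."""
    convert = cents_to_euros if correct else (lambda c: Decimal(c))  # bug: cents paid as euros
    batch = build_payment_batch(SAMPLE, convert)
    return sum(amount for _, amount in batch), reconcile(batch, BUDGET, CEILING)


if __name__ == "__main__":
    for label, correct in (("correct", True), ("cents-as-euros", False)):
        total, alarms = run(correct)
        print(f"{label}: total EUR {total}, {len(alarms)} alarm(s)")
        for alarm in alarms:
            print("  ALARM:", alarm)
```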

It could have been worse: Amsterdam could have been launching a $125 million Mars Climate Orbiter and lost it because of a failure to convert from English to metric units.

China Suffers Web Outage It Blames on Hackers; Others Say it Was Self-inflicted

Last Tuesday, the New York Times and others reported that up to two-thirds of Internet traffic in China—text, audio, and video sent by hundreds of millions of people—was disrupted by what the Chinese government said was the work of hackers associated with the Falun Gong movement. The Times stated that, “The China Internet Network Information Center wrote on its official Weibo account that the outage was caused by a glitch in the Domain Name System servers that convert alphabetical website addresses into the numerical addresses of computers on the Internet. Instead of matching the names of popular Chinese sites with their proper addresses, the DNS servers instead redirected users to an address associated with the homepage of United States-based Dynamic Internet Technology.”

DIT, the Times states, “is best known for a software tool called Freegate that helps Internet users in China circumvent the government’s pervasive system of online censorship and filters.”

DIT denied any involvement in the outage, and said that it was more likely caused by a “misconfiguration” in China’s own Great Firewall Internet censorship program. DIT's contention was supported by Greatfire.org, which collects information pertaining to Internet censorship in China.

As of now, China is still claiming to be a hacking victim, although the government apparently is softening its accusations by saying it isn’t sure who is responsible.  

Gmail and other Services Experience Outage

On Friday, Gmail and many other Google online applications including Calendar, Talk, Drive, Docs, Sites, Groups, Voice and Google+ Hangouts went down at about 1410 EST and didn’t return until 1520 EST, Computerworld reported. Google, says Computerworld, stated that for about 25 minutes, “most” users of its online services were unable to access them, thereby potentially affecting hundreds of millions of users around the world.

Google apologized for the outage, saying that “an internal system that generates configurations—essentially, information that tells other systems how to behave—encountered a software bug and generated an incorrect configuration. The incorrect configuration was sent to live services over the next 15 minutes, caused users’ requests for their data to be ignored, and those services, in turn, generated errors.”

On the same day, a different and pretty bizarre Google-related hiccup caused David S. Peck of Fresno, California, to receive thousands of no-subject, blank e-mails. According to this story at Time, “users who searched [in Google search on Friday for] ‘Gmail’ were led to a results page with a link that said ‘Email.’ Clicking that link created a new email with Peck’s address—dsp559@hotmail.com—already filled in.”

Tech Crunch, which first reported the story, has some interesting screenshots and other background information on the weird error.

Google, which fixed the problem by late Friday night, has apologized to Peck “for any inconvenience caused.”

Amsterdam Pays Out 100 Times More in Rent Subsidies Than Planned

Amsterdam Investigates Error that Causes €188 Million Benefits Overpayment

Software and Staff Blamed for Amsterdam Benefit Error

Amsterdam Error Caused by Software and Poor Staff Oversight

Two-Thirds of China's Internet Disrupted

China Blames Hackers for Internet Problems

China Internet Outage May be From Censorship Changes

Unclear What Caused China Internet Outage

Gmail, Other Google Services Experience Outage

Gmail and Other Services Go Down for Over an Hour

Google Apologizes and Explains Reasons for the Outage

Bizarre Google Bug Sends Unwanted E-mails to Hotmail Account

Google Glitch Sends Thousands of E-mails to One Man’s Hotmail Account

Of Other Interest …

Commuter Chaos as Quick-Drying Cement Fills Victoria Station Control Room

Human Error Blamed for Metro-North Train Delays

Auto Credit Cars Inadvertently Disabled by Software Problems

Telecommunications Services of Trinidad and Tobago Paychecks Delayed by Technical Error

Arkansas State Workers Receive Paychecks Early Due to Software Error

Russia’s Avia Center Refunds 800 Customers for Plane Ticket Glitch

Lloyds Banking Group Technical Issues Affect ATMs and Debit Cards Across UK

Apple Will Fix iOS 7 Random Reboot Issue

UK Screwfix.com Screw-up Gives Scrooge-Approved Bargains

Millions in Switzerland Charged Twice for Debit/Credit Card Purchases

Tech Problem Duplicates Visa Debit Payments at Bank of Ireland

Maine’s Unemployment System Payment Glitch Fixed

Software Issue Shuts Down Melbourne's Docklands Observation Wheel

Taiwan Demonstrators Protest Persistent Problems with eTag System

Illustration: Bjarn Kindler/Getty Images

Which Retailers Besides Target and Neiman Marcus Have Been Hacked?

This Week in Cybercrime

We learned this week that the upscale retailer Neiman Marcus suffered basically the same security breach as the one that affected Target during the height of the holiday shopping season. Malware installed on its networks infected its point-of-sale system; the malicious code collected payment card data, including PINs, for 1.1 million customers.

While Neiman Marcus and Target—whose security lapse left credit card data for 70 million of its customers in the hands of cybercriminals—have been in the news, they’re not the only ones who've had their digital pockets picked. According to researchers at IntelCrawler, an online intelligence-gathering service that helps firms spot cyberthreats, chatter on forums where cybercriminals ply their trade has revealed that as many as six other retailers have also had their systems—and their customers’ information—compromised. IntelCrawler is not naming names, but says it is providing technical information related to the breaches to the appropriate authorities.

NSA Phone Snooping Illegal and Ineffective, Says Review Board

The U.S. government’s Privacy and Civil Liberties Oversight Board released a 238-page report [pdf] this week calling the National Security Agency’s collection of metadata related to U.S. residents’ phone calls illegal and recommending that the practice be ended. The panel concluded that the program not only “lacks a viable legal foundation under Section 215 [of the U.S. Patriot Act]” but has also been largely ineffective.

“We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack,” said the board’s members. “And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect.”

Fill-Up Fraudsters Nabbed

A team of fraudsters who installed Bluetooth-enabled skimmers on the credit card readers at refueling stations across Texas, Georgia, and South Carolina were indicted this week. The thirteen defendants allegedly stole more than US $2 million from customers who filled their tanks at Raceway and RaceTrac stations between March 2012 and March 2013. Because the skimmers communicated via Bluetooth, the thieves could surreptitiously download the data without ever rousing suspicion. According to the criminal complaint, the gang used the stolen credit card information to produce phony cards that they subsequently used to withdraw cash and spread it across 70 different accounts in an effort to launder the money.

In Other Cybercrime News…

Image: Getty Images

Cybercrooks Score: Half of All South Koreans’ Credit Card Data

If you didn’t know, now you know: there probably shouldn’t be any expectation that credit card information—or any personal details stored in digital form—is completely safe from hackers. Just as shoppers in the United States were grappling with the theft of 70 million credit card accounts from Target, comes word that credit card data for nearly half of all South Koreans has been purloined. More than 20 million South Korean credit card accounts, including those belonging to President Park Geun-hye and United Nations Secretary-General Ban Ki-moon, were part of the trove plundered in the cyberheist.


Feds Come to Help Florida Sort Out Unemployment System Woes

IT Hiccups of the Week

Last week was an unusually quiet week in the land of IT-related snafus. Most of the snarls reported concerned existing tech issues that continue to fester without resolution. For example, late last week, Florida decided to pay unemployment claims that have been on hold for more than seven days in an attempt to relieve the financial pressure on at least 60 000 unemployed workers. They hadn’t been paid in a timely manner because of ongoing problems with the implementation of the state’s $63 million CONNECT unemployment insurance system, which was rolled out in October. The Sun-Sentinel reports that the difficulties still being encountered three months after the system went live “range from inaccurate information being provided to claimants and the state, non‐functional fraud protections, and even the inability to use bar‐coding software for paper claims.”

Despite the Florida Labor Department's announcement that it is hiring 500 new workers to help resolve new and outstanding unemployment claims, the U.S. Department of Labor is sending experts to help Florida unravel its technological mess. Deloitte Consulting, the system’s prime contractor, is also reportedly adding more technical personnel to try to get to the bottom of the ongoing problems, even as it publicly says that Florida is at fault for causing them in the first place.

As you may recall, Florida has begun assessing penalties on Deloitte: It has withheld $3.5 million in progress payments, and is fining the company $15 000 per day until the system is fixed. In hearings last week, Florida again put all the blame for the fiasco on Deloitte, which Deloitte heatedly contests. News reports state that at least one Florida lawmaker is suggesting that Deloitte be barred from future Florida contracts, something that Australia’s Queensland government has done to IBM as a result of Big Blue's role in the Queensland Health payroll debacle.

The Florida unemployment fiasco has turned into a major political issue for Governor Rick Scott, who is facing reelection this November. Gov. Scott has remained studiously silent about the whole affair, no doubt hoping it all blows over well before voting day.

Problems Continue to Plague Maryland’s Health Insurance Exchange

Last week also saw more IT problems associated with several states’ implementation of the Affordable Care Act (ACA). Maryland’s difficulties seem to have been the most significant. First, there were legislative hearings early in the week looking into why Maryland’s health insurance exchange was so messed up. The bottom line was that no one was in charge, vendors and the state did not get along, the vendors themselves did not get along, no one wanted to hear about the myriad significant technical risks, and political motivations dominated decision making. In other words, all the makings of an all-too-typical government IT project.

Then, on Saturday, there was word that Maryland's healthcare exchange website incorrectly listed the Seattle Pottery Supply company’s telephone number as the one that individuals seeking help in signing up for health insurance should call. The pottery company is understandably unamused. Then it was reported late Sunday night that Medicaid enrollment applications involving over one thousand individuals were sent to the wrong address by Noridian, the exchange’s prime contractor. Maryland officials insist the error isn’t a data breach, since the information did not contain Social Security numbers, “just” a person’s name, date of birth, and Medicaid ID number.    

OfficeMax Needs to Seriously Check its Rented Mail List

Finally, there was an unfortunate and disturbing mailing glitch reported by the Chicago Tribune. Apparently, OfficeMax sent some advertising material addressed to “Mike Seay, Daughter Killed In Car Crash, or Current Business.”

The Tribune reported that Mike Seay’s daughter Ashley, 17 years old, was indeed killed in a car crash last year along with her boyfriend. An angry Seay wanted to know how OfficeMax came by that information in the first place, and how and, most importantly, why it ended up printed on his address label.

OfficeMax, which wasn’t forthcoming with any explanation to Seay’s questions before the press got involved, said it had rented the mailing list from a third-party company which it refused to identify. OfficeMax, while offering through a press release the standard apology to the Seay family, has not, as of yet, directly apologized to Mike Seay and his wife, who are still naturally upset about the mailing.

The case raises some thought-provoking issues with data mining and privacy. I will let you know if OfficeMax decides to offer a more in-depth explanation of how this sad incident came to be.

Florida’s New CONNECT Unemployment System Still Disconnecting

Florida Lawmakers Press Labor Department Officials over Ongoing CONNECT Problems

Thousands of Unemployed Floridians Will Finally Receive Unemployment Checks

Florida Blames Vendor for Unemployment System as Feds Ride to Rescue

Passing the Buck Over Unemployment System Debacle

Gov. Scott Impersonates Where’s Waldo in Regard to Unemployment Fiasco

Maryland’s Health Exchange Bad Week

Maryland Healthcare Officials’ Website Wishful Thinking

Maryland Healthcare Officials Have Few Credible Answers to Legislators’ Questions

Seattle Pottery Company Receives Maryland Health Exchange Help Inquiries

Maryland Health Exchange Sends Medicaid Applications to Wrong Individuals

Father Receives OfficeMax Ad Additionally Addressed with “Daughter Killed In Car Crash”

Dad gets OfficeMax mail addressed 'Daughter Killed In Car Crash'

OfficeMax Apologizes for Address Error

Will OfficeMax Letter Spur Data Mining Backlash?

Of Other Interest …

Number of UK Cattle Herds with TB Likely Overstated

North Carolina Computer Issue Affects Online Final Exams

North Carolina NCFast Computer Problems May Be Fixed by April

North Carolina Healthcare Providers Sue State over NCTracks Billing Snafus

Tulsa Fire Dispatch System Not Completely Fixed After All

5000 New Workers All Appear At Once for Mandatory Medical Exam in Qatar Due to Online Booking Error

Jersey Telecom’s New Billing System Spurs Barrage of Complaints

Image: iStockphoto

GM Recalls 370 000 Pickup Trucks for Software Update to Reduce Fire Risk

IT Hiccups of the Week

There were a wide variety of errors, faults, and general IT-related ooftas to choose from last week. But GM’s recall of 370 000 of its 2014 model year Chevrolet Silverado and GMC Sierra full-size pickup trucks, in order to update their software and reduce the likelihood that their exhaust systems will overheat and catch fire, caught our eye. According to the Detroit News, “When [a] truck idles, it should use two cylinders…but because of a software glitch, the recalled trucks idle with most of the cylinders. That causes the vehicles to overheat and leads to the fires.” So far, there have been eight reported fires, but no injuries.

All of the affected trucks have V-8 engines, but the recall is also being extended to trucks with V-6 engines. Owners should be on the watch for a continuously yellow “check engine light” and an “engine power reduced” message on the vehicle’s information center, the News reported. GM is also telling truck owners not to leave their trucks to idle unattended, which they may do especially in colder climates while warming them up.

The recall is a bit of an embarrassment for GM, because the Silverado, a highly popular and profitable product for GM, is also one of three finalists for the North American Truck of the Year award that is to be announced later today. [Update: the Silverado did win Truck of the Year.] Owners of the affected vehicles will be notified later this week about when they can come in for the software update. The procedure should only take 20 minutes or so to complete.

Your Flight Will Take Off When We Locate the Crew

The recent cold and wintery weather has made flying in the U.S. and Canada a most unpleasant experience for many travelers. While the weather has been responsible for over 20 000 canceled flights and 40 000 delays since the first of the year, Bloomberg News reported that problems with United Airlines’ Crew Communication System (CCS), which is used to communicate schedules and other information to its onboard personnel, have added to the woes. According to Bloomberg, on 30 December 2013, all 10 200 of the airline’s pilots were shifted to the crew communication system previously used only by Continental Airlines pilots. You may recall that United and Continental merged in 2010, and that the merger of their automated reservation systems wasn’t the smoothest on record. Further complicating the transition was a CCS software update designed to comply with a new federal requirement, which came into effect on 4 January, that limits the number of consecutive hours a given pilot can be on duty.

However, Bloomberg reports, since the shift, the CCS has been prone to crashing and displaying out-of-date crew scheduling information. As a result, the system has lost track of crews’ whereabouts, left them stranded, or made them late for flights, leading to both flight cancellations and delays, Bloomberg claims. United acknowledges there have been some technical issues with the CCS, but denies it has lost or stranded crews. United told Reuters that most of the reported crew problems were due to weather, not CCS, issues.

In other air travel news, a software problem with check-in counters coupled with bad weather meant hours of delays and several flight cancellations over the weekend at Toronto’s Pearson International Airport. The cause of the software issue, which was cleared up early Sunday morning, was not given by the airport's spokesperson.

Stock Market IT Reliability Not Trending Upward

Stock traders had hoped that 2014 would bring fewer of the exchange and other stock-related “glitches” that plagued them throughout 2013. Alas, last week saw fresh problems reported with the NASDAQ Options Market, as well as online brokerage firm E*Trade. While the former lasted for less than 30 minutes, the E*Trade outage lasted for nearly 5 hours. The causes of both outages are reportedly still under investigation.

Finally, the implementation of the Affordable Care Act (ACA) website and supporting systems continues to make news. According to the Washington Post, the ACA website development and support contract for prime contractor CGI will not be renewed. Instead, the maintenance contract will be given to Accenture under a sole-source contract. CGI insists it was not fired; let's just say it wasn't rehired due to the underwhelming quality of its work.

GM Issues Software Update to Reduce Fire Risks to Pickup Trucks

GM Recalls 370 000 Trucks for Fire Risks

GM Recalls Chevy, GMC Pickups

GM Recalling Majority of 2014 Pickups Due to Fire Risk

United Airlines Has Problems with its Crew Communication System

Crew Communication Systems Problems Lead to Flight Cancellations, Crews Being Stranded

United Says Bloomberg Wrong about Pilots Stranded by CCS Issues

Software Problem at Toronto’s Pearson International Airport Said to be Fixed

NASDAQ and E*Trade Suffer Outages

NASDAQ Options Market Issue Resolved

E*Trade Suffers Disruption To Website and Mobile Trading Platforms

Of Other Interest …

Alaskan Airlines Online System Offers New but Already Expired Promotional Deals

Software Crash Takes out Ohio’s Bureau of Motor Vehicles

Computer Failure Leads to Burst Water Pipe, Water Outage in West Memphis, Arkansas

Dropbox Says Outage Caused by Maintenance Issue, Not Hackers

Google Apologizes for Berlin Map with Nazi-Era Street Name

Marks & Spencer Advertises £700 Chairs for 50p Online

Tulsa, Oklahoma’s Malfunctioning Fire Dispatch System Now Working Correctly

Photo: GM

Australian Agency Calls Cops on Teenage Do-Gooder Who Reports Website Vulnerability

This Week in Cybercrime Pessimists are fond of saying that no good deed goes unpunished. An Australian teenager who reported a security vulnerability in a government website and now faces legal troubles probably agrees. Joshua Rogers, a 16-year-old Victoria native, discovered a security hole that gave him access to a database containing the full names, addresses, home and mobile phone numbers, e-mail addresses, dates of birth, and nine digits of the 16-digit credit card numbers of about 600 000 commuters who paid for fares via the Metlink website run by the Transport Department. When he stepped forward in late December to tell the site’s operators about the vulnerability, they never bothered to respond. Two weeks later, Rogers told his story to The Age; when the newspaper asked the Transport Department about it, officials there reported Rogers to the police.

“It’s truly disappointing that a government agency has developed a website which has these sorts of flaws,” Phil Kernick, of cyber security consultancy CQR, told The Age. “So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.”

I guess the Transport Department, knowing that it will face scrutiny over leaving its customers’ data so open to misappropriation, is trying to appear serious about security by taking a preemptive strike—albeit against someone who attempted to notify them of the hole instead of exploiting it.

Target's Data Breach Diagnosis Off Target

I’m shocked—shocked!—to find out that Target wildly underestimated the number of people whose personal data was stolen in a data breach that occurred between 27 November and 15 December. Target came out today and revised upward the 40 million figure it had been sticking to since news of the breach broke on 19 December. The retailer announced today that names, mailing addresses, phone numbers, and e-mail addresses of roughly 70 million people fell into the hands of cybercriminals. Much of the data newly identified as having been accessed by the hackers was supposedly stored on a separate part of the company’s internal networks from the one Target knew was hacked.

Few Plaudits for Yahoo's Belated Security Update

Yahoo finally made HTTPS the default setting for its e-mail service this week, years after rivals such as Google made the move. But if it was expecting handshakes and pats on the back, it has another thing coming. Security experts say that after Yahoo finished inexplicably dragging its feet, it has come up with a scheme that is not likely to keep users’ communications away from prying eyes. The “new configuration leaves a lot to be desired,” Ivan Ristic, director of application security research at security firm Qualys, told Security Watch. Ristic and other observers are scratching their heads about Yahoo’s decision not to support Perfect Forward Secrecy, in which each session is keyed by a fresh, ephemeral key exchange (such as ECDHE) rather than by the server’s long-term private key, so that a later compromise of that private key cannot be used to decrypt recorded past traffic. “Without Forward Secrecy, even encrypted data is feasibly at risk from private key compromise,” Ristic warns.
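Whether a TLS deployment offers forward secrecy comes down to the key exchange its cipher suites negotiate: ephemeral (EC)DHE suites do, static RSA key transport and static (EC)DH do not, and TLS 1.3 suites always do. The following is an added example written for this page, not Yahoo’s configuration or Qualys’s tooling. It classifies cipher-suite names in both IANA and OpenSSL notation, audits a configured list, and builds an OpenSSL cipher string restricted to forward-secret suites; the suite list and the cipher string are constructed assumptions about what a server might be configured with, not anything the page reports about Yahoo.

```python
"""Audit TLS cipher suites for forward secrecy (added example, not from the page).

A suite provides forward secrecy when the session key is derived from an
ephemeral (EC)DHE exchange, so a later compromise of the server's long-term
private key does not reveal recorded sessions.  Static RSA key transport
(e.g. TLS_RSA_WITH_AES_128_CBC_SHA) and static ECDH/DH do not.
"""
import re
import ssl

# TLS 1.3 suites carry no key-exchange token in the name because 1.3 always
# uses ephemeral (EC)DHE, e.g. TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256.
_TLS13 = re.compile(r"^TLS_(AES_\d+_(GCM|CCM(_8)?)|CHACHA20_POLY1305)_SHA\d+$")

# IANA notation: TLS_<kx>_<auth>_WITH_<cipher>_<mac>, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
_IANA = re.compile(r"^TLS_([A-Z0-9_]+?)_WITH_")

# OpenSSL notation: leading dash-token names the key exchange (ECDHE-RSA-AES128-GCM-SHA256);
# static RSA suites omit it entirely (AES128-SHA).  EDH is OpenSSL's older name for DHE.
_OPENSSL_EPHEMERAL = {"ECDHE", "DHE", "EDH"}


def forward_secret(suite: str) -> bool:
    """Return True if the named suite negotiates an ephemeral (EC)DHE key exchange."""
    name = suite.strip().upper()
    if _TLS13.match(name):
        return True
    m = _IANA.match(name)
    if m:
        kx = m.group(1)  # e.g. "ECDHE_RSA", "DHE_DSS", "RSA", "ECDH_ECDSA", "DH_ANON"
        # Only the ephemeral variants count; "ECDH_" / "DH_" (static) and "RSA" do not.
        return kx.startswith(("ECDHE_", "DHE_"))
    return name.split("-")[0] in _OPENSSL_EPHEMERAL


def audit(suites):
    """Split a configured cipher list into (forward_secret, not_forward_secret)."""
    good = [s for s in suites if forward_secret(s)]
    bad = [s for s in suites if not forward_secret(s)]
    return good, bad


# Constructed sample: the kind of TLS 1.2 list a server that only used static
# RSA key transport might expose, mixed with suites that do provide forward secrecy.
SAMPLE_CONFIG = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "TLS_AES_256_GCM_SHA384",
]

# Assumed hardened cipher string: ephemeral key exchange with AEAD ciphers only,
# and no anonymous or null suites.  Adjust to local policy.
FS_ONLY_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def openssl_fs_only_suites(cipher_string: str = FS_ONLY_CIPHER_STRING):
    """Ask the local OpenSSL what the cipher string actually enables, and cross-check
    every enabled suite with the name-based classifier above.  Raises if any
    enabled suite lacks forward secrecy (a sign the cipher string is too loose)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()]
    leaks = [n for n in names if not forward_secret(n)]
    if leaks:
        raise ValueError(f"cipher string enables non-forward-secret suites: {leaks}")
    return names


if __name__ == "__main__":
    good, bad = audit(SAMPLE_CONFIG)
    print("forward secret:    ", good)
    print("NOT forward secret:", bad)
    print("local OpenSSL FS-only list:", openssl_fs_only_suites())
```

Run against a real server, the same classifier can be applied to the cipher name returned by `ssl.SSLSocket.cipher()` after a handshake; a server that negotiates an `AES128-SHA`-style suite with a modern client is, like the configuration criticized above, exposing every recorded session to a future key compromise.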

In Other Cybercrime News

  • RSA is facing a backlash over reports that it entered into a secret contract with the U.S. National Security Agency that called for the company to use a random number generator known to be flawed in its encryption tools. A growing number of security experts have withdrawn papers from an upcoming RSA conference in protest. In late December, Josh Thomas of Atredis announced that he had changed his mind about delivering a talk at the conference. The very next day, Mikko Hyppönen of F-Secure posted an open letter to RSA saying he was also canceling his talk on government-sponsored malware. At least a half dozen other people expected to be in the conference’s lineup have sent their regrets.
  • Researchers from Carleton University in Ottawa have proposed a way to create a user- and machine-generated narrative, based on the user’s recent activity on a computer, which would serve as a device’s authentication mechanism instead of a password. They reason that a familiar narrative will be easy for the authorized user to remember but exceedingly difficult for a hacker to crack. “Allow the system to have a dialogue and prove that you are you and tell it things you know,” says one of the authors of the paper (“Towards Narrative Authentication; or Against Boring Authentication”).
  • Researchers have discovered vulnerabilities in industrial Ethernet switches manufactured by Siemens that could let attackers hijack Web sessions and perform unauthorized admin tasks on the switches.
  • As cars get smarter and increasingly Internet connected, privacy issues regarding the flood of data a vehicle generates have come to the fore.
  • Security firm Invincea reported this week that the video-sharing site DailyMotion, which attracts 17 million visitors a month, has been plagued by an attack that redirects users to a scam. Kaspersky Lab’s Threatpost explains the threat thusly: “When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file which is the malicious executable.”
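The DailyMotion item above describes the classic shape of a compromised-page redirect: an iframe the visitor cannot see, pointing at a host the page has no business loading. The following is an added example, not Invincea’s or Threatpost’s detection code, showing how a site operator or responder might sweep fetched HTML for exactly that pattern with only the Python standard library. The sample page and the host names in it are constructed for the example; the visibility heuristics (zero or one-pixel dimensions, `display:none`, `visibility:hidden`, zero opacity, off-screen positioning, the `hidden` attribute) are the author’s assumptions about what “invisible” usually looks like in injected markup.

```python
"""Flag invisible, cross-origin iframes in HTML (added example, not from the page).

Scareware and exploit-kit injections typically hide an iframe on a legitimate
page so that the browser silently fetches a third-party URL.  This scanner
parses the markup, collects every <iframe>, and reports those that are both
hidden by size/CSS/attribute and point at an origin other than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Boolean attributes (e.g. `hidden`) arrive with value None.
            self.iframes.append({k.lower(): ("" if v is None else v) for k, v in attrs})


# CSS that renders an element invisible: hidden/none, fully transparent, or
# pushed far off-screen.  Opacity must be exactly zero (0, 0.0, 0.00), not 0.5.
_HIDDEN_CSS = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(\.0+)?(?![\d.])"
    r"|(left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def _tiny(value: str) -> bool:
    """True for a width/height value of at most one pixel ('0', '1', '0px', '1px')."""
    m = re.match(r"\s*(\d+(\.\d+)?)\s*(px)?\s*$", value or "")
    return m is not None and float(m.group(1)) <= 1


def is_invisible(attrs: dict) -> bool:
    """Heuristic: would this iframe be invisible to the person viewing the page?"""
    if "hidden" in attrs:
        return True
    style = attrs.get("style", "")
    if _HIDDEN_CSS.search(style):
        return True
    for dim in ("width", "height"):
        if dim in attrs and _tiny(attrs[dim]):
            return True
        m = re.search(dim + r"\s*:\s*(\d+)\s*(px)?\b", style, re.I)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def suspicious_iframes(html: str, page_url: str):
    """Return the src of each iframe that is both invisible and cross-origin."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        cross_origin = bool(host) and host != page_host
        if cross_origin and is_invisible(attrs):
            findings.append(src)
    return findings


# Constructed sample page: one legitimate visible embed, one same-origin hidden
# ad slot, and two hidden cross-origin frames of the kind the Threatpost
# description refers to.  Host names are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Video portal</h1>
<iframe src="https://player.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://cleanup-alert.example.net/scan.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="/ads/banner.html" style="display:none"></iframe>
<div><iframe hidden src="http://cleanup-alert.example.net/other"></iframe></div>
</body></html>"""


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_PAGE, "https://video.example.com/"):
        print("hidden cross-origin iframe ->", src)
```

Same-origin hidden frames are deliberately left out of the findings because sites legitimately use them for ad slots and trackers; in an incident review you would still diff them against a known-good copy of the page, since an attacker who can write to the site can also host the redirect on it.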

Photo: Getty Images

Healthcare.gov Operating Without a Safety Net

IT Hiccups of the Week

It may be a new year, but the past few weeks of IT snarls, snafus and general mayhem look a lot like last year’s (or last century’s (pdf), for that matter). We start off the 2014 Risk Factor edition of IT Hiccups with yet another wrinkle in the 2013 IT horror story of the year—namely the chaotic implementation of the Affordable Care Act (ACA) website and supporting back-office systems. I didn’t think I could be surprised by any more news about how unprofessional the Healthcare.gov implementation has been, but I must admit that the Wall Street Journal story last Friday reporting that the site was operating without a back-up system in place still managed to startle me. Not to worry, though. Officials at the Centers for Medicare and Medicaid Services (CMS), which manages the website, reassured the WSJ that “redundancy is a critical part of our planning.” In other words, they’ll get around to it, eventually. Talk about living dangerously.

Also disclosed on the CMS Healthcare.gov planning “to do list” is the capability to go online and make basic changes to health insurance coverage, like adding a new child, reporting a marriage, divorce or death, or other “change in circumstance” events. That capability was supposed to be there from the day the system went live in October, but it was postponed amid the flurry of fixes meant to provide even more basic website functionality, like not crashing. Whether the ability to change one’s insurance status will be available by mid-January, right along with other promised ACA back-office functions such as making payments to insurers for the coverage they are offering, remains to be seen. Few outside of CMS hold out much hope that deadline will be met, however; the agency is currently scrambling to get the tens of thousands of individuals who thought they had signed up for health insurance or Medicaid, but don’t actually have coverage because of Healthcare.gov system issues, to sign up again.

Several states also report continued difficulties with their ACA system implementations. Oregon’s implementation is probably in the worst shape, but Maryland’s, Massachusetts', Minnesota’s, and Vermont’s aren’t that much better. The latter two states have decided to follow Oregon’s lead and withhold money from the prime contractors responsible for the botched IT implementations until the systems are fixed.  Oregon is withholding US $20 million from Oracle, while Massachusetts and Vermont are withholding some $58 million and $6 million, respectively, from CGI. CGI, you may recall, is the prime contractor for the mismanaged Healthcare.gov implementation.

Florida has also decided to withhold funds from its IT vendor, Deloitte Consulting, but in this case, for mishandling the implementation of the state’s new $63 million unemployment insurance system which was rolled out in October. Florida says that Deloitte has failed to meet its contractual obligations, which Deloitte vehemently denies. Florida officials have hit Deloitte with penalties of $15 000 a day since 23 December 2013 (which is in addition to $3 million in payments already being withheld, a separate $1.5 million penalty imposed last month, and a $4.5 million penalty imposed on Deloitte by the state in 2012). At this rate, Deloitte will end up paying Florida for the privilege of building the unemployment system.

Finally, there were a number of banking and credit card systems that experienced a variety of problems during the holiday season, including those at Allied Irish Banks, NatWest and RBS in the UK, and PNC bank in the U.S. All apologized to their customers for the inconvenience, of course—which I doubt did much to soothe the consumers’ anger when they found they couldn’t pay for their holiday purchases.

Healthcare.gov Saga Continues Unabated

Healthcare.gov Operating without Back-up System in Place

Making Changes to Healthcare.gov-bought Plan Difficult

More than 100 000 Enrolled Through Healthcare.gov Need to Enroll Again

For What It's Worth: Healthcare.gov Prime Contractor Has Top Software Process Credentials

Congress to Consider Healthcare.gov Security Legislation

Florida’s New Connect Unemployment Insurance System Becomes Deloitte Debacle

Florida Fines Deloitte Over Unemployment Insurance System Mess

Deloitte Defends its Work On CONNECT Unemployment System

Florida and Deloitte Claim Alternative Realities in Unemployment System Fiasco

Florida Doubles Personnel to Handle Unemployment System Problems

Florida’s Unemployment Number Misleading Because of Unreliable System

Bank and Credit Card Systems Say Not Today

Allied Irish Banks Suffer ATM Glitch

AIB Says It Has Fixed ATM Problems

NatWest Online Banking Down Due to DOS Attack

Tesco Petrol Payment Issue Freezes NatWest and RBS Credit Cards

PNC Bank Customers Find Their Money Missing After Computer “Glitch”

UAE Bank Cards Fail to Work

Of Other Interest …

EBay Overcharges Some Buyers

Australian Myer Department Store Resolves Online Problems

Malfunctioning Issues Reported With Nest Thermostat

BNC Bankcorp Website “Glitch” Creates Problems for Rival Bank

Microsoft Promising Surface Pro 2 Firmware Fix Soon

Delta Honors Glitch Fare Pricing

Glitches Galore Delight Online UK Holiday Shoppers

Photo: Joe Raedle/Getty Images


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City