Risk Factor iconRisk Factor

NSA Spies Who Purchased This Snooping Device Also Bought…

This Week in Cybercrime We were already aware of the existence of illicit marketplaces teeming with tools for cybercriminals looking to subvert the security of online networks. But one of the latest revelations from the cache of documents stolen by NSA whistleblower Edward Snowden is the fact that NSA hackers have access to a spy catalog from which they can buy gadgets and malware that make the idea of online security virtually meaningless. According to der Spiegel, the newly disclosed documents reveal that specialists in the NSA’s Tailored Access Operations division manage to access data that is supposedly inaccessible even by tapping undersea cables or by strong arming companies such as Google, AT&T, and Yahoo. Their bag of tricks, which includes mapping and monitoring networks and rerouting and modifying data, comes largely from a 50-page catalog produced by another NSA Division.

“For nearly every lock, ANT seems to have a key in its toolbox,” der Spiegel writes. “And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.”

The 2008 catalog features items ranging in price from free to US $250 000. They include a $30 pack of rigged monitor cables that let the NSA see whatever the user sees, a $40 000 GSM base station that spoofs a mobile phone tower so that it receives signals from nearby handsets, and a digital lock pick for firewalls made by Juniper Networks that keeps the backdoor open even after reboots and software upgrades. Worse, the Snowden documents reveal, is that the catalog contains malware capable of infecting a machine’s BIOS so that it continues to compromise the device’s security even after the most drastic measures—wiping the hard drive clean and reinstalling the operating system.

PINs Compromised in Target Hack

Target’s troubles are mounting. The retailer, whose systems were hacked at the height of the holiday shopping season, has confirmed that the cybercrooks were able to access a listing of customer debit card PINs. The company had earlier said that the PINs weren’t taken in the data breach. Now Target is insisting that customers are safe and that the hackers won’t be able to turn the data into easy cash by making spoofed debit cards that let them take money out of ATMs. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement posted on its website on Friday.

Target didn’t reveal how much PIN data was divulged.

Despite the retailer’s insistence that “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” company officials may be the only people shocked when the other shoe drops and we find out that the hackers have managed to find the keys to decrypt it.

Snapchat Hacked

It was supposed to be simple. And easy. And safe. Just send someone a pic on Snapchat and, poof—it would disappear from the recipient’s device before it could come back to haunt you. But now there’s reason for worry. Snapchat has been hacked. Though no one’s heard of any funny business with images being diverted, the usernames and phone numbers of 4.6 million alleged Snapchat users were posted online this week. The posting, on a website called SnapchatDB.info, came a few days after an outfit called Gibson Security publicly reported a vulnerability in the social sharing service it said would allow that very thing to occur. (According to Computer World the site has been taken down by its hosting service, but a cached version can still be viewed.)

Gibson says it first made Snapchat aware of the vulnerability in August, but the service didn’t respond. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it," Gibson said in a statement.

In Other Cybercrime News…

  • FireEye, a major cybersecurity company, announced the purchase of Mandiant, a privately-held cyber forensics firm, for roughly US $990 million. FireEye, a leading seller of security services designed to identify and combat cybercrime via the Internet, e-mail, and mobile devices, has previously collaborated with Mandiant to stave off attacks. The purchase, FireEye said in a statement, will improve its ability “to stop advanced attacks at the earliest phases of the attack life cycle.”
  • This week, A U.S. federal court upheld a government policy allowing law enforcement officers at or near U.S. borders to seize and search electronic devices for any reason. The decision [pdf] by U.S. District Judge Edward Korman in New York is the result of a case brought by the American Civil Liberties Union (ACLU), which argued that U.S. border officials shouldn’t be able to conduct searches of gadgets without reasonable suspicion that a crime has been committed. But the judge held that the so-called “border exemption,” which gives the government the right to warrantless and suspicionless searches within 160 kilometers of the border, applies to data and the devices that contain it.

Photo: iStockphoto

Target Hack Stole Millions of Credit and Debit Cards

Hello, Target shoppers. Just in time for the holidays, your credit card data has been compromised. And according to Brian Krebs, the purloined information has been “flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card.” Krebs, who broke the story on his blog, Krebs On Security, on Wednesday, says that:

“[A bank, having been notified that a “card shop” with a reputation as a reliable source for stolen credit and debit cards] had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store…browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.”

But here’s the kicker:

“When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop,” says Krebs, “it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.”

The day after Krebs’ revelation, the retailer issued a statement confirming that the customer information for roughly 40 million credit and debit cards swiped at Target stores between 27 November and 15 December had been, well, swiped. The company initially thought that the period over which the breach yielded stolen payment card information ended on 6 December, but as the investigation into the break-in continued, those hopes were dashed.

The team looking into the breach says it has found nothing to indicate that Target’s online customers were affected. What’s not known at this time is whether the hackers were able to gather PIN information for debit transactions. If they did, it would be possible to make phony cards that could empty bank accounts by withdrawing cash from ATMs.

Why the bricks-and-mortar and not the e-commerce customers? Though nothing has been confirmed, computer security experts suspect that the attackers went for the retailer’s point-of-sale (POS) system, the point of entry seen as the weakest link. The vulnerability of point-of-sale systems lies in the fact that they’re “usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider,” Mark Bower, vice president of product management at Voltage Security, said in a statement. “In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable,” says Bower. 

Target will get a chance to explain exactly how it happened in court. A Bloomberg Businessweek article says that a California resident affected by the data breach has already filed a lawsuit against the company. The complaint asserts that, “Target failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach.” The plaintiff, says the article, is looking to make it into a class-action suit.

Furthering the indignity, the retailer's online systems and call centers have been overwhelmed by a torrent of customers trying to find out more about the attack and to determine whether they had been affected, according to the StarTribune—the hometown newspaper of Minneapolis, Minnesota,-based Target.

North Carolina Continues to Wrestle with Wayward IT Projects

North Carolina is famous for its high-tech Research Triangle, but lately it seems that state government IT projects are bound for IT’s equivalent of the Bermuda Triangle.

As you may remember from an earlier Risk Factor story on state government IT project snafus, North Carolina rolled out two new major systems, one called NCFast and the other NCTracks. NCFast (North Carolina Families Accessing Services through Technology) is the N.C. Department of Health and Human Services (DHSS) computer system aimed at streamlining the work activities and business processes of the department and county social services agencies so that more time can be spent on helping those requiring public assistance and less on bureaucratic tasks. NCFast was “soft-launched” in mid-July (the system is not scheduled to be completely finished until 2017).

However, since the launch of NCFast, there have been ongoing issues with the US $48 million system that have caused many families on food-assistance to go without their benefits for months at a time. This has, unfortunately, given those families a new perspective of what the “fast” in NCFast means.  Within six weeks of the system’s launch, almost 70 000—or nearly 9 percent—of North Carolina’s food-assistance recipients were not receiving their benefits. In response to political uproar created by the rapidly rising number of hungry families who were straining local food-banks, DHHS quickly placed the blame for the lack of benefits squarely on the county social services agencies, pointing specifically to what DHHS claimed was inadequate training on how to use the NCFast system. The county agencies fired back, accusing the state of rolling out a slow and bug-filled case management system that was prone to freezing up or crashing without warning.

About a week ago, it emerged that the county social service agencies had every right to blame the NCFast system for the growing backlog of food-assistance recipients. What's more, the state DHSS department knew NCFast was at fault, too, but decided to keep quiet about it. According to a report by Raleigh TV news station WRAL, while DHSS was publicly blaming the counties for not training their staff on how to use NCFast correctly, its own internal assessment of the situation was contradicting that assertion. The WRAL story states that the DHSS internal assessment showed “only a small minority of counties faced problems with training, staffing, and technical infrastructure.”

In addition, WRAL reports, DHSS eventually discovered what it called a “simple browser compatibility issue” in late August that turned out to be the root cause of many of NCFast’s operational issues. But that discovery was made only after several county agencies reported that NCFast seemed to work better when interfacing to the system with Google Chrome than with Internet Explorer, a fact that DHSS evidently did not investigate on its own.

Since the browser fix has been made, NCFast’s operations have markedly improved, but it has still taken months—along with the hiring of over a 150 temporary workers—to whittle down the backlog of the tens of thousands of families awaiting their food assistance benefit. However, reports of families not properly receiving food-assistance are still being made, albeit not to the magnitude experienced in August or into September.  A story this week at the Times-News in Burlington, North Carolina, for instance, reports that the local county social services agency still says “it’s a daily struggle” working with NCFast.

The WRAL story indicates that, even now, North Carolina DHSS officials continue to point to a lack of user training at the county health services agencies rather than software problems in NCFast for initially creating the majority of the family food-assistance backlog. You might at first be surprised by the state’s health services department blatant attempt at shifting the blame away from itself in the face of contrary facts. But the fact that DHSS has an even bigger IT debacle than NCFast on its hands, makes it less surprising.

You see, at the beginning of July, the North Carolina’s DHSS also decided to launch its highly controversial $484 million NCTracks Medicaid claims processing and management system. The agency did this despite a May state audit [pdf] that cast doubt on whether the system—which was $200 million over budget and two years late—was ready to go live. The audit cited, among other issues, the lack of testing or independent verification and validation of key system elements, as well as unresolved privacy and security concerns. For instance, out of a scheduled 834 “critical” priority tests, the audit stated that 123 failed and 285 tests were not even performed.

The DHSS, however, insisted that there was nothing major to worry about, regardless of what the audit reported. The department conceded that there might be an “initial rough patch of 30 to 90 days as providers get used to using the new system,” but that there should be smooth sailing after that. Well, here it is nearly 180 days on, and NCTracks is still desperately trying to smooth out that “rough patch.”

Statistics from November, for example, indicated that NCTracks was still performing at a worse rate than the 25-year old system it had replaced. Furthermore, the Medicaid claims of many of the state’s 77 000 Medicaid providers were still not being paid promptly, or they were being rejected at a rate in some cases 4 times higher than in the past. This was causing financial hardship for countless health care providers, leading some to decide, reluctantly, to quit providing care to Medicaid recipients. The problems with NCTracks has, not unexpectedly, also generated a lot of political heat.

Adding to the political fire last week was the release of another state audit  [pdf] showing that some 3200 defects with NCTracks were discovered since it went live in July, and that more than 600 defects were still to be fixed as of 5 November.  DHSS recently admitted that most of those defects remain unfixed, but claimed that they don’t affect “most” Medicaid providers. The department wouldn’t, however, give an estimate of how many providers the defects did affect. 

The state’s audit also reported that DHSS management still did not have a master plan to track problems or their corrections; DHSS has since promised one would be ready beginning January 2014.

Furthermore, the audit noted that 12 of the 14 critical changes mandated by the state legislature or by the Federal government were not in place by their specified dates. DHHS management promised that the 12 changes will be implemented by 1 March 2014, although one should view that promise with more than a few grains of salt.

Finally, the audit indicated that North Carolina’s financial analysts aren’t sure what the state is spending on Medicaid since NCTracks still can’t account for what the state still owes its 77 000 Medicaid providers.

However, since the day NCTracks has been rolled out and despite all its well-documented problems, DHSS management has continually pushed the optimistic message that “NCTracks is on track” since the system is able to pay at least some number of submitted claims. And like those in charge of NCFast, NCTracks management has continually downplayed NCTracks’ IT problems while—surprise, surprise—insisting that most of the issues being reported are caused by a lack of training at the state’s Medicaid providers. In fact, last week, even as the state audit report was detailing the multitude of problems in NCTracks that should have been addressed before the system was allowed to go live, the state's manager in charge of NCTracks computer systems development congratulated his staff on the “successful launch” of the system.

One would hate to see what an unsuccessful IT project launch looks like in North Carolina.

Well, luckily for us, according to another North Carolina state audit from earlier in the year, there are plenty of opportunities to find out because many, if not most, of the other 82 state IT projects are in questionable shape. Given, too, that the audit stated that “state agency managers are not required to manage IT projects so that the projects meet the initial cost or schedule estimates that are submitted to ITS [Office of Information Technology Services],” NCFast and NCTracks might have plenty company on their voyages into the IT Bermuda Triangle.

Toyota Enters into Settlement Talks over Sudden Unintended Acceleration

IT Hiccups of the WeekThis week’s edition of IT hiccups, snarls, and general foul-ups begins with the surprising announcement last Thursday by U.S. District Judge James V. Selna who, according to Bloomberg News, issued an order stopping lawsuits into claims of sudden unintended accelerations in vehicles manufactured by Toyota. The reason: to give time requested by both Toyota and plaintiff lawyers to find a way to settle claims against the car manufacturer.

As long time readers of the Risk Factor may recall, the issue of sudden unintended acceleration (SUA) really came to the fore in 2009 when Toyota issued an initial recall of 3.8 million vehicles over the possibility that floor mats were jamming accelerator pedals, keeping them in the full open position. A fatal crash in California the same year took the life of a veteran California Highway Patrol Officer (along with his wife, teenage daughter and brother-in-law) who could not find a way to stop a runaway 2009 Lexus ES 350. That incident helped highlight claims of additional sources of SUA problems with Toyotas such as software/hardware-related defects inadvertently affecting Toyota’s electronic throttle control system. These claims (along with Congressional pressure) forced the National Highway Traffic Safety Administration to conduct an investigation which reported no such defects could be uncovered. Toyota had long insisted that most cases of SUA were the result of driver error and not electronic-related, and used to the NHTSA investigation to bolster its argument.

Even though the NHTSA couldn't uncover anything wrong with Toyota's electronic throttle system, that finding didn’t stop SUA lawsuits from being filed against the company, which were to date unsuccessful at showing anything other than possible floor mats or driver error being responsible for SUA. In early October, for example, the NBC News reported that Toyota yet again prevailed in an SUA lawsuit against it.

However, later that same month, the LA Times reported that an Oklahoma jury found that electronic defects were indeed responsible for causing SUA in a 2005 Toyota Camry which “caused it to accelerate out of control and crash into a wall, killing a passenger and seriously injuring the driver.” The jury found that Toyota was guilty of “reckless disregard” in the case after defense software forensic experts convinced it that there were indeed, as the EE Times stated, fatal flaws in Toyota’s electronic throttle source code.

Toyota, stunned by the $3 million verdict and its implications, moved quickly to settle the case. Toyota continued to strongly argue—at least publicly—that SUA was not caused by electronic issues; but privately, the company must have worried that the jury verdict was the proverbial straw that broke the camel’s back. As a result, Toyota apparently decided that it had more to lose by going through hundreds of trials than in reaching a broad settlement agreement. Already, Toyota has reached a settlement in another lawsuit in West Virginia. I’ll continue to report on the proposed settlement as it becomes public, and especially whether Toyota now admits that there were software defects in its electronic throttle control software after all.

In other IT snafu news, Yahoo Mail experienced outages for days last week due to a hardware problem in one of Yahoo’s storage systems beginning Monday night. Yahoo, after steadfastly refusing to say how many of its 100 million daily users were affected,  finally conceded at the end of the week that about a million users were affected—although I doubt anyone believes that number is really representative, given breadth and depth of the user complaints voiced.

Last week also saw continued problems with Florida’s new US $63 million unemployment system that was launched in mid-October. While the state government insists that the system is generally working successfully, news stories including one at the Miami Herald continue to report thousands of user complaints that paint a portrait of a dysfunctional system. The technical problems are now morphing into a political headache for Gov. Rick Scott, as politicians of all stripes continue their call for an investigation into what went wrong and why it is taking much longer to fix than the state promised.

Finally, IT issues with the Affordable Care Act website, which was rebooted 16 days ago, continue to be reported. The Washington Post reported over the weekend that thousands of people who thought they had enrolled for insurance actually weren’t because their enrollment records were never transmitted to insurers. The Obama Administration insists that problems with enrollments are being quickly solved, but the New York Times says insurers beg to disagree. In addition, several states continue to report trouble with their health insurance website implementations, with Oregon’s being termed an absolute fiasco. Past history gives me great confidence that additional IT-related problems will surface well into the foreseeable future.

Toyota Decides to Cut Its Losses over Sudden Unintended Acceleration Lawsuits

Toyota Cars, Coding and Carelessness

After Four Years, Toyota Enters Settlement Talks

Toyota Seeks Settlement Over Sudden Acceleration Cases

Toyota Suddenly Flies White Flag in Sudden Acceleration Lawsuits

Toyota SUA Settlement Options Explained

Yahoo Apologizes for Embarrassing Email Outage

Yahoo Outage Hits 70% of Messages

Yahoo Silent over Outage

Yahoo Mail Outage Enters Fifth Day

Marissa Mayer Apologizes for Yahoo Mail Outage

Florida’s New Unemployment System Woes Now Becomes a Political Issue

Florida’s Unemployment System Payments Remain Tied Up

Gov. Scott Brushes Off New Unemployment System Complaints

Unemployment System Woes Becoming a Florida Campaign Issue

Florida Fines Deloitte US$1.5 million over Unemployment System Problems

Of Other Interest …

New Zealand Novopay Snafus Persist a Year On

UK Waitrose Supermarket Suffers Online Delivery Glitch

Data Issue Affects Melbourne Australia Air Traffic Control System

Electronic Benefits Transfer Card Glitch Affects Massachusetts Assistance Recipients

Billing System Problems Hits Johannesburg's Finances

Cable Theft Causes Three-day Broadband Blackout in West London

Image: Mixmike/iStockPhoto

Financial Exchanges Close Ranks to Fight Off Cybercrime

Following a string of confidence-shaking cyberattacks on stock exchanges across the globe that affected their operations, 57 stock, futures, and options exchanges have come together to collaborate on cybersecurity best practices. I guess they've come to the same conclusion expressed in a coinage attributed to Benjamin Franklin: "We must, indeed, all hang together, or assuredly we shall all hang separately."

A hair-raising example of how vulnerable the exchanges are came in August when NASDAQ’s systems were besieged by more than double the amount of data they could process. The data torrent, abetted by a software design flaw, caused a three-hour stoppage in trading for thousands of U.S. stocks. Though the culprit was eventually revealed to be human error instead of a cyberattacker, the event revealed one avenue that a crafty hacker could exploit.

The new group, a committee established under the aegis of the World Federation of Exchanges, will try to figure out how to best share information on attackers, their tools, and attack trends, as well as techniques and technologies for fighting off attacks. It’s easier said than done, explains Mark Graff, NASDAQ's chief information security officer and chairman of the new working group. “When I took the job at NASDAQ, I found it was easy to connect with people within the [U.S.] financial community,” Graff told Computer World. “But I just couldn't see who my opposite numbers were in exchanges overseas,” he said.

G-20 Governments in Hackers’ Crosshairs

Researchers at online security firm FireEye say that In the month leading up to the G-20 Summit in September, hackers they presumed to be Chinese nationals broke into the computer networks of five European foreign affairs ministries.  FireEye was temporarily able to monitor the activity of the attack, which it calls Ke3chang, via one of the command-and-control (CnC) servers the hackers used. The campaign began with a series of spear-phishing e-mails laced with a malicious attachment called US_military_options_in_Syria.zip. The attackers knew that the targets would go for the bait because in the run up to the G-20 meeting, the world’s attention was focused on the Syrian civil war and whether the United States would intervene in response to the use of chemical weapons.

For a few days, FireEye researchers were able to snoop on one of the at least 23 different CnC servers the hackers used. They saw 21 compromised computers connect to that server.

In Other Cybercrime News…

  • A hacker who tried to make money by selling access to several corporate, university, and government computer networks—including two supercomputers at the Lawrence Livermore National Laboratory—fell into a familiar trap. It just so happened that the person on the other end of a US $50 000 transaction that would have given the buyer access to the Lawrence Livermore machines was an undercover FBI agent. This week, 24-year-old Andrew Miller, hacker and police-procedural TV show stereotype, was sentenced to 18 months in prison.
  • The makers of a popular Android flashlight application apparently kept users in the dark about its money-making side business: covertly tracking the locations of  “Brightest Flashlight Free” users and selling that information to advertising firms. The company, Goldenshore Technologies, reached a settlement this week with the U.S. Federal Trade Commission, which threatened to come down hard on the app maker.  
  • AT&T cares about you. So much, in fact, that the company refuses to issue a transparency report providing details regarding what data it has turned over to the U.S. National Security Agency. In a letter to the Securities and Exchange Commission, AT&T says that telling the world about the extent to which it divulged information about its customers would upset its efforts to protect its customers’ privacy. You can’t make this stuff up.
  • Eight of the world’s leading tech companies—Facebook, Apple, and Google among them—have created a new coalition whose aim is to provide pushback on U.S. surveillance practices. The group, Reform Government Surveillance, says that tactics such as National Security Letters, which demand that a company turn over data about customers and keep quiet about it, undermine trust in the companies and in the Internet as a dependable medium for communication and commerce.
  • Kaspersky Lab’s ThreatPost reports that Open WhisperSystems’ TextSecure protocol has been integrated into an app that will bring end-to-end encrypted text messaging to 10 million Android users.

Photo: vladru/iStockPhoto

IBM Sued Over Queensland Health Payroll System Debacle

It hasn’t been a good few weeks for IBM. You may recall, recently Bridgestone Tire filed a US $600 million lawsuit against IBM alleging fraud over an SAP-based invoicing, accounting, and product delivery system went that went live in January 2012 but didn’t operate as Bridgestone expected to say the least. Now news has come out that IBM is being sued by Australia’s Queensland government over its role in the disastrous Queensland Health payroll system implementation. The government wants compensation from IBM, but it did not disclosed the amount it is seeking.

As you may also remember from my years of covering this debacle, IBM was the lead contractor on the effort to replace Queensland Health’s legacy payroll system at an expected cost of A$6.19 million (fixed price) that turned into one that will cost an estimated A$1.2 billion to develop and operate properly when all is said and done. A formal commission of inquiry into the payroll system acquisition and development characterized it in its 264-page report [pdf] that was released in July as being one that must take place in the front rank of failures in public administration in this country. It may be the worst.”

Read More

UK Air Traffic Control Problem Snarls Flights over Weekend

IT Hiccups of the Week Trainspotting is still a popular hobby in UK; spotting computer-related foul-ups may soon become as popular, for last week UK residents (and many visitors) experienced a full train-yard-worth of computer woes.

We start off this week’s review of IT hiccups with the UK National Air Traffic Services (NATS) nighttime to daytime operations switchover that didn’t happen as scheduled at 0600 London time Saturday morning. As a result of the failure, which affected controller communications, hundreds of domestic and international flights into and out of the UK and Ireland were delayed and many cancelled. NATS went to its back-up system, which allowed it to operate at about 80 percent of capacity; full operations were not restored until 1900 Saturday night. The effects of the problems were felt well into Sunday.  

Early last Monday evening, the Royal Bank of Scotland Group's computer systems, which support RBS along with the two other banks (NatWest and Ulster Bank), went down for three hours, halting all three banks' financial transactions. The banks’ 15.7 million customers were not amused, it being Cyber Monday, one of the busiest shopping days of the year.  As you may recall, the RBS Group suffered a massive computer system meltdown in June 2012 that lasted nearly two months before it was fully straightened out. That snafu was preceded by a major outage in November 2011. Bank CEO Ross McEwan apologized for the latest cock-up, blaming it on RBS failing to “invest properly” in its IT systems “for decades.”  I am sure that apology was just the tonic to mollify customer anger. Just to add to the fun, on Wednesday, the three banks’ online systems were unavailable for about an hour because of a denial of service attack.

Also last week, the German-owned gas and electricity supplier Npower sent out letters to its 3.4 million English and Welsh customers apologizing for  “service issues resulting from the installation of a new billing system and a promise that customers will not lose out financially as a direct result of these issues.” It is estimated that over a million Npower customers either owe money or are owed money because of problems with the £200 million billing system that was installed in 2011. At the time, Npower was bragging that because of its deliberate approach, it wasn’t expecting any problems with its roll out.

Lest we forget, the Affordable Care Act website that was rebooted 10 days ago hasn’t fully escaped the IT-related problem orbit. The good news is that people are increasingly able to enroll for health insurance through the federal website, with more enrollments in two days after the reboot than all of October, when it was first launched. The bad news is that, of the 127 000 people who enrolled through the website in October and November, roughly one-fourth of their applications contained errors. The result: enrollees may not have insurance even though they think they do. The reboot has reduced the error rate to “only” 10 percent, the Obama Administration says, but with many more folks being able to sign up, that may not be exactly positive news. In addition, the Administration is now trying to discourage the use of paper ACA applications “because of concerns those applications would not be processed in time.”

State health insurance exchanges in Maryland and Oregon continue to have problems, while in California, the exchange secretly sent the names, addresses, phone numbers and addresses of tens of thousands to insurance agents of anyone who started a health insurance application, even if they didn’t complete it. That news hasn’t gone over well, even though California says that what it did is perfectly legal.

Finally, today is Grace Hopper’s 107th birthday, appropriately marked by a Google Doodle. I was privileged to meet her twice when I worked as an electronic engineer for the Department of the Navy in the 1970s; she was truly a remarkable person.

UK National Air Traffic Services Night to Day Switchover Doesn’t

UK Air Traffic Control Outage Causes Flying Misery

Computer Issue Hits UK National Air Traffic Control

NATS Apologizes for Flight Disruptions

Ryanair Rages at NATS over Outage

NATS Says Outage a “Just a One-off”

Royal Bank of Scotland Irritates Millions of Customers Once More

RBS Suffers Third IT Meltdown in 18 Months

Customers Furious with RBS over Latest Fiasco

Customers Skeptical of RBS Promises of Compensation

IT Cost Cutting Blamed for Problems

RBS CEO Apologizes For Latest IT Failure

Npower Apologies to English and Welsh Customers over Unacceptable Computer Billing Errors

Electricity and Gas Supplier Npower Apologizes to Customers

Npower Says “Sorry” for Those Billing Foul-ups

Npower Customers Angry at Incorrect Bills

Customer Service to be Outsourced to India Npower Announces

Of Other Interest …

Key West Flights Affected by Computer Problems

US Veterans Administration Claims System “Spontaneously” Shuts Down

UAE and Gulf HSBC Bank Customers Angry over Glitch

First Niagara Bank Customers Can’t Access Online Accounts

US Treasury Delays Securities Sale Due to Glitch

Arizona’s Motor Vehicle Department Computers Crash

Florida’s Unemployment Department Sends Tens of Identical Letters to Thousands

Photo: Steve Parsons/AP Photo

Treaty Limiting Weapons Exports Updated to Include Cyberweapons

Diplomats representing several Western governments are huddling in Vienna this week in the hopes of finalizing new, Internet-related additions to the Wassenaar Arrangement. That pact—under which the United States, Russia, Japan, France, Germany and dozens of other signatories agree to strictly limit exports of certain weapons—is being updated in order to control access to complex surveillance and hacking software and cryptography. These countries hope to keep sophisticated cyberweapons out of what they consider to be the wrong hands despite explosive growth (pun intended) in the cybersnooping market.

An example of the technology the signatories hope to keep inside the group’s proverbial fence is “deep package inspection.” According to a Financial Times article, “Western intelligence agencies are particularly concerned [about restricting access to such advances]” because they don’t want their enemies to “foil cyber attacks or gain an intimate understanding of Western screening systems and their fallibilities.” A spokesperson for the UK’s Department for Business, which deals with the Britain's export license regime, told FT that: “The government agrees that further regulation is necessary. These products have legitimate uses in defending networks and tracking and disrupting criminals but we recognize that they may also be used to conduct espionage.”

No Such Thing As a Completely Isolated Computer

Researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Germany have just published a paper describing how they created a wireless mesh network capable of sending short bits of code to or intercepting data from air-gapped machines.

How does it work? Audio signals in the low ultrasonic frequency range (around 20 kilohertz) were transmitted from one machine to another over a maximum distance of about 20 meters. According to a Computer World article,

The data was transmitted using two different acoustical modem software applications called Minimodem and Adaptive Communication System (ACS) modem, the latter delivering the best results. On the network layer, the researchers used an ad-hoc routing protocol called GUWMANET (Gossiping in Underwater Mobile Ad-hoc Networks) that was developed by FKIE for underwater communication.

The nodes on the network, in this case laptop computers, have to be in direct line of sight, but the researchers note that it’s not unusual to find computers in such an arrangement in labs and open-plan offices.

Though the network—a dream come true for cybercrooks including nation states looking to engage in espionage or sabotage—currently limits data transmission to about 20 bits per second, that’s still enough to snatch login credentials and encryption keys or relay an attacker’s commands.

In Other Cybercrime News…

Image: Getty Images

The U.S. Air Force Explains its $1 Billion ECSS Bonfire

“We learn from failure, not from success!”

Well, if we apply Dracula author Bram Stoker's maxim to the U.S. Air Force, it could make the case that it has learned the most of all the U.S. military services.

A few weeks ago, the Air Force finally released the executive summary [pdf] of its investigation into its Expeditionary Combat Support System (ECSS). The system was a development blunder that the service mercifully terminated last year after spending US $1.03 billion over seven years and producing a system—if you can even call it that—without “any significant military capability.”   The  ECSS project  began in 2004 as an ambitious and risky effort to replace some 240 outdated Air Force computer systems with a single integrated enterprise resource planning  (ERP) system aimed at modernizing the service's global supply chain. It was also meant to help provide the core financial information required to meet a Congressional mandate that demanded an auditable set of books by 2017.

Read More

Los Angeles Department of Water and Power Scrambles to Fix Billing System Mess

IT Hiccups of the WeekAs it has the previous few weeks, news about the reboot of the Affordable Care Act website again overflowed the IT-related problem space last week, for the final time Obama Administration officials hope.

Obamacare website 2.0 was launched over the weekend, with the Administration claiming that the updated site is superbly better than when it was first rolled out on 1 October. For instance, according to a new Center for Medicare and Medicaid Services progress and performance report (pdf), the website's response time is now less than 1 second instead of the previous 8 seconds, the per page system times out are now only 1 percent of the time instead of over 6 percent, and some 50 000 concurrent users can now access the site, instead of the measly 500 or less on 1 October.

However, Health and Human Services Secretary Kathleen Sebelius, even as she was touting the ACA website’s “dramatic improvement,” also urged potential users to visit the ACA website during “off-peak hours when there is less traffic — mornings, evenings, or on weekends” or to “sign up for coverage… by phone, in person, and by mail. In many cases, you can also directly enroll through an insurance company.” That is probably good advice, for news reports from yesterday indicate that instead of the website being able to support 50 000 concurrent users, about 35 000 concurrent users is actually the reality.

Insurers have been less than impressed with the new and improved website, though. According to the New York Times, customers may be able to sign up for insurance, but that doesn’t necessarily mean that they actually been enrolled for insurance because sign-up information isn’t reaching the insurers or the information sent contains corrupted or incomplete data. As a result, the Times reports, insurers are saying “they had received calls from consumers requesting insurance cards because they thought they had enrolled in a health plan through the federal website, but the insurers said they had not been notified.”

Insurers were also unhappy last week when the Administration announced that the back-end system needed to pay insurers was being delayed from being finished in January to a date not yet specified. The insurers have been told they now need estimate what they are owed, and then they and the government can reconcile the differences.  Small businesses also joined the unhappiness queue last week, as the Administration delayed the small business health insurance exchange by a year.  Also in line are Oregonians, who have seen that state’s exchange fall into a technological abyss compounded by admissions of multiple security breaches.

Despite all of this disquieting news, there is hope on the horizon, the Administration says. For according to the CMS progress and performance report, the team that is working on ACA website and back office systems “is operating with private sector velocity and effectiveness, and will continue their work to improve and enhance the website in the weeks and months ahead.” In fact, the team is making such good progress, that former Obama senior adviser David Plouffe was moved to optimistically predict on Sunday that the ACA will “work really well” by 2017. Plouffe didn’t hazard an estimate of how much getting to that state of ACA nirvana will ultimately cost in both financial and personal terms, however.

The other IT-related impediments, deficiencies and malfunctions of the week centered on the teeth-gnashing issues involving the Los Angeles Department of Water and Power (DWP) new $162 million customer billing system. News reports state that over 70 000  faulty bills have been issued by its new customer information and billing system that was rolled out in September (pdf), which has led in some cases to DWP customers having their utilities incorrectly shut off. And in another bit of embarrassment for the DWP, it was scrambling to explain to LA taxpayers last week why it hid the fact that the true cost of the new billing system is nearly three times higher than what it had been previously publicly proclaiming.

Finally, last week’s IT hiccup news included various financially-related IT irritations to consumers during the annual period of U.S. shopping madness disguised as the Thanksgiving holiday, as well as hardware and software problems that accompanied the launches of the new Sony PlayStation 4 and Microsoft Xbox One consoles.

Los Angeles Department of Water and Power Scrambles to Fix Billing System Mess

Over 70 000 Faulty Bills Sent out By LA Department of Water and Power

LA City Council Unanimously Votes To Halt DWP Utility Shutoffs

DWP Agrees To Halt Utility Shutoffs Until End of the Year

LA DWP Admits Major  Billing  Problems Won’t be Fixed Until Spring 2014

Shoppers Experience Holiday Buying Frustrations

WalMart’s Black Friday One-hour Guarantee That Wasn’t

WalMart Suffers Another Online Pricing “Technical Glitch”

SunBank’s Multiple Transaction Error Hits Shoppers across the Country

Academy Bank “Glitch” Multiplies and Declines Customers’ Purchase Transactions

Hiccups Mar New Sony and Microsoft Consoles Launches

Sony to Replace PlayStation Consoles Suffering “Blue Light of Death”

PlayStation Network in Europe Struggling with Launch of PlayStation 4

Some Microsoft’s Xbox One Consoles Have “Disk Drive of Doom”

Of Other Interest …

Florida’s New Unemployment System Continues to Frustrate Unemployed Workers

Hardware Failure Takes Out FirstLight Federal Credit Union Online Banking

Ford Recalling 7 100 2013-2014 Model Year Lincoln MKZ Hybrids to Fix Transmission Software

Software Problem Affects Issuance of Disability Certificates in India

New Speed Camera Issues Ticket to Parked Car in Chicago

Reebok Trainers Are “Free” Thanks to Online Sales Error


Photo: Nick Ut/AP Photo


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City
Load More