The RISKS Digest
Volume 25 Issue 09

Thursday, 27th March 2008

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Billion-dollar IT failure at Census Bureau
eekid via David Farber
A Heart Device Is Found Vulnerable to Hacker Attacks
Barnaby Feder via Monty Solomon
FL power outage NERC updates
Catherine M Horiuchi
Vandals halt some hybrid buses using external 'off' switch
Rick Damiani
Flight Service Software Crashes; Pilot Briefings Delayed
Gabe Goldberg
Substantial supermarket breach affects millions
Robert Heuman
Man arrested by mistake over phone system bug
Rick Damiani
Hoax on Craiglist causes duped victims to steal property
Mark Brader
Payment by fingerprint disappears
Jon Van and Becky Yerak via Paul Saffo
Cute e-mail leak
Steve Summit
Search engine bait?
Steve Schafer
Info on RISKS (comp.risks)

Billion-dollar IT failure at Census Bureau (eekid via IP)

David Farber <dave@farber.net>
Mon, 24 Mar 2008 17:50:06 -0700
Why is anyone surprised. I spent many years on NRC (National Research
Council) study groups looking at Social Security, IRS, FAA and various DoD
software procurements. They were all in serious troubles usually due to very
poor procurement processes; endlessly changing requirements; poor software
management etc.  BUT it still goes on and on and on.  Try reading some of
the NRC reports.  They are informative and sad.  DF

From: eekid@aol.com [eekid@aol.com]
Sent: Monday, March 24, 2008 5:03 PM
Subject: Billion-dollar IT failure at Census Bureau

Billion-dollar IT failure at Census Bureau
Posted by Michael Krigsman @ 7:51 pm
http://blogs.zdnet.com/projectfailures/?p=660

US Census Bureau faces cost overruns up to $2 billion on an IT initiative
replacing paper-based data collection methods with specialized handheld
devices for the upcoming 2010 census. The Bureau has not implemented
longstanding Government Accountability Office (GAO) recommendations and may
therefore be forced to scrap the program. Harris Corp., the contractor
associated with this incompetently managed initiative, was awarded a $600
million contract to develop the handhelds and related software.

In March 5, 2008 testimony before the Senate, Commerce Secretary Carlos
M. Gutierrez said: "There is no question that both the Census Bureau and
Harris could have done things differently and better over the past couple of
years."

On the same date, Census Bureau Director, Steve H. Murdock, added:

I cannot over-emphasize the seriousness of this problem. My colleagues and I
recognize that we must move quickly to address this problem, and implement
solutions. While we still have an enormous challenge in front of us, I am
confident that we are close to defining and implementing a strategy that
will ensure a successful 2010 Census.

The GAO characterized the handheld initiative, known as the Field Data
Collection Automation (FDCA) program, as follows:

Of the $11 billion total estimated cost of the 2010 Census, the Census
Bureau planned (as of 2007) to spend about $3 billion on automation and
information technology in order to improve census coverage, accuracy, and
efficiency. Among other things, the Bureau is planning to automate many of
its planned field data collection activities as a way to reduce costs and
improve data quality and operational efficiency.

The GAO report, dated March 8, 2008, added:

In October 2007, GAO concluded that without effective management of key
risks, the Field Data Collection Automation (FDCA) program responsible for
the devices faced an increased probability that the system would not be
delivered on schedule and within budget or perform as expected. The
magnitude of these problems is not clear.  [T]he Bureau has not performed
recommended analysis or provided sufficient information to provide a level
of confidence in its $11.5 billion life-cycle cost estimate of the decennial
census. The Bureau has not itemized the estimated costs of each component
operation, conducted sensitivity analysis on cost drivers, or provided an
explanation of significant changes in the assumptions on which these costs
are based. Together, these weaknesses and actions raise serious questions
about the Bureau's preparations for conducting the 2010 Census.

Computer World blogger, Frank Hayes, summarized the situation succinctly,
"The fancy custom handhelds might work. But if they don't, the Census Bureau
will use paper instead."

THE IT PROJECT FAILURES ANALYSIS

Managing an $11 billion initiative is a daunting task and unforeseen
problems are inevitable. Nonetheless, the GAO, going back to January, 2005,
repeatedly identified significant procurement, management, and operational
risks associated with this project. For reasons unknown, the Census Bureau
chose not to follow these recommendations.

The following table summarizes significant project issues identified by the
GAO:

Billion dollar IT mismanagement at Census Bureau

How does a failure of this magnitude arise? Clearly, Census Bureau
management is ineffective at properly and efficiently executing the
organization's basic mandate. A detailed analysis would probably reveal
hidden agendas; conflicts of interest; good intentions gone bad;
inexperienced, lazy, and incompetent management; lack of controls; and plain
old poor judgment. I believe these deeply ingrained issues are symptomatic
of fundamental problems shared by both Bureau leadership and line
management.

My recommendation: The GAO must conduct a formal inquiry into two specific
areas:

1. It should investigate and analyze the management policies and procedures
that allowed this situation to develop and persist over the course of
several years. We must understand why program controls didn't prevent this
huge waste of dollars.

2. It should perform a detailed (and I mean exhaustive) investigation of
Harris Corp.'s role. Let an unbiased panel determine what percentage of the
billion-dollar waste Harris caused and force the company to pay direct
restitution for that amount.

Until the government holds contractors and their agency sponsors accountable, massive failures will continue and more money will be flushed down the drain.

Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/


A Heart Device Is Found Vulnerable to Hacker Attacks

Monty Solomon <monty@roscom.com>
Sat, 15 Mar 2008 00:58:46 -0400
Barnaby J. Feder, *The New York Times*, 12 Mar 2008
http://www.nytimes.com/2008/03/12/business/12heart-web.html?ex=1363060800&en=ccf7bc417ed75bfb&ei=5090

To the long list of objects vulnerable to attack by computer hackers, add
the human heart.  The threat seems largely theoretical. But a team of
computer security researchers plans to report Wednesday that it had been
able to gain wireless access to a combination heart defibrillator and
pacemaker.  They were able to reprogram it to shut down and to deliver jolts
of electricity that would potentially be fatal - if the device had been in a
person. In this case, the researcher were hacking into a device in a
laboratory.  The researchers said they had also been able to glean personal
patient data by eavesdropping on signals from the tiny wireless radio that
Medtronic, the device's maker, had embedded in the implant as a way to let
doctors monitor and adjust it without surgery.

The report, to published at www.secure-medicine.org, makes clear that the
hundreds of thousands of people in this country with implanted
defibrillators or pacemakers to regulate their damaged hearts - they include
Vice President Dick Cheney - have no need yet to fear hackers. The
experiment required more than $30,000 worth of lab equipment and a sustained
effort by a team of specialists from the University of Washington and the
University of Massachusetts to interpret the data gathered from the
implant's signals. And the device the researchers tested, a combination
defibrillator and pacemaker called the Maximo, was placed within two inches
of the test gear.  ...


FL power outage NERC updates

Catherine M Horiuchi <cmhoriuchi@usfca.edu>
Mon, 03 Mar 2008 01:10:31 -0800
Five days before the Florida outage, the North American Electric Reliability
Corporation (the electric industry's "self-regulatory" watchdog) issued a
press release reporting its CEO's address to the National Transmission
Delivery Forum. He stated: "We are operating the grid closer to the edge
than ever before." This in context of need to improve the transmission
system to support initiatives for more wind power (intermittent load) and
micro-generation (distributed load)
http://www.nerc.com/~filez/pressreleases.html

The preliminary cause of the 02/26/2008 disturbance has been categorized as
human error: a single mistake by a single worker at a single substation.
Florida Power & Light President Olivera said, "We don't know why the
employee took it upon himself to disable both sets of relays."
http://www.cnn.com/2008/US/02/29/florida.outage/index.html

This type of systemic problem due to tight coupling and lack of resilience
we've seen in other high-reliability, highly-engineered systems (TMI; two
shuttle losses; arguably, the 17th Street Canal failure during Hurricane
Katrina and even the recent beef recall.)  Yet it appears difficult for some
engineers/managers to publicly acknowledge that humans are guaranteed to
make mistakes, and computers are also guaranteed to fail, given enough
potential instants in which to fail.  Or, to advocating systems with less
potential for these failures.

In Florida, "Changes to safeguard against future human error already have
been implemented."
http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20080301/NEWS01/803010334/1006/news01

So, almost before the NERC investigation is started, the "fix" is already in
place.  How likely is it that these changes will have their own unintended
consequences? (Something as simple as, say, errors due to worker fatigue, if
whatever shortcuts workers were taking to complete tasks in alloted time are
no longer available.)

Note strong similarities between the Florida disturbance and the 12/08/1998
power outage in San Francisco (RISKS-20.11) affecting 456,000 customers,
also a "human error" causality, where two worker events "directly"
precipitated the outage:

1) A transmission construction crew working on the #2 115kV bus, Section D
at the San Mateo substation, failed to remove protective grounds that had
been installed as a safety measure while the crew was working on the bus
section.

2) Before energizing the bus section at the conclusion of this construction
work, a PG&E transmission substation operator failed to engage the
protective relays.
www.cpuc.ca.gov/Published/Graphics/24197.PDF

An inability to perfectly correct operations is illustrated by PG&E's
subsequent outages in 2005 and 2007.  Commented PG&E spokesperson Darlene
Chiu after the July 2007 outage: "The problem began when breakers in the
utility's transmission service opened for an unknown reason. Every time
workers attempted to close those breakers to restore service, it caused
voltage fluctuations."
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/24/BAG9NR67253.DTL&tsp=1

Workers tried doing what they expected to work, but it didn't. Even after
the power was back on, the spokesperson reported the breakers opened "for an
unknown reason."  That is, it may be impossible to figure out why automated
systems are acting in a particular manner within the very small space of
time before automated systems take further pre-programmed actions, thereby
enlarging a power outage.  This impossibility can be characterized as "human
error."

Transmission grid operations are increasingly complex and at the same time
increasingly interconnected, suggesting systemic failure and "normal"
accidents will continue to occur at regular intervals. Plan accordingly.

Cathy Horiuchi, University of San Francisco
(formerly of the Sacramento Municipal Utility District)


Vandals halt some hybrid buses using external 'off' switch

"Rick Damiani" <rick@patongroup.com>
Sat, 15 Mar 2008 21:45:34 -0700
"Muni drivers have reported over the last couple of weeks that people have
been shutting down the power on their buses by flipping a switch that can be
accessed easily through an unlocked panel on the outside of the bus.  When
that happens, the drivers can't accelerate, they lose radio contact with
dispatchers and the interior lights on the buses go out. The power loss does
not affect the brakes."

Details here:

http://www.sfgate.com/cgi-bin/article.cgi?f=3D/c/a/2008/03/07/BAOKVF1E8.DTL&amp;tsp=1SF

An external power switch like this is a good thing if the bus is
involved in a serious collision. Rescue workers would naturally be leery
of approaching a severely damaged vehicle equipped with batteries big
enough to move a bus. Sounds like they made it a bit too easy to get to.

Rick Damiani, Applications Engineer, The Paton Group California: (310)429-7095


Flight Service Software Crashes; Pilot Briefings Delayed

Gabe Goldberg <gabe@gabegold.com>
Tue, 18 Mar 2008 14:51:39 -0400
Lockheed Martin computer programmers are trying to figure out why a planned
software upgrade to FS21 caused the system to crash late Tuesday
night. /AVweb/ received a tip from a former briefer in Michigan that the
system went down at about 0100Z. A spokeswoman for Lockheed Martin told
/AVweb/ that when they realized the FS21 upgrade was "unstable," they
reverted to the backup system known as AISR (Aeronautical Information System
Replacement).  "It provides the same type of information as FS21 but it's in
disparate sources so it takes a little longer for the briefing.  In the
morning, queue times were several minutes, but by around 11 a.m. they were
in the single digits."

Lockheed Martin posted an alert on its *Web site* <http://www.afss.com/>
indicating that calls to 800-WX-BRIEF may be delayed until the problem is
resolved. A notice posted to the Web site on March 9 indicated that the
software upgrade was being done to "provide improvements to the service we
provide especially in PIREP processing with a more efficient mask for
obtaining the data from the pilot, among other items."  The FAA has agreed
to provide Congress with a *status report*
http://www.avweb.com/avwebflash/news/FAA_to_Congress_FSS_Needs_Work_197253-1.html
every 90 days on Lockheed Martin's performance in managing the FSS
contract. The next one is expected to be delivered at the end of April.

Gabriel Goldberg, Computers and Publishing, Inc.          (703) 204-0433
3401 Silver Maple Place, Falls Church, VA 22042        gabe@gabegold.com


Substantial supermarket breach affects millions

RsH <robert.heuman@alumni.monmouth.edu>
Tue, 18 Mar 2008 18:00:15 -0400
Once more with feeling. A lack of precise information, but again an
exposure that need not have happened.

On Tue, 18 Mar 2008 15:18:20 GMT, "Security Wire Daily"
<SearchSecurity@lists.techtarget.com> wrote:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SearchSecurity.com: Security Wire Daily
Breaking security news, the latest industry developments and trends
March 18, 2008
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

HANNAFORD BREACH ILLUSTRATES NEED TO HAVE A SURVIVAL PLAN
Bill Brenner, Senior News Writer

A serious data breach at the Hannaford Bros. Co. supermarket chain exposed
as many as 4.2 million credit and debit card numbers to identity fraud.

In a statement released Monday on the Maine-based Hannaford website,
President and CEO Ronald Hodge said the company had contained an intrusion
of its computer network that resulted in the theft of customer credit and
debit card numbers.  http://go.techtarget.com/r/3288677/1421272

R. S. (Bob) Heuman  <robert.heuman@alumni.monmouth.edu>


Man arrested by mistake over phone system bug

"Rick Damiani" <rick@patongroup.com>
Fri, 14 Mar 2008 20:51:20 -0700
An interesting take on the risk of believing what 'the computer says'
without doing any additional investigation is here:
  http://thedailywtf.com/Articles/Youll-Need-to-Come-Downtown.aspx

Short summary:

Homicide detectives, looking at the incoming calls to a murder victim (a
drug dealer), find many of them are coming from '520-833-0000'. Steve
McDowan pays the bill for that number, so naturally the detectives really
want to talk to Steve. When they pick him up at work, Steve tells them that
the number is his son's number. The detectives tell Steve about the murdered
drug dealer on their way to pick up his son.  Everybody goes downtown.
Steve's son denies making the calls, and finally gets the police to let him
look up his call record at the phone company web site. Not seeing the
outgoing calls there, the detectives call the phone company. From the
original article:

"They called customer service, got transferred around several times,
waited the requisite forty minutes on hold, and finally a tier-3 tech
support technician answered the phone.

"Yes," the younger officer said into the speakerphone, "I'm investigating a
homicide here and need to know, why are some outgoing calls not recorded for
520-833-0000? We have a record of the incoming calls from that
number... could someone be hacking into your computers or something"

"Ha," the technician snorted, "no. This happens sometimes. If the
calling party blocks their caller ID, it'll show up as 520-833-0000
instead of ten-zeros. We're working on it!"

The two detectives glared at each other, flabbergasted. "We're uhh," the
older officer stumbled, "we'd like to thank you for coming down, and
apologize for any, umm, inconvenience." The ride back was much less
awkward... at least, for Steve and his son."

It's interesting how over-reliance on computers caused the problem
(detectives chasing the wrong person), but using them correctly (Steve's son
and the phone company technician) saves the day.

Rick Damiani, Applications Engineer, The Paton Group California: (310)429-7095


Hoax on Craiglist causes duped victims to steal property

Mark Brader
Mon, 24 Mar 2008 16:22:49 -0400 (EDT)
  [To make a long story short, two bogus ads offered a horse and other
  belongings of Robert Salisbury, a contractor in Jacksonvile, Oregon, to
  anyone who would take them.  Unsuspectingly, he returned home to find many
  people carting off his stuff.  *Seattle Times*, 24 Mar 2008; PGN-ed]

http://seattletimes.nwsource.com/html/localnews/2004302237_webhoax24m.html


Payment by fingerprint disappears

Paul Saffo <paul@saffo.com>
Fri, 21 Mar 2008 08:40:59 -0700
Jon Van and Becky Yerak, Troubled biometrics firm disables scanners at Jewel
*Chicago Tribune*, 21 Mar 2008 [PGN-ed]
www.chicagotribune.com/business/chi-fri-pay-by-touch-mar21,0,1005086.story

Jan Bledsoe was shocked Thursday to learn she can no longer just swipe her
finger across a screen at the local Jewel store to buy her groceries because
the bankrupt company behind the technology no longer will process such
transactions.  Solidus Networks Inc., a provider of payment processing, is
no longer operating its biometrics unit. The firm's failure prompted some
financial analysts to question whether technology that relies on biological
information to identify a customer is ready for the market's mainstream.

"Commercial biometrics is inevitable," said Paul Saffo, a Silicon
Valley-based trend forecaster. "There are huge risks, but it's just so cheap
and convenient, people won't be able to resist it. Whenever Americans face a
choice between privacy and convenience, they always choose convenience."

jonvand2@gmail.com
byerak@tribune.com
Copyright 2008, Chicago Tribune


Cute e-mail leak

Steve Summit <scs@eskimo.com>
Mon, 24 Mar 2008 00:32:05 -0400
Companies unclear on the concept of reciprocity love to use the convenience
of e-mail to send you and me messages but then deny us the convenience of
replying, often insisting we use some web-based form instead.  To drive home
the message, the one-way mail will often come from (or have replies directed
to) a bogus address in a domain name such as "donotreply.com".

Since 2000, the domain name "donotreply.com" has been owned by a guy named
Chet Faliszek.  You can just imagine the kind of mail he gets there.

Details at <http://blog.washingtonpost.com/securityfix/2008/03/they_told_you_not_to_reply.html>.

Choice excerpts:

  "...many of the misdirected e-mails amount to serious security and privacy
  violations.  In February, Faliszek began receiving e-mails sent by [a bank
  in] New Jersey.  Included in the message were PDF documents detailing
  every computer the bank owned that was not currently patched against the
  latest security vulnerabilities."

  "With the exception of extreme cases... Faliszek says he long ago stopped
  trying to alert companies about the e-mails he was receiving.  It's just
  not worth it: Faliszek said he is constantly threatened with lawsuits from
  companies who for one reason or another have a difficult time grasping why
  he is in possession of their internal documents and e-mails."

  [Also noted by Jim Reisert, with additional quotes.  PGN]


Search engine bait?

Steve Schafer <steve@fenestra.com>
Sat, 08 Mar 2008 22:35:10 -0500
Go to one of these web sites:

 http://www.inpcars.com
 http://www.healthek.com
 http://www.toolsmet.com

Choose one of the displayed categories at random and click the link.  (Some
of the categories are empty, so you may need to try more than one.)

Read the descriptions of the products.

At first glance, it appears that the descriptions are very poor English
translations (of who knows what source language). But a closer look reveals
that that's not what's happening, and that they are in fact crafted by
taking a genuine English description (from a manufacturer's site, perhaps?)
and then applying a randomized thesaurus-based word replacement algorithm.

For example, I found a product where it was clear that the original
adjective used in the descriptions of a pair of related products was
"quiet." It had been replaced in one case by "reserved," and in the other by
"taciturn."

In one description, the word "bulb" (as in "light bulb"--the product was a
lamp) had been replaced by "scaly bud"; in another, the word "mouth" was
replaced by "oral fissure."

This is similar to the paraphrasing and euphemisms that you sometimes see in
spam email offers for various drugs, etc., but I've never seen a spam email
take it to the level of these sites.

So what's going on? If you click one of the "More Info" links, you first
have to pass through a captcha barrier, and then you are taken to a page
with links to eBay and Amazon.com, and occasionally some other sites.  The
links are typically only vaguely (if at all) related to the item you've
requested "more info" about.

Who is this company that's gaming the eBay Affiliates and Amazon.com
Associates programs? That's a difficult question to answer. The pages
themselves are completely devoid of any kind of identifying information.  A
WHOIS search on the domain names reveals that the domain owners are hiding
behind an anonymizer service based in the Netherlands.

Why the weird parallel-universe descriptions? It's obviously search engine
bait (after all, that's how I found the sites in the first place). But why
go to so much trouble? I don't know if there's something special about the
replacement words and phrases that makes them rank highly, or it's just a
tactic to avoid copyright issues.

Please report problems with the web pages to the maintainer

x
Top