Spectrum Online—Tomorrows Technology Today

November 2007 Archives

November 1, 2007

How do you spend £12.4bn over 10 years? Start by spending £2.4bn in 10 minutes

The BBC reported last week that the decision to move forward in 2002 with the UK National Health Service's electronic health record programme, the National Programme for IT (NPfIT), took place after a ten-minute presentation to then Prime Minister Tony Blair. The cost estimate for NPfIT - done basically on the back of an envelope - was for £2.4bn over three years, to which Blair basically said, "Go for it."

Surprise, surprise, NPfIT is currently projected to cost £12.4bn over ten years, and even that estimate is likely severely optimistic. Tony Collins over at ComputerWeekly, who has been following the NPfIT situation for years, has all the gory details. Collins has been trying to get the minutes of the meeting released, which the government refuses to do, despite being directed to do so by the Information Commissioner.

The NHS has recently stated that regardless of the many problems the NPfIT has faced, it is highly successful, and that it is "so well advanced that the health service 'could no longer function' without it."

This is kind of like Homer Simpson saying, “I think Smithers picked me because of my motivational skills. Everyone says they have to work a lot harder when I’m around.”

November 2, 2007

No One Did Anything Wrong

As reported in the Palm Beach Post, the Palm Beach County courts are trying to determine whether they should scrap their computer system that had a $13.6 million upgrade last year. The upgrade got them off their old mainframe onto a newer platform, and it was slated to give the court some functional upgrades as well.

Unfortunately, things haven't turned out too well. For example, when the court's computer system electronically alerts the Florida Department of Motor Vehicles of license suspensions, court staff have to telephone the DMV to ensure the information was not only received but received correctly. Another example: before sending out 40,000 letters ordering people to pay money owed to the court for unpaid fines, court staff had to manually check that they were mailing the letters to the people who actually owed the court money and that the amounts stated in the letters were correct.

As a result of the problems, the courts have had to hire an additional 29 staff at a cost of $1.4 million per annum to try to keep the court system operating to some level of normality.

The upgrade, which was originally estimated to take six months to a year to convert all the data stored in the mainframe into the new system, actually took 3 1/2 years. When the initial schedule estimate was made, court officials figured they would encounter three or four different methods of inputting data into the system. However, over 150 different methods were actually in use.

No one seems to have checked this "minor" assumption before the contract was let. It gets better.


November 4, 2007

What Business Risk?

ComputerWorld reports that a survey commissioned by the Information Systems Audit and Control Association (ISACA) found that 15% of respondents admitted logging onto peer-to-peer file sharing networks from work computers despite security warnings to the contrary. A further 74% of the survey respondents said they don't believe that downloading unauthorized content or software to work PCs creates a business risk.

I wonder what these 74% do consider a business risk.

November 5, 2007

LA Unified School District Payroll System 82.4% Fixed

Today was payday once again for employees of the LA Unified School District (LAUSD). As you may have been following here, LAUSD implemented a new payroll system that has not exactly worked as planned.

In a story in today's LA Times, most of the problems have now supposedly been solved. According to LAUSD's spokesperson Binti Harvey, "employees' paychecks may be different, (but they are) more likely to be correct." She didn't specify a probability figure related to that likelihood, however.

Furthermore, Harvey says data shows that, "82.4% of all system defects have been fixed, and another 10.4% will be fixed" by the December payday. I guess using the decimal point means that 824 or 8240 defects have been fixed, and that either another 104 or 1040 still remain.

That of course assumes that current fixes don't create new defects. Also, the way Harvey said it, there seems to be an implication that all system defects are created equal. Either assumption is highly dubious.

Of course, given that many LAUSD employees have received over-payments as well as under-payments for months now, I don't envy them at all when they try figuring out whether today's paycheck is actually correct. I would hate to be in their shoes at the end of this year when they have to determine whether their total pay for 2007 is right or not. They might end up paying a whole lot more in taxes they did not expect.

As the Times story notes:

"With 2007 coming to a close, income tax forms present an additional worry, said A.J. Duffy, president of United Teachers Los Angeles. 'Our members are very concerned about their taxes,' Duffy wrote in a statement. 'LAUSD has told us that they may not be able to meet with all UTLA members before the end of the calendar year. Our members are concerned that their payroll issues will be resolved way too late.'"

What fun. I'll be back in December with another update.

November 7, 2007

Building Construction Mirrors Software Development

MIT filed a negligence lawsuit against architect Frank Gehry and construction company Skanska USA Building Inc, claiming “design and construction failures” exist in its $300 million Stata Center, which opened in 2004, according to stories in the Boston Globe and New York Times. The Center opened to widespread praise by MIT.

Gehry, who has described the building as looking like "a party of drunken robots got together to celebrate," claims the issues are "fairly minor" and should be expected "in the design of complex buildings."

"These things are complicated and they involved a lot of people, and you never quite know where they went wrong. A building goes together with seven billion pieces of connective tissue. The chances of it getting done ever without something colliding or some misstep are small."

The executive vice president and area general manager of Skanska USA, however, said that, "This is not a construction issue. Never has been." He claims that Gehry had rejected Skanska’s formal request to change the design of the outdoor amphitheater, a source of many of the problems: "We were told to proceed with the original design."

Gehry, in turn, blamed cost-cutting by MIT: "There are things that were left out of the design. The client chose not to put certain devices on the roofs, to save money."

Doesn't this just sound like the aftermath of an IT project gone bad?


Computer Problems at London Stock Exchange

The London Stock Exchange suffered disruptions for the last 40 minutes of the trading day due to a computer problem which resulted in incorrect share prices being displayed. The trading day was extended for another 90 minutes to make up for the problems traders were having.

The last major disruption at the LSE occurred in the first week of April 2000. That week also saw computer problems hit the Nasdaq and the Toronto Stock Exchange. That week reaffirmed the old maxim that bad news comes in threes.

Is it time for a repeat?

November 9, 2007

Cyber Risk Review

Today's San Jose Mercury News has published Part 1 (registration may be required) of a three-part series on organized cybercrime, often based in Russia, and the widespread use of botnets to steal your identity and money. It also has an engaging slide show on internet crime, along with an interview with Dave DeWalt, the new CEO of McAfee.

The series coincides with the news reported today at the Dark Reading website that a "New York grand jury has indicted 17 people and a corporation on charges of identity theft, worldwide trafficking in stolen credit card numbers, and other crimes committed using the Internet." Those indicted, several with apparent ties to Russia, are said to have trafficked in more than 95,000 stolen credit card numbers and caused more than $4 million in credit card fraud.

For those who are interested in this subject, as part of the article I wrote in this month's IEEE Spectrum on Open-Source Warfare, I interviewed Tom Kellermann on how terrorists are using the Internet for money laundering, fundraising, and identity theft. Kellermann was a member of the Treasury Security Team at the World Bank, where he advised central banks on monitoring illicit online activity. He’s currently vice president of security awareness at Core Security Technologies, in Boston.

Tom pointed out, as did the Mercury News story, that there is a large and growing underground economy where you essentially can hire software mercenaries to build code to attack a targeted system and to data mine that system for your own use. In this community, a perverse "Robin Hood" mentality prevails: steal and take what you can or barter what you find so that you can support your efforts in the real world.

Reading the Mercury News article and Tom's interview can be disconcerting to say the least. If you wish to stay worried or become slightly paranoid, do a daily read of the Dark Reading website. After about a week, it makes you wonder why anyone, including yourself, ever signs onto the net.

November 11, 2007

LAUSD to Employees: Show Me the Money

Now that the LA Unified School District (LAUSD) has supposedly "solved" its on-going payroll problem, it wants all 36,000 of its employees who have been "over-paid" to the tune of $53 million by mistake to pony up the money - like yesterday.

In a story by the LA Times, this "request" has placed employees in a bit of a conundrum:

"The move to recover the money is placing teachers and other staff in the Los Angeles Unified School District in an unpalatable position. They must either trust the district's claim that they were overpaid and repay the money or dispute the calculations and face further chaos come tax season."

So who do you fight: the LAUSD or the IRS and California state tax folks or all three? Nice choice, eh?


Zombie Master Zapped

The LA Times reported yesterday that John Kenneth Schiefer, a 26-year-old computer security consultant from LA, admitted to hacking into a host of personal computers "to create a rogue network of as many as a quarter-million PCs, which he used to steal money and identities."

Schiefer used botnets to steal "user names and passwords for EBay Inc.'s PayPal online payment service to make unauthorized purchases. He also passed the stolen account information on to others." He faces up to 60 years in prison and a $1.75-million fine.

It is bad enough that one has to guard against outside hackers - having to worry about IT security folks burning you from the inside just adds to the irritation. If we need to hire someone to watch over the IT security personnel, do we need someone to watch over this person as well? And how many watch-watchers are sufficient?

Hmm, sounds like it may be time to revisit the classic cat and rat problem.

November 12, 2007

Executives Being Targeted for Scams

A story in the Wall Street Journal last week describes a highly sophisticated scam making the rounds of corporate executive offices.

Using information apparently found on LinkedIn, Facebook or other websites where detailed personal information can be found, scammers are sending highly personalized and convincing phishing emails to senior company executives, saying, for instance, that a Better Business Bureau or Equal Employment Opportunity Commission complaint (along with a case number) has been filed against their company, and asking the executive to respond to it. Once they do, by clicking on the convenient link provided, the executive's computer is immediately compromised with software that logs all activity and sends the information to the scammer. More than one executive has been torched.

I guess that we are still a ways away from 2006, you know, the year that Bill Gates said, "Spam will be solved.” I wonder if someone has tried to spoof him recently.

Anyway, Part 2 of the San Jose Mercury News series on hacking is now available. The article starts off with the stats that 50% of the IRS employees who received phone calls in an audit test earlier this year, purportedly from the computer help desk, requesting their user names and suggesting they adopt a new password, provided the requested information. This was up from the 35% who did so in a similar test in 2004, and down from the 71% who did so in 2001.

Change Definition of Privacy: Government Official

The Principal Deputy Director of National Intelligence, Dr. Donald Kerr, thinks, "Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture."

That's apparently no longer a valid or reasonable idea. "In our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past. ... Protecting anonymity isn’t a fight that can be won."

In addition, "We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment...Instead, privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured."

So privacy means faith in government bureaucracy.

Except, of course, when these privacy laws, rules and customs get in the way of safety. Then privacy must give way.

But not to worry for, "Our commitment to safety and privacy are nothing new to us and they are values that we must continue to protect as we learn to do our intelligence job better."

In other words, the intelligence community is committed to protecting us and our way of life - which just needs to change to make it easier for them to get information on us to protect us from - us?

Sounds logical to me.

More on this can be read here.

November 14, 2007

Australian Super Seasprite Software Problems - A Record?

Australian pals of mine clued me in on the latest program problems with the Australian Department of Defence's Super Seasprite upgrade program. Begun in 1997, the program was meant to upgrade the electronics and some other bits of 11 of these 1960s-era helicopters (Defence calls them "mature helicopters") over five years for an original cost of AU$745 million; the cost to complete is now estimated to range around AU$1.5 billion. Up until a few weeks ago, the Australian Defence Department said their Super Seasprites would become operational in 2008, but that date has now been slipped to 2011.

Software problems related to the Seasprite's avionics and flight control software have been at the root of many of the delays and cost overruns. The problems have been so severe that last year the helo was grounded because, according to Defence Minister Brendan Nelson, "You could not have 100 per cent confidence in the software program that supports the pilot flying the helicopter to 100 per cent safety."

According to Department of Defence's Portfolio Budget Statement 2007-2008, "The main sustainment risks to the Super Seasprite include the automatic flight control system issue, mission computer shortcomings, and a lack of customer confidence in the platform brought about by the extended flight suspension and ongoing technical issues." Oh, that's all?

The latest schedule slip was due to software testing and integration problems with the helo's mission system software. IT mercy rule, anyone?

I don't recall any other defense program of any nation being delivered 9 years late due mostly to software problems (other than maybe the Strategic Defense Initiative). Anyone have some other candidates?

Back to the Future - A Bit Faster Now

The British press (here and here) is reporting on the Gordon Brown government's desire to build "Fortress Britain" after it "unveiled a succession of security measures at airports, railway stations, sports venues and other public places."

By summer 2009, the UK government wants every person entering or leaving Britain to provide 53 pieces of travel information, including credit card information, travel contact numbers of where you are staying, travel plans, email addresses, car registrations being used in travel, the number of pieces of luggage taken, baggage tag numbers, all changes to the travel itinerary, etc.

Furthermore, passengers will have the privilege of paying a fee to the travel organizations who are going to collect and send all of this information to the UK government, and a UK government surtax to pay for its use and storage. But what price is your security, eh?

The UK government hasn't decided (yet) to require that the travel information be provided three days before the intended date of travel, as the US is contemplating. It does appear, however, that both the US and Britain are in a competition to discourage foreigners from visiting and their own citizens from leaving.

Given the amount of information planned to be captured and stored indefinitely via this scheme and all the others in Big Brother Britain, maybe the smart thing to do is to start buying stock in database, data storage, and business continuity management companies.

Just Some Neat Earth Rise/Set Pictures

If you haven't seen them yet, the Japan Aerospace Exploration Agency (JAXA) released some great HD pictures of earth rise and earth set as seen from the moon.

November 15, 2007

Ghosts in the Browser

The final part of the three-part series called Ghosts in the Browser published by the San Jose Mercury News is available here. The final article focuses on the lagging governmental response to cyber crime. There is also a link to a real-time monitor of bot activity.

FBI Virtual Case File Opportunity Cost?

Nada Nadim Prouty, a Lebanese-born CIA officer and former FBI agent, pleaded guilty this week to charges that, among other things (such as submitting forged documents to obtain American citizenship), she illegally sought classified information from FBI computers in September 2002 and June 2003 concerning the Islamic group Hezbollah.

According to the New York Times, the agent's sister and brother-in-law "attended a fund-raising event in Lebanon in August 2002 at which the keynote speaker was Sheikh Muhammed Hussein Fadlallah, the spiritual leader of Hezbollah. Sheikh Fadlallah has been designated by the United States government as a terrorist leader." She checked the FBI computers to see what information law enforcement had on relatives, as well as herself.

It is interesting to speculate whether Prouty would have dared to check the FBI files in June 2003 if the Virtual Case File had visibly been on track to be completed on time (December 2003 or June 2004, take your pick), and whether her 2002 or 2003 snooping would have been discovered in 2004, before she went to the CIA, rather than in 2007.


November 16, 2007

Scarce Computer Science Students at Cambridge

A small news item appeared in the London Guardian this past week about how Cambridge University in England is desperate for computer science applicants. Cambridge is receiving only 40% as many applicants as it did in 2000. Professors there blame the drop on the perception that computer science students are "geeky" and that the best jobs are being outsourced to India and China.

Air Canada Computer Problems

Air Canada said there was a communications error between the airline's central reservation and check-in system affecting airports across Canada beginning at 0430 Friday morning. The system-wide problem affected both international and domestic flights with the worst delays experienced during the peak morning travel hours.

The delays weren't as bad as the recent problems at LAX.

November 18, 2007

Subtle Chip or Application Math Errors Can Lead to Big Problems

Over the weekend, the New York Times ran an article on a potential IT security problem posed by errors in microprocessor chips such as the Intel Pentium error of a few years back or the recent Microsoft Excel spreadsheet bug.

Adi Shamir, a professor at the Weizmann Institute of Science in Israel and one of the three designers of the RSA public key algorithm, circulated a research note about how an attacker could exploit an undetected subtle math error and make breaking public key cryptography possible.

The Times article notes that Mr. Shamir believes that "if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be 'trivially broken with a single chosen message.' Executing the attack would require only knowledge of the math flaw and the ability to send a 'poisoned' encrypted message to a protected computer. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, 'millions of PC’s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually.'"
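The mechanism the Times describes, as an added example that is not part of the original post or of Shamir's note: a toy RSA-CRT signer running on a modelled chip whose multiplier returns a wrong product for exactly one operand pair. The key, the flawed operand value and the triggering message are all constructed for the illustration (the harness uses the private prime to build a message whose residue hits the flaw; the recovery step itself uses only the public key, the message and the faulty signature). The leakage step is the textbook result (Boneh, DeMillo and Lipton, 1997) that a signature with one faulty CRT half reveals a prime factor through a single gcd, and the last function shows the standard defence: check the signature against the public key before releasing it.

```python
"""Toy model of an RSA private-key leak caused by a hidden multiplier flaw.

Added illustration; the key, the flaw and the message are constructed and
the primes are far too small for real use.
"""
from math import gcd

# Constructed toy RSA-CRT key.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ inverse)
DP, DQ = D % (P - 1), D % (Q - 1)    # CRT exponents
QINV = pow(Q, -1, P)                 # q^-1 mod p for Garner's recombination

# Hypothetical silicon flaw (constructed): the multiplier is exact for every
# operand pair except one, where it is off by a single unit.
FLAW_OPERAND = 424242


def chip_mul(a, b):
    """Integer multiply as the modelled flawed chip performs it."""
    if a == b == FLAW_OPERAND:
        return a * b + 1
    return a * b


def chip_modexp(base, exp, mod):
    """Right-to-left square-and-multiply built on the chip's multiplier."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = chip_mul(result, base) % mod
        base = chip_mul(base, base) % mod   # first squaring is (m mod p)^2
        exp >>= 1
    return result


def sign_crt(m):
    """RSA-CRT signature as computed on the flawed chip, no result check."""
    sp = chip_modexp(m, DP, P)
    sq = chip_modexp(m, DQ, Q)
    h = (QINV * (sp - sq)) % P          # recombination kept exact for clarity
    return sq + h * Q


def message_triggering_flaw(residue_mod_q=7):
    """Harness helper: a message with m mod P == FLAW_OPERAND, so the first
    squaring in the P half hits the flaw while the Q half stays correct.
    Uses P, i.e. harness knowledge; it stands in for the attacker's knowledge
    of which inputs the real chip gets wrong."""
    h = (QINV * (FLAW_OPERAND - residue_mod_q)) % P
    return residue_mod_q + h * Q


def recover_factor(n, e, m, s):
    """Bellcore/BDL step: if exactly one CRT half of s is wrong, s^e - m is
    divisible by the other prime only, so the gcd exposes a factor of n.
    Needs nothing but public data, the message and the faulty signature."""
    g = gcd((pow(s, e, n) - m) % n, n)
    return g if 1 < g < n else None


def sign_crt_checked(m):
    """Defensive signer: verify with the public exponent before release and
    withhold any signature that does not verify (returns None)."""
    s = sign_crt(m)
    if pow(s, E, N) != m % N:
        return None
    return s


if __name__ == "__main__":
    m = message_triggering_flaw()
    s_bad = sign_crt(m)
    print("faulty signature verifies:", pow(s_bad, E, N) == m)
    print("factor recovered from one faulty signature:", recover_factor(N, E, m, s_bad) == Q)
    print("checked signer releases it:", sign_crt_checked(m) is not None)
```

The check in `sign_crt_checked` costs one public-exponent exponentiation, which is why verify-before-release (or exponent blinding) is the usual answer to this class of fault: a flaw that an attacker can trigger on demand is only useful if the wrong answer leaves the device.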

It isn't believed that this technique is being used - yet. It still seems easier to poison PC components themselves like hard drives at the factory, which recently happened to Seagate Maxtor drives made in Thailand and which were pre-loaded with password stealing Trojan horses.


Good IT News, Bad IT News at Department of Justice

The annual report by the Department of Justice's Office of the Inspector General (OIG) on the state of IT in the DOJ says that the FBI has made progress in implementing its Sentinel system. The report notes that, "Over the past several years, the FBI has instituted better IT management processes and controls through its Life Cycle Management Directive. Continuity in both the FBI’s CIO position and its project management staff — a huge problem in failed previous efforts — also has stabilized. In addition, all of the FBI’s IT activities have been centralized under the FBI CIO, who now controls all agency IT spending.”

However, the IG goes on to note: "The Department also faces the challenge of assuring that the more than $2 billion it receives annually for the Department’s IT systems is being spent effectively. A June 2007 OIG report examined the Department’s inventory of IT systems and identified 38 major IT systems estimated by system managers to cost over $15 billion through 2012. The OIG’s audit found that the cost information the Department provides on its IT systems to Congress, OMB, and senior management within the Department is unreliable. Specifically, IT system cost reporting within the Department is fragmented, uses inconsistent methodologies, and lacks control procedures necessary to ensure that cost data for IT systems is accurate and complete."


NASA Hack Costs $1.5 million to Fix

Government Computer News reported that recent intrusions into NASA's Earth Observing System’s networks “cost NASA $1.5 million for incident mitigation and cleanup costs alone,” according to NASA's inspector general, Robert Cobb, in a memo issued Nov. 13.

According to Cobb, these costs were above the operational costs NASA sustained by the loss of systems availability. Cobb noted further that, "We have again included IT Security as a most serious management and performance challenge because our work and that of the Agency continues to report that significant weaknesses persist and many IT security challenges remain. Significant management and operational and technical control weaknesses continue to impact the Agency’s IT Security Program and threaten the confidentiality, integrity, and availability of NASA information and its systems. That threat is tangible in that the Agency continues to be a target for criminal computer intrusions."

Why Government Needs Sarbanes-Oxley - and its Penalties

This past week a $31 million property tax refund scam conducted by members of the Washington DC Office of Tax and Revenue was revealed by the FBI. The scam has been running for at least the past seven years, and allegedly involved two tax office employees (so far) and their families. The perpetrators were so unconcerned about getting caught, they sent a phony $346,700 check to a fictitious company named "Bilkemor LLC."

The employees were able to get away with the scam because their activities weren't supervised, nor extensively audited, if at all. A "breakdown of internal controls" was blamed by DC officials - something that Sarbanes-Oxley reviews of computer system controls would have made much more difficult. The District's CFO hasn't resigned, and has indicated that he sees no reason to do so. Basically, he stated that it wasn't his fault, that he has already fired the wayward employees' managers, and that it wasn't a big deal anyway, since it didn't materially affect the District's finances: "It is important to emphasize that this unfortunate incident does not compromise the financial stability and viability of the District."

Public corporations would love to operate under that definition of materiality. If the CFO or CEO were in the same position of utter and absolute ignorance of their company's finances, they would be fired, sued by shareholders, and face possible criminal charges. I guess shareholder money is more important to protect than that of taxpayers.

This week, the Securities and Exchange Commission (SEC) also admitted once again that it still couldn't meet Sarbanes-Oxley requirements either - more than a bit ironic for the agency whose job is to administer it to public companies and punish those who transgress its requirements. No one at the SEC is losing their job because of material weaknesses found there either, it appears.

November 20, 2007

UK Government Mislays Half the Country's Personal Details

Reuters is reporting that the UK government Chancellor of the Exchequer Alistair Darling informed parliament that "two discs containing information on 25 million Britons had disappeared after being sent through HMRC's courier, Dutch mail and parcel company TNT NV, and a police investigation was underway."

"The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families," according to Darling. It was a "serious failure" he said - no kidding?

Hmm, let's see. The UK government desires every citizen's and traveler's DNA and every person's travel-related details, has created a national registry of all children under 18, is developing a national ID card, etc., etc., and yet it can't guarantee basic protection to any of the information it collects.

Nice, very nice.

November 21, 2007

UK Government Security Blunder Continued

Details are now emerging on the lost confidential details of 25 million UK citizens. It appears that HM Revenue and Customs had established a practice of sending unencrypted data to the National Audit Office since March of 2007 to support its independent checks on the child benefit data, and would have likely continued if the CDs containing the information hadn't been lost in the mail last month.

Of course, the UK government is blaming the whole sorry affair on a "junior person" for not following procedures, that it wasn't an indication of a systemic failure (even though the same governmental agency had very similar security violations earlier this year), that an urgent review was being conducted to make sure it wouldn't happen again, that no one should panic (but do keep an eye on your bank account), yadda, yadda, yadda.

Prime Minister Gordon Brown told Parliament that, "I profoundly regret and apologise for the inconvenience caused"; the Chancellor of the Exchequer Alistair Darling said the episode was "catastrophic", "unprecedented" and "unforgiveable"; while the chairman of HM Revenue and Customs Paul Gray resigned, saying it was "a substantial operational failure." I do love British understatement, don't you?

Just to increase the sense of peace of mind of UK citizens, Richard Jeavons, director of IT implementation at the Department of Health, was asked this week by a Commons Home Affairs Committee member about the security of the NHS Care Records Service database: "How confident are you that there won't be problems over [NHS] data and privacy?" He responded that "You cannot stop the wicked doing wicked things with information and patient data..."

As a footnote, the UK government denied requests just last week from the Commons Health Select Committee to make information about NHS data security breaches public, saying that the information would, "add no value to the public understanding." I bet it wouldn't.

LAUSD Payroll Debacle Explained - and Still Not Over

David Brewer, superintendent of the L.A. Unified School District, gave an interview to the LA Times in which he gave his reasons as to why the LAUSD payroll system blew up:

"The failure was this: That first of all there was no contractor oversight. That there was no real person in charge of this thing, at least the person who was in charge of it was not technically smart enough to know how to work the system. There was no separate chief information/technology officer dedicated to this. That was the first thing. We were depending on people who frankly speaking did not know how to interpret the problems that the system had technically."

I wonder why the project risk assessment didn't catch those pretty glaring risks/problems - wait, maybe there was no risk assessment. Does anyone out there in cyberspace know if there was any risk assessment done for this project?

Also, Brewer added in the interview that the payroll system "cannot account for about 500 people inside of the system who do not work to a standard calendar, even though we were told that we could. And now my contractor oversight says if that doesn't happen, they can't get paid." Two weeks ago, Brewer claimed that the payroll system was essentially fixed - I guess it isn't, after all, is it?

November 22, 2007

The Sounds of Shoes Dropping Everywhere

In regard to the massive loss of personal data by the UK government earlier this week, it has emerged that senior UK government officials had been repeatedly warned months ago that sensitive data was at risk of being compromised because of slack security procedures. However, even after being told this, officials insisted that the data protection approach being used was "fit for purpose" - i.e., acceptable. Shoe Number 1.

An almost exact replica of this problem happened in 2005 involving HM Revenue and Customs and UBS customers. At the time, HMRC said, "This is a one off incident in a single office which receives thousands of pieces of post per week. We are urgently reviewing our procedures to make sure this does not happen again." Yeah, right. Shoe Number 2.

Seems that senior officials at HM Revenue and Customs knowingly refused taking even minimum security measures to protect the data being sent to the NAO because it was seen as being too expensive to do so