Spectrum Online—Tomorrows Technology Today

August 2008 Archives

August 1, 2008

Dismal State of Information Technology in US Government

The US Senate's Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security heard testimony yesterday on what it describes as the "Dismal State of Information Technology Planning in the Federal Government."

And dismal it is.

According to the US Government Accountability Office, "OMB (Office of Management and Budget) and federal agencies have identified approximately 413 IT projects--totaling at least $25.2 billion in expenditures for fiscal year 2008--as being poorly planned, poorly performing, or both. Specifically, through the Management Watch List process, OMB determined that 352 projects (totaling about $23.4 billion) are poorly planned. In addition, agencies reported that 87 of their high risk projects (totaling about $4.8 billion) were poorly performing. Twenty-six projects (totaling about $3 billion) are considered both poorly planned and poorly performing."

In addition, the GAO noted that "48 percent of the federal government's major IT projects have been rebaselined for several reasons, including changes in project goals and changes in funding. Of those rebaselined projects, 51 percent were rebaselined at least twice and about 11 percent were rebaselined 4 times or more."

Rebaselining a project is an old trick to make projects appear in better shape than they really are.

Why the government continues to fund poorly planned and poorly performing projects instead of calling on the IT mercy rule is beyond me.

Government Executive magazine has three stories (here, here and here) covering what transpired at the hearing in more detail, for those of you with a strong stomach.

August 4, 2008

The "Commodification" of Electronic Medical Records

There was a story today in the Washington Post about how health and insurance companies are creating "health credit reports" from databases that contain millions of records of patient prescription drug information.

The "credit report" is used to judge the risks and potential costs of a person applying for health or life insurance.

According to the Post, an insurer can get a risk profile analysis in minutes from a data aggregation and mining company such as Ingenix or Milliman, which can access the previous five years of prescription data for an applicant applying for insurance (assuming the applicant has been taking prescriptions over that time frame).

A "health credit score" is given for the applicant - the higher the score, the higher the risk of future medical bills.

The scoring analysis also can be used to verify an applicant's medical history - according to the Post, 10% of the time the analysis shows that something has been left out.

Insurance rates (or even the ability to get coverage) are in part set by your score.

As Tim Sparapani, senior legislative counsel at the American Civil Liberties Union, said in the Post story, this is just the start of the "commodification" of electronic medical records by third parties.

August 5, 2008

Circuit City Can't Take a Joke

This is a bit off point, but it appears that some Circuit City stores removed the August issue of Mad Magazine that had a parody of it.

I was surprised when I read the story in the Chicago Tribune about it since, although I was a young, avid reader of Mad (I still have my copies from 1967 when it sold for 35 cents - cheap), I had vaguely thought it had ceased publication some time ago.

Even more surprising is that Circuit City sold Mad at its store (the story indicates that Mad editors were surprised by that too!).

And to top it off, I haven't heard of a magazine being removed from a store for an unflattering story in a long time, since the on-line revolution has hit publishing. With blogs and the like, I would have thought stores would have given up on that tactic. And to pick on Mad? That only served to increase their sales, which I am sure they just loved.

Anyway, the long and the short of it is that Circuit City reversed course and apologized.

According to the story, Circuit City spokesman Jim Babb said in an email, "We apologize for the knee-jerk reaction, and have issued a retraction order; the affected stores are being directed to put the magazines back on sale. The parody of our newspaper ad in the August MAD was very clever. Most of us at Circuit City share a rich sense of humor and irony ... but there are occasional temporary lapses."

Babb also said he sent a note to Mad's editors offering a $20 gift card toward the purchase of a Wii.

I wonder if I make fun of Circuit City, will they send me a gift card too?

Snooping into EHRs Continues At UCLA Medical Center

The LA Times is reporting this morning that even after staff were warned that the hospital would be cracking down on unauthorized access to patient (especially celebrity) electronic health records (EHRs), two nurses and an emergency room technician did so anyway at UCLA Medical Center.

The California Department of Public Health also reported that twice as many employees (127) as it had previously admitted were involved in improper access of EHRs at UCLA Medical Center between January 2004 and June 2006.

Guess peeking into celebrity records is just too hard to resist for some folks.

August 6, 2008

40 Million Credit and Debit Card Numbers Stolen

The US Department of Justice (DOJ) announced yesterday the arrest of 11 people allegedly involved in the hacking of nine major U.S. retailers and the theft and sale of more than 40 million credit and debit card numbers.

According to the DOJ, "three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from the People's Republic of China and one is from Belarus."

"The 11 obtained the credit and debit card numbers by "wardriving" and hacking into the wireless computer networks of major retailers — including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Once inside the networks, they installed "sniffer" programs that would capture card numbers, as well as password and account information, as they moved through the retailers’ credit and debit processing networks."

More information on the TJX hack can be found here and here.

The DOJ statement goes on to say, "The indictment alleges that after they collected the data, the conspirators concealed the data in encrypted computer servers that they controlled in Eastern Europe and the United States. They allegedly sold some of the credit and debit card numbers, via the Internet, to other criminals in the United States and Eastern Europe. The stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs."

In addition, three of those arrested were "engaged in a sophisticated scheme to hack into computer networks run by the Dave & Buster’s restaurant chain, and stole credit and debit card numbers from at least 11 locations. Specifically, the indictment alleges that the defendants gained unauthorized access to the cash register terminals and installed at each restaurant a "packet sniffer," a computer code designed to capture communications on a computer network. The packet sniffer was configured to capture credit and debit card numbers as this information was processed by the restaurants. At one restaurant location, the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards."

Pentagon Unveils New Unmanned Spokesdrone

The Pentagon unveiled a new unmanned spokesperson, called the Spokesdrone, recently. Check it out ;)

Pentagon's Unmanned Spokesdrone Completes First Press Conference Mission

(PS - in case you haven't figured it out, this is a satirical spoof created by the website The Onion.)

August 7, 2008

Dunkin' Donuts Scammed for over $100Gs

The Boston Globe ran a story today on how a Boston area Dunkin' Donuts was scammed for over $100,000 by a small group using stolen credit card numbers they purchased over the Internet for 20 cents a pop.

Seems that the group would buy a $5 Dunkin' Donuts gift card and, using the stolen credit card information, max out the gift card to its $200 limit. The group would then go into a local Dunkin' Donuts shop, claim to be event organizers, and proceed to purchase soda and coffee products by the pallet load using the gift cards. They would then turn around and sell the merchandise to local independent stores (who I guess didn't ask too many questions, like, why does this coffee taste just like that sold at Dunkin' Donuts?).

The scheme came apart when Dunkin' Donuts executives grew suspicious of the high number of gift card purchases being made at a Brighton Dunkin' Donuts shop.

I don't think the next set of scammers will be so dumb.
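The detection that ended the scheme, as the post tells it, was a human noticing an unusual volume of gift card loads at one shop. The block below is an added example written for this post, not Dunkin' Donuts' or any payment processor's code: it turns that observation into a simple per-store velocity check over constructed load records. The store ids, card tokens, amounts and thresholds are all constructed; only the $200 per-card limit comes from the story.

```python
"""Velocity check for prepaid gift-card loads, as a fraud-detection illustration.

Added example written for this post; it is not Dunkin' Donuts' or any payment
processor's code. The load records, store ids, card tokens and thresholds are
constructed; only the $200 per-card limit comes from the Globe story.
"""
from collections import defaultdict

CARD_LIMIT = 200.0  # per-gift-card ceiling mentioned in the story

# Constructed load records: day, store, gift card, funding card token, balance after load.
# S-BRIGHTON sees a burst of loads to the limit, each funded by a different card;
# S-OTHER shows ordinary activity.
LOADS = [
    ("2008-08-01", "S-BRIGHTON", "GC-01", "FC-a1", 200.0),
    ("2008-08-01", "S-BRIGHTON", "GC-02", "FC-b2", 200.0),
    ("2008-08-01", "S-BRIGHTON", "GC-03", "FC-c3", 200.0),
    ("2008-08-01", "S-BRIGHTON", "GC-04", "FC-d4", 200.0),
    ("2008-08-01", "S-BRIGHTON", "GC-05", "FC-e5", 200.0),
    ("2008-08-01", "S-BRIGHTON", "GC-06", "FC-f6", 200.0),
    ("2008-08-01", "S-OTHER", "GC-07", "FC-g7", 25.0),
    ("2008-08-01", "S-OTHER", "GC-08", "FC-g7", 50.0),
]


def summarize_loads(loads):
    """Per (day, store): how many loads, how many reached the card limit, and
    how many distinct funding cards were used."""
    summary = defaultdict(lambda: {"loads": 0, "at_limit": 0, "funding_cards": set()})
    for day, store, _gift_card, funding_card, balance_after in loads:
        entry = summary[(day, store)]
        entry["loads"] += 1
        if balance_after >= CARD_LIMIT:
            entry["at_limit"] += 1
        entry["funding_cards"].add(funding_card)
    return dict(summary)


def flag_stores(loads, max_loads_per_day=5, min_limit_share=0.8, min_distinct_share=0.8):
    """Return the (day, store) keys whose pattern exceeds the constructed thresholds:
    more than `max_loads_per_day` loads, most of them to the limit, most from
    different funding cards. The thresholds are illustrative, not tuned values."""
    flagged = []
    for key, entry in sorted(summarize_loads(loads).items()):
        n = entry["loads"]
        if n <= max_loads_per_day:
            continue
        limit_share = entry["at_limit"] / n
        distinct_share = len(entry["funding_cards"]) / n
        if limit_share >= min_limit_share and distinct_share >= min_distinct_share:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key in flag_stores(LOADS):
        print("review gift-card loads at", key)
```

The three signals are deliberately combined: a busy shop can legitimately sell many cards in a day, but many cards loaded to the limit, each paid for with a different funding card, is the pattern the story describes and is cheap to compute nightly from existing load records.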

August 10, 2008

Not Nice to Expose Hacks, MIT Students Told

The Massachusetts Bay Transportation Authority (MBTA) has been granted a 10-day injunction against three MIT students who said they planned to reveal potential security flaws in the CharlieCard and Charlie-Ticket systems at a DEFCON security conference in Las Vegas this weekend, according to the Boston Globe.

The Globe story says that MBTA alleged that the MIT students "claimed to have circumvented the security protocols of the electronic ticketing system. The suit alleges the students publicly offered 'free subway rides for life' to people over the Internet, and planned to show others how to duplicate their methods" during their conference presentation.

The story quoted Eric Johanson, a computer security expert, who said that "prohibition of open discussion of security vulnerabilities greatly harms the ability of researchers to function and has a chilling effect not only on publication, but on whether some important research is done in the first place, greatly stifling scientific advancement."

This is the second time in recent weeks that researchers have been sued over potentially disclosing system hacks. According to reports, the company NXP Semiconductors tried to get an injunction against researchers at the Dutch University of Nijmegen to keep them from revealing flaws in the "Mifare Classic, an RFID chip developed by NXP that is used in many countries' transport systems, including London's Oyster travel card."

The judge declined to grant the injunction, saying that freedom of speech outweighed NXP's commercial interests.

According to the story, the judge released a press release saying, "This requires a balancing of interests... It should be considered that the publication of scientific studies carries a lot of weight in a democratic society, as does informing society about serious issues in the chip, because it allows for mitigating of the risks."

NXP disagreed, and countered that it was only trying to protect its customers.

August 11, 2008

How Do You Create an £8 million IT Project? Start With an £819,000 Project

Swansea Council in Wales was supposed to get a new payroll system in 2006 for £819,000. Problems kept cropping up, however, until the Council decided in June to cancel the project. According to news reports, the potential bill from the contractor for all the work done now amounts to more than £8 million.

The contractor, Cap Gemini, disputes this amount, saying no final bill has been submitted.

However, the Swansea Council's executive director was quoted as saying that the £8 million figure was made up of "invoices that have been submitted by Cap Gemini to be paid, contractual claims and a series of sums of money which they believe the council would be due to pay."

At last report, Cap Gemini and Swansea Council are in negotiations to determine a mutually acceptable termination fee - likely to be less than £8 million, but I bet it is going to be pretty hefty nevertheless.

August 12, 2008

COBOL Confounds California

There is an interesting brouhaha brewing in California. California is facing a massive $15.2 billion budget deficit, and needs to raise taxes, cut services or both to close the gap. These alternatives, of course, have caused massive political infighting over what to do (i.e., whose ox is going to be gored), resulting in the lack of an agreed state budget for the fiscal year that started 1 July.

To help force the issue, Republican California Gov. Arnold Schwarzenegger signed an executive order to pay about 180,000 California state workers only the federal minimum wage until a state budget is enacted. Once the budget was enacted, the employees would then be paid their back pay.

No can do, says Democratic California State Controller John Chiang.

Why?

According to the Sacramento Bee, Chiang says "it would take at least six months to reconfigure the state's payroll system to issue blanket checks at the federal minimum wage of $6.55 per hour."

Then Chiang stated that "it would take an additional nine to 10 months to issue back pay to employees when the budget is approved."

You see, the payroll system is an old COBOL-based system that is hard to change. And, according to the Bee, $177 million is needed to upgrade the payroll system into something more modern - an amount California legislators don't want to spend.

As a result, today's LA Times has a story in it about Gov. Schwarzenegger suing Controller Chiang to force compliance with his executive order.

Both sides expect to win in court.

Only in California.

Spying on You Without Consent

The Washington Post has a story today about a number of Internet and broadband companies, such as Knology and Cable One, that admit to using targeted-advertising technology without explicitly informing their customers.

This information was disclosed yesterday by the US House Energy and Commerce Committee. The Committee has been looking into issues of consumer privacy on the Internet, and whether new on-line privacy laws are required.

The House Committee queried 33 companies about their targeted-advertising practices, and 25 responded.

The Post story highlighted an apparent discrepancy between the responses the House Committee received from the companies and what those companies were advertising to potential ad customers.

For instance, Comcast said in its letter that "Comcast has not used, nor authorized others to use, its facilities as an Internet provider to tailor or facilitate the tailoring of Internet advertising to its Comcast High-Speed Internet customers."

Yet, the Post points out that, "On Comcast's site promoting 'interactive advertising,' for instance, the company promotes its ability to receive users' monthly data: 'over 3 billion page views, 15 million unique users . . . and over 60 million video streams.' "

Comcast declined to comment to the Post about the apparent differences.

I wonder why?

August 13, 2008

Another Fare Card Rip-off

The New York Times has a story today on a software glitch that "allowed vending machines on the Long Island Rail Road and Metro-North Railroad to dispense free tickets on some debit card transactions." Hundreds of riders apparently benefited, most without realizing it, the story says.

The Times story also reports that three people were arrested on charges that they knowingly exploited the problem to buy and sell up to $800,000 worth of tickets.

The software problem was discovered in May, but it probably extends back to 2001, when the vending machines were installed.

The reason why the problem was discovered?

According to the Times, technicians were testing out a planned software upgrade to the vending machines. "A credit card processing company had provided some credit and debit cards for the test, and technicians discovered that it was possible to buy tickets using one of the debit cards even if there was not enough money in the account to cover the cost of the transaction."

That led to a further investigation and the discovery of the fraud.

Also, the Times said the problem went undetected so long because there was apparently "a flaw" in the system the railroad used to make weekly checks of its vending machine sales. Now vending machine sales are checked daily.

What appears to have happened is that the alleged fraudsters managed to stay under the radar for suspicious transaction amounts, unlike those I have reported on earlier (here and here).
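Two things went wrong in the railroad's story: a machine dispensed a ticket on a debit transaction that was never funded, and the periodic check of machine sales did not catch the gap. The block below is an added example written for this post, not the railroad's or any vendor's code. The Times does not say how the glitch actually worked, so the "lenient" authorization check is a hypothetical illustration of the failure mode, placed beside a fail-closed version, and the daily reconciliation runs over constructed dispense and settlement records (the log formats, machine ids and amounts are all made up here).

```python
"""Reconciling ticket vending machine (TVM) dispense logs against card settlements.

Added example written for this post; it is not the railroad's or any vendor's
code. The Times story does not say how the glitch worked, so the 'lenient'
authorization check below is a hypothetical illustration of the failure mode,
not the actual bug. Log formats, machine ids and amounts are constructed.
"""
from collections import defaultdict

# Constructed dispense log: day, machine, transaction id, payment method, amount.
DISPENSE_LOG = """\
2008-05-01,TVM-07,TXN-1001,debit,9.50
2008-05-01,TVM-07,TXN-1002,debit,9.50
2008-05-01,TVM-07,TXN-1003,credit,24.00
2008-05-01,TVM-12,TXN-2001,debit,9.50
"""

# Constructed settlement file from the card processor: only transactions that
# were actually funded appear here. TXN-1002 never settled.
SETTLEMENT_FILE = """\
2008-05-01,TXN-1001,9.50
2008-05-01,TXN-1003,24.00
2008-05-01,TXN-2001,9.50
"""


def parse_records(text, fields):
    """Parse simple comma-separated lines into dicts keyed by `fields`."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def should_dispense_lenient(response):
    """Hypothetical flawed check: any response that is not an outright error is
    treated as paid, so a decline for insufficient funds still yields a ticket."""
    return response.get("status") != "ERROR"


def should_dispense_strict(response):
    """Fail-closed check: dispense only on an explicit approval carrying an
    authorization code from the processor."""
    return response.get("status") == "APPROVED" and bool(response.get("auth_code"))


def reconcile(dispense_text, settlement_text):
    """Per (day, machine): value of tickets dispensed, value actually settled,
    and the ids of dispensed transactions with no matching settlement."""
    dispensed = parse_records(dispense_text, ["day", "machine", "txn", "method", "amount"])
    settled = parse_records(settlement_text, ["day", "txn", "amount"])
    settled_amounts = {r["txn"]: float(r["amount"]) for r in settled}
    report = defaultdict(lambda: {"dispensed": 0.0, "settled": 0.0, "unsettled": []})
    for r in dispensed:
        amount = float(r["amount"])
        entry = report[(r["day"], r["machine"])]
        entry["dispensed"] = round(entry["dispensed"] + amount, 2)
        # Match on transaction id and amount; anything else is an exception.
        if abs(settled_amounts.get(r["txn"], -1.0) - amount) < 0.005:
            entry["settled"] = round(entry["settled"] + amount, 2)
        else:
            entry["unsettled"].append(r["txn"])
    return dict(report)


def exceptions(report):
    """Only the (day, machine) entries where something was dispensed but never paid for."""
    return {key: entry for key, entry in report.items() if entry["unsettled"]}


if __name__ == "__main__":
    declined = {"status": "DECLINED", "reason": "insufficient funds"}
    print("lenient check dispenses on decline:", should_dispense_lenient(declined))
    print("strict check dispenses on decline :", should_dispense_strict(declined))
    for key, entry in exceptions(reconcile(DISPENSE_LOG, SETTLEMENT_FILE)).items():
        print(key, entry)
```

Matching dispensed tickets to settlements transaction by transaction, rather than comparing weekly totals, is what makes a single unfunded $9.50 ticket visible; a fraudster keeping individual amounts small does not help once every unsettled id is listed.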

August 14, 2008

Cyber Warfare In Georgian Conflict? Maybe

There has been a lot of press about a "cyber war" being waged between Georgia and Russia in conjunction with the real warfare that has been taking place over the past week between the two countries. Both Georgian and Russian governments are accusing each other of trying to shut down their country's websites and other IT infrastructure systems.

While it is clear that hacking of each country's IT systems has been going on, it is unclear whether it is government-inspired or the work of nationalistic hackers. It is going to take some time before the electrons clear and the question is resolved, if it can be.

More interesting, there is a story in the Wall Street Journal today that explored once again the question of whether a massive cyberattack on a country constitutes an act of war. No one seems really sure.

As noted in the story, "The Pentagon doesn't have a policy on whether a cyberattack can be an act of war, said Pentagon spokesman Lt. Col. Eric Butterbaugh, adding, 'it's ultimately the perception of the country under attack as to whether an act of war was committed.' The Pentagon has, however, assigned its [USAF] Strategic Command to head up cyberprotection and cybercounter-attack operations."

As for that second statement, Government Executive reported yesterday that the USAF has temporarily halted its plans to be cyber command central. According to the Air Force, this action was planned all along, although it took many people by surprise, since 1 October was the planned start date of Cyber Command operations.

"The Secretary and Chief of Staff of the Air Force have considered delaying currently planned actions on Air Force Cyber Command to allow ample time for a comprehensive assessment of all AFCYBER requirements and to synchronize the AFCYBER mission with other key Air Force initiatives," an Air Force spokesperson said.

The Government Executive story says more likely the other military services (especially the Navy) felt left out, and wanted to slow the Air Force down before it could solidify its position as lead service in the cyber warfare mission.

Netflix is NixFlix

Reuters is reporting that Netflix has suffered its second major outage of the year. According to the story, an undefined technical problem (different from the one that caused the outage in March) has kept the company from sending out any DVDs on Tuesday, only some on Wednesday, and none so far today.

Netflix spokesman Steve Swasey said, "This time, the site's been up but our shipping system is down. It's worse than it was in March. We're really backlogged."

Update Friday morning: Apparently Netflix is starting to ship out DVDs again, although there also appears to be a large backlog. Netflix is also refusing to say exactly what went wrong, saying that "We're not real big on pointing fingers or attaching blame or airing this out in public."

August 15, 2008

Heathrow Baggage Problems Again - This Time at Terminal 3

Yesterday afternoon around 1630, a computer problem at London Heathrow's Terminal 3 caused problems with the check-in and baggage systems, affecting over 6,000 travelers, the BBC reported. The problem caused all the flight information displays to go dark.

According to one report, "Officials closed all check-in desks while they tried to locate the source of the fault and people were told to queue up outside."

The BBC is reporting this morning that things are apparently back to normal, but that some 2,000 bags (others report 3,000) did not travel with their owners.

It will be a most interesting day indeed when two terminal computer systems go out simultaneously at Heathrow.

August 18, 2008

The Future Price of Driving?

There was an article in the London Telegraph over the weekend about supposedly secret trials being planned in Britain for 2010 to test out a national road-pricing scheme. According to the story, if the scheme is eventually approved, drivers in Britain could pay up to £1.30 a mile to travel on the busiest highways.

How would the government collect the money?

As explained in the story, one way would be for each car to be required to have a satellite tracking system installed. The car's owner would then be billed each week depending on when and where the car traveled.

The Telegraph says that the government is currently figuring out the feasibility of both the technology as well as the collection infrastructure (especially, I assume, how to uncover cheating).

With the AA reporting that today's UK national average price of petrol is 112.9 p/litre and 124.9 p/litre for diesel, I am sure British motorists are thrilled to death about both the possibility of paying even more for the luxury of driving and increasing the government's surveillance of them even more.

If this scheme came into existence, I wonder how long it would be before the British police would want details of every driver's movements.

Or at the very least, parents of teenage drivers?


Update: For those of you living in or traveling to Britain, you may want to check out Frixo, which is a road / motorway traffic reporting site. It gives users up to date information as the site gets updated every 3 minutes via feeds from various sources including the British government's official Highways Agency site.

August 19, 2008

Student Records Exposed on Web

The New York Times this morning reports that the test-preparatory company The Princeton Review accidentally published students' personal data and standardized test scores on its website. Information on at least 34,000 Florida students and 74,000 Virginia students was supposedly readily available to anyone accessing the company's website.

The information, which had been up for at least seven weeks, was found by a firm doing competitive research on The Princeton Review. It told the New York Times, which then contacted The Princeton Review, which immediately cut off access.

It appears that a site configuration flaw allowed "access to hundreds of files on the company’s computer network, including educational materials and internal communications," according to the Times.

The Times said, "In addition to the information on students, the site contained the Princeton Review’s educational materials for the LSAT, PSAT and SAT exams, course schedules, an internal analysis of the effectiveness of the company’s instructors, and the entire texts of some Princeton Review books, like the 2008 edition of 'Cracking the LSAT.' "

I wonder how much information was downloaded by the firm doing competitive analysis before it informed the Times about the security hole. I also wonder if any students found the hole, and also helped themselves to old exams and study guides.

Computerized Physician Order Entry Software Design Flaw in New Zealand

There is a story in New Zealand's Nelson Mail about physicians "accidentally ordering life-threatening doses of drugs using the computer-generated prescriptions."

According to the story, if a doctor using the computerized physician order entry (CPOE) system "didn't fill out a dose or indicate how often the medicine should be taken, a default amount - such as '5ml' or 'twice daily' - appeared on the prescription."

From the Mail story, it appears that pharmacists encounter similar problems a few times a day, but most are caught. However, one pharmacist says that he knows of at least one case where a patient died as a result of receiving an improper dosage.

Also, the story notes that the legal onus is on pharmacists to detect any doctors' omissions - with or without the use of computers.

Unfortunately, the Mail story did not say which computerized order entry systems were causing the problems.
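The design flaw the story describes is a system that fills a blank field with a plausible default instead of refusing to issue an incomplete order. The block below is an added example written for this post, not code from any real CPOE product or from the Nelson Mail story: it shows the defaulting behaviour beside a fail-closed builder that rejects an order and reports every missing or out-of-range field. The formulary, drug names, units and dose limits are constructed for illustration.

```python
"""Fail-closed validation of a computerized physician order entry (CPOE) record.

Added example written for this post; it is not code from the Nelson Mail story
or from any real CPOE product. The formulary, drug names, units and dose
limits below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed formulary: unit and an upper bound for one dose of each drug.
FORMULARY = {
    "drugA": {"unit": "ml", "max_single_dose": 10.0},
    "drugB": {"unit": "mg", "max_single_dose": 500.0},
}
ALLOWED_FREQUENCIES = {"once daily", "twice daily", "three times daily", "four times daily"}


@dataclass(frozen=True)
class Prescription:
    drug: str
    dose: float
    unit: str
    frequency: str


class IncompleteOrder(ValueError):
    """Raised when a required field is missing or out of range; no script is issued."""


def build_prescription_defaulting(drug: str, dose: Optional[float] = None,
                                  frequency: Optional[str] = None) -> Prescription:
    """The behaviour the story describes: blanks are silently filled with
    defaults ('5ml', 'twice daily'), so the printed prescription looks complete
    even though the prescriber never chose an amount."""
    if dose is None:
        dose = 5.0
    if frequency is None:
        frequency = "twice daily"
    return Prescription(drug, dose, "ml", frequency)


def build_prescription_checked(drug: str, dose: Optional[float] = None,
                               frequency: Optional[str] = None) -> Prescription:
    """Hardened version: every required field must be given explicitly and must
    fall within the formulary limits; otherwise the order is rejected with a
    message listing every problem for the prescriber to resolve."""
    problems = []
    entry = FORMULARY.get(drug)
    if entry is None:
        problems.append(f"unknown drug {drug!r}")
    if dose is None:
        problems.append("dose not specified")
    elif isinstance(dose, bool) or not isinstance(dose, (int, float)) or dose <= 0:
        problems.append(f"dose must be a positive number, got {dose!r}")
    elif entry is not None and dose > entry["max_single_dose"]:
        problems.append(f"dose {dose}{entry['unit']} exceeds the maximum single dose "
                        f"of {entry['max_single_dose']}{entry['unit']}")
    if frequency is None:
        problems.append("frequency not specified")
    elif frequency not in ALLOWED_FREQUENCIES:
        problems.append(f"unrecognised frequency {frequency!r}")
    if problems:
        raise IncompleteOrder("; ".join(problems))
    return Prescription(drug, float(dose), entry["unit"], frequency)


def validate_orders(orders):
    """Run a batch of orders through the checked builder; return the issued
    prescriptions and, separately, the rejected orders with their reasons."""
    issued, rejected = [], []
    for order in orders:
        try:
            issued.append(build_prescription_checked(**order))
        except IncompleteOrder as exc:
            rejected.append((order, str(exc)))
    return issued, rejected


# Constructed sample orders: one complete, one with both fields left blank,
# one with a dose far above the formulary limit.
SAMPLE_ORDERS = [
    {"drug": "drugA", "dose": 5.0, "frequency": "twice daily"},
    {"drug": "drugA"},
    {"drug": "drugB", "dose": 5000.0, "frequency": "once daily"},
]

if __name__ == "__main__":
    print("defaulting builder issues:", build_prescription_defaulting("drugA"))
    issued, rejected = validate_orders(SAMPLE_ORDERS)
    for rx in issued:
        print("issued  :", rx)
    for order, why in rejected:
        print("rejected:", order, "->", why)
```

The point of the checked builder is where the decision lands: an order with a blank dose never reaches the printer or the pharmacist, and the prescriber sees every problem at once rather than a plausible-looking script that silently carries someone else's number.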

There was a paper a few years ago in the Journal of the American Medical Association on errors related to CPOE systems, but I don't recall such blatant design flaws being mentioned in it.

The last paragraph of the story was also tantalizing.

"Nelson Bays Primary Health Organisation general practice programme coordinator Margaret Gibbs said she was unaware of the problem. She was working with pharmacists, GPs and the local health board on other problems with computer systems."

I wonder what these "other problems" are?

August 21, 2008

MIT Students Free To Publish Security Paper

U.S. District Judge George O'Toole Jr. in Boston lifted the temporary injunction granted to the Massachusetts Bay Transportation Authority (MBTA) against three MIT students who had said they planned to reveal potential security flaws in the CharlieCard and Charlie-Ticket systems at the DEFCON security conference in Las Vegas.

According to a CNET story, "Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: that the students' presentation was likely a violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses."

The story then notes that, "On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."

No First Amendment issues were cited by the judge, as many thought there would be.

New Voting Machine Sleeping Arrangements In Ohio

Ohio Secretary of State Jennifer Brunner announced earlier this week that poll workers won't be able to bring voting machines home for "safekeeping" before November's presidential election, according to news reports.

The practice - which has been standard operating procedure in 24 of Ohio's 88 counties for years - is quaintly called "sleepovers."

In acknowledgment of the blindingly obvious, Brunner said the practice would no longer be allowed because of a fear of voting machine tampering.

I, for one, never heard of such a thing before. Does anyone know of other states that allow such voting machine sleepovers?

FEMA Phones Hacked

According to reports, a Federal Emergency Management Agency (FEMA) telephone system at its National Emergency Training Center in Emmitsburg, Maryland was hacked into over the weekend and 400 calls worth some $12,000 were made to the Middle East and Asia.

The hacker apparently found a hole in a new voice mail system - a hole that the Department of Homeland Security warned about in 2003. FEMA is now part of DHS.

FEMA is investigating why the security hole was left open, but it is currently blaming the contractor who installed the system.

Thumb Drive Security Peril at US Justice Department

My friend Allan Holmes at Government Executive Magazine posted an interesting blog entry today.

Allan writes that according to a July 9th group e-mail sent by the security department at the Executive Office for U.S. Attorneys in Washington, two "stray" thumb drives were found on the ninth floor of the Bicentennial Building on E Street in downtown Washington DC, where the U.S. Attorneys Executive Office operates. The drives, one found in the men's restroom and another on a facsimile machine, would, once attached to a computer, secretly steal "certain system information" off the computer and transmit it out of the Justice Department. The e-mail read:

"Please be advised that two USB thumb drives were discovered on the 9th Floor of the Bicentennial Building. One was discovered in the Men's restroom yesterday afternoon. Another was found this morning on a facsimile machine. The drives contain malicious code that automatically and silently executes when the drive is plugged into a system. The code captures certain system information and transmits it out of DOJ."

As Allan and others point out, what a tempting way to break through security - brilliant in the simplicity of its seduction.

How tempted would you be if you saw an 8GB drive apparently lost by someone to find out what was on it?

Makes you wonder how easy it would be for someone to just seed a bunch of infected thumb drives around company or government office buildings, or say at restaurants or bars where employees gather. Just think of the damage you could do around a university - do you believe students would think twice? How about department stores as well? Conferences and trade shows hand out thumb drives all the time - think of the damage that could be done there.

Allan told me that another way would be to just drop off some nondescript drive on someone's desk - they would probably just assume it was theirs.

August 22, 2008

Yet Another Major UK Government Data Loss

A contractor, PA Consulting, working for the UK's Home Office lost a memory stick that contained the unencrypted confidential records of 130,000 UK criminals.

According to the London Telegraph, "A full investigation is now underway to find the memory stick – containing information on all 84,000 prisoners in England and Wales, including some release dates, plus details of 43,000 most serious and persistent offenders ..."

There is a distinct possibility, according to reports, that if the information is not found, the UK government could "face a multi-million pound compensation bill from criminals whose safety may have been compromised and police informants who could be at risk of reprisals."

After a spate of high profile data losses over the past 18 months, the UK government ordered a tightening of security rules and practices. It doesn't appear to have done much good, though.

No doubt the UK government will once again call for increased IT security vigilance and awareness.

Any bets on how long before the next major loss of UK government data occurs?

This story is the other side of yesterday's, which was about rogue data sticks containing malicious code.

Update:

The UK Home Office has over the weekend decided to suspend the contract with PA Consulting. No word on how long the suspension will last, or whether the contract will be terminated.

August 25, 2008

Jail Scam Victims?

Last Friday, there was a story in the Sydney Morning Herald that quoted the Nigerian High Commissioner Sunday Olu Agbi as saying that people who were ripped off by alleged Nigerian scam artists were just as guilty as the scammers and should be jailed.

According to the story, the High Commissioner said "victims" of the scammers were greedy.

"People who send their money are as guilty as those who are asking them to send the money," Agbi is quoted as saying.

Of course, if we started jailing people for their own stupidity, there soon wouldn't be enough people left to pay for all the jails required.

August 26, 2008

Computer Bought On eBay Contains 1M Bank Customer Records

The British press is reporting this morning that a computer purchased for £35 on eBay contained the personal records of some 1 million customers of