Subject: Risks Digest 25.09

RISKS-LIST: Risks-Forum Digest  Thursday 27 March 2008  Volume 25 : Issue 09

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

  Contents:
Billion-dollar IT failure at Census Bureau (eekid via David Farber)
A Heart Device Is Found Vulnerable to Hacker Attacks
  (Barnaby Feder via Monty Solomon)
FL power outage NERC updates (Catherine M Horiuchi)
Vandals halt some hybrid buses using external 'off' switch (Rick Damiani)
Flight Service Software Crashes; Pilot Briefings Delayed (Gabe Goldberg)
Substantial supermarket breach affects millions (Robert Heuman)
Man arrested by mistake over phone system bug (Rick Damiani)
Hoax on Craigslist causes duped victims to steal property (Mark Brader)
Payment by fingerprint disappears (Jon Van and Becky Yerak via Paul Saffo)
Cute e-mail leak (Steve Summit)
Search engine bait? (Steve Schafer)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 24 Mar 2008 17:50:06 -0700
From: David Farber
Subject: Billion-dollar IT failure at Census Bureau (eekid via IP)

Why is anyone surprised? I spent many years on NRC (National Research Council) study groups looking at Social Security, IRS, FAA and various DoD software procurements. They were all in serious trouble, usually due to very poor procurement processes, endlessly changing requirements, poor software management, etc. BUT it still goes on and on and on. Try reading some of the NRC reports. They are informative and sad.
DF

From: eekid@aol.com [eekid@aol.com]
Sent: Monday, March 24, 2008 5:03 PM
Subject: Billion-dollar IT failure at Census Bureau

Billion-dollar IT failure at Census Bureau
Posted by Michael Krigsman @ 7:51 pm
http://blogs.zdnet.com/projectfailures/?p=660

US Census Bureau faces cost overruns up to $2 billion on an IT initiative replacing paper-based data collection methods with specialized handheld devices for the upcoming 2010 census. The Bureau has not implemented longstanding Government Accountability Office (GAO) recommendations and may therefore be forced to scrap the program.

Harris Corp., the contractor associated with this incompetently managed initiative, was awarded a $600 million contract to develop the handhelds and related software.

In March 5, 2008 testimony before the Senate, Commerce Secretary Carlos M. Gutierrez said:

  "There is no question that both the Census Bureau and Harris could have done things differently and better over the past couple of years."

On the same date, Census Bureau Director, Steve H. Murdock, added:

  I cannot over-emphasize the seriousness of this problem. My colleagues and I recognize that we must move quickly to address this problem, and implement solutions. While we still have an enormous challenge in front of us, I am confident that we are close to defining and implementing a strategy that will ensure a successful 2010 Census.

The GAO characterized the handheld initiative, known as the Field Data Collection Automation (FDCA) program, as follows:

  Of the $11 billion total estimated cost of the 2010 Census, the Census Bureau planned (as of 2007) to spend about $3 billion on automation and information technology in order to improve census coverage, accuracy, and efficiency. Among other things, the Bureau is planning to automate many of its planned field data collection activities as a way to reduce costs and improve data quality and operational efficiency.
The GAO report, dated March 8, 2008, added:

  In October 2007, GAO concluded that without effective management of key risks, the Field Data Collection Automation (FDCA) program responsible for the devices faced an increased probability that the system would not be delivered on schedule and within budget or perform as expected. The magnitude of these problems is not clear.

  [T]he Bureau has not performed recommended analysis or provided sufficient information to provide a level of confidence in its $11.5 billion life-cycle cost estimate of the decennial census. The Bureau has not itemized the estimated costs of each component operation, conducted sensitivity analysis on cost drivers, or provided an explanation of significant changes in the assumptions on which these costs are based. Together, these weaknesses and actions raise serious questions about the Bureau's preparations for conducting the 2010 Census.

Computer World blogger, Frank Hayes, summarized the situation succinctly, "The fancy custom handhelds might work. But if they don't, the Census Bureau will use paper instead."

THE IT PROJECT FAILURES ANALYSIS

Managing an $11 billion initiative is a daunting task and unforeseen problems are inevitable. Nonetheless, the GAO, going back to January, 2005, repeatedly identified significant procurement, management, and operational risks associated with this project. For reasons unknown, the Census Bureau chose not to follow these recommendations. The following table summarizes significant project issues identified by the GAO:

  Billion dollar IT mismanagement at Census Bureau

How does a failure of this magnitude arise? Clearly, Census Bureau management is ineffective at properly and efficiently executing the organization's basic mandate. A detailed analysis would probably reveal hidden agendas; conflicts of interest; good intentions gone bad; inexperienced, lazy, and incompetent management; lack of controls; and plain old poor judgment.
I believe these deeply ingrained issues are symptomatic of fundamental problems shared by both Bureau leadership and line management.

My recommendation: The GAO must conduct a formal inquiry into two specific areas:

1. It should investigate and analyze the management policies and procedures that allowed this situation to develop and persist over the course of several years. We must understand why program controls didn't prevent this huge waste of dollars.

2. It should perform a detailed (and I mean exhaustive) investigation of Harris Corp.'s role. Let an unbiased panel determine what percentage of the billion-dollar waste Harris caused and force the company to pay direct restitution for that amount.

Until the government holds contractors and their agency sponsors accountable, massive failures will continue and more money will be flushed down the drain.

Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/

------------------------------

Date: Sat, 15 Mar 2008 00:58:46 -0400
From: Monty Solomon
Subject: A Heart Device Is Found Vulnerable to Hacker Attacks

Barnaby J. Feder, *The New York Times*, 12 Mar 2008
http://www.nytimes.com/2008/03/12/business/12heart-web.html?ex=1363060800&en=ccf7bc417ed75bfb&ei=5090

To the long list of objects vulnerable to attack by computer hackers, add the human heart. The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal - if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory.
The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio that Medtronic, the device's maker, had embedded in the implant as a way to let doctors monitor and adjust it without surgery.

The report, to be published at www.secure-medicine.org, makes clear that the hundreds of thousands of people in this country with implanted defibrillators or pacemakers to regulate their damaged hearts - they include Vice President Dick Cheney - have no need yet to fear hackers. The experiment required more than $30,000 worth of lab equipment and a sustained effort by a team of specialists from the University of Washington and the University of Massachusetts to interpret the data gathered from the implant's signals. And the device the researchers tested, a combination defibrillator and pacemaker called the Maximo, was placed within two inches of the test gear. ...

------------------------------

Date: Mon, 03 Mar 2008 01:10:31 -0800
From: Catherine M Horiuchi
Subject: FL power outage NERC updates

Five days before the Florida outage, the North American Electric Reliability Corporation (the electric industry's "self-regulatory" watchdog) issued a press release reporting its CEO's address to the National Transmission Delivery Forum. He stated: "We are operating the grid closer to the edge than ever before." This was in the context of the need to improve the transmission system to support initiatives for more wind power (intermittent load) and micro-generation (distributed load).
http://www.nerc.com/~filez/pressreleases.html

The preliminary cause of the 02/26/2008 disturbance has been categorized as human error: a single mistake by a single worker at a single substation. Florida Power & Light President Olivera said, "We don't know why the employee took it upon himself to disable both sets of relays."
http://www.cnn.com/2008/US/02/29/florida.outage/index.html

This type of systemic problem due to tight coupling and lack of resilience we've seen in other high-reliability, highly-engineered systems (TMI; two shuttle losses; arguably, the 17th Street Canal failure during Hurricane Katrina and even the recent beef recall). Yet it appears difficult for some engineers/managers to publicly acknowledge that humans are guaranteed to make mistakes, and computers are also guaranteed to fail, given enough potential instants in which to fail. Or to advocate systems with less potential for these failures.

In Florida, "Changes to safeguard against future human error already have been implemented."
http://www.floridatoday.com/apps/pbcs.dll/article?AID=/20080301/NEWS01/803010334/1006/news01

So, almost before the NERC investigation is started, the "fix" is already in place. How likely is it that these changes will have their own unintended consequences? (Something as simple as, say, errors due to worker fatigue, if whatever shortcuts workers were taking to complete tasks in allotted time are no longer available.)

Note strong similarities between the Florida disturbance and the 12/08/1998 power outage in San Francisco (RISKS-20.11) affecting 456,000 customers, also a "human error" causality, where two worker events "directly" precipitated the outage:

1) A transmission construction crew working on the #2 115kV bus, Section D at the San Mateo substation, failed to remove protective grounds that had been installed as a safety measure while the crew was working on the bus section.

2) Before energizing the bus section at the conclusion of this construction work, a PG&E transmission substation operator failed to engage the protective relays.

www.cpuc.ca.gov/Published/Graphics/24197.PDF

An inability to perfectly correct operations is illustrated by PG&E's subsequent outages in 2005 and 2007.
Commented PG&E spokesperson Darlene Chiu after the July 2007 outage: "The problem began when breakers in the utility's transmission service opened for an unknown reason. Every time workers attempted to close those breakers to restore service, it caused voltage fluctuations."
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/24/BAG9NR67253.DTL&tsp=1

Workers tried doing what they expected to work, but it didn't. Even after the power was back on, the spokesperson reported the breakers opened "for an unknown reason." That is, it may be impossible to figure out why automated systems are acting in a particular manner within the very small space of time before automated systems take further pre-programmed actions, thereby enlarging a power outage. This impossibility can be characterized as "human error."

Transmission grid operations are increasingly complex and at the same time increasingly interconnected, suggesting systemic failure and "normal" accidents will continue to occur at regular intervals. Plan accordingly.

Cathy Horiuchi, University of San Francisco (formerly of the Sacramento Municipal Utility District)

------------------------------

Date: Sat, 15 Mar 2008 21:45:34 -0700
From: "Rick Damiani"
Subject: Vandals halt some hybrid buses using external 'off' switch

"Muni drivers have reported over the last couple of weeks that people have been shutting down the power on their buses by flipping a switch that can be accessed easily through an unlocked panel on the outside of the bus. When that happens, the drivers can't accelerate, they lose radio contact with dispatchers and the interior lights on the buses go out. The power loss does not affect the brakes."

Details here:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/03/07/BAOKVF1E8.DTL&tsp=1

An external power switch like this is a good thing if the bus is involved in a serious collision.
Rescue workers would naturally be leery of approaching a severely damaged vehicle equipped with batteries big enough to move a bus. Sounds like they made it a bit too easy to get to.

Rick Damiani, Applications Engineer, The Paton Group California: (310)429-7095

------------------------------

Date: Tue, 18 Mar 2008 14:51:39 -0400
From: Gabe Goldberg
Subject: Flight Service Software Crashes; Pilot Briefings Delayed

Lockheed Martin computer programmers are trying to figure out why a planned software upgrade to FS21 caused the system to crash late Tuesday night. /AVweb/ received a tip from a former briefer in Michigan that the system went down at about 0100Z. A spokeswoman for Lockheed Martin told /AVweb/ that when they realized the FS21 upgrade was "unstable," they reverted to the backup system known as AISR (Aeronautical Information System Replacement). "It provides the same type of information as FS21 but it's in disparate sources so it takes a little longer for the briefing. In the morning, queue times were several minutes, but by around 11 a.m. they were in the single digits."

Lockheed Martin posted an alert on its *Web site* indicating that calls to 800-WX-BRIEF may be delayed until the problem is resolved. A notice posted to the Web site on March 9 indicated that the software upgrade was being done to "provide improvements to the service we provide especially in PIREP processing with a more efficient mask for obtaining the data from the pilot, among other items."

The FAA has agreed to provide Congress with a *status report* every 90 days on Lockheed Martin's performance in managing the FSS contract. The next one is expected to be delivered at the end of April.
http://www.avweb.com/avwebflash/news/FAA_to_Congress_FSS_Needs_Work_197253-1.html

Gabriel Goldberg, Computers and Publishing, Inc.
(703) 204-0433  3401 Silver Maple Place, Falls Church, VA 22042  gabe@gabegold.com

------------------------------

Date: Tue, 18 Mar 2008 18:00:15 -0400
From: RsH
Subject: Substantial supermarket breach affects millions

Once more with feeling. A lack of precise information, but again an exposure that need not have happened.

On Tue, 18 Mar 2008 15:18:20 GMT, "Security Wire Daily" wrote:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
SearchSecurity.com: Security Wire Daily
Breaking security news, the latest industry developments and trends
March 18, 2008
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

HANNAFORD BREACH ILLUSTRATES NEED TO HAVE A SURVIVAL PLAN
Bill Brenner, Senior News Writer

A serious data breach at the Hannaford Bros. Co. supermarket chain exposed as many as 4.2 million credit and debit card numbers to identity fraud. In a statement released Monday on the Maine-based Hannaford website, President and CEO Ronald Hodge said the company had contained an intrusion of its computer network that resulted in the theft of customer credit and debit card numbers.
http://go.techtarget.com/r/3288677/1421272

R. S. (Bob) Heuman

------------------------------

Date: Fri, 14 Mar 2008 20:51:20 -0700
From: "Rick Damiani"
Subject: Man arrested by mistake over phone system bug

An interesting take on the risk of believing what 'the computer says' without doing any additional investigation is here:
http://thedailywtf.com/Articles/Youll-Need-to-Come-Downtown.aspx

Short summary: Homicide detectives, looking at the incoming calls to a murder victim (a drug dealer), find many of them are coming from '520-833-0000'. Steve McDowan pays the bill for that number, so naturally the detectives really want to talk to Steve. When they pick him up at work, Steve tells them that the number is his son's number. The detectives tell Steve about the murdered drug dealer on their way to pick up his son. Everybody goes downtown.
Steve's son denies making the calls, and finally gets the police to let him look up his call record at the phone company web site. Not seeing the outgoing calls there, the detectives call the phone company. From the original article:

  "They called customer service, got transferred around several times, waited the requisite forty minutes on hold, and finally a tier-3 tech support technician answered the phone.

  "Yes," the younger officer said into the speakerphone, "I'm investigating a homicide here and need to know, why are some outgoing calls not recorded for 520-833-0000? We have a record of the incoming calls from that number... could someone be hacking into your computers or something?"

  "Ha," the technician snorted, "no. This happens sometimes. If the calling party blocks their caller ID, it'll show up as 520-833-0000 instead of ten zeros. We're working on it!"

  The two detectives glared at each other, flabbergasted. "We're uhh," the older officer stumbled, "we'd like to thank you for coming down, and apologize for any, umm, inconvenience."

  The ride back was much less awkward... at least, for Steve and his son."

It's interesting how over-reliance on computers caused the problem (detectives chasing the wrong person), but using them correctly (Steve's son and the phone company technician) saves the day.

Rick Damiani, Applications Engineer, The Paton Group California: (310)429-7095

------------------------------

Date: Mon, 24 Mar 2008 16:22:49 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Hoax on Craigslist causes duped victims to steal property

[To make a long story short, two bogus ads offered a horse and other belongings of Robert Salisbury, a contractor in Jacksonville, Oregon, to anyone who would take them. Unsuspectingly, he returned home to find many people carting off his stuff.
*Seattle Times*, 24 Mar 2008; PGN-ed]
http://seattletimes.nwsource.com/html/localnews/2004302237_webhoax24m.html

------------------------------

Date: Fri, 21 Mar 2008 08:40:59 -0700
From: Paul Saffo
Subject: Payment by fingerprint disappears

Jon Van and Becky Yerak, Troubled biometrics firm disables scanners at Jewel
*Chicago Tribune*, 21 Mar 2008 [PGN-ed]
www.chicagotribune.com/business/chi-fri-pay-by-touch-mar21,0,1005086.story

Jan Bledsoe was shocked Thursday to learn she can no longer just swipe her finger across a screen at the local Jewel store to buy her groceries because the bankrupt company behind the technology no longer will process such transactions. Solidus Networks Inc., a provider of payment processing, is no longer operating its biometrics unit. The firm's failure prompted some financial analysts to question whether technology that relies on biological information to identify a customer is ready for the market's mainstream.

"Commercial biometrics is inevitable," said Paul Saffo, a Silicon Valley-based trend forecaster. "There are huge risks, but it's just so cheap and convenient, people won't be able to resist it. Whenever Americans face a choice between privacy and convenience, they always choose convenience."

jonvand2@gmail.com  byerak@tribune.com
Copyright 2008, Chicago Tribune

------------------------------

Date: Mon, 24 Mar 2008 00:32:05 -0400
From: Steve Summit
Subject: Cute e-mail leak

Companies unclear on the concept of reciprocity love to use the convenience of e-mail to send you and me messages but then deny us the convenience of replying, often insisting we use some web-based form instead. To drive home the message, the one-way mail will often come from (or have replies directed to) a bogus address in a domain name such as "donotreply.com".

Since 2000, the domain name "donotreply.com" has been owned by a guy named Chet Faliszek. You can just imagine the kind of mail he gets there. Details at .
Choice excerpts:

  "...many of the misdirected e-mails amount to serious security and privacy violations. In February, Faliszek began receiving e-mails sent by [a bank in] New Jersey. Included in the message were PDF documents detailing every computer the bank owned that was not currently patched against the latest security vulnerabilities."

  "With the exception of extreme cases... Faliszek says he long ago stopped trying to alert companies about the e-mails he was receiving. It's just not worth it: Faliszek said he is constantly threatened with lawsuits from companies who for one reason or another have a difficult time grasping why he is in possession of their internal documents and e-mails."

  [Also noted by Jim Reisert, with additional quotes. PGN]

------------------------------

Date: Sat, 08 Mar 2008 22:35:10 -0500
From: Steve Schafer
Subject: Search engine bait?

Go to one of these web sites:

  http://www.inpcars.com
  http://www.healthek.com
  http://www.toolsmet.com

Choose one of the displayed categories at random and click the link. (Some of the categories are empty, so you may need to try more than one.) Read the descriptions of the products.

At first glance, it appears that the descriptions are very poor English translations (of who knows what source language). But a closer look reveals that that's not what's happening, and that they are in fact crafted by taking a genuine English description (from a manufacturer's site, perhaps?) and then applying a randomized thesaurus-based word replacement algorithm. For example, I found a product where it was clear that the original adjective used in the descriptions of a pair of related products was "quiet." It had been replaced in one case by "reserved," and in the other by "taciturn." In one description, the word "bulb" (as in "light bulb"--the product was a lamp) had been replaced by "scaly bud"; in another, the word "mouth" was replaced by "oral fissure."
This is similar to the paraphrasing and euphemisms that you sometimes see in spam email offers for various drugs, etc., but I've never seen a spam email take it to the level of these sites.

So what's going on? If you click one of the "More Info" links, you first have to pass through a captcha barrier, and then you are taken to a page with links to eBay and Amazon.com, and occasionally some other sites. The links are typically only vaguely (if at all) related to the item you've requested "more info" about.

Who is this company that's gaming the eBay Affiliates and Amazon.com Associates programs? That's a difficult question to answer. The pages themselves are completely devoid of any kind of identifying information. A WHOIS search on the domain names reveals that the domain owners are hiding behind an anonymizer service based in the Netherlands.

Why the weird parallel-universe descriptions? It's obviously search engine bait (after all, that's how I found the sites in the first place). But why go to so much trouble? I don't know if there's something special about the replacement words and phrases that makes them rank highly, or it's just a tactic to avoid copyright issues.

------------------------------

Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
    or ftp://ftp.sri.com/VL/risks for previous VoLume
 redirects you to Lindsay Marshall's Newcastle archive
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r .
==> PGN's comprehensive historical Illustrative Risks summary of one liners: for browsing, or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 25.09
************************