Finally, something that warrants blogging about!  You’ve heard about the WannaCry ransomware attack.  To refresh your memory, it was international, attacked hospitals, governments, business both large and small, and, of course, individuals.  The attack exploited a known vulnerability in Windows XP!!!

The ransomware consisted of a sophisticated worm that travels from computer to computer and is based on code-breaking programs stolen from the NSA, and a far-less spohisticated effort to extort funds if payment in bitcoins was not provided by a certain date in order to remove unwanted encryption from your computer unless you paid in Bitcoins.  Since there were two parts to the ransomware attack, there are two issues that must be addressed by you, and by any organization that was either attacked or vulnerable.

The effort to extort funds is the easiest to defend against and so I’ll discuss it first.  It’s simple – back up your data, either remotely on a cloud server or locally.  This removes the potential loss of all your precious data.  I use Apple Airport Extreme and the Apple Time Machine utility for local backups, but there are many alternatives for Apple Macintoshes, Windows PCs, and Linux computers.  At worst, your system is down for an hour or so while you reinstall software and download your own saved data.  That time lag is a disaster for a hospital, but they shouldn’t be running any form of Windows XP and should be under careful cyber management.

Why don’t people or organizations update their old computer’s operating system software automatically?  Here are a few reasons:

  1. Laziness
  2. Cost
  3. Loss of productive working time
  4. Upgraded operating systems may not work well, or even not at all, with specialized software.

The worm is the scarier of the two.  It was stopped by a single cyber security expert who noticed that the worm checked on a specific URL.  If the worm got a response from that URL when it “pinged” with an “are you there” message, the worm’s software acted as if it could go on to infect other computers, because the worm was free to act and not confined to a “sandbox.”  The specific URL was not registered with one of the major reputable registration services; instead it was a set of four integers in the range 0 to 255 that was a valid Internet address not associated with a legitimate site.  By simply registering that dark web site, a small amount of programming allowed the worm to be confined to its current set of infected computers and not spread.

This type of worm is likely to recur.  Let’s hope that cyber security experts can stop it next time.  It is highly unlikely that ransomware was the main goal of this attack.  It is far more likely that the goal was to infect millions of computers, waiting for the next time.  Infected computers, or zombies, are often used as hosts for future distributed denial-of-service attacks.

Here are your action items:

  • Update your operating system.
  • If no updates are generally available, replace the OS, even if you have to buy a more powerful computer.
  • Back up your data at least daily.
  • Have your organization have better, much better, security practices.
  • Watch what you download, watch what you click on.
  • Don’t assume that computers running Microsoft Windows are the only ones vulnerable.  All operating  have known vulnerabilities.

More on what to watch out for systems that are too complex

The results are in and the Delta Airlines problems are winding down. Finally. The problem took much longer to fix than anyone would have expected, since there was only a single power outage blamed for a system-wide problem.
The lesson is that software problems can cascade and the systems are too hard to fix.
What does this suggest to you if you are a victim of this type of problem and don’t want to compromise your identity further?
Don’t put more of your data at risk. In particular, only use the single credit card and email address you used originally for your flight. Who knows what new problems have occurred in the Delta software? I don’t, and neither do most customer service personnel at Delta.

The Baltimore Ravens’s email system for its season ticket holders malfunctioned a few days ago, with 38 copies of the same message being sent.  The next day there was a mea culpa, with a statement that the two people responsible for the mail software would be busy fixing it.  The fix seems to have worked – no repetition of the same problems yet.  How could something so seemingly simple go so bad?  Systems that are too complex!

Years ago, I could see that the the entire system’s combination of simple, published user-IDs and very short, insecure passwords meant that there was no serious security.  I will use their system to sell unwanted tickets, but funds go directly in my season ticket holder’s account, which has absolutely no links to a credit card or bank account.  Always best to avoid getting into potentially weak systems with confidential information.  (Having the team do so poorly last year also reduced the possibility of any type of theft!)
Next post: A classic example of problems in systems not communicating properly.

Watch out for systems that are too complex

Today I experienced a problem at a bank while trying to withdraw more cash than an ATM would ordinarily allow.  It has a lot in common with today’s failure of Delta Airlines entire software system, and a similar failure at Southwest last week.  The Delta problem was believed to have started with an electrical power failure in Atlanta, which shut the entire system down.  It was widely reported that much of the online flight information data or what was posted on airport monitors was incorrect for a period of many hours.  A similar system-wide failure occurred at Southwest.  How much of the problem still persists in the form of incorrect billing for changed flights, corrupted credit card information, and other security  issues?  In each case, tech support staff worked hard to get the systems up and running.  Much of my research in the last 30+ years has focused on the engineering of complex software systems, so none of the technical issues surprise me.

(If you want to learn more about the technical details of how such complex things can be engineered, buy the second edition of my Introduction to Software Engineering book.  Both my publisher, Chapman and Hall, and I will appreciate the $99 you spend.  Thank you.)

Here’s what happened at my bank.  None of the tellers at the bank branch could get access to the bank’s computer system.  It took about five minutes for the system to come up.  The ATMs outside the bank seemed to have problems, also.

So, what’s the issue?  The problem from a consumer perspective is that any consumer transaction or data might have been corrupted, or even intercepted.  In this case, the tellers simply waited, and their system became available.  Not much tech support seemed to be needed at this bank branch today.

Did the Delta or Southwest tech support completely solve the problems?  Perhaps.  Did the bank’s software problem solve itself?  Perhaps.  We will never know.

What we do know is that, in each case, a system did not behave the way it should and, in the case of the airlines, the problems cascaded.  Not surprisingly, the problems of complex software systems tend to increase greatly when they are under heavy load.

What this means for you is that you should avoid being at the mercy of such failures, so your data is correct and you have evidence of what transactions you made.  Keep in mind that complex systems fail often, and you should avoid unsafe practices.  Here are some unsafe practices.

  1. Deposit cash through an ATM?  Do you have any recourse if a problem occurs?
  2. Deposit a check through your smartphone?  Only if you keep the physical check and have a nearby location where you can talk to a person who can fix any problem that occurs.
  3. Rely only on data stored on a smartphone for airline reservation information, without either a paper copy or a way to print a hard copy? Remember, your copy of an electronic reservation data may be out of date if a system failure occurs.
  4. Use free wifi to log in in an airport?  The wifi may be overloaded, so whatever limited protection of your private is sometimes available may not be present at all.

What they didn’t say, and what they did

I was one of many volunteers at a local branch of a nonprofit where I had volunteered for years.  The nonprofit, concerned about abuses that seemed to be everywhere in the “helping world,” decided to begin doing background checks on its volunteers.  A meeting was called and about thirty of the volunteers at that location were present.  There were several hundred volunteers combined at all locations.

A representative of the company doing the background checks gave a presentation.  Of course, the company wanted Social Security Numbers, and, of course, many long-term volunteers were concerned.  The company representative told us that the computerized records would be in an encrypted database.

It is well-known that many identity thefts and identity breaches are inside jobs, often made easier by poor security practices within companies possessing confidential data.  In this case, I was concerned about both what the company representative didn’t say.  Here’s what I expected him to describe:

  • How would they handle the paper forms filled out and turned in at the presentation meeting?
  • Would the forms be copied and, of so, where would the copies be kept?
  • Who would have access to the paper forms and/or copies?
  • Would there be a digital record of the information, in the form of a spreadsheet or a database?  (More on this particular issue later in this post.)
  • If there was a digital record, would it be stored in a laptop or portable device, potentially accessible to thieves?
  • Who would have access to this?

The company representative didn’t say anything about this, leading me to believe he hadn’t thought the issues out, or didn’t think his audience was deserving of at least a short discussion of them.

What the company representative did say was even worse.  He described the form the volunteers were asked to fill out and began by indicating that they were to enter the last four digits of their Social Security Number in a box on the first page and their full Social Security Numbers later in the form.  This made no sense to most of the audience.  They questioned the representative and he said that the numbers would be used as identifiers.  Really?  Identifiers into what?  A database?  A spreadsheet?  Something else?

Here’s the first issue.  Any competently designed database using identifiers as primary keys would make sure that different records each have different primary keys.  At first glance, it would seem highly unlikely that any of the 30 volunteers at this location would have the same last four digits of their SSN.  To quote from Porgy and Bess, “It ain’t necessarily so!”  You may want to read up on the “Birthday Problem” at the URL https://en.wikipedia.org/wiki/Birthday_problem before reading the mathematics in the next paragraph.

The reason there may be duplicate primary keys is that there are 10,000 possibilities for four digits.  This means 10,000 possibilities for the first person, 9,999 possibilities for the second person not to match the first, 9,998 possibilities for the third person not to match either of the first two, and so on.  I ran a small Excel spreadsheet using the Fill command to enter the series of numbers from 1 to 10,000 in a column.  I then created a Product of the numbers from 9,970 (10,000 – 30) with each number divided by 10,000.  A probability greater than zero indicates that probability of a duplicate.  Clearly the “database” wasn’t a database, but was, in fact, a spreadsheet.  A spreadsheet probably doesn’t have the protections to restrict access to fields that should be kept private from as many employees as possible.

The second issue is that knowing the last four digits of a Social Security Number and having an idea of where a person was born can easily lead to determining the person’s full SSN.  Look at the webpage by http://stevemorse.org/ssn/ssn.html by the famous genealogist Stephen P. Morse; his webpages are a must for any genealogist.  Try to see if you can find your own SSN easily from the four digits and area of birth.

What did I do?  I debated raising the issues described in this post, but decided that I was not the focus of the discussion.  Instead, I turned in my ID badge and access card, ending my volunteer work digitizing microfilmed records that had deteriorated.

Do you think I made the right choice?


About this blog

We’ll discuss current issues in identity theft in this blog.  The goal is to educate the readers and provide timely information about identity theft without being a computer scientist (which I was before I retired) or an identity theft expert, lecturer, and consultant (all of which I have been and still am) or an author of identity theft books (of which I am the author of four, with another one in the works).

You might read Identity Theft in the Cyber Age, Twelve and One Half Steps to Avoid Identity Theft, Recovering from Identity Theft, or The Bible as a Manual for Identity Theft.

Watch this space for timely information.