In this issue:
Communication Without Hesitation
eBay was hacked this month. The personal information of 145 million users was stolen, but eBay kept its corporate mouth shut. It took two weeks for eBay to post an informationless advisory on its home page asking all users to change their passwords. No reason was given. That is when the press picked up the story, and the true details blasted into sight.
We have written frequently on the importance of communication when a site goes down or when a company is hacked. Amazon and Google are particularly good at keeping their users informed during an outage. Following the discovery of its recent massive attack, Target did a magnificent job at keeping customers informed and helping them to determine their exposure and to contain the damage. eBay failed miserably.
Crises happen to all companies. Withholding information from your users or customers about the status of a crisis never helps. Keeping them posted and up-to-date on the status of an outage or breach can only breed appreciation and loyalty. This is a lesson learned by many and is a major subject in our seminars on High- and Continuous Availability.
Dr. Bill Highleyman, Managing Editor
On April 30, 2014, the air-traffic control computers at the busy Los Angeles, California, Air Route Traffic Control Center (ARTCC) suddenly went down, paralyzing air traffic across the U.S. Southwest. The U.S. Federal Aviation Administration (FAA) admitted that a U-2 spy plane operating over the area at high altitude caused a software problem that took down the computers. It took almost an hour to restore the computers to service and several hours to clear up backlogged traffic.
The failure of the Los Angeles ARTCC due to the U-2 overflight was caused by a software error. Software bugs such as this are an indication of inadequate testing of the software during its development. This conclusion is supported by facts set forth in an FAA Inspector General’s report. Software bugs are a leading factor in the multiyear schedule slip of the new ARTCC system.
This incident also raises the ugly specter of hackers gaining access to the U.S. air-traffic control system. Experts say that such a hack would be extremely complex and highly unlikely. However, the FAA is planning to set up a center in Maryland for sharing information on detected and possible threats.
Security firm FireEye has recently discovered a zero-day vulnerability in Microsoft’s Internet Explorer web browser. A zero-day vulnerability is one in which the first attack is made before the developer has become aware of the vulnerability. As yet unnamed, the vulnerability was reported by both FireEye and Microsoft on April 26, 2014.
The vulnerability affects IE6 through IE11. This is significant because these browsers represent 55% of all browsers worldwide.
This zero-day vulnerability is still being actively exploited. Successful attackers can take over your system with your user privileges and can do arbitrary damage, especially if you are logged on as an administrator. Not only can the attacker steal or damage your data, but he also can run arbitrary applications on your PC.
There are some straightforward steps that you can take to prevent attacks; and Microsoft, CERT, and the Department of Homeland Security suggest that you take action to protect your system until you have installed Microsoft’s corrective patch. If you are an XP user, there will be no corrective patch from Microsoft. Microsoft has terminated support of XP as of April 8, 2014.
Heartbleed is a notorious Internet vulnerability that was introduced in 2012 but only came to light recently. It allows a malicious attacker to steal data from a device, undetectably, while the device’s browser is in use.
Heartbleed has received tremendous media exposure, and many people now know about it. Most servers by now have been upgraded. If you are one of those who have taken the precaution of upgrading your browser and changing all your passwords, you may think that you are now safe.
However, if you are an Android user, think again. There is a long way to go to make Android devices safe from Heartbleed. Millions of Android phones are still vulnerable to data loss from malicious servers because the Heartbleed flaw is contained in thousands of Android apps. It may take a long time to correct all of these apps and to render the phones invulnerable to Heartbleed. Some vulnerable apps may never be detected or corrected.
Apple states that it does not use the vulnerable version of OpenSSL in its iPhones or iPads. Microsoft says that its Windows Phones and its Windows operating system are not affected.
Flash Boys: A Wall Street Revolt describes how the U.S. financial markets, once stable and predictable, have grown predatory. The book tells the story of how a group of dedicated individuals set out to correct the situation.
Traders at the Royal Bank of Canada (RBC) noticed that their trading terminals were no longer reliable. When they tried to execute orders against the market shown on their terminals, their orders would not be executed; and the market would suddenly move against them.
The traders discovered that they were being victimized by a practice known as front-running, caused by an order arriving at different exchanges at different times. This allowed high-frequency traders to trade against the order for their own benefit. A team left RBC and created a new exchange, IEX, that solved the problem with a dedicated fiber network.
Flash Boys exposes a myriad of other predatory financial marketplace practices, their impacts on investors, and what IEX is doing to curb these practices.
IEX’s growth is on a path to make it an important exchange in the financial marketplace. It remains to be seen if IEX’s efforts to create a fair marketplace will succeed, or if greed will triumph.
A challenge every issue for the Availability Digest is to determine which of the many availability topics out there win coveted status as Digest articles. We always regret not focusing our attention on the topics we bypass.
With our new Twitter presence, we don’t have to feel guilty. This article highlights some of the @availabilitydig tweets that made headlines in recent days.
The Availability Digest is published monthly. It may be distributed freely. Please pass it on to an associate.
Managing Editor - Dr. Bill Highleyman.
© 2014 Sombers Associates, Inc., and W. H. Highleyman