The CyberWire Daily Briefing 01.04.13

Cyber Trends

Forrester: SaaS And Data-Driven 'Smart' Apps Fueling Worldwide Software Growth (TechCrunch) Forrester Research is citing SaaS and data-driven smart apps as the major growth engines for the worldwide software market. The SaaS software market will increase 25 percent in 2013 to $59 billion, a 25 percent increase. In 2014, the market is expected to total $75 billion. Forrester uses the term "smart computing" to define apps that, for instance, provide direct access to data for

Worldwide IT spending to reach $3.7 trillion in 2013 (Help Net Security) Worldwide IT spending is projected to total $3.7 trillion in 2013, a 4.2 percent increase from 2012 spending of $3.6 trillion, according to the latest forecast by Gartner. The 2013 outlook for IT spending

Rapid-fire changes to information security strategies (Help Net Security) RSA released a special report from the Security for Business Innovation Council (SBIC) that assesses how disruptive innovations such as Big Data analytics, cloud computing, enterprise mobility and social media

Legislation, Policy and Regulation

White House takes small step toward sharing cyberattack data (CSO) The White House has issued a framework for government departments and agencies to follow in sharing information, including data that would help bolster defenses against state-sponsored hackers and other criminals. The National Strategy for Information Sharing and Safeguarding is seen as a small step, albeit an important one, as lawmakers struggle with much broader regulations governing data sharing between government and private industry

Sina Weibo Accounts Of Prominent Bloggers, Journalists and Activists Shuttered As China Clamps Down On Internet Users (TechCrunch) The last week has been a troubling one for observers of Internet censorship in China, and things just got worse as several bloggers and activists had their Sina Weibo accounts shut down over the past few days, the Washington Post reports

Arizona set to make online impersonation a felony (Ars Technica) Fake John McCain may be worried parody accounts won't be protected

Products, Services, and Solutions

'Dementia' Wipes Out Attacker Footprints In Memory (Dark Reading) New tool exposes weak links in forensic tools that inspect Windows memory for attack intelligence. Forensics increasingly encompasses the analysis of potentially valuable clues and intelligence in the physical memory of an infected machine. But like anything in infosec, it's a constant cat-and-mouse game, with attackers finding new ways to hide their tracks in memory from incident response handlers trying to get to the bottom of a breach

Google Quietly Removes Censorship Warning Feature For Search Users In China (TechCrunch) Google has quietly disabled a feature that notified users of its search service in China when a keyword had been censored by the Chinese government's internet controls, according to censorship monitoring blog GreatFire.org. The blog reports that the change was made sometime between December 5 and December 8 2012, with no official statement from Google to announce or explain its removal

Bad Data Handbook (Help Net Security) What is bad data? Some people consider it a technical phenomenon, like missing values or malformed records, but bad data includes a lot more. In the Bad Data Handbook, data expert Q. Ethan McCallum has gathered 19 colleagues from every corner of the data arena to reveal how they've recovered from nasty data problems

Video surveillance for critical IT systems (Help Net Security) NetWrix has announced its new User Activity Video Reporter tool that acts like a surveillance camera for critical servers and other IT systems by recording user activity for security, compliance, auditing

Prolexic Releases Threat Advisory to Detail Massive DDoS Threat From Itsoknoproblembro (MarketWatch) Multi-Tiered DDoS Toolkit Leveraged in Synchronized Attacks Against Banking, Hosting and Energy Industries. Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, today released a suite of detection and mitigation rules, a log analysis tool and a comprehensive threat advisory on the itsoknoproblembro DDoS toolkit. Considered to pose a very effective, multi-level threat, itsoknoproblembro has been the favored weapon in headline-making DDoS attacks against the US banking industry

Cleveland Clinic spinoff spreads big data across health care (Fierce Big Data) We reported in October on the $10 million big data investment being made at the University of Pittsburgh Medical Center by companies such as IBM (NYSE: IBM), Oracle (NASDAQ: ORCL) and dbMotion, designed to explore the secrets of human health. Not to be outdone, the Cleveland Clinic also has been investing in the technology to unlock its own secrets and to streamline its methods and procedures for better health lifecycle management and profitability. The health care company even spun off its own cloud-based platform business in 2009, now known as Explorys

Bargain BlackBerry Betrays RIM's High-End Aspirations (InformationWeek) BlackBerry Curve 9315, launched Thursday for T-Mobile USA, is not the RIM smartphone you want

Microsoft Tries To Outflank Amazon With Azure Upgrades (InformationWeek) Azure enhancements leave Microsoft well positioned against cloud competitors in 2013, analyst says

Technologies, Techniques, and Standards

How to talk security so people will listen (and comply!) (IT World) From phishing your own employees to sharing your company's hack history, here are five techniques for getting users' attention about security

How a regular IT guy helped catch a botnet cybercriminal (Naked Security) Veteran cybercrime investigator Bob Burls looks back on a case where the diligence of an IT professional helped convict a botmaster who had made tens of thousands of dollars

Don't Be Caught Playing the Fool (A Lesson in Why Change Control is Important) (infosec island) This is a real world story around the dangers of not following proper change control processes when placing new systems in production. In this blog I will discuss how one persons actions could have resulted in an attacker gaining complete access to the organizations internal network. I am hoping this example will cause organizations to take their change control processes a little more seriously

Risk I/O Lowers Risk by Raising IT Security Intelligence (eSecurity Planet) There are a lot of different tools and methods to perform IT security vulnerability assessments. Making sense of all the data that various tools collect is important if an enterprise wants to truly understand its risks. Ed Bellis knows this better than anyone after serving as the CISO of travel website Orbitz."We had a bunch of different tools doing assessments, including network, dynamic and static application scanning," Bellis told eSecurity Planet

Wells Fargo, Ally Bank See the Camera as Key to Mobile Banking (American Banker) A revolutionary as mobile banking has been, it's the camera that resides within smartphones that's lighting the fire underneath adoption drives at banks such as Wells Fargo (WFC) and Ally Bank."The camera is critical. If you look at the kinds of growth in mobile banking over the first couple of years, it was about the basics of mobile banking. But what's really exciting me and my team for the next couple of years is figuring out how to take advantage of the ability of the mobile device," says Brian Pearce, senior vice president and head of the retail mobile channel in the digital channels group at Wells Fargo

Practical IT: are your firewalls in the wrong place? (Naked Security) Firewalls have come a long way in the last 15 years. But today's standard architecture might leave something to be desired and we talk about what firewall administrators want to look at

Improve your firewall auditing (Help Net Security) As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and

To thwart hackers, firms salting their servers with fake data (Washington Post) Brown Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets -- online editions and subscriber databases -- were increasingly at risk with the proliferation of cyber-espionage. And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception

NIST releases draft trusted cloud geolocation proof of concept (Fierce Government IT) Security challenges involving infrastructure-as-a-service cloud computing technologies and geolocation are being addressed in a draft proof of concept implementation document from the National Institute of Standards and Technology

The efficacy of trend analysis using personal health apps (Fierce Big Data) John Grohol, doctor of psychology and founder, and editor-in-chief, of PsychCentral, has a long-standing concern about the bias of samples used in psychology research. He says now, with the ubiquity of smartphone apps, developers and entrepreneurs are pursuing data without understanding the basics of good, reliable, scientific data collection

Deferring to differential privacy (Fierce Big Data) The term anonymize is not only a bad verb, it's equally bad at doing what it purports to do, which is make data not personally identifiable. Foiling early efforts at anonymizing data has proved fairly simple, putting at risk a company's freedom to use it for intelligence purposes or to monetize it. The Simons Foundation recently cited an example in Massachusetts where the state made health records available to researchers after removing personally identifiable references such as name, address and social security number, only to have a grad student from MIT re-identify the data using other public records

CSOs Say: 'Court' Your Middle Managers, Too (Dark Reading) Security for Business Innovation Council (SBIC) members warn of 'disruptive' technologies for 2013 that will test enterprise security. Everyone talks about winning over the executive boardroom, but top security executives from the world's largest corporations say middle managers are also key to making information security part of the business plan

Marketplace

DHS to Pick Up $6 Billion Tab for Cyber Surveillance Systems at Every Department (NextGov) The Homeland Security Department is footing a potentially $6 billion bill to provide civilian agencies with the technology and expertise needed for near real-time threat detection, DHS officials said this week. The White House has demanded so-called continuous monitoring since 2010, but many agencies did not have the resources or know-how to initiate such surveillance. Executives at prospective contractor Booz Allen Hamilton said their bid for the task will highlight the Virginia-based consulting firm's own internal continuous monitoring system…"We're definitely eating our own dog food on continuous monitoring," said George Schu, a senior vice president who handles the company's federal cyber business. "I think this is a defining moment for the nation, and the government has an important role"

Defense bill emphasizes cyber operations (Federal Computer Week) The Defense Department is taking more aggressive steps in cyberspace, including clearer authorities, more oversight and a key partnership to identify and address gaps, due to provisions in the National Defense Authorization Act for fiscal 2013. Those provisions in the NDAA, which President Barack Obama signed into law on Jan. 2, require DOD officials to report on cyber operations to Congress on a quarterly basis, beginning March 1. It also outlines authorities and expectations for military forces in cyberspace

Defense Firms Seek Alternatives As U.S. Cuts Military Spending (Wall Street Journal) RTI is part of a broader shift by defense companies, large and small, looking for ways to contend with lost business. Some of them are diversifying. Others are shedding unprofitable segments, closing plants or laying off workers. Many are looking to increase sales on the international market.

TIGTA: IRS must improve CADE 2 requirements management, testing, security (Fierce Government IT) Key developmental processes of the IRS's Customer Account Data Engine 2 program need improvement, especially in the areas of requirements management, testing and security, says the Treasury Inspector General for Tax Administration

CMS issues request for information on hospital and vendor EHR readiness (Fierce Government IT) The Centers for Medicare and Medicaid Services is seeking information from hospitals and vendors on their electronic health record readiness beginning in 2014 for EHR hospital inpatient quality data reporting, according to a Jan. 3 notice in the Federal Register

Challenges remain for agency cloud computing adoption, says CAGW (Fierce Government IT) While federal agencies have made progress expanding their use of cloud services, many challenges remain for full implementation, Citizens Against Government Waste says in its 2012 review of the federal cloud

Army may work with Palantir on intel software (Army Times) Elements of Palantir's off-the-shelf intelligence collection, analysis and dissemination software, which has had success anticipating locations of

CTC, InfoTech Partnering on $5B DIA Intell Analysis IDIQ (ExecutiveBiz) Concurrent Technologies Corp. and New York-based software integrator InfoTech Solutions will team up to provide intelligence analysis services to the Defense Intelligence Agency under a $5.6 billion contract

HP Wins $36M to Migrate 600,000 at VA to Microsoft 365 Cloud Email (The New New Internet) The Veterans Affairs Department announced on November 13 that they will transfer 600,000 personnel to the cloud using Microsoft Office 365 for Government, according to a GCN report. HP Enterprise Services was awarded a $36 million contract for 5 years under the VA's transformation twenty-one total technology (VA T4) program

Lockheed CEO Hewson greets employees, comments on sequestration delay (Washington Business Journal) Newly inaugurated Lockheed Martin Corp. CEO Marillyn Hewson picked up the policy torch left by predecessor Bob Stevens, commending Congress and the White House for their decision to delay $1.2 trillion in automatic federal budget cuts, but emphasizing the need to eliminate the so-called sequestration entirely

Amazon's R&D Group Lab126 Embarks On Hiring Spree As Kindle Business Expands (TechCrunch) Amazon's Lab126, the secretive R&D group behind the Kindle, is apparently on a hiring spree, as noted by the EETimes, which speculates that the organization may be planning to spin out the lab as a stand-alone company. There are currently about 250 job openings available, with most based in Silicon Valley, but several in Hyderabad, India, one in Shenzhen, China and another in Tokyo

CipherCloud Expands Management Team (Dark Reading) CipherCloud, the leader in Cloud Information Protection, announced two new members to its executive leadership team. Travis Patterson, who recently served as Marble Cloud's senior vice president of Sales and Support, joins as senior vice president of Worldwide Sales. Paige Leidig joins as CipherCloud's first chief marketing officer, coming from SAP where he served as global vice president, Office of the CEO. Both executives report directly to CipherCloud's CEO and founder, Pravin Kothari

Storage giant EMC unites with PC OEM Lenovo on new joint venture (Ars Technica) Ashes of Iomega transformed into SMB-focused "LenovoEMC Ltd"

Research and Development

Imagining The Future: Ray Kurzweil Has 'Unlimited Resources' For AI, Language Research At Google (TechCrunch) Last month, famed inventor, entrepreneur and futurist, Ray Kurwzeil, announced that he was joining Google as a director of engineering. Many have wondered what Kurzweil's new position would mean for Google and the billions of people its global reach directly or indirectly touches. Would they be uploading Kurzweil's brain into their datacenters? Become the next Skynet

Broadcom claims cryptography first as it enhances STB security (Rapid tv news) Broadcom is claiming a world's first in enabling Cryptography Research (CRI) differential power analysis (DPA) countermeasures across its line of set-top boxes (STBs). The result, says the semiconductor solutions provider, will be that by embedding

Security Patches, Mitigations, and Software Updates

All Ruby on Rails versions affected by SQL injection flaw (Help Net Security) Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order to fix an SQL injection vulnerability that affected all the previous versions

'Holey code, Batman!' Microsoft to patch 12 vulns on Tuesday (The Register) Microsoft has issued its prePatch Tuesday report, saying it will issue seven patches fixing 12 code flaws next week but it won't provide a permanent fix for the exploit discovered during the recent holidays that is already being used in the wild."With 2013 starting on a Tuesday, our monthly bulletin release is upon us a bit earlier than usual," says Dustin Childs, group manager of Microsoft Trustworthy Computing.""Next Tuesday we'll release seven bulletins; two Critical and five Important, which address 12 vulnerabilities. The Critical-rated bulletins address issues in Microsoft Windows, Office, Developer Tools and Microsoft Server Software."The full patches, along with advisory notices for IT managers on the recommended deployment strategy, will be released on January 8 at 10am PST (6pm UTC.)

Microsoft to patch Windows 8, but stays mum on IE zero-day fix (Computerworld) Microsoft today said it will release seven security updates next week -- including one rated critical for Windows 8 and Windows RT -- to patch 12 vulnerabilities in Windows, Office, SharePoint Server and the company's website design

Cyber Attacks, Threats, and Vulnerabilities

Cyber Attack On PNC's Online Banking Slows Customer Access (CBS Local Pittsburgh (KDKA)) Bob Williams of Edgewood is one of thousands of PNC customers who enjoy the bank's online banking system -- until recently. "What just happened?" KDKA money editor Jon Delano asked Williams as he tried to log on to the PNC

Mobile devices set to become next DDoS attack tool (CSO) While no DDoS attacks have been linked to mobile devices, one analyst is convinced it's only a matter of time

Evidence of Possible Spring Cyber Attack on Banking Industry (Signal Magazine) The purpose of the attack is purely robbery, says a cyber expert, who has shared his McAfee report with government officials. A cyber attack that could result in the theft of millions of dollars from American banks could take place this spring

IE Zero-Day Watering Hole Attack Expands to Handful of Political Sites (Threatpost) The attacks further demonstrate the effectiveness of watering hole attacks compared to phishing attacks for example, which require some advance legwork in order to target victims. "The whole point of the waterhole tactic is that they believe such sites

Symantec links latest Microsoft zero-day with skilled hacker gang (IT World) Analysis of the attack code used to exploit the vulnerability has similarities to other code used by the Elderwood group to exploit other zero-day vulnerabilities in Microsoft's software, the company wrote on its blog. In one example, Symantec found

Fraudulent digital certificate for Google web properties used in active attacks (Help Net Security) A fraudulent digital certificate that could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties has been discovered by the Google

Turkish Certificate Authority screwup leads to attempted Google impersonation (Naked Security) Another Certificate Authority has been caught out having issued certificates that were being used to impersonate Google. Does the SSL padlock not mean we are safe anymore

Fraudulent Digital Certificates Could Allow Spoofing (Microsoft Security Tech Center) Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows

Browser vendors rush to block fake google.com site cert (The Register) Google and other browser vendors have taken steps to block an unauthorized digital certificate for the " *. google. com" domain that fraudsters could have used to impersonate the search giant's online services

Malware SNEAK dons cunning disguise, opens creaky back door to servers (The Register) A malicious backdoor designed to infect web servers poses a severe threat, Trend Micro warns. The malware, dubbed BKDR_JAVAWAR. JG, poses as a Java Server page but actually creates a backdoor on compromised servers

Survey Malware Could Be 'Portent' of Bigger Threats (eSecurity Planet) Malware that uses a pop-up window to hijack a user's machine and asks them to take a survey could lead to more serious demands, says Malwarebytes' lead analyst. Hackers are always finding new ways of getting PC users to give up information or money. Recently they've appropriated an annoying but usually innocuous online fixture, a pop-up window that asks users

Details of 5,000 Canadians Compromised After HRSDC Employee Loses USB Stick (Softpedia) On November 16, 2012, an employee of Human Resources and Skills Development Canada (HRSDC) reported that a USB stick containing the details of 5,000 individuals was missing. The information contained on the drive included social security numbers and other personal details, but HRSDC hasnt found any evidence to show that it has been used for fraudulent purposes, The Vancouver Sun informs. On December 21, HRSDC notified the privacy commissioners office

The War Z comes under heavy cyber attack, bounces back (VG247) The War Z comes under heavy cyber attack, bounces back. Servers for controversial survival MMO The War Z has been suffering "various forms of malicious attacks" attacks, according to a post on its forums. Hammerpoint Interactive believes the most

OpRollRedRoll: AnonAcid leaked records of 50,000 Steubenville, Ohio Citizens (E Hacking News) A Hacker with Twitter handle AnonAcid has claimed to have leaked the records of more than Steubenville,Ohio residents as part of the operation called "OpRollRedRoll". The campaign has been launched after news broke out that authorities might be protecting members of the Steubenville football team accused of abusing a 15-year-old girl. The hacker uploaded the dump in Mediafire

Over 18,000 PayPal Phishing Websites Identified in December 2012 (Softpedia) Phishing websites, ones created by cybercriminals to harvest sensitive information from unsuspecting users, have become highly problematic lately. Because theyre so effective, crooks have launched a considerable number of sites that replicate popular companies. For instance, according to a study performed by Trend Micro for December 2012, a total of 18,947 phishing websites have been found to replicate PayPal.

Phishing Visualized: U.S. More Dangerous Than Russia, China (Toms Hardware) Netcraft published a dynamic map that shows the likelihood of a phishing attack on a site hosted in a specific country. The map may be surprising to some. The greatest chance to encounter phishing site in any country is Morocco (1 in 102), followed by Turkmenistan (1 in 103)

World Wildlife Fund Hacked (eSecurity Planet) A new hacker group calling itself the DarkWeb Goons recently breached the Chinese Web site for the World Wildlife Fund and leaked several thousand user names and passwords."The leaked data has been uploaded to the Dark Web Goons site in the format of a txt file that contains over 80,000 accounts of which 54,000 have email:passwords and usernames," Cyber War News reports. "The Dark Web Goons is a new crew that has been kicked off by @INST1NCT_ in recent days. All accounts that have been leaked contain clear text passwords which appear to be in numeric format only.""Many of the email addresses are registered with Chinese providers such as Sina or QQ, but a few thousands belong to Hotmail, Gmail and Yahoo customers," notes Softpedia's Eduard Kovacs

Blue for Reset? (Internet Storm Center) Over the holidays, a friend of mine was busy trying to repossess her online accounts that had been hacked and taken over. While her experience wasn't quite as bad as Mat Honan's, it still was a mess to untangle. Initially, we had suspected spyware, and spent some time looking through her PC for the presence of a keylogger. None was found. Once the first few accounts were returned to her, including an email account, we were able to (partially) reconstruct what had happened. Like in Mat Honan's case, it wasn't the password, but rather the "I forgot my password" functionality that had been breached. Duh-oh

Could China blocking VPNs lead to spying on business? (CSO) 'Great Firewall of China' upgrade could also allow China to spy on international companies doing business in the country. And some observers say this may not only be an effort to stop citizens from reading or viewing Western information, but also to spy on international corporations doing business in the country who encrypt their internal communications

Academia

Teachers targeted by pupils using social media, says SSTA chief (CSO) Misbehaving pupils are getting away with using social media to anonymously target school teachers with abuse, threats and ridicule, Scottish Secondary Teachers' Association (SSTA) president Margaret Smith has said. In a strongly worded analysis, Smith noted that the problem of teachers being targeted using such technologies ran across the social spectrum and could affect even teachers working in "leafy suburb" schools. Female teachers were a particular target, and could find themselves on the receiving end of personal comments that would be considered sexual harassment in any other walk of life."Social media networks, mobile phones and other technologies to which pupils have access make it so much easier to make a teacher's life intolerable and his or her job impossible," said Smith

Litigation, Investigation, and Enforcement

Bush-Era Wiretapping Case Killed Before Reaching Supreme Court (Wired Threat Level) A federal appeals court's August ruling in which it said the federal government may spy on Americans' communications without warrants and without fear of being sued won't be appealed to the Supreme Court, attorneys in the case said Thursday

Record 5-Year Prison Term Handed to Convicted File Sharer (Wired Threat Level) The leader of the in-theater camcording gang known as the IMAGiNE Group was handed a 60-month prison term Thursday in what is the nation's longest sentence in a file-sharing case

Megaupload claims it was asked by US to keep infringing files (Computer World) The U.S. government misrepresented facts when it approached a court for search warrants against Megaupload, according to a filing Wednesday by counsels of the file-sharing site. The basis for the warrants was the charge that Megaupload had not removed from its servers infringing copies of copyrighted motion pictures, despite a criminal search warrant of June 24, 2010 from the U.S. District Court for the Eastern District of Virginia to hosting company, Carpathia Hosting, the filing said. Megaupload had every reason to retain the files in good faith because the government had sought its cooperation in retrieving the files, and warned that alerting users to the existence of the warrants, and the government's interest in the files, could compromise an investigation, the filing said

Major global Facebook Botnet taken down (Journalism) A fraud ring worth around 525 million has been taken out of action by the joint efforts of Facebook's own security team and local police forces in the UK, Peru, the US and a number of other countries. The gang managed to steal the massive sum from Facebook users by secretly planting spyware on victims' computers that would steal credit and bank card details. Along with financial details, personal information with worth on the black market was also lifted

Home Ministry ordered 10k wire taps in last 90 days, orders tapping of 1300 email ids (India Times) The Ministry for Home Affairs ordered interception of about 10,000 phones and 1300 email ids, during October to December last year, according to a document reviewed by ET. Home Secretary RK Singh, the designated officer for authorizing a wire tap by a security agency, cleared about 4,000 fresh requests of phone surveillance, which includes tapping of about 700 overseas connections. About 500 new email addresses of individuals have also come under the scanner, besides the 800 email ids already under surveillance

Google Settles FTC Antitrust Inquiry (InformationWeek) Google has settled with the Federal Trade Commission to resolve the agency's 19-month antitrust investigation into the company's advertising business practices and its use of industry-standard patents against competitors. The deal prevents Google from using standard patents against competitors, but brings only minor changes to the company's search business.

How Google resolves antitrust cases without impeding its creeping monopoly (Quartz) It's hard to say what constitutes "unfair" competition in a marketplace in which anyone with a browser is free to switch from Google's search engine to Bing, Yahoo, or lesser known but differentiated competitors like DuckDuckGo. Yet Google now represents 67% of all searches in the US, an all-time record

Big data's 4th Amendment problem (Fierce Big Data) While the country squabbles over the Second Amendment, the Fourth Amendment may need just as much attention. Since any abuse of privacy is a potential threat in terms of regulatory ramifications that could limit the ability of industries and institutions to realize the full potential of big data, then any abuse of the Fourth Amendment should be taken seriously by this community

Design and Innovation

How fast does 'virtual reality' have to be to look like 'actual reality'? (Ars Technica) Low latency is important to an effective VR display but might not be everything

The top ways federal websites messed up in 2012 (Fierce Government IT) A team that tests federal websites for usability says in a Dec. 28 blog post that they found four main problems in 2012