Saturday, November 17, 2007

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Saturday, Nov. 17, 2007, at least 3,867 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,151 died as a result of hostile action, according to the military's numbers.

The AP count is four higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Indian Provincial Government's Official Website Hacked

Via The Deccan Herald.

Goa government's Information and Publicity Department's official website has allegedly been hacked by a Turkish hacker who has posted anti-American slogans on it.

Goa government has started a process of filing an FIR with police on the issue. "This is a very serious matter and we will be filing FIR with the police," state Chief Secretary J P Singh, who also holds charge as Information Secretary, said.

The website, which otherwise has information of Goa's people in power and related data, besides various government schemes, was flooded with pictures of executions and arms seizure.

More here.

Friday, November 16, 2007

Air Canada Reservations Glitch Creates Delays for 96k Passengers


Matt Hartley and Erika Beauchesne write in The Globe and Mail:

Air Canada officials spent Friday trying to find the cause of a massive network failure that brought down the company's reservation system, grounding flights and delaying thousands of weekend travellers at airports across Canada and around the world.

Around 4 a.m., Air Canada's operations ground to a halt when its central reservation system experienced a communication error with computer systems at Canadian airports. It was several hours before the airline was able to rectify the problem, resulting in the cancellation of eight round-trip flights and lengthy delays for an estimated 96,000 passengers as employees had to process boarding passes manually.

Although Air Canada pegged the average delay at 40 minutes, many travellers said they were left waiting for hours. By Friday afternoon, some were still languishing in lineups, while Air Canada struggled to expedite the backlog, predicting everyone would reach their destinations before the day was over. Meanwhile, company officials tried to figure out what went wrong.

More here.

Toon of the Day: Scary Connections


Click for larger image.

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, Nov. 16, 2007, at least 3,867 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,151 died as a result of hostile action, according to the military's numbers.

The AP count is four higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

As of Friday, Nov. 16, 2007, at least 398 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Nov. 10, 2007, at 10 a.m. EST.

Of those, the military reports 269 were killed by hostile action.

There were also four CIA officer deaths and one military civilian death.

More here and here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

California Man Arrested in Theft of 1.8M Social Security Numbers from Veterans

Erika M. Torres writes in The OC Register:

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain.

The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file.

Tae Kim, 28, was booked at Orange County Jail and is being held in lieu of $1 million bail after being arrested at 5 p.m. Thursday at a car wash in Koreatown, police said.

On April 7, two Asian men, identified as Kim and Justin Hong, purchased jewelry from Jewelry Exchange at 15732 Tustin Village Way using three skimmed cards belonging to three different victims, one of whom was actor Marlon Wayans, Strain said.

More here.

(Props, Pogo Was Right.)


Auditors: One NASA Hack Cost $1.5M

Wilson P. Dizard III writes on GCN.com:

A recent series of intrusions into the Earth Observing System’s networks “cost NASA $1.5 million for incident mitigation and cleanup costs alone,” said the agency’s inspector general, Robert Cobb, in a memo issued Nov. 13.

Those costs came on top of the “operational impact to the agency’s mission, such as the temporary suspension of automated processes,” caused by the criminal hack of the networks, Cobb said. The memo was addressed to NASA’s administrator and accompanied the IG’s report titled “NASA’s Most Serious Management and Performance Challenges.”

“Our criminal investigative efforts over the past five years confirm that the threats to NASA’s information are broad in scope, sophisticated and sustained,” auditors wrote in the report.

More here.

Quote of the Day: Robert X. Cringely

"So change your damned passwords and put an end to this kind of scam. Perhaps remembering new character strings will help to stave off Alzheimer's."

- Bob Cringely, writing in his weekly column "The Pulpit".

Flying Spaghetti Monster Gets Academic Attention


An AP newswire article by Justin Pope, via MSNBC, reports that:

When some of the world's leading religious scholars gather in San Diego this weekend, pasta will be on the intellectual menu. They'll be talking about a satirical pseudo-deity called the Flying Spaghetti Monster, whose growing pop culture fame gets laughs but also raises serious questions about the essence of religion.

The appearance of the Flying Spaghetti Monster on the agenda of the American Academy of Religion's annual meeting gives a kind of scholarly imprimatur to a phenomenon that first emerged in 2005, during the debate in Kansas over whether intelligent design should be taught in public school science classes.

More here.

Deja Vu All Over Again at Veterans Administration

Jaikumar Vijayan writes on ComputerWorld:

In what's become a fairly familiar routine for them of late, the U.S. Department of Veterans Affairs is investigating a potential data breach -- the theft of three computers containing personal data on potentially 12,000 individuals.

Two desktop PCs and one laptop containing that data were stolen from a medical facility in Roudebush, Indiana -- ironically enough, on Veterans Day. The records belong to patients who were treated at the hospital and include Social Security numbers and other personally identifiable information.

More here.

9th Circuit Deals Setback to NSA Surveillance Victim

Ryan Singel writes on Threat Level:

A federal appeals court reversed a decision letting two Americans who claim to have been given proof they were spied on by the government's secret, post-9/11 surveillance program rely on a document the government accidentally turned over to prove that they were spied on.

Instead, the court ruled that the document was protected by the so-called state secrets privilege, but sent the matter back down to a lower court to see if a redress provision in the nation's spying laws would re-allow the document to be used.

The ruling is also a setback for the government which wanted the suit tossed simply on the grounds that any lawsuit about a government surveillance program would hurt the nation.

More here.

U.S. Senate Passes Cybercrime Bill

William Jackson writes on GCN.com:

The Senate on Thursday passed a bill amending federal law to directly address online crimes, including identity theft.

The Identity Theft Enforcement and Restitution Act of 2007 was passed by unanimous consent. It is one of a host of bills before Congress that would deal with what many in the information technology industry and law enforcement say are holes in the current legal structure regarding cybercrime. A similar bill in the House has not moved out of subcommittee.

The Senate bill would amend Title 18 of the U.S. Code to specifically address conspiracy to commit cybercrime and close loopholes to prohibit online extortion and address botnets — networks of compromised computers used by criminals to launch attacks and conduct fraudulent activity — by making it a crime to damage 10 or more computers in a year. It also would give victims of identity theft a chance to seek restitution in federal court for the loss of time and money spent restoring their credit.

More here.

Thursday, November 15, 2007

University of Washington Professor Detained for Taking Pictures Sues


Jennifer Langston writes in The Seattle Post-Intelligencer:

Artist Shirley Scheier drove to Snohomish to make the kind of picture you couldn't get in a city -- power lines against an unobstructed sky.

She wound up being patted down, handcuffed and put in the back of a police car on that day two years ago, in a detention that lasted 44 minutes.

The electrical substation she photographed had been identified by the Department of Homeland Security as a "critical infrastructure" target.

The longtime UW professor sued the city of Snohomish on Thursday, in what her lawyers say is an example of harassment toward photographers resulting from misplaced fears about terrorism.

More here.

Note: I'm really keeping my fingers crossed in hopes that Professor Scheier wins her case, and sends a message that this nonsense needs to stop -- it's gotten way out of hand. -ferg

Image source: Wikimedia

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Thursday, Nov. 15, 2007, at least 3,866 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,147 died as a result of hostile action, according to the military's numbers.

The AP count is five higher than the Defense Department's tally, last updated Thursday at 10 a.m. EST.

As of Thursday, Nov. 15, 2007, at least 398 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Nov. 10, 2007, at 10 a.m. EST.

Of those, the military reports 269 were killed by hostile action.

More here and here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Many Retailers Easy to Hack, Study Finds

An AP newswire article by Mark Jewell, via SFGate.com, reports that:

Half of more than 3,000 retail stores that a wireless security company secretly monitored at major shopping areas in the U.S. and Europe use wireless data systems vulnerable to hacking, the company said Thursday.

The data that stores routinely transmit on wireless networks include credit card and Social Security numbers and other sensitive customer information.

AirDefense Inc., an Atlanta-based maker of security products for wireless data systems, found that about 25 percent of the stores' 4,748 wireless access points were exchanging data with no encryption at all to foil electronic eavesdroppers.

Another 25 percent were using an outdated encryption method called Wireless Equivalent Privacy that is easily cracked by thieves using widely available tools.

More here.

Guilty Plea: Phone Phreaks Use Caller-ID Spoofing to Get Foes Raided By SWAT

Kevin Poulsen writes on Threat Level:

An Ohio man has pleaded guilty to a federal conspiracy charge for being part of a gang of "swatters" -- one of them blind -- who used Caller ID spoofing to phone the police with fake hostage crises, sending armed cops bursting into the homes of innocent people.

Stuart Rosoff of Cleveland, Ohio pleaded guilty to one count of conspiracy last Friday in federal court in the Northern District of Texas.

The case seems to confirm that swatters are using simple Caller ID spoofing to pull these unfunny hoaxes -- and not "hacking into 911" after all. But the court documents indicate that Rosoff was part of a remarkably sophisticated gang of old-school phone phreaks with serious access to at least one phone company's computers, which they used to get information on their targets.

More here.

Defense Focus: Spy Satellite Lessons Not Learned

Martin Sieff writes for UPI:

Underlying the $4 billion U.S. reconnaissance satellite fiasco lie deeper, uncomfortable truths almost never alluded to, let alone understood, by politicians of either major American political party: U.S. leaders and policymakers do not understand the science and technology available to them and have blind, childish, even magical faith in what it can do without beginning to understand how it really works.

The U.S. obsession with software engineering and virtual reality has distracted investment and career energies away from the essential, old-fashioned, "hard" engineering and technological disciplines that are still essential to get anything made, working and kept working.

More here.

Senate Judiciary Committee Passes Surveillance Laws Update in Face of Veto Threat - UPDATE

Terry Frieden writes for CNN:

The Senate Judiciary Committee Thursday passed on a strict party-line vote an update to the nation's electronic surveillance laws despite a veto threat from the attorney general.

The bill would mean the nation's intelligence services do not need to request a court warrant to monitor foreign-to-foreign communications involving suspected terrorists.

All 10 Democrats on the committee voted for the measure, while all nine Republicans opposed it.

Republicans objected to the effort to push through a complicated Foreign Intelligence Surveillance Act modernization plan on which they had not been consulted.

More here.

UPDATE: 19:39 PST: The AP is reporting that the full House approved this measure by a vote of 227-189. Details here. -ferg

Quote of the Day: Scott Amey

"We've always heard that the contractors were in bed with the government. This may literally prove that."

- Scott Amey, general counsel for the Washington-based watchdog the Project on Government Oversight, commenting on news that a former U.S. Army contracting officer in charge of awarding contractual work in Iraq did so on the basis of a sexual tryst with a contractor.

(Hat-tip: Danger Room)

'There Are Not 13 Root DNS Servers...'

Click for larger image.

Kim Davies writes on the ICANN Blog:

I am at the UN Internet Governance Forum, being held this week in Rio de Janeiro, Brazil. A recurring theme you can hear here is one that has vexed the technical community many times before — “Why are there 13 root servers?” This question is usually followed by questions like “Why are most of the root servers in the US?”

So let’s dispel these myths.

More here.

Image source: My good friend & colleague, Patrik Fältström.

Jilted Lover Jailed for Internet Monitoring

Kelly Jackson Higgins writes on Dark Reading:

Jealous husbands, beware: If you've ever entertained the idea of spying on your wife's Internet activity and email, think about Shawn Macleod, who recently learned he'd be spending four years in the slammer for secretly installing Internet monitoring software on his estranged wife's computer.

Macleod, of Austin, Texas, reportedly used a tool called SpyRecon to gather logs of the sites she had surfed and emails she had sent, and was charged with wiretapping, or "unlawful interception of electronic communication," a felony that can carry a sentence of up to 20 years in prison. His attorney says his client, who pleaded guilty in May, probably didn't know that his actions were unlawful.

More here.

Image of the Day: Rosetta 'Comet Chaser' View of Earth by Night


Via ESA News.

This striking composite of Earth by night shows the illuminated crescent over Antarctica and cities of the northern hemisphere. The images were acquired with the OSIRIS Wide Angle Camera (WAC) during Rosetta’s second Earth swing-by on 13 November.

This image showing islands of light created by human habitation was taken with the OSIRIS WAC at 19:45 CET, about 2 hours before the closest approach of the spacecraft to Earth. At the time, Rosetta was about 80 000 km above the Indian Ocean where the local time approached midnight (the angle between Sun, Earth and Rosetta was about 160°). The image was taken with a five-second exposure of the WAC with the red filter.

This image showing Earth’s illuminated crescent was taken with the WAC at 20:05 CET as Rosetta was about 75 000 km from Earth. The crescent seen is around Antarctica. The image is a colour composite combining images obtained at various wavelengths.

More here.

Image source: European Space Agency (ESA)

New Russian Movie Download Site Follows AllofMP3's Lead

Ed Oswald writes on BetaNews:

Although it is apparently not related to the music download site that was the bane of the music industry's existence, a new site is promising cheap downloads of movies.

Called ZML, the new site offers about 1,500 different titles for download that are free of any digital rights management restrictions. The titles available include recent hits 300 and Transformers, as well as classics Apocalypse Now and Aliens.

Each movie is available for download starting at a cost of $1.99, and is encoded in the DivX/Xvid codec according to the site's help files. Those wanting higher quality for larger screens would also have the option of a $2.99 and $4.99 version of the title.

Like AllofMP3, ZML claims it is following the policies of the Russian Organization for Multimedia and Digital Systems (ROMS).

More here.

Russian Business Network: Faking Its Demise


Via RBN Exploit.

HYPOTHESIS: Logically, RBN's fake anti-spyware or rogue software should show major changes in serving and hosting over the last week or so, if the demise of the RBN is correct. Fortunately, based on limited CYBERINT earlier, we were able to show 57 well known ‘fakes’ and 34 of the top 40 being RBN related; below can be seen the specifics.

RESULT: With the exception of the loss of replacement of AS40989 secondary name servers there has been little or no change to the core IP addresses.

More here.

Image source: RBN Exploit

FBI's Top Lawyer Defends Data-Dragnet Powers

Declan McCullagh writes on C|Net's "Iconoclast" Blog:

The FBI's top lawyer defended the Patriot Act on Wednesday, saying the bureau's increased powers are vital to aiding investigations into attacks such as the London subway bombing.

FBI general counsel Valerie Caproni said during a conference at New York University's law school that the 2001 changes to the Patriot Act involving national security letters (NSLs) were crucial to accessing phone records. NSLs are subpoena-like orders that the FBI can use to obtain information about companies' customers.

Caproni, a former federal prosecutor who took her current position in 2003, said that after the July 2005 subway bombings in London--which killed dozens of commuters and injured hundreds more--the British security service gave the United States "lots" of phone numbers called by the suspected perpetrators.

More here.

U.S. Panel Urges Vigilance on China Spying, Cyber War


Paul Eckert writes for Reuters:

Chinese espionage posed "the single greatest risk" to U.S. technology, a congressional advisory panel said on Thursday and called for efforts to protect industrial secrets and computer networks.

The U.S.-China Economic and Security Review Commission also called in its annual report to Congress for closer work with China to promote energy security and deal with environmental problems such as climate change and pollution.

The panel urged the U.S. Congress to examine "military, intelligence, and homeland security programs that monitor and protect critical American computer networks and sensitive information, specifically those tasked with protecting networks from damage caused by cyber attacks."

More here.

Wednesday, November 14, 2007

Off Topic: Warp Drive


Via StarDate.org.

The dreamers at the British Interplanetary Society are thinking big today. They're hosting scientists and engineers from around the world who are studying the theory behind warp drive -- the propulsion system that powers fictional starships. They may not be sending anyone to Vulcan anytime soon, but they are learning more about how the universe works.

About a decade ago, a scientist named Miguel Alcubierre came up with a theoretical basis for warp drive.

He used Albert Einstein's theory of gravity to formulate a "bubble" in spacetime.

More here.

Maybe The Best xkcd Ever?


Click for larger image.



We love xkcd.

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Wednesday, Nov. 14, 2007, at least 3,864 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,147 died as a result of hostile action, according to the military's numbers.

The AP count is five higher than the Defense Department's tally, last updated Wednesday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Infotainment Break: Star Wars Meets Pulp Fiction





Sweet, sweet, sweet.

Here's what would happen if Quentin Tarantino directed Star Wars.


Via The Website at the End of The Universe.

Did NSA Put a Secret Backdoor in New Encryption Standard?

Bruce Schneier writes on Wired News' "Security Matters":

The U.S. government released a new official standard for random-number generators this year, and it will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90 [.pdf], the 130-page document contains four different approved techniques, called DRBGs, or "Deterministic Random Bit Generators." All four are based on existing cryptographic primitives. One is based on hash functions, one on HMAC, one on block ciphers and one on elliptic curves. It's smart cryptographic design to use only a few well-trusted cryptographic primitives, so building a random-number generator out of existing parts is a good thing.

But one of those generators -- the one based on elliptic curves -- is not like the others. Called Dual_EC_DRBG, not only is it a mouthful to say, it's also three orders of magnitude slower than its peers. It's in the standard only because it's been championed by the NSA, which first proposed it years ago in a related standardization project at the American National Standards Institute.

More here.
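For contrast with Dual_EC_DRBG, here is the HMAC-based generator from the same standard, written from SP 800-90 as an added example (it is not code from the column, from this page, or from NIST). It shows the (K, V) state, the update step after every output that keeps earlier output unrecoverable from later state, and reseeding; SHA-256 as the hash, the seed-length check and the per-request cap are my choices.

```python
import hmac
import hashlib

# HMAC_DRBG as specified in NIST SP 800-90 (HMAC-based construction).
# Written from the spec for illustration; hash choice is mine (SHA-256).
HASH = hashlib.sha256
OUTLEN = HASH().digest_size          # 32 bytes for SHA-256
MAX_REQUEST_BYTES = 1 << 16          # SP 800-90 caps one request at 2^19 bits


class HmacDrbg:
    """Deterministic Random Bit Generator built only from HMAC (SP 800-90, HMAC_DRBG)."""

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < OUTLEN:
            raise ValueError("need at least %d bytes of seed entropy" % OUTLEN)
        # Instantiate: K = 0x00..00, V = 0x01..01, then fold in the seed material.
        self.key = b"\x00" * OUTLEN
        self.v = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, HASH).digest()

    def _update(self, provided_data: bytes = b"") -> None:
        # HMAC_DRBG_Update: mixes provided_data into (K, V). The second round,
        # with a 0x01 separator byte, runs only when data was supplied.
        self.key = self._hmac(self.key, self.v + b"\x00" + provided_data)
        self.v = self._hmac(self.key, self.v)
        if provided_data:
            self.key = self._hmac(self.key, self.v + b"\x01" + provided_data)
            self.v = self._hmac(self.key, self.v)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        # Fresh entropy is mixed into the existing state, not used to restart it.
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional: bytes = b"") -> bytes:
        if nbytes > MAX_REQUEST_BYTES:
            raise ValueError("request exceeds the per-call limit")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:
            self.v = self._hmac(self.key, self.v)   # each step advances V; V is the output
            out += self.v
        # Back-tracking resistance: K and V move on after output, so a later
        # state compromise does not reveal the bytes just handed out.
        self._update(additional)
        self.reseed_counter += 1
        return out[:nbytes]


if __name__ == "__main__":
    # Constructed, fixed seed so the run is reproducible; a real caller would
    # draw it from the operating system's entropy source.
    drbg = HmacDrbg(bytes(range(32)), personalization=b"demo")
    print(drbg.generate(32).hex())
    print(drbg.generate(32).hex())
```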

How to Check the WHOIS Record of an IDN Domain


Jay Westerdal offers some great advice over on the DomainTools Blog:

Have you ever wanted to check if a domain was available for a common word or phrase in a different language? Asking us how to do a whois lookup on an IDN domain name is actually a common question in our support ticket system.

So I thought I would let the world know how to do it. Perhaps you want to look at the whois record for “world map” in Korean. Here is a step-by-step instruction on how to do it.

  1. Head over to Google Translate.
  2. Enter in your words, such as “world map”.
  3. Select the language you want to translate into. Example: “English to Korean”
  4. If your results look like “????”, then you need to install a language pack for your operating system. On Windows XP it is really easy; just follow these instructions for the Microsoft Language Packs on Microsoft’s website. You can enable this from your control panel in a few minutes.
  5. Once you have the translated words, which will look like a foreign language, copy and paste them into the DomainTools search box. Then the last step is to append “.com” to it. Then hit search and it will auto-translate it into the IDN script.


More here.

Image source: DomainTools

ITU Botnet Mitigation Toolkit


A colleague alerted me to this noble effort... FYI. -ferg

Via The ITU-D Cyber Security Project Page.

Botnets (also called zombie armies or drone armies) are networks of compromised computers infected with viruses or malware to turn them into “zombies” or “robots” – computers that can be controlled without the owners’ knowledge. Criminals use the collective computing power and connected bandwidth of these externally-controlled networks for malicious purposes and criminal activities, including, inter alia, generation of spam e-mails, launching of Distributed Denial of Service (DDoS) attacks, alteration or destruction of data, and identity theft.

The threat from botnets is growing fast. The latest (2007) generation of botnets such as Zhelatin (Storm Worm) uses particularly aggressive techniques such as fast-flux networks and striking back with DDoS attacks against security vendors trying to mitigate them. An underground economy has now sprung up around botnets, yielding significant revenues for authors of computer viruses, botnet controllers and criminals who commission this illegal activity by renting botnets.

In response to this, ITU is developing a Botnet Mitigation Toolkit to help deal with the growing problem of botnets. Inspired by the Australian Internet Security Initiative (AISI), the toolkit draws on existing resources, identifies relevant local and international stakeholders, and takes into consideration the specific constraints of developing economies. The toolkit seeks to raise awareness among Member States of the growing threats posed by botnets and the linkage with criminal activities and incorporates policy, technical and social aspects of mitigating the effects of botnets. The first draft of the toolkit will be made available in December 2007, with pilot tests planned in a number of ITU Member States in 2008.

More here.

Swedish Police Swoop on Dan Egerstad - UPDATE


Asher Moses writes on The Age.com.au.

The Swedish hacker who perpetrated the so-called hack of the year has been arrested in a dramatic raid on his apartment, during which he was taken in for questioning and several of his computers confiscated.

Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

The hack required little more than tools freely available on the internet, and Egerstad maintains he broke no laws. In fact, he is confident the email accounts he gained access to were already compromised by other hackers, so his efforts in fact prevented them from continuing their spying.

More here.

UPDATE: 19:23 PST: Kim Zetter has additional details here on Threat Level. -ferg

Image source: The Age

GAO: Bomb Parts Snuck Past Airport Checks (Again)

Via CBS News.

CBS News correspondent Bob Orr reports terrorists could slip past Transportation Security Administration screeners and, with a few readily available components, assemble an explosive that could cause severe damage to an airplane, according to a new report from the Government Accountability Office.

The report, obtained exclusively by CBS News, details how GAO investigators conducted covert tests at 19 airports earlier this year to test the vulnerabilities of the passenger screening process. The investigators succeeded in passing through TSA checkpoints undetected with components for making improvised explosive devices (IED) and improvised incendiary devices (IID).

"Our tests clearly demonstrate that a terrorist group, using publicly available information and a few resources, could cause severe damage to an airplane and threaten the safety of passengers," the report states.

More here.

U.S. House Focuses on Internet Sex Predators

An AP newswire article by Jim Abrams, via The Globe and Mail, reports that:

The House is taking on people who use the Internet to prey on children, working through bills that would make it easier to monitor and prosecute cyber crimes against juveniles and to educate children about online dangers.

"We need to think of this as a war," said Rep. Debbie Wasserman Schultz, D-Fla., sponsor of one of a half-dozen sex predator, child pornography and Internet safety bills heading for passage Wednesday. The bills were put together by the Democratic majority but enjoyed wide bipartisan support.

Her bill would approve spending $1 billion over the next eight years to combat online child exploitation. It would create a Justice Department office to coordinate prosecution efforts; increase money for a program that helps state and local law enforcement; and provide more dollars to hire agents and improve forensic lab capabilities dedicated to child exploitation cases. It passed 415-2.

More here.

With Web 2.0, A New Breed of Malware Evolves

Robert McMillan writes on InfoWorld:

Web 2.0 technologies may be laying the groundwork for a new generation of hacker tools, a noted security researcher said Wednesday.

Google Mashups, RSS feeds, search, all of these can be misused by hackers to distribute malware, attack Web surfers and communicate with botnets, said Petko Petkov, a security researcher speaking at the Open Web Application Security Project (OWASP) U.S. 2007 conference, held on eBay's campus.

Tools like the downloadable MPack hacker toolkit have made it easier for the bad guys to deploy malicious code, but some of these emerging technologies promise to take hacking to a whole new level, he said. "Now people can use and abuse Web 2.0 technologies to construct something much larger," he said. "When you look at it from a hacker perspective, you'll see there are a whole lot of opportunities," he said.

More here.

TSA Denies Tipping Airport Screeners to Tests

Nicole Gaouette writes in The Los Angeles Times:

Bush administration officials vehemently denied today that airport screeners have been tipped about covert security tests even as lawmakers brandished an e-mail from Transportation Security Administration officials that not only warned employees of testing, but described the methods and appearance of those conducting the probes.

"There was no intent to tip off, there was no cheating," insisted TSA chief Kip Hawley, who said that TSA officials sent the e-mail not to tip off screeners, but because they thought the tests might really be an Al Qaeda operation.

Democratic lawmakers were openly incredulous of Hawley's contention.

More here.

Apple Update Fixes 41 Mac OS X, Safari Vulnerabilities

Ryan Naraine writes on the ZDNet "Zero Day" Blog:

Apple today released a monster update to provide belated cover for at least 41 security holes in its flagship Mac operating system.

With Security Update 2007-008 and Mac OS X v10.4.11, Apple patches multiple “highly critical” flaws that could cause unexpected system shutdowns, drive-by-malware downloads and remote code execution attacks.

The company also shipped a new version of Safari for Windows (beta) to patch 10 browser vulnerabilities affecting Windows XP and Vista users.

More here.

NHL, MLB Websites Hit by Traffic-Redirection Ad Attack - UPDATE

Jim Carr writes on SC Magazine U.S.:

Malicious banner ads first affected visitors to the websites of Major League Baseball and the National Hockey League late last week, according to researchers at Exploit Prevention Labs.

According to Roger Thompson, chief technology officer, the malicious banner ads hijacked user sessions on both websites. The malware then tried to force the visitor to download malware posing as an anti-virus application.

Thompson told SCMagazineUS.com today that visitors were not able to avoid the malware.

More here.

Note: Also, some additional details on how this works from the folks over at Sunbelt Software. -ferg

UPDATE: 17:48 PST: Lisa Vaas, over at eWeek, makes the RBN connection. Details here. -ferg

Comcast Sued Over BitTorrent Blocking

Ryan Singel writes on Threat Level:

A California man filed suit in state court Tuesday against internet service provider Comcast, arguing that the company's secret use of technology to limit peer-to-peer applications such as BitTorrent violates federal computer fraud laws, their user contracts and anti-fraudulent advertising statutes.

Plaintiff Jon Hart, represented by the Lexington Law Group, argues that Comcast's promises of providing internet connections that let users "Download at Crazy Fast Speeds" are false and misleading since Comcast limits downloads by transmitting "unauthorized hidden messages to the computers of customers" who use peer-to-peer file sharing software. Hart wants the court to force Comcast to stop interfering with the traffic.

He also wants the court to certify the suit as a class action and force Comcast to pay damages to himself and all other Comcast internet subscribers in California.

More here.

Quote of the Day [2]: Geoffrey Stone

"Only a tiny slice of the legal profession believes that the Bush surveillance program was lawful, and almost all of them had been recruited into the Bush White House."

- Geoffrey Stone, writing on the University of Chicago Law School's "The Faculty Blog".

(Hat-tip: Tim Lee)

Quote of the Day: Bruce Schneier

"This kind of thinking can do enormous damage to a free society."

- Bruce Schneier, commenting on Deputy Director of U.S. National Intelligence Donald Kerr's statement that "...it is time that people in the United States changed their definition of privacy."

UK Wants ISPs to Fight Terror

An AP newswire article by Raphael G. Satter, via PhysOrg.com, reports that:

British Prime Minister Gordon Brown wants Internet companies to help stifle online terrorist propaganda, he told lawmakers Wednesday, as officials say they plan to meet leading service providers to find ways of putting a lid on extremist content.

But the providers argue they already do all they can to fight illegal terrorist material online, and experts say even powerful filters cannot block determined users from getting their message out.

The prime minister's proposal comes as the European Union considers ways to sanction Web sites that display terror propaganda or recruit for terrorist groups.

More here.

Vint Cerf: Government Control of Internet Failing

Via TVNZ.co.nz.

Attempts by governments to create a controlling agency for the internet are likely to fail, Dr Vint Cerf, one of the founding fathers of the World Wide Web, said.

In an interview on the sidelines of a United Nations-led forum on internet governance in Rio de Janeiro, Cerf, 64, said the fact that the web is almost entirely privately owned is a major obstacle to such control.

The forum discussed issues like the fight against child pornography and Internet security as well as the possible establishment of an intergovernmental body to coordinate such efforts.

"It's tempting to think that you need a United Nations-like structure to deal with it," Cerf said.

"I believe it will be very hard to accomplish that objective for one simple reason - 99% of the internet, the physical internet, is in private sector hands, operated by the private sector," he said, defending a different governance structure made up of multiple stakeholders.

More here.

Election 'Fixes' Grave Concern for e-Voting Ballot Security

Alan Bernstein writes in The Houston Chronicle:

Johnnie German admitted he was nervous as he used high-security codes to tap into the Harris County elections computer system last week and change some of the results manually.

The system was in good hands as the votes were counted from the sprawling Nov. 6 contests. German is the county's respected administrator of elections, and there were witnesses present as he corrected the vote totals on a sales tax referendum for a fire/ambulance district in the Cypress-Fairbanks area of northwest Harris County.

But German's late-night deed, said by officials to be a first-time event in the six years Harris County has used the eSlate voting system, has rekindled the debate about whether the newest electronic methods for counting votes should be trusted.

What German graphically demonstrated was that with the proper physical and informational access, one person can alter the results of an election in a county of 1.8 million registered voters.

More here.

(Props, Realtime Messaging & Web Security.)

Animal Rights Activist Hit With RIPA Key Decrypt Demand

John Leyden writes on The Register:

An animal rights activist has been ordered to hand over her encryption keys to the authorities.

Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start of October 2007, seven years after the original legislation passed through parliament. Intended primarily to deal with terror suspects, it allows police to demand that suspects hand over encryption keys or provide a clear-text transcript of encrypted text.

Failure to comply can result in up to two years imprisonment for cases not involving national security, or five years for terrorism offences and the like. Orders can be made to turn over data months or even years old.

The contentious measure, introduced after years of consultation, was sold to Parliament as a necessary tool for law enforcement in the fight against organised crime and terrorism.

But an animal rights activist is one of the first people at the receiving end of a notice to give up encryption keys. Her computer was seized by police in May, and she has been given 12 days to hand over a pass-phrase to unlock encrypted data held on the drive - or face the consequences.

More here.

Hacker Finds 492,000 Unprotected Oracle, SQL Database Servers

Ryan Naraine writes on ZDNet's "Zero Day" Blog:

A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.

Litchfield, co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses — TCP port 1433 (SQL Server) and 1521 (Oracle) — and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers.

More here.
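A worked example, added here and not Litchfield's own scanner or anything from the article: an asyncio TCP connect probe for the two ports the survey used (1433 and 1521), run with bounded concurrency, plus a helper that scales hits in a uniform random sample up to the whole IPv4 space, which is how a random-address survey is read. The listener on a loopback ephemeral port is a constructed fixture standing in for an exposed database; the hostnames, port map and service labels are assumptions, and the code sends no payload, so it only tells you a listener is reachable, not what is behind it.

```python
"""Added example: bounded-concurrency TCP connect probe for exposed database
listeners, in the spirit of the survey described above (not its code)."""
import asyncio
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# The two ports named in the article: MSSQL and the Oracle TNS listener.
DB_PORTS: Dict[int, str] = {1433: "mssql", 1521: "oracle-tns"}
IPV4_SPACE = 2 ** 32


async def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes within the timeout.

    A completed connect shows the listener is reachable from here; no bytes
    are sent, so the service itself is never touched."""
    try:
        _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    except (OSError, asyncio.TimeoutError):
        return False
    writer.close()
    try:
        await writer.wait_closed()
    except OSError:
        pass
    return True


async def _scan(hosts: List[str], ports: Dict[int, str],
                concurrency: int, timeout: float) -> Dict[str, List[Tuple[int, str]]]:
    sem = asyncio.Semaphore(concurrency)  # cap in-flight connects

    async def one(host: str, port: int):
        async with sem:
            return host, port, await tcp_open(host, port, timeout)

    results = await asyncio.gather(*(one(h, p) for h in hosts for p in ports))
    exposed: Dict[str, List[Tuple[int, str]]] = {}
    for host, port, is_open in results:
        if is_open:
            exposed.setdefault(host, []).append((port, ports[port]))
    return exposed


def scan_db_ports(hosts: Iterable[str], ports: Optional[Dict[int, str]] = None,
                  concurrency: int = 256, timeout: float = 2.0) -> Dict[str, List[Tuple[int, str]]]:
    """Return {host: [(port, service), ...]} for every host with a reachable listener."""
    ports = DB_PORTS if ports is None else ports
    return asyncio.run(_scan(list(hosts), ports, concurrency, timeout))


def extrapolate(hits: int, sampled: int, space: int = IPV4_SPACE) -> int:
    """Scale a hit count from a uniform random sample of addresses to the whole space."""
    if sampled <= 0:
        raise ValueError("sampled must be positive")
    return round(hits * space / sampled)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed test fixture: a loopback listener on an ephemeral port that
    stands in for an exposed database service (no real MSSQL/Oracle needed).
    The backlog completes the handshake, so nothing has to call accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """An ephemeral port that is currently closed, for the negative case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, fixture_port = start_local_listener()
    port_map = {fixture_port: "mssql (fixture)", unused_local_port(): "oracle-tns"}
    print(scan_db_ports(["127.0.0.1"], port_map))
    srv.close()
```

Pointed at your own address ranges (with authorisation), a hit on 1433 or 1521 from outside the perimeter is the finding the article is about, whatever the service says when you later talk to it.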

Tuesday, November 13, 2007

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Tuesday, Nov. 13, 2007, at least 3,861 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,147 died as a result of hostile action, according to the military's numbers.

The AP count is three higher than the Defense Department's tally, last updated Tuesday at 10 a.m. EST.

As of Tuesday, Nov. 13, 2007, at least 391 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. Of those, the military reports 262 were killed by hostile action.

The department last updated its figures Nov. 3, 2007, at 10 a.m. EST.

More here and here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Nigerian 419'er Arrested


An AAP newswire article, via The Sydney Morning Herald, reports that:

A Nigerian man accused of scamming a 56-year-old Queensland woman out of thousands of dollars over the internet has been arrested in his home country.

The 27-year-old man was arrested in Nigeria last week after a joint operation between Queensland police and the Nigerian Economic and Financial Crimes Commission.

Police today said the pair met on an online dating website.

Over several months the woman sent thousands of dollars to the man overseas, they said.

More here.

Shocker: Russia Casts A Selective Net in Piracy Crackdown

Peter Finn writes in The Washington Post:

The newspaper Novaya Gazeta, one of the last outposts of critical journalism in Russia, suspended publication of its regional edition in the southern city of Samara on Monday after prosecutors opened a criminal case against its editor, alleging that his publication used unlicensed software.

The case is part of a larger assault on independent news media, advocacy organizations and political activists, according to government critics. But it is one that is specifically tailored to deflect foreign criticism.

More here.

AT&T to Sell Equipment to Monitor Workplaces


Janet Morrissey writes in The New York Times:

AT&T plans to introduce a nationwide program today that gives owners of small- and medium-size businesses some of the same tools big security companies offer for monitoring employees, customers and operations from remote locations.

Under AT&T’s Remote Monitor program, a business owner could install adjustable cameras, door sensors and other gadgets at up to five different company locations across the country.

Using a Java-enabled mobile device or a personal computer connected to the Internet, the owner would be able to view any of the images in real time, control room lighting and track equipment temperatures remotely. All the images are recorded on digital video, which can be viewed for up to 30 days.

More here.

(IN)SECURE Magazine, Issue 14: Now Available


Available now [.pdf].

- ferg

Sensitive Guantánamo Bay Manual Leaked Through Wiki Site

Ryan Singel writes on Wired News:

A never-before-seen military manual detailing the day-to-day operations of the U.S. military's Guantánamo Bay detention facility has been leaked to the web, affording a rare inside glimpse into the institution where the United States has imprisoned hundreds of suspected terrorists since 2002.

The 238-page document, "Camp Delta Standard Operating Procedures," is dated March 28, 2003. It is unclassified, but designated "For Official Use Only." It hit the web last Wednesday on Wikileaks.org.

More here.

Ukrainian Government Website Hacked, Subdirectory Redirects to Bogus Pharma - UPDATE

Another day, another website compromise.

Although this is a bit more interesting, as it belongs to a Ukrainian Government agency (zito.mvs.gov.ua).

A friend and colleague at Trend Micro alerted me to this late this afternoon.

The image below shows the main page, which looks like it always does:

Having said that, however, a particular subdirectory (which I won't reveal here), redirects to a bogus pharma site (www.myphentermine.net):

Oops.

At the moment of this posting, it is still hacked.

On the bright side, it is located in The Ukraine:

www.myphentermine.net --> 62.149.17.20

% Information related to '62.149.17.0 - 62.149.17.255'

inetnum: 62.149.17.0 - 62.149.17.255
netname: COLO-CC5
descr: Colocall Ltd.
country: UA
admin-c: COLO3-RIPE
tech-c: COLO2-RIPE
status: ASSIGNED PA
mnt-by: AS15497-MNT
mnt-lower: AS15497-MNT
mnt-routes: AS15497-MNT
source: RIPE # Filtered
role: Colocall NOC
address: Turgenevskaya, 52-58
address: Kiev
address: Ukraine


For what it's worth, I have sent an e-mail to the technical contact of this domain to notify them of the issue -- but somehow I don't think they'll receive it:


----- The following address(es) had permanent fatal errors ----- ;
originally to rfc822;semch@centrmia.gov.ua (unrecoverable error)
The user to whom this message was addressed has exceeded the allowed mailbox quota.
Please resend the message at a later time.

Bummer.


- ferg

UPDATE: 22:53 PST, 14 November 2007: I have received word from colleagues that this website belongs to Office of Ministry of Internal Affairs in Zhitomir Region of Ukraine. And yes, it is still hacked. -ferg
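A small added example, not code from the post: a parser for the RIPE-style whois record quoted above (the sample below is reconstructed from that output) and a check that labels a redirect target as same-site or off-site, the condition that turns a subdirectory of a government site into a pharma front. The post withholds the affected path, so the example uses only the two hostnames it gives; the handful of multi-label suffixes is a stand-in assumption for a real public-suffix list.

```python
"""Added example: parse an RPSL/RIPE whois record and classify a redirect
target against the page that issued it."""
from typing import Dict, List
from urllib.parse import urljoin, urlsplit

# Reconstructed from the RIPE output quoted in the post (sample input, not a live lookup).
SAMPLE_WHOIS = """\
% Information related to '62.149.17.0 - 62.149.17.255'

inetnum:      62.149.17.0 - 62.149.17.255
netname:      COLO-CC5
descr:        Colocall Ltd.
country:      UA
admin-c:      COLO3-RIPE
tech-c:       COLO2-RIPE
status:       ASSIGNED PA
mnt-by:       AS15497-MNT
source:       RIPE # Filtered
role:         Colocall NOC
address:      Turgenevskaya, 52-58
address:      Kiev
address:      Ukraine
"""

# Assumption: a tiny stand-in for the public-suffix list, enough for the hosts in the post.
MULTI_LABEL_SUFFIXES = {"gov.ua", "com.ua", "co.uk", "gov.uk"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse RPSL 'key: value' lines into a dict of lists.

    Keys that repeat (address:) keep every value in order; '%' and '#'
    comment lines and blank lines are skipped. Values are taken verbatim."""
    record: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def registrable_domain(host: str) -> str:
    """Registrable part of a hostname, e.g. mvs.gov.ua for zito.mvs.gov.ua."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_redirect(page_url: str, location: str) -> str:
    """Label a Location header relative to the page that sent it.

    'same-site' when the target stays inside the page's registrable domain
    (relative and protocol-relative Locations are resolved first), 'off-site'
    when it leaves it, which is the pharma case in the post."""
    target = urlsplit(urljoin(page_url, location))
    source = urlsplit(page_url)
    if not target.hostname:
        return "same-site"
    if registrable_domain(target.hostname) == registrable_domain(source.hostname or ""):
        return "same-site"
    return "off-site"


def summarise(record: Dict[str, List[str]]) -> str:
    """One-line owner summary of a parsed record, for a notification e-mail."""
    first = lambda k: record.get(k, ["?"])[0]
    return "{} ({}) in {}".format(first("netname"), first("descr"), first("country"))


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(summarise(rec))
    print(classify_redirect("http://zito.mvs.gov.ua/", "http://www.myphentermine.net/"))
```

The same-site test is deliberately on the registrable domain rather than the exact host, so a bounce from one government subdomain to another is not flagged while a bounce to a pharma domain is.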

Toon of the Day: Back Scratching

Via Truthdig.

Yahoo! Settles With Jailed Chinese Writers

Sarah Lai Stirland writes on Threat Level:

Yahoo on Tuesday settled a lawsuit filed in the United States by two mainland Chinese writers who were imprisoned after the technology company handed over their private account information to Chinese law enforcement authorities.

Terms of the settlement weren't disclosed. But a source at Yahoo said the company has been "working with the families, and we're working with them to provide them with financial, humanitarian and legal assistance."

Yahoo has also agreed to establish a global human rights fund to provide "humanitarian relief" to support dissidents and their families. The source said that details still have to be worked out.

More here.

Photo of the Day: Killer Gas Prices



I took this picture this morning in Milpitas while I was getting gas -- and after I let loose a string of epithets & expletives on the ridiculous prices.

And if this article in ConsumerAffairs.com is any indication, it ain't going to get better anytime soon. In fact, it is predicted to rise by $.20 a gallon (or more) in the next few weeks.

- ferg

DoJ Reopens Warrantless Wiretapping Inquiry Previously Halted By Bush

An AP newswire article by Devlin Barrett, via SFGate.com, reports that:

The Justice Department has reopened a long-dormant inquiry into the government's warrantless wiretapping program, a major policy shift only days into the tenure of new Attorney General Michael Mukasey.

The investigation by the department's Office of Professional Responsibility was shut down last year, after the investigators were denied security clearances. Gonzales told Congress that President Bush, not he, denied the clearances.

"We recently received the necessary security clearances and are now able to proceed with our investigation," H. Marshall Jarrett, counsel for the OPR, wrote to Rep. Maurice Hinchey, D-N.Y. A copy of the letter, dated Tuesday, was obtained by The Associated Press.

Hinchey and other Democrats have long sought an investigation into the spying program to see if it complies with the law. Efforts to investigate the program have been rebuffed by the Bush administration.

More here.

Ex-FBI, CIA Employee Pleads Guilty to Computer Crime

Grant Gross writes on InfoWorld:

A former employee of the U.S. Federal Bureau of Investigation and Central Intelligence Agency has pleaded guilty to charges of fraudulently obtaining U.S. citizenship and accessing a U.S. government computer system to unlawfully find information about her relatives and the Islamic organization Hizballah.

Nada Nadim Prouty, 37, originally from Lebanon, also pleaded guilty Tuesday in U.S. District Court for the Eastern District of Michigan to conspiracy to defraud the U.S. government. She was accused of using her fraudulently obtained U.S. citizenship to gain employment with the FBI and CIA, and of using her position in the FBI to check on the information held on family members connected to Hizballah, according to the U.S. Department of Justice. The U.S. government considers Hizballah a terrorist group.

More here.

Report: Los Alamos Investigating Breach on Unclassified Network

Via LANL: The Rest of The Story.

The Laboratory is investigating a recent attack on its unclassified Yellow Network. A significant amount of unclassified material was removed. The exact nature of the stolen information is under forensic investigation.

Affected computers were disconnected from the Lab's network and the hacker's software has been disabled.

Laboratory Director Michael Anastasio reminded employees in an all-employee memo to be cyber security aware. "This recent occurrence is a reminder that awareness is the first and most important layer of defense against fast-spreading worms that target known vulnerabilities. The threat of comprehensive, malevolent attacks is continuous and high," said Anastasio.

More here.

U.S. Targets Terrorists as Online Thieves Run Amok

Ryan Blitstein writes in The Mercury News:

Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat, a Mercury News investigation reveals.

"The U.S. government has not devoted the leadership and energy that this issue needs," said Paul Kurtz, a former administration homeland and cybersecurity adviser. "It's been neglected."

Even as the White House asked last week for $154 million toward a new cybersecurity initiative expected to reach billions of dollars over the next several years, security experts complain the administration remains too focused on the risks of online espionage and information warfare, overlooking the international criminals who are stealing a fortune through the Internet.

More here.

UK: 50,000 Online Visa Applications Exposed on Foreign Office Website

Pam Caulfield writes on 24dash.com:

The Foreign Office broke data protection rules by failing to ensure its UK visas website was secure, the privacy watchdog said today.

A security breach meant the personal data of visa applicants was visible to other people visiting the website, the Information Commissioner's Office (ICO) found.

The Foreign and Commonwealth Office (FCO) has now signed a formal undertaking to comply with the Data Protection Act.

It follows an investigation by the ICO, sparked in May when the security breach on the visa processing website came to light.

More here.

(Props, attrition.org.)

TJX's Projected Breach Costs Increase To $216 Million


Evan Schuman writes on StorefrontBacktalk:

In a footnote in its Tuesday earnings announcement, TJX increased its estimate of pre-tax charges for the world's worst credit card data breach to $216 million. Back in August, it had projected only a $168 million pre-tax hit.

The data breach consisted of extensive cyber thief activity within TJX's network from 2003 through June 2004 and then again from mid-May 2006 through mid-December 2006, TJX said. Court filings have estimated that the data from some 96 million credit cards was accessed during the incidents.

More here.

Patch Tuesday Summary: Patch Now!

Patch Now.

More details here at the SANS Internet Storm Center & at Microsoft.

- ferg

Monday, November 12, 2007

U.S. Mortgage Crisis Slams E*Trade

An AP newswire article by Sinclair Lewis, via The Globe and Mail, reports that:

E*Trade Financial Corp.'s decision to become a more aggressive player in U.S. home loans whipsawed the discount brokerage in dramatic fashion Monday, pummelling its market value by almost 60 per cent and prompting one analyst to speculate the company could be heading for bankruptcy.

The grim financial prognosis has only reinforced suggestions that E*Trade is vulnerable to a takeover, and TD Ameritrade Holding Corp., the online broker in which Toronto-Dominion Bank owns a 40-per-cent stake, is viewed as one of the most motivated buyers.

More here.

Livermore Lab Warns of Layoffs

Betsy Mason writes on InsideBayArea.com:

Just six weeks after a new manager took charge, Lawrence Livermore National Laboratory announced Monday it will lay off as many as 500 employees due to increasing costs.

At an all-hands morning meeting, lab director George Miller told employees that 2,000 of them would be given notice this week that they are among those whose jobs are in jeopardy.

Those laid off will be temporary workers with fixed-term contracts known as flex-term employees and supplemental labor workers hired through contractors including IAP Worldwide Services.

In addition to the impending 500 layoffs, at least 50 of these employees have already been let go, triggering the WARN Act, which requires management to notify employees of the possibility of a mass layoff.

More here.