Saturday, April 26, 2008

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Saturday, April 26, 2008, at least 4,052 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,306 died as a result of hostile action, according to the military's numbers.

The AP count is four less than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Saturday, April 26, 2008, at least 425 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Tuesday at 10 a.m. EDT.

Of those, the military reports 292 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Microsoft Responds: Questions About Web Server Attacks

Via The Microsoft Security Response Center (MSRC).

To begin with, our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306).

The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here. Our counterparts over on the IIS blog have written a post with a wealth of information on steps that web developers and IT professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations. Additional information can be found here.

More here.
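The "best practices" MSRC points at boil down to one rule: never build SQL text out of request input. The following is an added example (my own, not code from Microsoft or from the IIS blog) showing the injectable pattern next to the parameterised one. It uses an in-memory SQLite table as a stand-in for the SQL Server back end the attacked ASP pages used, and the two payloads are constructed for the demonstration; the table and its rows are made up.

```python
import sqlite3


def setup_db():
    """Constructed sample data in an in-memory SQLite database (stand-in for SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello world"),
         ("Press release", "Nothing to see here"),
         ("Internal memo", "DRAFT: not for publication")],
    )
    return conn


def search_vulnerable(conn, title):
    """The injectable pattern: the request parameter is concatenated into SQL text."""
    sql = "SELECT id, title FROM articles WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, title):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (title,)
    ).fetchall()


# Two constructed payloads of the kind a scanner would send in a form field or query string.
TAUTOLOGY = "x' OR '1'='1"                                 # WHERE clause becomes always-true
UNION_LEAK = "x' UNION SELECT id, body FROM articles --"    # pulls another column into the result


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input :", search_vulnerable(db, "Welcome"))
    print("vulnerable, tautology    :", search_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union leak   :", search_vulnerable(db, UNION_LEAK))
    print("safe, tautology          :", search_safe(db, TAUTOLOGY))
    print("safe, union leak         :", search_safe(db, UNION_LEAK))
```

With the concatenated query the tautology returns every row and the UNION payload returns the body column (including the draft that was never meant to be published); the parameterised query treats both payloads as a literal title that matches nothing. Note that SQLite refuses to run more than one statement per call, so the stacked "; UPDATE ..." form used in the mass attack against SQL Server will not reproduce here, but the root cause is identical.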

Hackers Commandeer Israel Bank Website, Post Anti-Israeli Jibes


Hackers commandeered the Bank of Israel Web site early Friday and filled it with virtual graffiti in Arabic defaming Israel.

Web surfers who attempted to access the site Friday morning were met with Arabic scrawlings that the anonymous vandals placed on the site. The Bank of Israel has taken down the site until the glitch could be fixed.

More here.

Friday, April 25, 2008

Web 2.0: Whatever Google Knows About Spam, It Isn't Saying

Thomas Claburn writes on InformationWeek:

At the Web 2.0 Expo in San Francisco on Friday, Google engineer Matt Cutts, who heads Google's Web spam team, gave a keynote address titled "What Google Knows About Spam."

Cutts and many others at Google know a lot about spam because Google gets a lot of spam, in e-mail and on Web pages. The problem is, he couldn't say very much about it.

More here.

TJX CEO Received $6M in 2007 Compensation

An AP newswire article by Mark Jewell, via The Boston Globe, reports that:

TJX Cos. Chief Executive Carol Meyrowitz received compensation valued at nearly $6 million in 2007, her first year in the top job as the discount retailer's stock price held steady despite fallout from a massive data breach and a tough retail environment.

Meyrowitz received a base minimum salary of $1.4 million after being groomed to replace former interim CEO and current Chairman Bernard Cammarata at the start of TJX's last fiscal year on Jan. 28, 2007.

Meyrowitz, who added the CEO title to the president's role she's held since 2005, also received $2.3 million in compensation under a non-equity incentive plan, according to a Securities and Exchange Commission filing Thursday by the operator of nearly 2,600 stores including T.J. Maxx and Marshalls.

More here.

Department of Homeland Security Website Hacked

Dan Goodin writes on The Register:

The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches... showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot [above] shows, even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune. Other hacked sites include those belonging to the United Nations and the UK Civil Service.

More here.

Image source: The Register

New SQL Injection Technique Threatens Oracle Databases

Dennis Fisher writes on SearchSecurity:

Database security expert David Litchfield has devised a new method of exploiting various PL/SQL procedures that do not take any input. The technique, which he describes as lateral SQL injection, can be used to compromise Oracle databases remotely.

The attack exploits some common data types, including DATE and NUMBER, which do not take any input from the user and so are not normally considered to be exploitable. But, as Litchfield writes in his new paper [.pdf] on the lateral injection attack , using a bit of creative coding and some knowledge of the way the Oracle database management system works, an attacker can manipulate some common functions.

Litchfield, one of the founders of NGS Software Inc., of Surrey, England, says that the problem may not turn out to be easily exploitable in the wild, but that in specific cases it can be used to pass arbitrary SQL commands to the database.

More here.

FBI's Net Surveillance Proposal Raises Privacy, Legal Concerns

Declan McCullagh writes on the C|Net "The Iconoclast" Blog:

The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet.

During a House of Representatives Judiciary Committee hearing, the FBI's Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that.

Both have their problems, legal and practical, but let's look at step 1 first. Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said "legislation has to be developed" for "some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt" it.

More here.

Pellicano's Co-Defendants Accused of Supporting Roles in Scheme

Carla Hall writes in The Los Angeles Times:

In the courtroom drama starring Los Angeles private detective Anthony Pellicano, they are the supporting players -- the disgraced cop, the one-time Las Vegas businessman, the former phone company technician and the computer whiz.

It is Pellicano who faces the most counts and casts the biggest shadow over the trial, now in its eighth week. But prosecutors allege that his unlikely posse of co-defendants all played important roles in the elaborate wiretapping and racketeering scheme he is accused of masterminding. Some defendants, prosecutors allege, had bigger parts than others.

Former Los Angeles Police Sgt. Mark Arneson is accused of illegally tapping into law-enforcement computer databases to feed Pellicano confidential information for his clients. Arneson has already spent hours on the stand defending himself as a hard-working cop -- only to be filleted later by a prosecutor who painted him as a crooked liar.

More here.

QuickTime 0-Day for Vista and XP

Petko Petkov writes on GNUCitizen:

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). An attacker could exploit the vulnerability by constructing a specially crafted QuickTime supported media file that allows remote code execution if a user visited a malicious Web site, opened a specially crafted attachment in e-mail or opened a maliciously crafted media file from the desktop.

If a user is logged on with administrative privileges, the attacker could take complete control of an affected system. An attacker could then install malicious programs, view, change, delete sensitive data, or create new accounts with full user rights. Users who are logged on with a less privileged account could be less impacted than users who operate with administrative user rights.

The vulnerability was successfully tested in Windows XP SP2 and Windows Vista SP1 environments. Other versions are believed to be exploitable as well. The vulnerability is currently held private. The GNUCITIZEN team is following responsible disclosure practices. Therefore, the vulnerability details will be privately disclosed to the vendor in a short period of time. This advisory is meant to inform the public and raise the consumer’s awareness.

More here.

Thursday, April 24, 2008

NY WiseBuys Data Theft Hauntingly Familiar to Hannaford Breach


Canton [New York] police are investigating the theft of thousands of dollars from local bank accounts in what is being described as a major identity theft ring.

The trouble all started when someone apparently hacked into the Canton WiseBuys store computer system during a changeover between December 5 and December 20.

The hacker obtained personal identification and banking numbers of hundreds of customers.

Hundreds of complaints have been coming in almost daily to the police station since the thefts first began being discovered by cardholders in early March.

Police say close to $100,000 was fraudulently taken in what police are describing as an “organized ring”.

More here.

Hat-tip: Evan Schuman

Late Night Flashback: Eddie Money - Shakin'


- ferg

Classic Onion: Tony Snow Moves to CNN

Via America's Finest News Source.


- ferg

FAA: Dallas Air Traffic Controllers Falsified Report

Alan Levin writes for USA Today:

Dallas air-traffic controllers hid dozens of safety errors that allowed planes to fly too close together, federal officials said Thursday.

Air-traffic officials blamed pilots for the errors when air traffic managers were actually to blame, the Federal Aviation Administration (FAA) said. Though most of the incidents were not serious, a handful were classified as significant safety risks, said Hank Krakowski, the agency's newly appointed chief of air traffic.

The revelations marked the second time in the past two months that federal whistle-blowers raised safety concerns at the FAA. The FAA admitted in March that inspectors overseeing Southwest Airlines allowed the carrier to fly planes that had not received critical safety inspections. A subsequent review of all airlines' maintenance triggered massive groundings after additional safety violations were found, disrupting travel for hundreds of thousands of people.

A federal watchdog who shepherded whistle-blower allegations in both cases charged that the FAA suffers from a culture of "complacency and cover up."

More here.

GOP Trying to Sneak FISA Amendment Onto War Supplemental Bill

Klaus Marre writes on The Hill:

Rep. Jerry Lewis (R-Calif.) announced Thursday that he will try to attach a measure updating the Foreign Intelligence Surveillance Act (FISA) as an amendment to the war supplemental bill.

Lewis, the ranking Republican on the House Appropriations Committee, said he would make the move if the war funding bill is taken up by the panel.

“It’s time for the Democratic leaders to put our national security ahead of the desires of trial lawyers and pass the FISA bill that was passed by the Senate,” the lawmaker said. “This Congress should make this legislation one of its top priorities until the intelligence gap is closed.”

Republicans and the White House have engaged in an all-out campaign to get House Democratic leaders to take up a version of the bill that was passed with bipartisan support in the Senate. One of the most contentious issues remaining is whether telecommunications companies should get retroactive immunity if they helped the government with eavesdropping initiatives following the Sept. 11, 2001, attacks. While Republicans support such a provision and it is included in the Senate bill, House Democrats say it needs to be stripped out.

More here.

Props: Pogo Was Right

DHS, FBI Must Reveal Whether Detained Travelers Are On Watch List

Antonio Olivo writes in The Chicago Tribune:

After years of being detained and interrogated for hours by federal agents each time he returned from a trip abroad, Chicago entrepreneur Akif Rahman could finally know whether his name is on a government watch list for suspected terrorists, his attorneys said Wednesday.

If it is, the reason is still classified information that may or may not also be released, said Adam Schwartz, an attorney with the American Civil Liberties Union in Illinois who represents Rahman and nine other plaintiffs in a 2005 lawsuit alleging several instances of unreasonable confinement.

In a 25-page ruling made public last week that could affect how the government deals with all suspected terrorists, a federal magistrate judge ordered the Department of Homeland Security and the Federal Bureau of Investigation to turn over records showing whether those plaintiffs are on the government's radar.

Federal attorneys had argued that doing so would reveal "state secrets" that could jeopardize national security.

More here.

Judge Throws the Book at Phone 'SWATter': Five Years Prison

Kevin Poulsen writes on Threat Level:

A New York man was sentenced today to five years in prison for being part of a gang of "SWATters" who specialized in phoning the police with fake hostage situations, sending armed cops bursting in to the homes of their party line enemies.

Chad Ward, 32, got the maximum possible sentence from U.S. District Court judge Jane Boyle in Dallas. Boyle also ordered Ward to pay $24,706.73 in restitution to police departments that responded to the hoax calls, and to serve three years of supervised release following the prison stretch.

More here.

Half-Million IIS Servers Hit in Cyber Attack

Andy Patrizio writes on

A massive cyberattack is targeting vulnerable Internet Information Server-based Web pages by redirecting visitors to the site toward one hosting malicious code, and it's growing rapidly.

When Panda Security first noted the infestation, it put the number of infected IIS servers at 282,000. Not even a day later and security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000.

The worst part of it all is that these infestations are not in seamy Web sites, they are taking place in legitimate Web pages. An IFRAME redirects the user to another page, where identity-stealing malware is downloaded onto their computer. So even users who think they are staying clean are not safe.

The vulnerability in IIS, developed by Microsoft, allows hackers to inject SQL code to manipulate legitimate Web pages. This code adds an IFRAME to redirect the user to a malicious Website that scans their computer for vulnerabilities and then downloads and installs malware that can get past the user's defenses.

More here.
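Site owners in this wave usually learned of the compromise from their visitors. The following is an added example (mine, not part of the article, the Websense report quoted further down, or any vendor tool) of the check a web team could run over its own rendered pages and over the text columns the attackers wrote into: it flags script and iframe includes whose host is not the site's own, flags iframes sized or styled to be invisible, and gives a plain regex for stored values that should never contain markup. The sample page, the host names and the attacker domain evil.example are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IncludeCollector(HTMLParser):
    """Collects every <script> and <iframe> that pulls content from a URL."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = {k: (v or "") for k, v in attrs}
            if a.get("src"):
                self.includes.append((tag, a))


def _is_hidden(attrs):
    """Zero/one-pixel frames or display:none are the hallmark of a redirector iframe."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = {attrs.get("width", "").strip(), attrs.get("height", "").strip()} & {"0", "1"}
    return bool(tiny) or "display:none" in style or "visibility:hidden" in style


def find_injected_includes(html, site_host):
    """Return (tag, src, reasons) for includes that look like injected redirectors."""
    parser = _IncludeCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.includes:
        src = attrs["src"]
        host = urlparse(src).hostname          # None for relative URLs, which are treated as local
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((tag, src, reasons))
    return findings


# For scanning database columns directly: a title or comment never legitimately holds these tags.
INJECTED_MARKUP = re.compile(r"<\s*(script|iframe)\b[^>]*\bsrc\s*=", re.IGNORECASE)


def column_is_tainted(value):
    """True when a stored text value carries a script or iframe include."""
    return isinstance(value, str) and INJECTED_MARKUP.search(value) is not None


# Constructed page: one legitimate local script, one legitimate same-host script,
# and two injected includes pointing at the attacker's host.
SAMPLE_PAGE = """<html><head><title>Press releases</title>
<script src="/js/menu.js"></script>
<script src="http://evil.example/ngg.js"></script>
</head><body><h1>Press releases</h1>
<iframe src="http://evil.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script src="http://www.agency.example/js/analytics.js"></script>
</body></html>"""


if __name__ == "__main__":
    for finding in find_injected_includes(SAMPLE_PAGE, "www.agency.example"):
        print(finding)
    print(column_is_tainted('Budget 2008<script src="http://evil.example/ngg.js"></script>'))
```

Run the first function over a crawl of your own site and the second over every varchar/text column the web application can write to; a hit in a column is the stronger signal, because it tells you the injection reached the database and cleaning the HTML templates alone will not remove it.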

Netcraft: Clinton and Obama XSS Battle Develops

Via Netcraft.

While Clinton and Obama are battling it out in the political arena, security researchers are continuing to find vulnerabilities in the candidates' and supporters' websites. Interestingly, while a typical exploit is to redirect one party's site to their opponent's, the reasons for seeking to discover such vulnerabilities are not always politically motivated.

Following the recent cross-site scripting attacks against Barack Obama's website, Finnish security researcher Harry Sintonen has published an example of a cross-site scripting vulnerability on

Sintonen's example submits a POST request to the Vote Hillary website and injects an iframe, causing the site to display the contents of Barack Obama's website. Unlike the Obama incident, which redirected the user's web browser, Sintonen's method retains the URL in the address bar while displaying the opposing website.

More here.

Image source: Netcraft
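Both campaign-site bugs are the same defect: a request parameter written back into the page without encoding, which is why an attacker can drop in an iframe or a redirect. Below is an added example (my own code, not Sintonen's proof of concept and not anything from either campaign's site) of the reflection in two contexts, a text node and an attribute value, with the fix beside it. The host opponent.example and the two payloads are constructed placeholders.

```python
import html


def render_vulnerable(name, query):
    """Reflects two request parameters straight into the page: a text node and an attribute."""
    return (
        "<p>Thanks for your support, " + name + "!</p>\n"
        '<input type="text" name="q" value="' + query + '">'
    )


def render_half_fixed(name, query):
    """Common mistake: escaping angle brackets only. The attribute context is still injectable."""
    return (
        "<p>Thanks for your support, " + html.escape(name, quote=False) + "!</p>\n"
        '<input type="text" name="q" value="' + html.escape(query, quote=False) + '">'
    )


def render_safe(name, query):
    """Encode for the context the value lands in; quote=True also neutralises attribute breakouts."""
    return (
        "<p>Thanks for your support, " + html.escape(name, quote=True) + "!</p>\n"
        '<input type="text" name="q" value="' + html.escape(query, quote=True) + '">'
    )


# Constructed payloads: the first is the Sintonen-style frame that shows the opponent's site
# while the address bar keeps the victim URL; the second breaks out of the value attribute
# and redirects the browser without needing any angle brackets at all.
IFRAME_PAYLOAD = '<iframe src="http://opponent.example/" width="100%" height="100%"></iframe>'
ATTR_PAYLOAD = '" autofocus onfocus="document.location=\'http://opponent.example/\'"'


if __name__ == "__main__":
    print(render_vulnerable(IFRAME_PAYLOAD, ATTR_PAYLOAD))
    print(render_half_fixed("supporter", ATTR_PAYLOAD))
    print(render_safe(IFRAME_PAYLOAD, ATTR_PAYLOAD))
```

The half-fixed version is the one to watch for in code reviews: it stops the iframe but leaves the double quote alone, so the attribute payload still lands as a live event handler. Encoding has to match the context, and for attribute values that means quotes as well as angle brackets.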

Wednesday, April 23, 2008

Reminder: Yes. We. Can.

Yes. We. Can.

Make Barack Obama our next President.

- ferg

U.S. Justice Department Positioning Itself As Monitors of Internet Evils

Carrie Johnson writes in The Washington Post:

Speaking to an audience at the Center for Strategic and International Studies, Attorney General Michael B. Mukasey offered praise for the successful efforts by Robert F. Kennedy decades ago to break the back of the Italian American mafia but told listeners that the current threat from international syndicates poses even greater challenges.

The new breed of criminals is "more sophisticated, they are richer, they have greater influence over government and political institutions worldwide, and they are savvier about using the latest technology, first to perpetrate and then to cover up their crimes," Mukasey said.

Justice Department officials said yesterday that criminal elements were attempting to penetrate the energy sector, furnish weapons to terrorists and wreak havoc on the U.S. economy by using computers and shell companies to launder money and peddle phony goods. They said that judgment stemmed from a classified threat assessment and data from criminal investigations.

More here.

Note: See also here and here and here (and that's just today). The U.S. Government is making a major political play to legislate itself into a position to monitor every aspect of Internet communications. -ferg

SlideShare (Also) Slammed with DDoS Attacks from China

Mark Hendrickson writes on TechCrunch:

SlideShare, a Mountain View-based startup that lets you upload and embed PowerPoint presentations on the web, appears to have stirred the red dragon last week.

About ten days ago the company began receiving anonymous requests to delete slideshows that were deemed “illegal” by the requesters. The SlideShare staff checked out these slideshows and discovered them to be quite innocent. While some described ways to fight corruption in China, none of them violated the company’s terms of service, and so SlideShare did nothing to fulfill the requests.

SlideShare soon began receiving a different type of request from the same people, who could now be identified by their email addresses. This time they were pretending to be users who had lost their passwords. Once again doing nothing, the company got a very demanding, and almost threatening, call to its Indian office on Wednesday, one that insisted that the company grant access to an account.

More here.

Bush Lawyer Tangles With Judge Over Wiretaps

Bob Egelko writes in The San Francisco Chronicle:

A Bush administration lawyer resisted a San Francisco federal judge's attempts today to get him to say whether Congress can limit the president's wiretap authority in terrorism and espionage cases, calling the question simplistic.

"You can't possibly make that judgment on the public record" without knowing the still-secret details of the electronic surveillance program that President Bush approved in 2001, Justice Department attorney Anthony Coppolino said at a crucial hearing in a wiretapping lawsuit.

Chief U.S. District Judge Vaughn Walker didn't rule immediately on the government's request to dismiss the suit by an Islamic charity in Oregon, which says a document that federal authorities accidentally released showed it was wiretapped.

But Walker, in an extensive exchange with Coppolino, said Congress had spoken clearly in a 1978 law that required the government to obtain a warrant from a secret court before it could conduct electronic surveillance of suspected foreign terrorists or spies.

"The president is obliged to follow what Congress has mandated," Walker said.

More here.

U.S. Spies Use Customized Videogames to Learn How to Think

Michael Peck writes on Wired News:

In the wake of the intelligence bungles that propelled the United States into the Iraq war, it's no secret that the nation's spies have been working to improve the quality of their analysis. Now the top U.S. military intelligence agency has come up with a new tool for teaching recruits critical thinking skills: videogames.

The U.S. Defense Intelligence Agency has just taken delivery of three PC-based games, developed by simulation studio Visual Purple under a $2.6 million contract between the DIA and defense contractor Concurrent Technologies. The goal is to quickly train the next generation of spies to analyze complex issues like Islamic fundamentalism.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, April 23, 2008, at least 4,048 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,299 died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Mark Fiore: America Decides Network

More Mark Fiore brilliance.


Via The San Francisco Chronicle.

- ferg

April 24, 1184 B.C.: Trojan Horse Defeats State-of-the-Art Security

Randy Alfred writes on Wired News:

1184 B.C.: During the Trojan War, the Greeks depart in ships, leaving behind a large wooden horse as a victory offering. It is hauled inside the walls of Troy, and Greek soldiers descend from the horse's belly after dark to slay the guards and commence destruction of the city.

Whether this actually happened, and whether the traditional date given is true, archeological evidence has established that a Trojan War did occur in Asia Minor around 1200 B.C. You can debate how much of the accounts in Homer's Iliad, Virgil's Aeneid and elsewhere is legend. But it is in no way mere legend. The war and its lore are a firm part of Western culture and have enriched our language.

More here.

Analysis: New DHS Airline Fingerprint Plan

Shaun Waterman writes for UPI:

Angry airline executives are criticizing federal rules proposed Tuesday that would make them collect fingerprints from foreigners leaving the United States by air as part of the Department of Homeland Security's biometric border system, U.S.-VISIT.

They say the industry, already reeling from higher fuel prices and safety concerns, and beset by bankruptcies and mergers, cannot shoulder the $2 billion-plus cost of the plans and should not be doing the work of immigration and law enforcement officials.

"Given the fragile financial state of the industry, it is ludicrous to outsource this job -- which is properly a government function," said Steve Lott, North American communications director for the International Air Transport Association, which represents the global airline industry.

"You are turning airline employees into law enforcement and immigration officials," Lott told United Press International. "This is like the IRS outsourcing tax collection to accountants. … It makes no sense."

More here.

Hundreds of EPA Scientists Report Political Interference

Via The Union of Concerned Scientists.

An investigation of the Environmental Protection Agency released today found that 889 of nearly 1,600 staff scientists reported that they experienced political interference in their work over the last five years. The study, by the Union of Concerned Scientists (UCS), follows previous UCS investigations of the Food and Drug Administration, Fish and Wildlife Service, National Oceanic and Atmospheric Administration, and climate scientists at seven federal agencies, which also found significant administration manipulation of federal science.

"Our investigation found an agency in crisis," said Francesca Grifo, director of UCS's Scientific Integrity Program. "Nearly 900 EPA scientists reported political interference in their scientific work. That's 900 too many. Distorting science to accommodate a narrow political agenda threatens our environment, our health, and our democracy itself."

More here.

Hacker Testifies News Corp. Unit Hired Him

Tori Richards writes for Reuters:

A computer hacker testified on Wednesday that a News Corp unit hired him to develop pirating software, but denied using it to penetrate the security system of a rival satellite television service.

Christopher Tarnovsky -- who said his first payment was $20,000 in cash hidden in electronic devices mailed from Canada -- testified in a corporate-spying lawsuit brought against News Corp's NDS Group by DISH Network Corp.

The trial could result in hundreds of millions of dollars in damage awards.

NDS, which provides security technology to a global satellite network that includes satellite TV service DirecTV, denies the claims, saying it was only engaged in reverse engineering -- looking at a technology product to determine how it works, a standard in the electronics industry.

More here.

Quote of The Day [2]: Nicole Belle

"God bless Helen Thomas, the best thing about the White House Press Corps."

- Nicole Belle, writing on Crooks and Liars.

Republicans Pushing for Telco Immunity

Anne Broache writes on the C|Net News Blog:

Republican politicians in the U.S. House of Representatives failed last month to persuade Democratic leaders to back a spy law rewrite that would immunize telecommunications companies that cooperated with allegedly illegal government spying. Now they're trying to force the issue.

On Wednesday, a number of Republican leaders, including Lamar Smith (R-Texas), Peter Hoekstra (R-Mich.) and Peter King (R-N.Y.), began circulating what's known as a "discharge" petition, which they characterized as a "rare step." If they obtain 218 signatures from their colleagues, they say the Democratic leadership will be forced to schedule a vote on a version of the bill passed by the U.S. Senate in February that would likely wipe out pending lawsuits against AT&T and other phone companies accused of illegal cooperation with the National Security Agency.

More here.

TSA Has Fired Over 200 Employees for Stealing

Christopher Elliott writes on

Since it was created in 2001, the agency has fired about 200 employees accused of stealing. Although the TSA has taken steps to discourage these government workers from helping themselves to our personal effects — including background checks on new hires, video cameras in screening areas and rules forbidding backpacks or lunchboxes at checkpoints — more and more passengers... are coming forward to say they’ve been ripped off by the very people who are supposed to protect them.

One aviation insider I spoke with believes stealing is a systemic problem the federal agency is unable to control, particularly at problem airports like New York’s LaGuardia Airport and Philadelphia International Airport. Not all of the screening areas in U.S. airports are under surveillance, and the TSA’s rules have a big loophole that shifts liability for stolen baggage claims to the airline when luggage is delayed, he told me. In other words, there’s little incentive for the stealing to stop. “It’s the 800-pound gorilla no one wants to discuss at TSA,” he says.

More here.

Props: The Consumerist

Hannaford Breach Tests Limits of Security Controls

Brian Krebs writes on Security Fix:

Supermarket chain Hannaford Bros. is spending millions of dollars to upgrade its security in a bid to close the holes that allowed thieves to steal up to 4.2 million credit and debit card numbers from store networks.

The remarkable thing about this case is not that the company was hacked, despite being certified as compliant with the security rules laid out by the payment card industry, but that so few retailers and businesses who accept card data even reach the level of security Hannaford had in place prior to its breach.

More here.

Quote of The Day: Ryan Naraine

"Apple's Safari browser is beginning to look like a bullet-ridden car in Iraq."

- Ryan Naraine, writing on the eWeek "Security Watch" Blog.

Telecom Fear-Mongering: 'Phantom' VoIP Traffic Costing Billions

Grant Gross writes on PC World:

Some VoIP (voice over Internet Protocol) and mobile phone service providers are riding free when connecting to the traditional telephone network in the U.S., potentially costing carriers billions of dollars, according to testimony at a Senate hearing Wednesday.

Many voice calls now don't include the identification needed for carriers to charge access fees for calls coming into their networks, said Raymond Henagan, general manager of Rock Port Telephone, based in Missouri. These so-called phantom calls are particularly hard on rural telephone carriers, which receive an average 29 percent of their revenues from the intercarrier compensation system, he told the Senate Commerce, Science and Transportation Committee.

Some VoIP providers have refused to pay access fees by saying the U.S. Federal Communications Commission has "given them permission to use the networks for free because they're IP," Henagan said. "You and I both know these are regular voice calls, people talking to people. Because these companies have sprinkled IP fairy dust on them, they think they get a free ride."

More here.

JavaScript Injection Attack Infects 'Hundreds of Thousands' of Websites

Tim Wilson writes on Dark Reading:

Websense Security Labs yesterday reported a new JavaScript injection attack that has infected "hundreds of thousands" of Websites, including a United Nations site and some UK government sites.

Web users who browse the infected sites will unknowingly load a file that automatically attempts to serve up a concoction of eight different exploits designed to gain access to their computers and install information-stealing malware, Websense says in its report.

The mass attack appears to be from the same group of individuals who launched a similar "iFrame" attack a few weeks ago, which compromised thousands of Internet domains, including U.S. news and travel sites.

"The attackers have now switched over to a new domain as their hub for hosting the malicious payload in this attack," Websense says. "We have no doubt that the two attacks are related."

In the space of just a few hours yesterday, Websense said it saw the number of compromised sites increase by a factor of ten.

More here.

Note: See also Giorgio Maone's comments over at Hackademix, and Dancho Danchev's comments on his blog...

SANS: Pressure On Vendors Can Prevent Security Woes

Jeremy Kirk writes on InfoWorld:

Companies are having more success in pressuring software vendors into baking security into their products, a trend that vendors are resisting less, the director of research for the SANS Institute said Wednesday.

Before granting a contract, companies now are requiring that vendors also test software patches on systems with the same configurations as users are running, said Alan Paller of SANS, an IT training organization.

Another new trend is groups of companies agreeing on base security standards for applications and then passing those requirements onto vendors.

Web sites are rife with security problems: In 2006, the Web Application Security Consortium surveyed 31,373 sites and found that 85.57 percent were vulnerable to cross-site scripting attacks, 26.38 percent were vulnerable to SQL injection, and 15.70 percent had faults that could let an attacker steal information from databases.

"This is a big problem," Paller said. "We've got to get it fixed in a hurry."

More here.

FBI, Politicos Renew Push for ISP Data Retention Laws

Declan McCullagh writes on the C|Net "Iconoclast" Blog:

The FBI and multiple members of Congress said on Wednesday that Internet service providers must be legally required to keep records of their users' activities for later review by police.

Their suggestions for mandatory data retention revive a push for potentially sweeping federal laws--which civil libertarians oppose--that flagged last year after the resignation of Attorney General Alberto Gonzales, the idea's most prominent proponent.

FBI Director Robert Mueller told a House of Representatives committee that Internet service providers should be required to keep records of users' activities for two years.

More here.

FBI Wants Widespread Monitoring of 'Illegal' Internet Activity

Anne Broache writes on the C|Net News Blog:

The FBI on Wednesday called for new legislation that would allow federal police to monitor the Internet for "illegal activity."

The proposal from FBI Director Robert Mueller, which came during a House of Representatives Judiciary Committee hearing, appears to go beyond a current plan to monitor traffic on federal-government networks. Mueller seemed to suggest that the bureau should have a broad "omnibus" authority to conduct monitoring and surveillance of private-sector networks as well.

The surveillance should include all Internet traffic, Mueller said, "whether it be .mil, .gov, .com--whatever you're talking about."

More here.

Cyber Thieves Set Up Data 'Supermarkets'

Jane Wakefield writes for The BBC:

Web criminals are stepping back from infecting computers themselves and creating "one-stop shops" which offer gigabytes of data for a fixed price.

Speaking at InfoSecurity Europe, security firm Finjan said it had seen thousands of such online services.

Experts at the conference said web fraud was skyrocketing and called for police to urgently address the problem.

Security guru Bruce Schneier said anti-cyber crime efforts needed to be closely allied to the scale of threats.

More here.

$20 Million 'Virtual' Border Fence Scrapped

An AP newswire article, via MSNBC, reports that:

A $20 million prototype of the government's highly touted "virtual fence" on the Arizona-Mexico border is being scrapped because the system is failing to adequately alert Border Patrol agents to illegal crossings, officials said.

The move comes just two months after Homeland Security Secretary Michael Chertoff announced his approval of the fence built by The Boeing Co. The fence consists of nine electronic surveillance towers along a 28-mile section of border southwest of Tucson.

Boeing is to replace the so-called Project 28 prototype with a series of towers equipped with communications systems, new cameras and new radar capability, officials said.

More here.

Happy Birthday, Max Planck

Max Planck didn't set out to start a scientific revolution. In fact, at first he didn't even believe his own results. Yet Planck's insight into how the universe works has made possible everything from digital computers to the physics of black holes.

Planck was born 150 years ago today, the son of a German lawyer and college professor. He finished his education in record time, and decided to pursue a career in physics.

Planck spent most of his career at the University of Berlin. He was particularly interested in problems involving electromagnetic radiation -- visible light, infrared and ultraviolet energy, and so on.

In 1900, he was studying how objects absorb energy and radiate it back into space when he realized that energy must consist of particles, which he called "quanta." And the size and energy level of a quantum particle were related to the frequency of the radiation.

Planck's revelation formed the basis of quantum physics. It helped scientists understand how atoms are put together, plus much more. Today, quantum physics helps scientists study matter at the smallest scales, and in the most extreme environments -- like the interiors of black holes.

It took Planck a while to accept his own discovery. But others were much quicker. Albert Einstein, for example, was an early champion of the theory, and used it in work that eventually won him his only Nobel Prize. Planck won a Nobel for his creation of quantum theory in 1918.

More here.

Script (above) by Damond Benningfield, Copyright © 2008.

Tuesday, April 22, 2008

Bank of Ireland Kept Quiet About Stolen Client Details Since February

Ciaran Byrne and Joe Brennan write on

Bank of Ireland managers knew in early February that thieves had stolen personal data on 10,000 customers, but decided not to tell the authorities.

And even after the security breach was uncovered internally, the bank took no steps -- until yesterday -- to begin encrypting its laptop computers.

Despite making a profit of €1.7bn last year, Bank of Ireland's failure to spend an estimated €200,000 on encryption technology to protect its customers' data has caused shock.

The technology is used by all of its major banking rivals but Bank of Ireland's lack of investment in such a key area of basic security is a source of deep concern, experts said.

More here.

Props: Pogo Was Right

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, April 22, 2008, at least 4,044 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,299 died as a result of hostile action, according to the military's numbers.

The AP count matches the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Fantastical xkcd: Kama Sutra Mistranslations

We love xkcd.

- ferg

German Spies Snoop On Journalist (Again)

Via UPI.

Germany's foreign intelligence service apologized for once again having spied on a German journalist.

Spies from Germany's Federal Intelligence Service, or BND, read several e-mails that Susanne Koelbl, a reporter at German news magazine Der Spiegel, had exchanged with a politician from Afghanistan between June and November 2006.

Officials said BND head Ernst Uhrlau personally apologized to Koelbl, a 42-year-old journalist known as an Afghanistan expert with excellent contacts in the Afghan and Pakistani political realm. The case is to be discussed by a parliamentary control committee tasked with overseeing the intelligence services on Wednesday, Der Spiegel said in its latest issue.

It's not the first time German agents have been caught spying on journalists: In 2006 a report emerged from the parliamentary committee acknowledging that intelligence agents had illegally spied on journalists, with BND spies having picked through journalists' garbage to reveal their sources.

More here.

Army Spy Arrest Has Ties to Pollard Case

Michael Isikoff and Mark Hosenball write on

In a bizarre postscript to a two-decade-old spy scandal, the FBI on Tuesday arrested an 84-year-old former U.S. Army civilian engineer and charged him with providing classified defense documents to Israel.

The alleged crimes that led to the arrest of Ben-Ami Kadish took place between 1979 and 1985, when Kadish, a U.S. citizen, worked at the Army's Picatinny Arsenal—a weapons research center in northern New Jersey. But the most intriguing part of the case may have less to do with Kadish, the accused octogenarian American spy, than his alleged Israeli "handler."

According to court documents unsealed Tuesday, Kadish's alleged handler turns out to be the same Israeli consular official in New York who also allegedly served as a "control" agent for Jonathan Pollard, the notorious former Navy intelligence analyst and convicted spy whose case cast a cloud over U.S.-Israeli relations for years.

More here.

UN Puts Darfur Death Toll at 300,000

Maggie Farley writes in The Los Angeles Times:

The U.N.'s humanitarian chief on Tuesday updated the estimated number of conflict-related deaths in Darfur to about 300,000 and lamented that efforts to solve the crisis were stalled on all fronts.

In a briefing to the Security Council, John Holmes, the U.N. undersecretary-general for humanitarian affairs, said that continued attacks make it more difficult for aid workers to reach vulnerable people, food aid is about to be halved, the deployment of peacekeepers is beset by obstacles and the peace process has stalled.

"I am saddened and angry that after five years of suffering and four years since this council became actively engaged, we have still not been able to find a lasting solution to the suffering of these millions of men, women and children," he said.

Holmes also noted that there are six times more people suffering in Darfur than when the council first took up the issue four years ago this month. He said that five years of fighting between rebels and government-backed militias has seriously affected 4.27 million people, with 2.45 million driven from their homes and an additional 260,000 becoming refugees in neighboring countries.

More here.

WarGames: 25 Year Anniversary

Celebrating the 25th Anniversary of "WarGames", American Movie Classics (AMC) is airing this vintage classic tonight (twice).

A true classic never gets old.

Loving it.

- ferg

Was Your LendingTree File Hacked?

Bob Sullivan writes on the MSNBC "The Red Tape Chronicles" Blog:

LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.

The incident reveals just how aggressive the mortgage loan business was during the height of the housing boom, and also raises fears for consumers who share their information with companies that help them shop around for the best deal. And it highlights what experts say is an often overlooked source of data theft -- the inside job.

According to a letter sent to customers recently, former LendingTree LLC employees shared "confidential passwords" with lenders, who in turn used the login information to "access LendingTree's customer loan request forms."

More here.

Photoshop Executes Injected Code

Via heise Security News.

Scott Laurie has discovered a vulnerability in Adobe's Photoshop CS3, After Effects CS3 and Photoshop Album Starter Edition that attackers can use to inject trojans using manipulated images. Security specialist Kevin Finisterre has also reported the flaw. No updates that remedy the flaw have yet been released.

Laurie writes that the Adobe products in question do not check the headers of image files when processed, but merely assume that the values are valid. As a result, buffer overflows can occur, allowing execution of any injected code. In his security advisory, Laurie provides some sample code of a specially crafted BMP file to demonstrate the vulnerability in Photoshop Album Starter Edition 3.2 under Windows XP SP2.

The flaw can be exploited when the software opens manipulated files. Photoshop Album Starter Edition also automatically searches removable media, such as USB sticks, when they are connected to the computer, allowing manipulated files to inject malicious code as soon as the USB stick is plugged in. Apparently, this attack succeeds whenever the computer is running – even when it is locked.
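The defect heise describes is header values being used as if they were true, without being checked against the bytes actually present. As an added example (not code from the advisory, from Adobe, or from heise), here is a validation routine for the classic 40-byte BMP info header that cross-checks every size-bearing field against the real buffer length and against each other before any pixel buffer would be sized. The function and constant names, the sanity limits (BMP_MAX_DIM, BMP_MAX_PIXEL_BYTES) and the sample headers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Names and limits are choices made for this example; real decoders differ. */
#define BMP_FILE_HDR_LEN    14u
#define BMP_INFO_HDR_LEN    40u
#define BMP_MIN_LEN         (BMP_FILE_HDR_LEN + BMP_INFO_HDR_LEN)
#define BMP_MAX_DIM         65536                       /* refuse absurd width/height outright */
#define BMP_MAX_PIXEL_BYTES (256u * 1024u * 1024u)      /* cap on any decoded pixel buffer */

typedef struct {
    uint32_t file_size;     /* bfSize as declared */
    uint32_t pixel_offset;  /* bfOffBits as declared */
    int32_t  width;
    int32_t  height;        /* negative means top-down rows */
    uint16_t bpp;
    size_t   row_bytes;     /* derived: row padded to a 4-byte boundary */
    size_t   pixel_bytes;   /* derived: row_bytes * |height| */
} bmp_geom_t;

enum {
    BMP_OK = 0,
    BMP_ERR_SHORT,       /* headers claim more data than the buffer holds */
    BMP_ERR_MAGIC,
    BMP_ERR_HEADER,      /* unsupported header size, planes or compression */
    BMP_ERR_DIMENSIONS,
    BMP_ERR_BPP,
    BMP_ERR_OFFSET,      /* pixel data offset lies outside the buffer */
    BMP_ERR_TOO_LARGE    /* derived pixel buffer exceeds the cap */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a BMP header from buf/len. Every declared size is checked against len,
 * and derived sizes are computed in 64 bits so the arithmetic cannot wrap. */
int bmp_validate(const uint8_t *buf, size_t len, bmp_geom_t *g)
{
    if (buf == NULL || len < BMP_MIN_LEN) return BMP_ERR_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M')  return BMP_ERR_MAGIC;

    bmp_geom_t t;
    memset(&t, 0, sizeof t);
    t.file_size          = rd32(buf + 2);
    t.pixel_offset       = rd32(buf + 10);
    uint32_t info_len    = rd32(buf + 14);
    t.width              = (int32_t)rd32(buf + 18);
    t.height             = (int32_t)rd32(buf + 22);
    uint16_t planes      = rd16(buf + 26);
    t.bpp                = rd16(buf + 28);
    uint32_t compression = rd32(buf + 30);
    uint32_t image_size  = rd32(buf + 34);

    /* Only the 40-byte info header with uncompressed (BI_RGB) pixels is handled here. */
    if (info_len != BMP_INFO_HDR_LEN || planes != 1 || compression != 0) return BMP_ERR_HEADER;
    /* A declared file size larger than what we were handed is a lie, not a hint. */
    if (t.file_size > len) return BMP_ERR_SHORT;

    if (t.width <= 0 || t.width > BMP_MAX_DIM) return BMP_ERR_DIMENSIONS;
    if (t.height == 0 || t.height == INT32_MIN) return BMP_ERR_DIMENSIONS;
    int64_t abs_h = t.height < 0 ? -(int64_t)t.height : (int64_t)t.height;
    if (abs_h > BMP_MAX_DIM) return BMP_ERR_DIMENSIONS;

    switch (t.bpp) { case 1: case 4: case 8: case 24: case 32: break; default: return BMP_ERR_BPP; }

    uint64_t row = ((uint64_t)t.width * t.bpp + 31) / 32 * 4;
    uint64_t pix = row * (uint64_t)abs_h;
    if (pix > BMP_MAX_PIXEL_BYTES) return BMP_ERR_TOO_LARGE;

    /* Pixel array must begin after the headers and end inside the buffer. */
    if (t.pixel_offset < BMP_MIN_LEN || t.pixel_offset > len) return BMP_ERR_OFFSET;
    if (pix > (uint64_t)(len - t.pixel_offset)) return BMP_ERR_SHORT;
    /* biSizeImage may be 0 for BI_RGB; if set, it must cover the geometry and still fit. */
    if (image_size != 0 && (image_size < pix || image_size > len - t.pixel_offset)) return BMP_ERR_SHORT;

    t.row_bytes = (size_t)row;
    t.pixel_bytes = (size_t)pix;
    if (g) *g = t;
    return BMP_OK;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample headers for the checks below (BI_RGB, one plane). */
static void bmp_build_header(uint8_t *buf, uint32_t file_size, uint32_t pixel_offset,
                             int32_t width, int32_t height, uint16_t bpp, uint32_t image_size)
{
    memset(buf, 0, BMP_MIN_LEN);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, file_size);   wr32(buf + 10, pixel_offset);
    wr32(buf + 14, BMP_INFO_HDR_LEN);
    wr32(buf + 18, (uint32_t)width); wr32(buf + 22, (uint32_t)height);
    wr16(buf + 26, 1);          wr16(buf + 28, bpp);
    wr32(buf + 30, 0);          wr32(buf + 34, image_size);
}

/* A consistent 2x2 24-bpp image: 8-byte padded rows, 16 pixel bytes, 70 bytes total. */
int bmp_demo_valid(void) {
    uint8_t buf[BMP_MIN_LEN + 16]; bmp_geom_t g;
    bmp_build_header(buf, sizeof buf, BMP_MIN_LEN, 2, 2, 24, 16);
    memset(buf + BMP_MIN_LEN, 0xAB, 16);
    int rc = bmp_validate(buf, sizeof buf, &g);
    return (rc == BMP_OK && g.row_bytes == 8 && g.pixel_bytes == 16) ? BMP_OK : -1;
}
/* Header promises 1000x1000x24 but no pixel bytes follow the headers. */
int bmp_demo_short(void) {
    uint8_t buf[BMP_MIN_LEN];
    bmp_build_header(buf, sizeof buf, BMP_MIN_LEN, 1000, 1000, 24, 0);
    return bmp_validate(buf, sizeof buf, NULL);
}
/* Each dimension passes its own limit, but their product would not fit any sane buffer. */
int bmp_demo_huge(void) {
    uint8_t buf[BMP_MIN_LEN];
    bmp_build_header(buf, sizeof buf, BMP_MIN_LEN, BMP_MAX_DIM, BMP_MAX_DIM, 32, 0);
    return bmp_validate(buf, sizeof buf, NULL);
}
/* Pixel offset points past the end of the data actually present. */
int bmp_demo_offset(void) {
    uint8_t buf[BMP_MIN_LEN + 16];
    bmp_build_header(buf, sizeof buf, 4096, 2, 2, 24, 0);
    return bmp_validate(buf, sizeof buf, NULL);
}

int main(void) {
    printf("valid=%d short=%d huge=%d offset=%d\n",
           bmp_demo_valid(), bmp_demo_short(), bmp_demo_huge(), bmp_demo_offset());
    return 0;
}
```

The pattern to take from this is that a header is a claim, not a fact: the decoder derives every buffer size in wide arithmetic, then refuses to proceed unless the declared offsets and sizes are consistent with the number of bytes it was actually given. A decoder that instead allocated from biSizeImage or biWidth/biHeight and copied based on the other would be trusting exactly the fields the advisory says were unchecked.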

More here.

FCC: Comcast Blocking Was Widespread

Grant Gross writes on InfoWorld:

Comcast's slowing of peer-to-peer traffic appeared to be more widespread than the company has disclosed, the chairman of the U.S. Federal Communications Commission said Tuesday.

FCC chairman Kevin Martin, testifying before a Senate committee, said Comcast's blocking of BitTorrent peer-to-peer traffic appeared to happen when there wasn't network congestion, in contrast to claims from the broadband provider. Comcast's actions, first described by the Associated Press last October, appeared to "block uploads of a significant portion of subscribers" in that part of the network, even during times when the network wasn't congested, Martin said.

More here.

More Widespread Blocking by ISPs

Via Save the Internet.

Another peer-to-peer software application is warning that many major phone and cable companies — not just Comcast — may be targeting and blocking legal Web traffic.

Vuze, maker of a popular P2P video distribution application, released a preliminary report [.pdf] that sheds light on ISPs’ prevalent practice of throttling communication between users.

Last fall, the Associated Press exposed Comcast for cutting off access to legal file-sharing programs. In response to petitions filed by Free Press and Vuze, the Federal Communications Commission has launched an ongoing investigation, which has included public hearings at Harvard and Stanford universities.

Vuze also launched its own investigation, creating a software plug-in to track network interruptions from reset messages. The rate of interruptions was so alarming, Vuze said it suggested that “network management practices that ‘throttle’ internet traffic are widespread.”

More here.

Bad Idea of The Week: 'Friendly Botnets'

Mason Inman writes on NewScientistTech:

Beating the "botnets" – armies of infected computers used to attack websites – requires borrowing tactics from the bad guys, say computer security researchers.

A team at the University of Washington, US, want to marshal swarms of good computers to neutralise the bad ones. They say their plan would be cheap to implement and could cope with botnets of any size.

Current countermeasures are being outstripped by the growing size of botnets, says the Washington team, but assembling swarms of good computers in defense could render DDoS attacks obsolete.

Their system, called Phalanx, uses its own large network of computers to shield the protected server. Instead of the server being accessed directly, all information must pass through the swarm of "mailbox" computers.

A paper on Phalanx was presented at the USENIX symposium on Networked Systems Design and Implementation, held last week in San Francisco, US.

More here.

Hat-tip: Slashdot

Microsoft: Vulnerabilities Down, Threats Up

Robert Lemos writes on SecurityFix:

The total number of vulnerabilities disclosed in 2007 fell nearly 5 percent, while the amount of malicious code detected jumped more than 40 percent, according to Microsoft's latest Security Intelligence Report released on Tuesday.

The report, released twice a year by Microsoft, found that vulnerability disclosures sank approximately 15 percent in the second half of 2007, and 5 percent for the year as a whole. The news was not so rosy for high-severity vulnerabilities, the company found: While the number of High-rated vulnerabilities fell in the second half of 2007, the total for the year topped 2006's tally. Approximately a third of all vulnerabilities in Microsoft products had publicly available exploit code in 2007, the same as the previous year.

While vendors appear to be taming their vulnerabilities, PC users should worry more about malicious code. The amount of malware removed from PCs by Microsoft's Malicious Software Removal Tool (MSRT) jumped 40 percent during the last six months of 2007. The most common type of harmful program appears to be Trojan horses that download or drop additional code. Microsoft observed a 300 percent increase in the number of such programs during the second half of 2007.

More here.

Businesses See Rise in Hacking Attacks

Mark Mayne writes on SC Magazine Online:

Businesses are reporting a massive increase in serious hacking incidents, with network intrusions reported to have rocketed from one per cent in 2006 to 13 per cent in 2007.

Andrew Beard, Partner, PricewaterhouseCoopers, said: "The rise in intrusions is extremely worrying - bear in mind these are actual intruders caught on corporate networks, not just people knocking on the door..."

The shocking figures come from an otherwise upbeat PWC report into business threats over the last year. The report found that while businesses have responded to the overall security threat with increased implementations of anti-malware measures, big exposures remain. Nine per cent of respondents had cases of customers being fraudulently impersonated (such as following ID theft), while six per cent admitted they had lost customer data through a confidentiality breach.

More here.

Javascript Injection Claims UN and UK Government Websites

Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:

Comparisons between two mass Javascript injection attacks suggest they may be related, according to a security company. The latest attack has compromised various sites including one United Nations and several UK government sites with links to malicious servers.

On Tuesday Websense reported seeing distinct similarities between attacks staged earlier this month and over the weekend. Specifically, they cite the use of the same tool to execute the attack being resident on the malicious server. Last summer various groups used the MPACK toolkit to propagate a similar series of Javascript injections.

More here.

Earth Day: Honor Your Mother Earth - Take Action

Don't just sit on your ass - do something. Take action.

Your Mother Earth will thank you.

- ferg

Monday, April 21, 2008

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Monday, April 21, 2008, at least 4,041 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,298 died as a result of hostile action, according to the military's numbers.

The AP count is one lower than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

TSA: Yes, 36 Screeners Have Become Air Marshals

Annie Jacobsen writes on Aviation Nation:

Yes, Virginia, the TSA is now making screeners air marshals. Chris Strohm, reporting for Government Executive, reveals the official number. "According to TSA, 36 screeners have become air marshals."

Strohm also cites a quote from Kip Hawley to members of Congress that is appalling. Even Hawley can't wrap his brain around a Screener becoming an air marshal. Note how he calls the new air marshal a TSO.

More here.

IP Surveillance Camera Market Small, But Booming

Seth Benton writes on DSP Designline:

MultiMedia Intelligence reports that the market for IP/Networked video surveillance cameras grew nearly 50% in 2007, to approach $500 million worldwide. This growth is nearly four times the growth rate of the broader video surveillance equipment market, which also includes CCTV cameras, Digital Video Recorders (DVRs) and Network Video Recorders (NVRs), and IP Encoder/Streamers.

The transition from traditional CCTV surveillance to networked digital surveillance is revolutionary for the physical security industry. Yet this transition is also seen as over-hyped and under-performing compared to many expectations. Both are true.

More here.

Quote of The Day: Rep. Rush Holt (D-NJ)

"I'd like to ask the opponents how much spending is too much to have verifiable elections in the United States. I note that many people who opposed this legislation supported spending almost $330 million in recent years to provide election assistance in Iraq, Afghanistan, and Pakistan. I would have hoped those who supported efforts to export democracy abroad would be equally committed to strengthening democracy here at home."

- Rep. Rush Holt (D-NJ), in a statement regarding Emergency Assistance for Secure Elections Act (H.R. 5036), which was blocked by U.S. House Republicans. More here.

DoD Wary of Software Written Overseas

John Rendleman writes on

The Defense Department is increasingly concerned that software it procures from contractors is in some cases being written overseas and may include unexpected or harmful lines of code, according to the Pentagon’s chief information officer.

“It’s a big issue right now,” and is a growing concern in light of the DOD’s increasing reliance on contractors, and the contractors’ increasing use of overseas vendors for programming jobs, said Defense CIO John Grimes, speaking April 18 at an event sponsored by the northern Virginia chapter of the Armed Forces Communications and Electronics Association.

The Government Accountability Office reported that DOD’s reliance on contractor services increased 78 percent in the last decade, with its obligations on services contracts rising from $85.1 billion in fiscal 1996 to more than $151 billion in fiscal 2006.

More here.

Cyber Gang Surge Drives Organized Response by Law Enforcement

Rosie Lombardi writes on InterGovWorld:

Organized cyber crime rings are wreaking havoc because they're vastly more organized and better funded than Canadian law enforcement, say security experts. "The criminals are having a field day - we need to increase our efforts exponentially to tackle this effectively," says Ian Wilms, president of the Canadian Association of Police Boards (CAPB).

This imbalance is creating huge incentives for organized crime to get involved in e-fraud, hacking, phishing and other scams. These international rings can buy the best technology with stolen credit cards, but law enforcement doesn't have the budget or manpower to keep up with changing technology even at the federal level, let alone at the cash-strapped municipal level, says Wilms.

A related and disturbing trend is organized cyber crime's tendency to approach young people looking to make a quick, easy buck via chat rooms in colleges and universities, he says. "Organized crime is big business, and just like big business, they recruit the best and brightest. There are clear indications that smart young people are being attracted to this area."

More here.

Note: While this article primarily focuses on Canadian issues, this is also the case in every country around the world, to one extent or another. -ferg

Blue Coat to Acquire Packeteer

Tim Greene writes on NetworkWorld:

Blue Coat Systems is buying rival WAN-acceleration vendor Packeteer for $268 million to boost Blue Coat's product features.

The deal will bring better visibility into applications and improve the traffic-shaping capabilities in Blue Coat's ProxySG appliances. These are the areas of expertise around which Packeteer built its PacketShaper appliances, with the company only later branching out into WAN acceleration. By contrast, Blue Coat's initial technology focused on accelerating applications over WAN links.

The sale is expected to go through by mid-year. Blue Coat will buy all outstanding shares of Packeteer stock to carry out the purchase.

More here.

UK: New Anti-Terrorism Rules 'Allow U.S. to Spy on British Motorists'

Toby Helm and Christopher Hope write on The

Routine journeys carried out by millions of British motorists can be monitored by authorities in the United States and other enforcement agencies across the world under anti-terrorism rules introduced discreetly by Jacqui Smith.

The discovery that images of cars captured on road-side cameras, and "personal data" derived from them, including number plates, can be sent overseas, has angered MPs and civil liberties groups concerned by the increasing use of "Big Brother" surveillance tactics.

Yesterday, politicians and civil liberties groups accused the Home Secretary of keeping the plans to export pictures secret from Parliament when she announced last year that British anti-terrorism police could access "real time" images from cameras used in the running of London's congestion charge.

A statement by Miss Smith to Parliament on July 17, 2007, detailing the exemptions for police from the 1998 Data Protection Act, did not mention other changes that would permit material to be sent outside the European Economic Area (EEA) to the authorities in the US and elsewhere.

Her permission to do so was hidden away in an earlier "special certificate" signed by the Home Secretary on July 4.

More here.

Analysis: FBI Heads New Cyber Task Force

Shaun Waterman writes for UPI:

Last summer the FBI quietly established a special working group with U.S. intelligence and other agencies to identify and respond to cyber threats against the United States.

The group, called the National Cyber Investigative Joint Task Force, now has "several dozen" personnel working together at an undisclosed location in the Washington area, according to the man in charge, Shawn Henry, the bureau's deputy assistant director in charge of its cyber division.

In an interview with United Press International, Henry was tight-lipped about the task force's makeup, saying only that it involved "several intelligence, law-enforcement and other agencies from across the U.S. government."

Documents released earlier this month by the Department of Homeland Security said that the task force was being expanded "to include representation from the U.S. Secret Service and several other federal agencies."

More here.

NJ Court Requires Subpoena for Internet Subscriber Records

An AP newswire article by Jeffrey Gold, via Newsweek, reports that:

Internet service providers must not release personal information about users in New Jersey without a valid subpoena, even to police, the state's highest court ruled Monday.

New Jersey's Supreme Court found that the state's constitution gives greater protection against unreasonable searches and seizures than the U.S. Constitution.

The court ruled that Internet providers should not disclose private information to anyone without a subpoena.

More here.