Saturday, November 08, 2008

Off Topic: Paying for Eight Years of Bush's Delusions

Robert Fisk writes in The Independent:

American lawyers defending six Algerians before a habeas corpus hearing in Washington this week learned some very odd things about US intelligence after 9/11. From among the millions of "raw" reports from American spies and their "assets" around the world came a CIA Middle East warning about a possible kamikaze-style air attack on a US navy base at a south Pacific island location. The only problem was that no such navy base existed on the island and no US Seventh Fleet warship had ever been there. In all seriousness, a US military investigation earlier reported that Osama bin Laden had been spotted shopping at a post office on a US military base in east Asia.

That this nonsense was disseminated around the world by those tasked to defend the United States in the "war on terror" shows the fantasy environment in which the Bush regime has existed these past eight years. If you can believe that bin Laden drops by a shopping mall on an American military base, then you can believe that everyone you arrest is a "terrorist", that Arabs are "terrorists", that they can be executed, that living "terrorists" must be tortured, that everything a tortured man says can be believed, that it is legitimate to invade sovereign states, to grab the telephone records of everyone in America.

As Bob Herbert put it in The New York Times a couple of years ago, the Bush administration wanted these records "which contain crucial documentation of calls for a Chinese takeout in Terre Haute, Indiana, and birthday greetings to Grandma in Talladega, Alabama, to help in the search for Osama bin Laden". There was no stopping Bush when it came to trampling on the US Constitution. All that was new was that he was now applying the same disrespect for liberty in America that he had shown in the rest of the world.

More here.

Image source: AP / Charles Dharapak, via

Registrar Hide And Seek

John R. Levine:

In the past year ICANN has been putting a lot more effort into its compliance activities, which is a good thing, since the previous level was, ah, exiguous. That's the good news. The bad news is that while they're paying more attention to misbehaving registrants, the registrars, gatekeepers to the world of domains, have serious issues that ICANN have yet to address.

One straightforward problem is registrar (as opposed to registrant) compliance with the Registrar Accreditation Agreement (RAA). ICANN has sent out quite a few termination notices for failure to comply, but in nearly every case the failure involves not paying their bills. Other than that, the only meaningful enforcement has been their recent attempt to shut down Estdomains for the felony conviction of one of their principals.

Registrar Dynamic Dolphin is run by infamous high volume e-mail deployer Scott Richter. In 2003 Richter pled guilty to felony charges of receiving stolen property. Earlier this year Richter settled a suit with MySpace for $6 million, for spamming MySpace users using phished accounts. Section 5.3.3 of the RAA says that ICANN can terminate a registrar if an officer:

" convicted of a felony or of a misdemeanor related to financial activities, or is judged by a court to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN deems as the substantive equivalent of any of these..."

Why hasn't ICANN acted in this case? ICANN certainly knows about it.

More here.

Report: Terrorists Use Cash, Avoid Financial Ties

An AP newswire article by Pamela Hess, via The Washington Post, reports that:

The international system for tracking and cutting off terrorist financing has achieved major successes but is fraying seven years after the Sept. 11 attacks, two former Treasury Department officials report. Some U.S. allies in the fight against terrorism pose the weakest links.

U.N. countries froze the assets of some 300 al-Qaida and Taliban members after the 2001 attacks. By early 2004, 112 countries had ratified an international effort to suppress terrorist financing. In addition, al-Qaida is not providing money for operations at past levels. Instead, local cells increasingly are self-funded and send money back to "corporate" al-Qaida.

But international interest in continuing to comply with U.N. enforcement rules is waning, according to the former officials, and terrorists have shifted from official financial institutions, frustrating government efforts to cut off their money streams.

"Few assets are now being frozen and, in fact, many countries still have not put in place the legal framework necessary to take action," the report states. The arms embargo and travel ban against those on the list have not been enforced.

More here.

FBI Finds Most Terrorism Threat Reports Baseless

Randall Mikkelsen writes for Reuters:

The FBI tracked about 108,000 potential terrorism threats or suspicious incidents from mid-2004 to November 2007, but most were found groundless, a Justice Department review found on Friday.

The department's office of inspector general gave the figure in an audit of the FBI's terrorism case-tracking system, called Guardian, launched in 2002 after the September 11 attacks.

"The FBI determined that the overwhelming majority of the threat information documented in Guardian had no nexus to terrorism. However, as a result of information reported in Guardian the FBI initiated over 600 criminal and terrorism-related investigations from October 2006 to December 2007," the inspector general's report said.

The report did not discuss the result of the investigations.

More here.

Image of The Day: Billboard Liberation Front Strikes Again

Image source: Billboard Liberation Front

Report: FBI Kept File On Author David Halberstam

An AP newswire article, via, reports that:

The FBI tracked the late Pulitzer Prize-winning journalist and author David Halberstam for more than two decades, newly released documents show.

Students at the City University of New York's Graduate School of Journalism obtained the FBI documents by filing a Freedom of Information Act request. The university posted the documents on its Web site Thursday.

The FBI monitored Halberstam's reporting, and at times his personal life, from at least the mid-1960s until at least the late '80s, the documents show. The agency released only 62 pages of a 98-page dossier on the writer, citing security, privacy and other reasons.

More here.

Friday, November 07, 2008

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, Nov. 7, 2008, at least 4,191 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,388 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two fewer than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

As of Friday, Nov. 7, 2008, at least 555 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Thursday at 10 a.m. EDT.

Of those, the military reports 403 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

U.S. Intelligence Agencies Loosen Hiring Rules For Immigrants

An AP newswire article by Pamela Hess, via, reports that:

U.S. intelligence agencies have loosened security clearance and hiring rules to open their ranks to first- and second-generation Americans and to outside professionals with cutting-edge technological skills, a top intelligence official said Friday.

First- and second-generation immigrants have been essentially blackballed from getting the highest security clearances because their family ties to people in other countries have been considered security risks, said Ronald P. Sanders, the associate director of national intelligence, in an interview with The Associated Press. The same concerns have all but blocked applicants with dual citizenship.

The problem is that those are exactly the kind of people the intelligence agencies need to spy on the decentralized and shadowy world of terrorism. They speak foreign languages, understand the culture and have associations that can help penetrate extremist networks.

"Security clearance rules served as impediments," Sanders said. "They had their roots in the Cold War, and a lot of their assumptions are no longer valid."

Until October, it was nearly an automatic disqualification to have close relatives who were not U.S. citizens, and dual citizens had to renounce their foreign citizenships.

More here.

Friday Monkey Blogging: Monkey Guard Dog

As I mentioned a few weeks ago, I have started a regularly recurring blog entry meme every Friday afternoon, inspired by Bruce Schneier's regular series of "Friday Squid Blogging" posts, and my very own maddening Monkey Theory.

Here is this week's installment.

Keepers at Jiaozuo City Zoo have given an orphan monkey its own guard dog, because the other primates in the cage were bullying it. After being forced to intervene to save its life several times, they settled upon the trained canine, named Sai Hu, and are happy to report that it has been very successful.

"Whenever the baby monkey gets bullied, he dashes up and drives the others away. And the baby monkey is also very smart. Each time he smells danger he runs to jump on the dog's back and holds on tight. The alpha male monkey has been really unhappy since we sent in Sai Hu. He tried to organise several ambushes on the little monkey, but they all failed because of the dog," said a zoo spokesman.

Via, with a hat-tip to Neat-O-Rama.

U.S. Air Force Won't Lead Military in Cyber War

Noah Shachtman writes on Danger Room:

For a while, there, the Air Force was selling itself as the only service that could lead the military through a cyber war. Now, the Pentagon chiefs have made it clear: They're not buying. All of the military services are going to have a role in fighting online.

“It rebuffs the Air Force grab for predominance in cyber operations,” a Pentagon official tells Inside Defense.

Last fall, the Office of Secretary of Defense pushed back an even more intense effort by the Air Force to grab control of the military's unmanned air force.

More here.

Security Expert Talks Russian Gangs, Botnets

Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "CoreFlood" prior to April 6, 2004, when the alleged theft took place. Shortly after the wire transfer occurred, the sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining sum was, however, frozen by Latvian banking authorities. The Bank of America has since settled; neither side has revealed the terms.

More here.

Ex-Massachusetts Inmate Charged in Prison Computer Hacking

Jeannie M. Nuss writes on The Boston Globe:

Authorities arrested a former Massachusetts prisoner in North Carolina on Wednesday and charged him with hacking into a Plymouth prison's computer system and providing inmates with a list of current and former prison workers, US Attorney Michael J. Sullivan said yesterday.

Francis G. Janosko, 42, whose last known address was in South Carolina, allegedly hacked into the Plymouth County Correctional Facility's computer's management program and provided inmates with access to the names, dates of birth, Social Security numbers, home addresses, and telephone numbers of more than 1,100 current and former prison employees.

He was indicted Oct. 29 on one count of intentional damage to a protected computer and one count of aggravated identity theft, Sullivan said in a statement.

He could face up to 10 years in prison and a fine of up to $250,000 if convicted on the computer charge and two years in prison if convicted of identity theft.

More here.

Chinese Hack Into White House Network

Demetri Sevastopulo writes in The Financial Times:

Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.

On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer experts patched the system.

US government cyber intelligence experts suspect the attacks were sponsored by the Chinese government because of their targeted nature. But they concede that it is extremely difficult to trace the exact source of an attack beyond a server in a particular country.

”We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations,” said the official.

The official said the Chinese cyber attacks had the hallmarks of the “grain of sands” approach taken by Chinese intelligence, which involves obtaining and pouring through lots of - often low-level - information to find a few nuggets.

More here.

Thursday, November 06, 2008

Classic xkcd: Mephistopheles Encounters the EULA

We love xkcd.

- ferg

Russian Military Insider 'Sidesteps' Gov't Involvement in Georgian Cyber Attacks


Anatoly Tsyganok is a retired officer who’s now the Director for the Center of Military Forecasting at the Moscow Institute of Political and Military Analysis.

His essay “Informational Warfare - a Geopolitical Reality” was just published by the Strategic Culture Foundation. It’s an interesting look at how the July and August cyber warfare between Russia and Georgia is viewed by an influential Russian military expert.

More here.

Commercial Satellites Alter Global Security

Peter Eisler writes on USA Today:

The secretive National Geospatial-Intelligence Agency is rushing to get the latest, high-definition satellite photos of Afghanistan into the hands of U.S. ground troops as they ramp up operations in the country's tangled terrain.

The NGA analysts aren't tapping the government's huge network of highly classified spy satellites; they're getting the pictures from commercial vendors. That's the same stuff pretty much anyone can get, either through free, online programs, such as Google Earth, or by buying it from the same companies supplying Uncle Sam.

It's a remarkable turn, given the warnings that security experts in the USA and worldwide raised a few years ago about giving the entire planet — terrorists and rogue states included — access to high-resolution satellite photos once available only to superpowers.

More here.

BBC's Russian Changes Under Fire

Owen Gibson writes on The

A wide-ranging shake up of the BBC World Service's Russian operations has been criticised by high profile academics and writers, including the Nobel Prize for Literature winner Doris Lessing, who have called the plans "demented".

In an open letter, the BBC is accused of caving in to Russian pressure to cut its operations in the region by axing 22 hours a week of programming and dropping long form analytical and cultural programming. "At a time when in Russia misunderstanding and mistrust of Britain has reached a height unprecedented since the end of the USSR this decision seems a perverse, even demented concession," says the letter, organised through the GB-Russia society.

More here.

Toon of The Day: Water Under The Bridge

We love Mr. Fish.


- ferg

Researchers Hijack Storm Worm to Track Profits

Brian Krebs writes on Security Fix:

A single response from 12 million e-mails is all it takes for spammers to turn annual profits of millions of dollars promoting knockoff pharmaceuticals, according to an unprecedented new study [.pdf] on the economics of spam.

Over a period of about a month in the Spring of 2008, researchers at the University of California, San Diego and UC Berkeley sought to measure the conversation rate of spam by quietly infiltrating the Storm worm botnet, a vast collection of compromised computers once responsible for sending an estimated 20 percent of all spam.

The teams at Berkley and UCSD conducted the experiment by impersonating a key component of the Storm worm network used to hand off instructions from the worm's master control servers to the "worker bots" -- the tens of thousands of infected end-user systems that do all the spamming.

This allowed them to redirect a subset of the spam to virtual storefronts created by the researchers to mimic the pharmaceutical Web sites advertised by the real Storm spam.

More here.

Company Gets Extortion Letter Over Patient Files

A Reuters newswire article, via The New York Times, reports that:

Express Scripts, the pharmacy benefit manager, said Thursday that it had received an extortion letter threatening to expose millions of patient records.

The letter, which was sent in early October from “an unknown person or persons,” contained information on 75 Express Scripts members, including names, dates of birth, Social Security numbers and, in some cases, prescription information.

Express Scripts said it immediately notified the Federal Bureau of Investigation, which is investigating, and it notified the members named in the letter last week.

The company said it was conducting an investigation with the help of specialists in data security and computer forensics.

More here.

2008 Data Breaches: 30 Million And Counting

Orla O'Sullivan writes on Bank Systems & Technology:

Roughly 30 million consumers have had sensitive personal data stolen in the 552 reported data breaches so far in 2008, the Identity Theft Resource Center, told BS&T.

The ITRC, a national non-profit organization to help victims of identity theft, provided figures as of this Tues., Nov. 4. They show the breach trend continuing strongly upward since the ITRC reported in September that breaches reported for the first nine months of this year already exceeded those for all of 2007.

Jay Foley, executive director of the San Diego-based organization, said it's hard to say whether this reflects a rise in actual breaches or better reporting of breaches. It is only within the past five years that most states (44) now require that consumers be told when their data has been breached. "Are we having more breaches or more companies stepping up and saying 'we're having breaches'?" Foley asks rhetorically.

Most of the 30,498,740 records exposed this year represent single individuals, Foley explained. "Each is an individual [name and driver's license number/social security number], a credit card number or a financial account number," he said.


Pakistan Sets Death Penalty For Cyber Terrorism

Isambard Wilkinson writes on The

Cyber terrorism is described as the accessing of a computer network or electronic system by someone who then “knowingly engages in or attempts to engage in a terroristic act”.

“Whoever commits the offence of cyber terrorism and causes death of any person shall be punishable with death or imprisonment for life,” according to the ordinance, which was published by the state-run APP news agency.

The Prevention of Electronic Crimes law will be applicable to anyone who commits a crime detrimental to national security through the use of a computer or any other electronic device, the government said in the ordinance.

It listed several definitions of a “terroristic act” including stealing or copying, or attempting to steal or copy, classified information necessary to manufacture any form of chemical, biological or nuclear weapon.

More here.

Obama Website Goes Online

Via AFP.

The official website of US President-elect Barack Obama for his transition to the White House,, went online on Thursday inviting users to offer their ideas for the future of the country.

Under the headline of "Open Government," the website asks readers to "Share Your Vision" via email.

"The story of the campaign and this historic moment has been your story," the website states. "Share your story and your ideas, and be part of bringing positive lasting change to this country."

The website's homepage notes that it's "75 days until inauguration," when Obama is to be sworn in as president on January 20, 2009.

It also features a quote from Obama: "Today we begin in earnest the work of making sure that the world we leave our children is just a little bit better than the one we inhabit today."

More here.

SpyTalk: Who Will Run CIA?

Jeff Stein writes on SpyTalk:

With snow already falling in Afghanistan, Barack Obama's not likely to wait long to pick America's next top spy.

For my two cents, it's as hard to imagine the president-elect keeping Mike Hayden at the CIA as it is picking Anthony Lake for the job, no matter how much we're hearing about Obama naming Republicans like Chuck Hagel and Richard Lugar to top national security posts.

Notwithstanding Hayden's restoration of calm professionalism at the agency after years of turmoil, he was a loyal soldier in the Bush administration's secret warrantless wiretapping program, as director of the NSA before moving to the CIA.

That will never sit well with most Democrats, at least some of whom will think of Hayden, fairly or not, as a potential fifth columnist.

Obama will want somebody he knows and trusts running herd on the agency's spies and analysts.

More here.

The Presidential Transition and Secrecy

Steven Aftergood writes on Secrecy News:

The possibilities for significant changes in government secrecy policy are starting to attract official attention as the presidential transition process begins.

“I know things are going to change,” one executive branch official with national security classification responsibility said this morning. “The folks that are inbound have a keen appreciation for the kind of things that need to occur,” the official said.

He noted the role of John Podesta as leader of the transition team. Mr. Podesta, now at the Center for American Progress (where he said he will return after the transition), is a former Clinton White House chief of staff. He played an influential part in the development of the Clinton executive order on classification policy, which generally favored openness and dramatically increased declassification of historical records.

Mr. Podesta testified on government secrecy policy before the Senate Judiciary Committee as recently as last September 16, where he presented his own agenda for secrecy reform.

More here.

ITU Challenges ICANN to Involve Governments

Rebecca Wanjiku writes on

The debate over the role of governments within the Internet Corporation for Assigned Names and Numbers has taken a new twist after Hamadoun Touré, secretary general of the International Telecommunications Union (ITU), labeled the ICANN Government Advisory Committee as "cosmetic."

The GAC is merely advisory, and ICANN may choose to take the advice or not, Touré noted at a public meeting in Cairo.

"The structure is weak, and I have discussed this with GAC Chairman Janis Kirklins before," he added.

With ICANN's claim that it is inclusive, Touré said, governments should be able to participate on equal footing as other ICANN constituencies.

More here.

Two Los Angeles Traffic Engineers Admit Hacking

Andrew Blankstein writes in The Los Angeles Times:

Two Los Angeles traffic engineers admitted today to hacking into a computer system that controls traffic lights before a job action related to contract negotiations with the city, prosecutors said.

Gabriel Murillo, 39, and Kartik Patel, 36, who worked with the city's Automated Traffic Surveillance Center, each pleaded guilty to a single felony count of illegally accessing a city computer connected to the center.

The illegal access occurred hours before a job action in August 2006 by members of the Engineers and Architects Assn., which represents the engineers who run and maintain the city's traffic center. It took four days to get the traffic control system fully operational afterward and underscored the vulnerability of L.A.'s the complex system.

More here.

Wednesday, November 05, 2008

UK: Fears Grow Over Government Plans to Store ALL Internet Traffic With 'Black Box' Technology

Via The Daily Mail.

Fears were growing today over government plans to store details of all internet traffic in the UK using new 'black box' technology.

Home Office officials have told senior telecommunications figures of proposals to use the Interception Modernisation Programme to retain raw data of every phonecall, email and internet visit, which would be transferred to a database controlled by the Government.

The information would be used to fight terrorism and serious crime.

Further details of the database emerged at a meeting on Monday between Home Office officials and internet service providers including BT, AOL Europe, O2 and BSkyB.

More here.

Three Plead Guilty in $2 Million Citibank ATM Caper

Kevin Poulsen writes on Threat Level:

Three New Yorkers accused of using hacked Citibank ATM card numbers and PINs to steal $2 million from customer accounts in four months have pleaded guilty to federal conspiracy and access device fraud charges.

The defendants -- Ivan Biltse, Angelina Kitaeva and Yuriy Rakushchynets, aka Yuriy Ryabinin -- are among 10 suspects charged earlier this year in connection with a breach of transaction processing server handling ATMs at 7-Eleven convenience stores. The ATMs are branded Citibank, and owned by Houston-based Cardtronics.

Court records indicate a Russian hacker breached the ATM server in late 2007, and monitored transactions from 7-Eleven cash machines long enough to capture thousands of account numbers and PINs. The Russian then farmed out the stolen data to mules in the United States, who burned the account numbers onto blank mag-stripe cards and withdrew cash from Citibank ATMs in the New York area for at least five months, sending 70 percent of the take back to Russia.

Citibank reported the breach to the FBI in February. In a separate investigation, U.S. Secret Service agents had already identified Rakushchynets as a member of the computer underground, and they tied him to the Citibank heist after comparing ATM surveillance photos to pictures of Rakushchynets posted on ham radio websites.

More here.

Toon of The Day: Day One


By Mike Luckovich, via

Mark Fiore: Lame Duck?

More Mark Fiore brilliance.

Via Mother Jones.

- ferg

In Passing: Michael Crichton

Michael Crichton
October 23, 1942 – November 4, 2008

'Remember, Remember the Fifth of November...'

Happy Guy Fawkes Night.

- ferg

Malware Piggybacks on Obama Win

Brian Krebs writes on Security Fix:

Cyber criminals are blasting out massive amounts of spam touting a video of President-elect Barack Obama's victory speech. Recipients who click the included link are taken to a site that prompts visitors to install an Adobe Flash Player update. The bogus update, however, is actually a data-stealing Trojan horse.

The messages, with such subject lines as "election results winner," and "the new president's cabinet?", and "fear of a black president," direct recipients to a site featuring a picture of Obama beneath an official U.S. government seal and the domain name (the real domain names used to host these fraudulent sites appear to differ from message to message). Beside Obama's visage is an embedded video player that reads "loading player." A few seconds after the site loads, the visitor is prompted to download the malware, disguised as "adobe_flash9.exe".

More here.

Note: Also noted over on the Sunbelt Software Blog. -ferg

Obama and McCain Campaign Computers Compromised By 'Foreign Entity'


The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, NEWSWEEK reports today.

At the Obama headquarters in midsummer, technology experts detected what they initially thought was a computer virus—a case of "phishing," a form of hacking often employed to steal passwords or credit-card numbers. But by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised. A top McCain official confirmed to NEWSWEEK that the campaign's computer system had been hacked and that the FBI had become involved.

Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps' policy positions—information that might be useful in negotiations with a future administration. The Feds assured the Obama team that it had not been hacked by its political opponents. (Obama technical experts later speculated that the hackers were Russian or Chinese.) A security firm retained by the Obama campaign took steps to secure its computer system and end the intrusion. White House and FBI officials had no comment earlier this week.

More here.

Barack Obama - The 44th President of The United States

Image source: Patrick Moberg / Laughing Squid

Tuesday, November 04, 2008

A New Day in America: All Things Are Possible

I am so very proud to be an American tonight.

My faith is indeed renewed -- we are on a path of change which we so desperately need.

I think I'll just take a few hours to let it soak in...

- ferg

Programming Note: Election day

Things have been rather hectic today, and as you might have noticed, I have not posted to the blog at all. I'll be watching the election returns on television tonight, so I probably will not be posting until this thing is wrapped up.

And if Barack Obama wins (as it looks like he will at this point), my faith in the American democratic process will be restored.


- ferg

Monday, November 03, 2008

U.S. Toll in Iraq, Afghanistan

Make sure you think about this when you VOTE TOMORROW.

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Monday, Nov. 3, 2008, at least 4,190 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,388 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is three fewer than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

As of Monday, Nov. 3, 2008, at least 554 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Monday at 10 a.m. EDT.

Of those, the military reports 402 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Is The World Bank in The Middle of Security Meltdown?

Richard Behar writes on FOX News:

Over the past year, as FOX News reported three weeks ago, the bank has suffered a series of Internet attacks that penetrated at least 18 and perhaps as many as 40 of the bank's data servers. Moreover, spyware was apparently installed on computers inside the bank's treasury unit in Washington. The bank denies that sensitive data was compromised in any of the attacks.

Now, FOX News has learned, hundreds of employees of an India-based technology contractor that World Bank president Robert Zoellick ordered off the agency's property last April on security grounds are still working for the financial institution. They have been transformed in recent months into bank staffers or shifted onto the employment rolls of other contractors.

These revelations raise more questions about the safety of sensitive information at the world's largest and most influential anti-poverty lender. They also raise questions about the dependence of the bank on outside contracting help to maintain an information and communications system that is a hodgepodge of both semi-obsolete and cutting edge technologies, and far less secure than many people around the world have reason to expect.

More here.

No on Prop 8: Home Invasion

Via Crooks and Liars.

Vote No on Prop 8.

- ferg

IT Worker Let Spammers Into Ex-Employer's Servers

Robert McMillan writes on

An IT manager who logged onto to his former employer's computer network five months after being fired and opened the e-mail server up to spammers has been sentenced to one year in prison.

Steven Barnes had earlier pleaded guilty to computer intrusion charges, saying in a plea agreement that he accessed servers at a San Mateo, California, Internet media company called Akimbo Systems and turned the company's mail system into an open mail server that spammers could use to send out messages. He also deleted the company's Microsoft Exchange e-mail database and files that the computer needed in order to boot up.

In a letter to the presiding judge, Barnes said that he had battled drug and alcohol addictions at the time, and was upset after Akimbo representatives showed up at his door in April 2003 -- one carrying a baseball bat -- and taken both his work and personal computers.

He logged onto company servers on Sept. 30 after trying an old password that had been valid before he was fired. "To my complete disbelief, I soon realized... they had no firewall and the passwords were not even changed," he said.

More here.

Cyber-Criminals Have Easy Ride in The UK

Carrie-Ann Skinner writes on

Cyber crime has increased because it's easy get involved and offenders are rarely caught or punished, says the Corporate IT Forum.

Research by the company identified that 69 percent of the 3,5000 businesses surveyed have seen an increase in cyber crime such as denial of service and website hacking. In fact, cyber crime is so rife that 68 percent of companies are forced to spend as much as 40 percent of their security budgets protecting themselves from cyber crime.

The survey also highlighted that confidence in the UK Government's ability to help fight cyber crime is at an all time low with only four percent claiming they'd report incidences of cyber crime and 57 percent admitting they feel that any report of cyber crime won't be handled properly.

More here.

Cyber Crime: Where Are the Registrars?

Matt Hines writes on the eWeek "Security Watch" Blog:

That's the big question that some people think needs to be answered, or at least one of them, if ICANN is indeed to play a more active role in helping to keep larger numbers of cyber criminals and schemers offline.

As notorious registrar Estdomains sits in limbo waiting to see if ICANN is going to pull its accreditation, based on the fact that its CEO is believed to be a convicted felon (credit card fraud, money laundering and document forgery), some market watchers are postulating that even more shady registrars could be kept from going into business in the first place if ICANN would force the companies to provide accurate, verifiable information upfront about their physical locations and corporate officers.

Garth Bruen, the mind behind anti-spam effort/portal KnujOn, someone who was calling for Estdomains to be taken offline months before ICANN moved to do so, is one of the people leading the effort to push ICANN to further formalize its registrar registration efforts.

"We have before us rare opportunity to close a big Internet policy loophole. You may not be aware but Registrars (companies authorized to issue domain names) are not required to publicly disclose their ownership or location," Bruen said in a letter to supporters on Monday. "It is my firm belief that this policy failure has helped criminals to get a foothold within the Internet infrastructure."

More here.

SCADA Watch: Infrastructure Cybersecurity Is in Our Hands

Keith Larson writes on

Even without the terrorist attacks of September 11 and the U.S. Dept. of Homeland Security’s resultant push to secure the country’s critical infrastructure, an organized effort to protect process automation systems from cyber events was bound to bubble to the top of our priority list. Call it the law of unintended consequences at work. Process automation systems were once isolated as well as proprietary, two natural—and highly effective—ways to protect critical systems from malware and other scourges of the Internet age.

But even as the problem—and awareness—of cyber security issues gathered steam in the outside world, the process automation community unintentionally increased the cyber vulnerability of many of its systems.

Indeed, over the past 15 years, we drove the widespread adoption of the very same commercial, off-the-shelf (COTS) computing platforms that the black hats were targeting.

And simultaneously, in recognition of the need for manufacturing data transparency, we pushed the interconnection and integration of process control with other enterprise systems to unprecedented levels, effectively multiplying our systems’ vulnerabilities.

More here.

Note: Indeed - this is exactly the same point that I have tried to make many times. -ferg

U.S. Air Force Aims to 'Rewrite Laws of Cyberspace'

Noah Shachtman writes on Danger Room:

The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the "laws of cyberspace."

It's more than a little ironic that the U.S. military, which had so much to do with the creation and early development of internet, finds itself at its mercy. But as the American armed forces become increasingly reliant on its communications networks, even small, obscure holes in the defense grid are seen as having catastrophic potential.

Trouble is that even a founding father can't unilaterally change things that the entirety of the internet ecosystem now depends on. "You can control your own networks, rewrite your own laws," says Rick Wesson, CEO of the network security firm Support Intelligence. "You can't rewrite everybody else's."

More here.

Sunday, November 02, 2008

On Security, Microsoft Reports Progress and Alarm

John Markoff writes in The New York Times:

Microsoft plans to report on Monday that the security of its Windows operating system has significantly improved, while at the same time the threat of computer viruses, frauds and other online scourges has become much more serious.

The company blames organized crime, naïve users and its competitors for the deteriorating situation.

In the latest edition of its twice-a-year “Security Intelligence Report,” Microsoft said that the amount of malicious or potentially harmful software removed from Windows computers grew by 43 percent during the first half of 2008.

More here.

U.S. Intelligence: Partnering for Cyberspace Security

Walter Pincus writes in The Washington Post:

In two recent speeches that have attracted little notice, Donald Kerr, principal deputy director of national intelligence, has called for a radical new relationship between government and the private sector to counter what he called the "malicious activity in cyberspace [that] is a growing threat to everyone."

Kerr said the most serious challenge to the nation's economy and security is protecting the intellectual property of government and the private sector that is the basis for advancements in science and technology.

"I have a deep concern . . . that the intelligence community has still not properly aligned its response to what I would call this period of amazing innovation -- the 'technological Wild West' -- by grasping the full range of opportunities and threats that technology provides to us," he said at the annual symposium of the Association for Intelligence Officers on Oct. 24.

More here.

UK's Gordon Brown: 'I Can't Make Any Promises About Keeping Your Personal Details Safe'

James Black writes on the Mail On Sunday:

Gordon Brown today admitted the Government cannot promise to keep safe the millions of pieces of sensitive personal information it has gathered on the British public.

The Prime Minister's remarks came amid an urgent inquiry into how a memory stick with user names and passwords for a key Whitehall computer system was found in a pub car park.

The Gateway website allows members of the public to access hundreds of government services including self-assessment tax returns, pension entitlements and child benefits.

There are 12m people registered on it, and it had to be temporarily suspended.

It is the latest in a string of similar blunders, including the loss of the details of 25m Child Benefit claimants, and information on tens of thousands of the country's worst criminals.

More here.

Hat-tip: Pogo Was Right

Terrorists Try To Infiltrate UK's Top Weapons Labs

Mark Townsend writes on The Guardian:

Dozens of suspected terrorists have attempted to infiltrate Britain's top laboratories in order to develop weapons of mass destruction, such as biological and nuclear devices, during the past year.

The security services, MI5 and MI6, have intercepted up to 100 potential terrorists posing as postgraduate students who they believe tried accessing laboratories to gain the materials and expertise needed to create chemical, biological, radiological and nuclear weapons, the government has confirmed.

It follows warnings from MI5 to the Foreign and Commonwealth Office that al-Qaeda's terror network is actively seeking to recruit scientists and university students with access to laboratories containing deadly viruses and weapons technology.

More here.