Saturday, February 14, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Saturday, Feb. 14, 2009, at least 4,243 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,406 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two greater than the Defense Department's tally, last updated Thursday at 10 a.m. EST.

As of Saturday, Feb. 14, 2009, at least 576 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Thursday at 10 a.m. EST.

Of those, the military reports 421 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Mark Fiore: Government Pork

More Mark Fiore brilliance.

Via The San Francisco Chronicle.


- ferg

Conficker Invades German Defense Computers

A DPA newswire article, via Monster & Critics, reports that:

A computer virus which has already hit defence computers in Britain and France has spread to German military systems, the Defence Ministry in Berlin said Saturday.

The Conficker computer worm has exasperated computer users right around the globe in recent weeks, but security-conscious military users had been thought to be better prepared to repel it.

The spokesman said several German armed forces sites had to be disconnected from the military network after hundreds of computers were taken over by Conficker. However, no other disruptions were reported.

He said army computer recovery specialists and a private company were ridding the computers of the virus.

France suffered a military outage from the worm in mid-January. Britain's Defence Ministry has also admitted problems with it.

Microsoft has posted a reward of 250,000 dollars for the capture of the person who spread the virus, which takes over Windows operating systems, attempts to crack passwords and downloads malware from the internet.

More here.

First Heartland Arrests, With New Twist To Bogus Gift Card Scheme

Evan Schuman writes on StorefrontBacktalk:

U.S. Secret Service and local law enforcement have confirmed the arrests of three Florida men on hundreds of counts of credit card fraud, using cards that police said were made using data stolen from credit card processor Heartland Payment Systems. But the arrests revealed a new kind of gift fraud technique, one where the fraudsters need never use identification and don’t have to pay for the equipment to manufacture bogus cards.

The Tallahassee arrests of Timothy Julsaint Johns, 21, Jeremy A. Frazier, 20, and Tony Acreus, 20, are very far from closing this case. Federal officials are still focusing on an overseas group—apparently in Eastern Europe—that accessed the data from Heartland. It’s not unusual for such groups to then sell the numbers in bulk to various smaller criminal groups, which then turn the data into bogus credit cards and false gift cards and then use those documents to purchase goods, which are then sold for cash.

Just this week, the Secret Service and the FBI issued an alert describing the methodology behind what it termed “a considerable spike in cyber attacks” against e-tailers. An alert that detailed typically means that authorities already are tracking the suspects, who most likely are fully aware they are being tracked. Hence, there’s little investigative risk to issuing an alert to try and minimize additional data theft attempts using the same procedures.

Meanwhile, the full impact of the Heartland breach has not been confirmed, but the number of financial institutions that say that they have been impacted by the Heartland breach continues to rise, now hitting 221.

More here.

Do We Need a New Internet?

John Markoff writes in The New York Times:

Two decades ago a 23-year-old Cornell University graduate student brought the Internet to its knees with a simple software program that skipped from computer to computer at blinding speed, thoroughly clogging the then-tiny network in the space of a few hours.

The program was intended to be a digital “Kilroy Was Here.” Just a bit of cybernetic fungus that would unobtrusively wander the net. However, a programming error turned it into a harbinger heralding the arrival of a darker cyberspace, more of a mirror for all of the chaos and conflict of the physical world than a utopian refuge from it.

Since then things have gotten much, much worse.

Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.

More here.

Italian Police Warn of Skype 'Threat'

David Willey writes for The BBC:

Criminals in Italy are increasingly making phone calls over the internet in order to avoid getting caught through mobile phone intercepts, police say.

Officers in Milan say organised crime, arms and drugs traffickers, and prostitution rings are turning to Skype in order to frustrate investigators.

The police say Skype's encryption system is a secret which the company refuses to share with the authorities.

Investigators have become increasingly reliant on wiretaps in recent years.

Customs and tax police in Milan have sounded the alarm.

They overheard a suspected cocaine trafficker telling an accomplice to switch to Skype in order to get details of a 2kg (4.4lb) drug consignment.

More here.

Friday, February 13, 2009

Heartland Data Breach: List of Victims Grows - First Arrests Made

Linda McGlasson writes on

The list of financial institutions impacted by the Heartland Payment Systems (HPY) breach now tops 220. In related news, three men in Florida were arrested earlier this week on multiple charges of credit card fraud, and some of the card numbers they allegedly used are tied to the Heartland hack.

The Leon County, FL. Sheriff's office arrested area residents Tony Acreus, Jeremy Frazier and Timothy Johns, who had allegedly used stolen credit card numbers since November, according to Sgt. Tony Drzewiecki, spokesman for the sheriff's office.

According to the Tallahassee, FL. Democrat, the suspects were running "a very sophisticated and complex criminal enterprise." Law enforcement is investigating how the three men were able to obtain credit card numbers from the Heartland breach, which was first announced on January 20.

Meanwhile, in just over a week, the number of financial institutions that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200.

More here.

Wednesday, February 11, 2009

Programming Work: The Day Job...

Posts to the blog will be few (or virtually non-existent) the next few days -- the "day job" calls.

I have an intense schedule of meetings, etc., over the course of the next three (3) days, so blogging should be back to normal on Saturday.

Thanks for reading, and thanks for your patience.


- ferg

Tuesday, February 10, 2009

Feds Find, Arrest Fugitive Hacker On The Run in Mexico

Sharon Gaudin writes on ComputerWorld:

A Miami man, on the run for more than two years after being arrested and charged with stealing and reselling VoIP services, has been caught in Mexico.

Edwin Pena was arrested in June of 2006 on computer and wire fraud charges. The government charges that from November 2004 to May 2006 Pena and a cohort hacked into the computer networks of VoIP service providers and routed calls of Pena's customers through them.

According to a criminal complaint filed in U.S. District Court in New Jersey, Pena and co-conspirator Robert Moore of Spokane, Wash., sold more than 10 million minutes of VoIP service stolen from 15 telecommunications providers.

Pena, who is charged with one count of computer fraud and one count of wire fraud, faces a maximum of 25 years in prison.

More here.

Russia: Nashi Youth Leader Reveals Existence of Kremlin-Financed Spy Program

Via The Moscow Times.

Anna Bukovskaya, a St. Petersburg activist with the pro-Kremlin Nashi youth group, said she coordinated a group of 30 young people who infiltrated branches of the banned National Bolshevik Party, Youth Yabloko and United Civil Front in Moscow, St. Petersburg, Voronezh and six other cities.

The agents informed Bukovskaya, who passed the information to senior Nashi official Dmitry Golubyatnikov, who in turn contacted “Surkov’s people” in the Kremlin, Bukovskaya told The Moscow Times. Vladislav Surkov is President Dmitry Medvedev’s first deputy chief of staff.

The agents provided information on planned and past events together with pictures and personal information on activists and leaders, including their contact numbers, Bukovskaya said by telephone from St. Petersburg.

They were paid 20,000 rubles ($550) per month, while she received 40,000 rubles per month, she said.

She said Nashi, which is believed to have been created by Surkov, had nothing to do with the project and speculated that Kremlin officials might be behind it.

More here.

Big hat-tip: IntelFusion

BlackBerry Bitten by ActiveX Control Flaw

Ryan Naraine writes on the ZDNet "Zero day" Blog:

Research in Motion (RIM) today raised an alarm for a serious security vulnerability in the BlackBerry Application Web Loader, warning that it exposes Windows users to code execution attacks.

When a BlackBerry device user browses to a web site that is designed to install the BlackBerry Application Web Loader ActiveX control on BlackBerry devices over a USB connection, and clicks Yes to install and run the ActiveX control, the ActiveX control introduces the vulnerability to the computer.

An advisory from US-CERT explains that a malicious hacker could use booby-trapped HTML documents or Web pages to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer to crash.

More here.

NSA Seeks Holy Grail of Spy Technology

Via Dark Government.

The National Security Agency (NSA) is developing a tool that George Orwell’s Thought Police might have found useful: an artificial intelligence system designed to gain insight into what people are thinking.

With the entire Internet and thousands of databases for a brain, the device will be able to respond almost instantaneously to complex questions posed by intelligence analysts. As more and more data is collected—through phone calls, credit card receipts, social networks like Facebook and MySpace, GPS tracks, cell phone geolocation, Internet searches, Amazon book purchases, even E-Z Pass toll records—it may one day be possible to know not just where people are and what they are doing, but what and how they think.

The system is so potentially intrusive that at least one researcher has quit, citing concerns over the dangers in placing such a powerful weapon in the hands of a top-secret agency with little accountability.

Known as Aquaint, which stands for “Advanced QUestion Answering for INTelligence,” the project was run for many years by John Prange, an NSA scientist at the Advanced Research and Development Activity. Headquartered in Room 12A69 in the NSA’s Research and Engineering Building at 1 National Business Park, ARDA was set up by the agency to serve as a sort of intelligence community DARPA, the place where former Reagan national security advisor John Poindexter’s infamous Total Information Awareness project was born.

More here.

Obama Begins Cyber Security Review

Via The BBC.

A review of how well the US thwarts spies and malicious hackers has been started by President Barack Obama.

The wide-ranging review is set to last 60 days and takes in all the "plans, programs and activities" of official US cyber security efforts.

The end result will be a strategy to improve the way the US defends itself against net-borne threats.

While campaigning, President Obama likened net risks to the threat of nuclear or biological attack.

More here.

Monday, February 09, 2009

FTC: Court Orders Permanent Halt to Illegal Qchex Check Processing Operation


At the request of the Federal Trade Commission, a United States District Court has ordered a permanent halt to the illegal operations of an Internet-based check creation and delivery service and ordered the operators to give up all the money they made from the illegal operation.

In September 2006, the FTC charged Qchex with violating federal law by operating an online check creation and delivery service with no safeguards in place to prevent fraud. Qchex created and sent checks drawn on any bank account that a Qchex user identified but did not verify whether the user had authority to draw checks on that account. As a result, fraudsters worldwide used the Qchex service to draw thousands of checks on bank accounts that belonged to unwitting third parties. Defendants’ practices harmed innocent account holders whose bank accounts were debited without their knowledge or consent, as well as individuals and businesses who received fraudulent Qchex checks as payment for goods and services.

Following protracted litigation, District Court Judge Janis L. Sammartino of the Southern District of California issued a final order supporting the FTC’s charges that the defendants had created and delivered checks drawn on identified bank accounts without first verifying that a person requesting a check had authority to draw checks on that bank account.

More here.

SQL Injection Attacks Targeting Flash, JavaScript Errors

Erin Kelly writes on

SQL injection has been the most common attack method among hackers recently and users can expect attacks against newer programming languages such as Flash and Java to increase over time, experts say.

Jacob West, security group manager of Fortify Software, said that Flash, JavaScript, and a collection of Web 2.0 technologies are now at a greater risk for vulnerabilities because their software is running on end-user machines rather than a server. When individuals or IT professionals work with data processing on the client side in Web 2.0 technologies, one must be extra careful about where they execute the validation, West said.

"The 'bad guy' might replace your client with a different client," West said. "The problems aren't new, it's just more of the same problems and harder to solve."

With Flash coding, the biggest problem is that the person coding the Flash application is potentially writing the vulnerabilities into it, allowing the code to be vulnerable to exploitation, West said.

More here.

U.S. Misses DNS Security Deadline

Carolyn Duffy Marsan writes on NetworkWorld:

The federal government missed its first deadline for rolling out DNS security mechanisms on its .gov top-level domain.

Federal officials now say they will cryptographically sign .gov by the end of February, one month behind their original schedule.

Federal agencies were required to deploy DNS Security Extensions (DNSSEC) on the .gov top-level domain by January 2009 and on all sub-domains by December 2009 under an Office of Management and Budget (OMB) mandate issued last year.

DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

More here.

Union: Hacker Broke Into FAA Computers

An AP newswire article by Joan Lowy, via MSNBC, reports that:

Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says.

Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach.

FAA spokeswoman Laura Brown confirmed the agency's computers were hacked last week.

Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security is the U.S. government-directed pension system, and in the absence of a national identity card, other people's social security numbers can be used to steal identities for illicit purposes.

Waters said the other file contained medical information that was encrypted.

More here.

Biden Urges Cooperation on Cyber Security

Ben Bain writes on

Vice President Joe Biden has told the United States’ European allies that NATO should focus on cybersecurity.

In his first major foreign policy speech since becoming vice president, Biden pledged cooperation with those allies on a wide range of issues and laid out areas where NATO should focus its attention.

“Our alliance [NATO] must be better equipped to help stop the spread of the world's most dangerous weapons, to tackle terrorism and cybersecurity, to expand the writ of energy security, and to act in and out of area more effectively,” he said Feb. 7 in a speech at the Munich Conference on Security Policy, according to a transcript.

NATO officials announced in May they were launching a center focused on cooperative cyber defense in Tallinn, Estonia.

More here.

DHS Wants Cyber Security Sources

Ben Bain writes on

The Homeland Security Department wants to know which contractors can help DHS on a range of cybersecurity functions.

DHS said Feb. 5 that in anticipation of a future requirement, it was looking for contractors that were capable of providing support to its National Cyber Security Division (NCSD). The NCSD runs the United States Computer Emergency Readiness Team, which oversees the program that protects the government’s civilian computer networks.

DHS is looking to learn about industry's abilities to provide:

  • Detailed analysis and characterization of malicious code to help identify cyber threats.
  • Technical coordination between various DHS offices.
  • Security architecture and analysis support.
  • Systems engineering.
  • Overall management of cyber protection technical programs.

Responses to the sources sought notice are due Feb. 12. DHS said the notice was for informational and market research purposes and did not guarantee a solicitation would be forthcoming.

More here.

Spooks' Secret New Network Ops Project


The Intelligence Advanced Research Projects Activity (IARPA) will conduct a briefing to potential Proposers in support of the anticipated ATHENA Program solicitation. ATHENA is a classified program focused on Computer Network Operations.

This Proposers' Day will be held at the Top Secret / Sensitive Compartmented Information (TS/SCI) level, and therefore, attendance is limited to individuals who are appropriately cleared. The Proposers' Day will occur in mid-February in the Washington, DC metro area.

More here.

Hat-tip: Danger Room

Kaspersky Hires Expert to Analyze Website Hack

Elinor Mills writes on C|Net News:

Moscow-based security firm Kaspersky has hired a security expert to investigate the weekend breach of its U.S. site, the company said on Monday.

Meanwhile, the hacker site claiming credit for the breach said on Monday that it had done the same compromise on the Portuguese Web site of antivirus provider BitDefender. A BitDefender spokesperson did not immediately respond to an e-mail seeking comment.

No sensitive or customer data was compromised in the Kaspersky breach, which was discovered on Saturday, Roel Schouwenberg, a senior antivirus researcher for Kaspersky, said on a conference call with reporters. But to allay concerns about the severity of the problem, Kaspersky has hired David Litchfield, an expert in database security, to conduct an independent audit of the systems involved, he said.

A section of Kaspersky's new U.S. support site was breached by someone using a SQL injection attack, in which a small malicious script is inserted into a database that feeds information to the Web site, according to Schouwenberg.

The portion of the site breached had been developed by an unnamed third-party and was not subjected to an internal code review process as it should have been, he said. "Obviously we are not happy about that and are in the process of making the review process stricter than it currently is," he added.

More here.

Sunday, February 08, 2009

German Federal Armed Forces Develop 'Cyberwar Unit'

BabelFish translation of an article.

The German Federal Armed Forces are allegedly building a “cyberwar unit” at present, which is not only to protect their own IT infrastructure against attacks but also to carry out reconnaissance and manipulation on foreign computers and/or “in opposing networks”. According to information from Der Spiegel, the troop consists of several dozen computer science graduates of the Federal Armed Forces universities, garrisoned in Rheinbach near Bonn. At present, according to the Hamburg news magazine, the “hackers in uniform” are practicing; they are to be fully operational only next year.

Organizationally, the top-secret unit is allegedly assigned to the Strategic Reconnaissance Command and led by Brigadier General Friedrich Wilhelm Kriesel. So far no statement on the report could be obtained from the Federal Armed Forces. Under the Basic Law the German armed forces may not perform tasks in the interior; however, there have long been plans to eliminate this prohibition.

Worldwide, experts argue over whether a term such as “cyberwar” is correct, because there are no dead or injured in such a war; on the other hand, there is apparent agreement that protection against such threats ranks among the tasks of a country's armed forces. And even if the cyberattack on Estonia did not, in retrospect, pass as “war”, every state that operates a substantial electronic IT infrastructure now takes potential threats from cyberattacks seriously.

More here (auf deutsch).

Hat-tip: Slashdot

- ferg

Hathaway to Head U.S. Cyber Security Post

Siobhan Gorman writes in The Wall Street Journal:

President Barack Obama will tap a top aide to President George W. Bush's intelligence director to head his cybersecurity effort, according to government officials familiar with the decision. An announcement is expected as early as Monday.

The appointment of Melissa Hathaway, a former consultant at Booz Allen Hamilton, is the president's first major decision on cybersecurity. She will lead a review of the government's efforts to secure computer networks against spies, terrorists and economic criminals and is expected to then head a new White House office of cybersecurity.

Ms. Hathaway helped develop a Bush administration cybersecurity initiative, which was expected to cost around $30 billion over five years, with spending this year of about $6 billion. Ms. Hathaway's new job is to carry out a 60-day review of the initiative and recommend a path forward.

On the campaign trail, Mr. Obama criticized the Bush administration for being too slow to address cyber threats and said he would create a "national cyber adviser" who would report directly to the president. "As president, I'll make cyber security the top priority that it should be in the 21st century," he said in a speech in July. He equated cyber threats with those of nuclear and biological weapons in a campaign ad he ran at the time.

The decision to hold a review, however, suggests that any big moves are being put off for the time being.

More here.

UK: Spy Centre Will Track Britons On Holiday

David Leppard writes in The Times Online:

The government is building a secret database to track and hold the international travel records of all 60m Britons.

The intelligence centre will store names, addresses, telephone numbers, seat reservations, travel itineraries and credit card details for all 250m passenger movements in and out of the UK each year.

The computerised pattern of every individual’s travel history will be stored for up to 10 years, the Home Office admits.

The government says the new database, to be housed in an industrial estate in Wythenshawe, near Manchester, is essential in the fight against crime, illegal immigration and terrorism. However, opposition MPs, privacy campaigners and some government officials fear it is a significant step towards a total surveillance society.

More here.

Britain 'Under Attack' From 20 Foreign Spy Agencies

Sean Rayment writes in The Telegraph:

Russia and China have been identified as having the most active spy networks operating in the UK but it is understood that some European countries are also involved in espionage attacks against Britain.

Details of the spy plots were revealed in a government security document obtained by The Sunday Telegraph which states that Britain is "high priority espionage target" for 20 foreign intelligence agencies.

Security sources have revealed that the list of foreign agencies operating within the UK includes Iran, Syria, North Korea and Serbia, as well as some members of the European Union, such as France and Germany, who have traditionally been regarded as allies.

The document, marked "restricted", warns that foreign spies are trying to steal secrets related to the military, optics, communications, genetics and aviation industries.

The report, which was drawn up by an Army intelligence cell inside Whitehall, warns that it is too easy to "lose sight" of the threat from traditional espionage and become solely focused on attacks by al Qaeda.

More here.