Saturday, July 25, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Saturday, July 25, 2009, at least 4,329 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,464 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is three fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Saturday, July 25, 2009, at least 677 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Friday at 10 a.m. EDT.

Of those, the military reports 506 were killed by hostile action.

More here and here.

Honor the Fallen.

Friday, July 24, 2009

Happy Tequila Day!

Yes, there is actually a Tequila Day, and yes, it was today.

And yes, I just found out about it, too.

But I keep a bottle of dark agave, so -- cheers!

- ferg

Network Solutions Hack Compromises 573,000 Credit, Debit Accounts

Brian Krebs writes on Security Fix:

Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months, Security Fix has learned.

Herndon, Va. based Network Solutions discovered in early June that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores, Network Solutions spokeswoman Susan Wade said.

Wade said the company is working with federal law enforcement and a commercial data breach forensics team to determine the cause and source of the break-in. The payment data stolen was captured from transactions made between March 12, 2009 and June 8, 2009.

More here.

Thursday, July 23, 2009

Mark Fiore: Stay Healthy!

More Mark Fiore brilliance.

Via The San Francisco Chronicle.


- ferg

Hacker Says iPhone 3GS Encryption Is 'Useless' for Businesses

Brian X. Chen writes on Gadget Lab:

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

With its easy-to-use interface and wealth of applications available for download, the iPhone may be the most attractive smartphone yet for business use. Many companies seem to agree: In Apple’s quarterly earnings conference call Tuesday, Apple chief operating officer Tim Cook said almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece; multiple corporations and government organizations have purchased 25,000 iPhones each; and the iPhone has been approved in more than 300 higher education institutions.

But contrary to Apple’s claim that the new iPhone 3GS is more enterprise friendly, the new iPhone 3GS’ encryption feature is “broken” when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said.

More here.

Security Experts Push to Require Federal Information Security Guidelines

Jill R. Aitoro writes on

The final version of the National Institute of Standards and Technology's computer security controls will incorporate recommendations developed by security experts in industry and government for dealing with attacks on federal networks. Those professionals hope that including their prescriptions in official NIST guidance will be the first step toward a federal mandate for compliance.

After receiving more than 800 comments on its third revision of Special Publication 800-53 [.pdf] -- "Recommended Security Controls for Federal Information Systems and Organizations" -- NIST will post the final version online on July 31. One significant addition is guidance on how to fix the specific vulnerabilities in federal networks that hackers are known to exploit most frequently. These recommendations, known as the Consensus Audit Guidelines, were developed by security analysts from industry and government, including the Defense, Energy and Homeland Security departments, the National Security Agency, and the Government Accountability Office. They establish baseline information security measures and controls, most of which can be monitored continuously using automated processes.

More here.

Ukrainian Hacker Can Be Sued for Fraud Under Securities Exchange Act, Says 2nd Circuit

A New York Law Journal article by Mark Hamblett, via, reports that:

A man who hacked into a computer network to gain advance information about a company's financial reports can be sued for fraud under the Securities Exchange Act of 1934 even though he owed no fiduciary duty to the company, the 2nd U.S. Circuit Court of Appeals has ruled.

The circuit said there is nothing in the case law that "expressly imposes a fiduciary-duty requirement on the ordinary meaning of 'deceptive' where the alleged fraud is an affirmative misrepresentation rather than a nondisclosure."

The ruling in Securities and Exchange Commission v. Dorozhko [.pdf], 08-0201-cv, reversed a decision by Southern District Judge Naomi Reice Buchwald refusing to grant a preliminary injunction to the SEC that would freeze the alleged hacker's trading gains.

Buchwald had found that computer hacking cannot be considered "deceptive" unless there is a breach of fiduciary duty.

The appeal was decided by Judges Jose A. Cabranes and Peter W. Hall and, sitting by designation, Southern District Judge Richard J. Sullivan.

Ukrainian national Oleksandr Dorozhko invested $42,500 through his online trading account in October 2007 and spent almost all of it on "put" options in IMS Health, Inc., betting the company's quarterly earnings would disappoint and the stock price would drop.

IMS Health Inc., which had hired Thomson Financial Inc. to provide investor relations and Web-hosting services, was set to announce earnings on Oct. 17, 2007, at 5 p.m.

The SEC alleges that Dorozhko made $286,456 on the put options when the company's earnings came in below the expectations set by Wall Street analysts. They also allege he was the one who hacked into Thomson Financial's secure server and downloaded critical information about IMS Health in advance of the earnings call.

More here.

Wednesday, July 22, 2009

Report: U.S. Must Attract More Cyber Security Pros

Brian Prince writes on eWeek:

The U.S. government needs to do more than buy technology to improve cyber-security – it needs to hire more experts, according to a new report.

The report was prepared by the non-profit Partnership for Public Service and consulting firm Booz Allen Hamilton and paints a picture of the government’s cyber-security efforts as dysfunctional, where a lack of coordination and fragmented governance “hinders the ability to meet federal cybersecurity workforce needs.”

Among other things, the report found in a survey of 18 federal agencies that only 40 percent of CIOs, CISOs and IT hiring managers are satisfied or very satisfied with the quality of applicants for federal cyber-security jobs. The report also found a disconnect between front-line hiring managers and government’s HR specialists.

“Our surveys reveal that front-line managers are consistently less satisfied with the effort to hire new cybersecurity talent than their peers in HR,” according to the report. “In addition, 41 percent of the CIOs/CISOs and 38 percent of HR managers reported being either dissatisfied or very dissatisfied at the level of collaboration with the Office of Personnel Management (OPM), which should provide vital support for agencies looking to acquire skilled cybersecurity workers.”

More here.

National Disgrace: More U.S. Troops Relying on Food Stamps

Bryan Mitchell writes on

Military members and their families are using more food stamps than in previous years – redeeming them last year at nearly twice the civilian rate, according to Defense Commissary Agency figures.

The agency reports that more than $31 million worth of food stamps were used at commissaries nationwide in 2008 – an increase of about $6.2 million, or more than 25 percent – from the $24.8 million redeemed in 2007. That contrasts with a 13 percent overall increase in food stamp use by Americans for the same period, according to the Department of Agriculture, which administers the food stamp program.

The spike reverses a 5 percent decrease in food stamp redemptions by military families from 2006 to 2007.

The commissary agency stressed that its figures include military retirees as well as Reservists and National Guardsmen who shop at its commissaries. Commissary agency officials were unable to provide numbers for the first half of 2009.

The rise in food stamp usage in the military may also be attributed to a recent change in the way the program is administered. Program users may now use a debit card to buy with food stamps rather than traditional paper vouchers – decreasing their visibility and so eliminating any stigma or reluctance to use the government-funded aid.

The increase in food stamp usage by military families can be viewed as part of a larger, national trend. Figures show that food stamp use had been rising sharply across the country even before the current recession, even though much of the previous decade was marked by a robust economy.

More here.

Hacking Oracle's Database Will Soon Get Easier

A Reuters newswire article by Jim Finkle, via, reports that:

Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information. Security experts have developed an easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems, but cybercrooks can use it for hacking.

The tool's authors created it through a controversial open-source software project known as Metasploit, which releases its free software over the Web. Chris Gates, a security tester who co-developed the Metasploit tool, will unveil it next week at the annual Black Hat conference in Las Vegas, where thousands of security experts and hackers will gather to exchange trade secrets.

"Anyone with no skill and knowledge can download and run it," said Pete Finnigan, an independent consultant who specializes in Oracle security and who advises large corporations and government agencies. He has not yet studied the Oracle tool but is familiar with other Metasploit software and said it works by automating many of the complicated procedures required to hack into Oracle databases, allowing amateurs to hack into them.

Oracle, which declined to comment, has already issued patches to protect against vulnerabilities that the Metasploit tool targets.

More here.

Adobe Confirms Flash Zero-Day Bug in PDF Docs

Gregg Keizer writes on ComputerWorld:

Adobe is investigating a critical vulnerability in its Flash format that is currently being exploited by hackers using malicious PDF documents, according to the company's security team and outside researchers.

Adobe said little in a short entry to its security blog late Tuesday. "Adobe is aware of reports of a potential vulnerability in Adobe Reader and Acrobat 9.1.2 and Adobe Flash Player 9 and 10," said Brad Arkin, the company's director for product security and privacy. "We are currently investigating this potential issue."

Reader and Acrobat 9.1.2 are the most current versions of those applications.

An Adobe spokesman early Wednesday confirmed that the vulnerability was an issue within Flash content that is inserted into a PDF (Portable Document Format) file. Users can drop Flash movies into PDF files, for instance.

More here.
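A triage check a responder would want for the item above: given a PDF, does it carry embedded Flash at all? This is an added example, not code from Adobe or from the ComputerWorld story. It assumes two indicators: the /RichMedia annotation subtype Acrobat 9 uses to embed Flash, and the SWF file signature ("FWS" for uncompressed, "CWS" for zlib-compressed SWF), which it looks for both in the raw file and inside FlateDecode streams after inflating them. The sample PDF it scans is constructed inline for the demo; it only establishes that Flash content is present, not that the content is malicious, and it ignores other stream filters (ASCIIHex, LZW, filter chains), so a clean result is not proof of absence.

```python
"""Triage check: does a PDF carry embedded Flash (SWF) content?

Added example, not from Adobe or the article. Indicators (assumptions
stated in the lead-in): the /RichMedia annotation subtype, and the SWF
signature "FWS"/"CWS" followed by a plausible version byte, found either
in the raw file or inside a FlateDecode stream that we inflate first.
"""
import re
import zlib

# SWF header: 3-byte signature then a one-byte version (1..32 is plausible).
SWF_MAGIC = re.compile(rb"(?:FWS|CWS)[\x01-\x20]")
# PDF stream bodies: "stream" EOL ... EOL "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _scan_bytes(blob):
    """Indicator names present in one chunk of bytes."""
    hits = set()
    if b"/RichMedia" in blob:
        hits.add("richmedia_annotation")
    if SWF_MAGIC.search(blob):
        hits.add("swf_signature")
    return hits


def find_flash_indicators(pdf_bytes):
    """Return the set of indicator names found (empty set means none).

    Hits inside inflated FlateDecode streams are prefixed "inflated_" so the
    analyst can tell a plain-text hit from one hidden behind compression.
    """
    hits = _scan_bytes(pdf_bytes)
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            inflated = zlib.decompress(match.group(1))
        except zlib.error:
            # Not Flate-compressed (or corrupt); the raw bytes were already scanned.
            continue
        for name in _scan_bytes(inflated):
            hits.add("inflated_" + name)
    return hits


def build_sample_pdf(embed_flash=True):
    """Constructed minimal PDF-like file for the demo; not real Acrobat output."""
    if embed_flash:
        # Fake SWF: signature, version 10, little-endian file length, padding.
        payload = b"FWS\x0a" + (20).to_bytes(4, "little") + b"\x00" * 12
        annot = b"<< /Type /Annot /Subtype /RichMedia >>"
    else:
        payload = b"plain text"
        annot = b"<< /Type /Annot /Subtype /Link >>"
    stream = zlib.compress(payload)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n" + annot + b"\nendobj\n"
        b"2 0 obj\n<< /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + stream + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, sorted(find_flash_indicators(build_sample_pdf(flag))))
```

Run it against a directory of inbound PDFs and route anything that returns a non-empty set to a sandbox; a RichMedia annotation with no SWF signature anywhere usually means the Flash asset sits behind a filter this script does not decode, which is itself worth a look.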

Tuesday, July 21, 2009

The NSA is Still Listening to You

James Bamford writes on

This summer, on a remote stretch of desert in central Utah, the National Security Agency will begin work on a massive, 1 million-square-foot data warehouse. Costing more than $1.5 billion, the highly secret facility is designed to house upward of trillions of intercepted phone calls, e-mail messages, Internet searches and other communications intercepted by the agency as part of its expansive eavesdropping operations. The NSA is also completing work on another data warehouse, this one in San Antonio, Texas, which will be nearly the size of the Alamodome.

The need for such extraordinary data storage capacity stems in part from the Bush administration's decision to open the NSA's surveillance floodgates following the 9/11 attacks. According to a recently released Inspectors General report, some of the NSA's operations -- such as spying on American citizens without warrants -- were so questionable, if not illegal, that they nearly caused the resignations of the most senior officials of both the FBI and the Justice Department.

Last July, many of those surveillance techniques were codified into law as part of the Foreign Intelligence Surveillance Amendments Act (FAA). In fact, according to the Inspectors General report, "this legislation gave the government even broader authority to intercept international communications" than the warrantless surveillance operations had. Yet despite this increased power, congressional oversight committees have recently discovered that the agency has been over-collecting on the domestic communications of Americans, thus even exceeding the excessive reach granted them by the FAA.

More here.

EFF Plans Lawsuit To Unveil the CIA's Pentagon Papers

Ryan Singel writes on Threat Level:

The CIA and other agencies are sitting on a trove of documentary evidence of actual and suspected wrongdoing under the Bush administration, and the Electronic Frontier Foundation plans to file a lawsuit Wednesday to force the intelligence community to come clean, the group says.

At issue are the misconduct reports the spy agencies are required to file with the Intelligence Oversight Board, a board of private citizens with security clearances who oversee the spy agencies and report to the president. The board is tasked with evaluating the self-reported malfeasances of intelligence agencies, looking at the agencies’ responses, and forwarding on the worst to the attorney general when it believes criminal prosecution is called for.

The CIA is among the agencies that failed to respond to the EFF’s Freedom of Information Act (FOIA) requests for copies of the reports. Given the unfolding controversy over the CIA’s apparent failure to notify Congress of a secret agency assassination program, the withholding of these documents takes on even greater importance, according to EFF lawyer Nate Cardozo.

“If the CIA hasn’t been reporting these types of activity to Congress, which apparently they haven’t, then who are they reporting it to?” Cardozo asked. “If this is the only body for the intelligence oversight, whether they are actually filing these reports is a good question.”

More here.

Monday, July 20, 2009

40 Years Later: Lunar Lander Base Still Standing Tall

Four decades after Apollo 11 astronauts Neil Armstrong and Buzz Aldrin left the Moon, the base of their lunar lander sits undisturbed in this image from Lunar Reconnaissance Orbiter -- the first picture of the lander ever snapped from lunar orbit.

LRO, which entered lunar orbit earlier this year, carries the most powerful camera of any lunar orbiter to date. In addition to the Apollo 11 site, it also photographed four of the five other Apollo landing sites. Scientists expect to get even better pictures later in LRO's mission as it drops to a lower orbit around the Moon.


Image source: NASA / GSFC / Arizona State

Obama's Unwilling Cyber Czars

Andy Greenberg writes on

America's cyber czar, despite the impressive title, may not be such a coveted job after all. As early as this week, President Obama is expected to appoint a national cybersecurity adviser, who will report to the oval office and run the White House's efforts to defend the government from hackers and cyberspies. But for those hoping to get a sense of the cyber czar's place in Washington's pecking order, the appointee's name may not be as important as the names of those who have politely declined the role.

According to cybersecurity industry insiders monitoring the appointment process, at least three people were informally offered the cyber czar post and turned it down, including former Virginia Sen. Tom Davis, Microsoft security executive Scott Charney and Good Harbor Consulting Executive Paul Kurtz. One reason that the czarship has remained unfilled for the six months since Obama has taken office, those sources say, may be that the position has taken a back seat to another issue: the economy.

More here.

SCADA Watch: FERC Lays Out Priorities for Smart Grid Standards

Ben Bain writes on

The Federal Energy Regulatory Commission has said that standards being developed for the country’s smart grid should put a priority on cybersecurity and systems monitoring.

FERC's July 16 policy statement, which is meant to guide industry as it develops standards for interoperability and functionality of smart-grid systems and devices, also encouraged the coordinated integration of emerging technologies such as renewable resources.

The development of the smart grid – an information technology-enabled, next-generation power distribution system – is a priority of the Obama administration. FERC’s jurisdiction over smart-grid standards comes from the Federal Power Act and more recently, the Energy Independence and Security Act (EISA) of 2007.

The EISA law gave the National Institute of Standards and Technology (NIST) the main responsibility for working with industry to develop a framework of standards and protocols to ensure the interoperability and security for the grid. However, the law states the final standards need to be approved by FERC, which has regulatory authority over the interstate industry.

More here.

Security Fix: The Growing Threat to Business Banking Online

Brian Krebs writes on Security Fix:

Federal investigators are fielding a large number of complaints from organizations that are being fleeced by a potent combination of organized cyber crooks abroad, sophisticated malicious software and not-so-sophisticated accomplices here in the United States, Security Fix has learned. The attacks also are exposing a poorly-kept secret in the commercial banking business: That companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud.

Earlier this month, I wrote about Bullitt County, Kentucky, which lost $415,000 after criminals planted malicious software on the county treasurer's PC. That rogue program allowed the crooks to initiate wire transfers to more than two dozen so-called "money mules," people duped into laundering the money and wiring it to the perpetrators in Ukraine.

A few days after that story ran, I heard from a source in federal law enforcement who said the attack against Bullitt County was only the very tip of the iceberg, and that there were many other businesses also losing money in similar cyber attacks. The source, who is familiar with several of these investigations, asked to remain anonymous because he is not authorized to speak with the media.

More here.

Proposed Expansion of TLDs Generates Security Concerns

Marcia Savage writes on

A plan by Internet policymakers to expand the number of generic top-level domains (gTLDs) has generated concern in the financial industry over the security and trademark protection implications of a slew of new Internet domains.

The Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit that coordinates the Internet's addressing system, is working to expand the number of gTLDs (.com, .org, .edu) from 21 to potentially hundreds. They could include industry sectors like .bank, places such as .paris, company names or sport franchises. According to ICANN, the expansion will allow for more innovation and choice to the Internet's addressing system.

But the program, which ICANN has been planning for more than three years and hopes to launch next year, has been controversial with a range of business groups expressing concern about trademark protection and the potential for malicious conduct like phishing attacks. In the financial sector, the concern has been acute, with the American Bankers Association (ABA), Bank of America Corp. and the Securities Industry and Financial Markets Association among those filing objections with ICANN.

More here.

Court Rebukes U.S. Government Over 'Secret Law'

Steven Aftergood writes on Secrecy News:

“Government must operate through public laws and regulations” and not through “secret law,” a federal appellate court declared in a decision last month. When our government attempts to do otherwise, the court said, it is emulating “totalitarian regimes.”

The new ruling [.pdf] overturned the conviction of a defendant who had been found guilty of exporting rifle scopes in violation of the International Traffic in Arms Regulations (ITAR). The court said that the government had failed to properly identify which items are subject to export control regulations, or to justify the criteria for controlling them. It said the defendant could not be held responsible for violating such vague regulations.

Normally, “A regulation is published for all to see,” explained Judge Easterbrook, a Reagan appointee who is considered a judicial conservative. “People can adjust their conduct to avoid liability. [In contrast,] a designation by an unnamed official, using unspecified criteria, that is put in a desk drawer, taken out only for use at a criminal trial, and immune from any evaluation by the judiciary, is the sort of tactic usually associated with totalitarian regimes,” he said.

More here.

20 July 1969: One Giant Leap For Mankind

"...One small step for man, one giant leap for mankind."

- Neil Armstrong, 20 July 1969.

Sunday, July 19, 2009

Classic xkcd: Estimation


We love xkcd.

- ferg

Neil Armstrong Remembers the Team Work of Apollo

Neil Armstrong

Via Aviation Week.

Four decades and seven years ago, nine new astronauts arrived in Houston, answering the call for volunteers to fly to the Moon. Their predecessors, the Mercury Seven, the original seven, the magnificent seven, had made a remarkable contribution. They had converted "man in a can" to a genuine manned spacecraft program.

These new kids were novices, the Nearly Normal Nine. They arrived in September, the sultry yellow month. What they found were a very accomplished group of engineers and managers, and a very new organization, not yet solidified but advancing rapidly.

What qualified the Nearly Normal Nine to join the lunar program? They were reasonably well educated for the job. They were reasonably well experienced for the job. They all had an intense passion for the job. And like all the early NASA folks, they would work their tails off. And none of them had the foggiest notion of what it would really take to do the job.

Each was assigned a specialty responsibility: boosters, environmental controls, simulation and training, mission planning and the like. They noodled with people who knew a good deal about certain disciplines - dozens of people with whom they built a strong level of trust. They learned the essence and importance of working as a team.

There were diverse views and frequent disagreements. Then someone would ask, "Now, just what is our goal?" "Man on the Moon by the end of the decade." And that often ended the controversy of the day. It was coming together. They began to believe they just might pull this thing off.

More here.

'Silver Surfers' Targeted in Web Scams

Brett Winterford writes on

Australia's elderly population is being targeted by cyber-criminals, according to panellists at a security conference late last week.

Representatives from the law enforcement, ISP and vendor communities said that with life savings at risk and little experience on the internet, the country's 'silver surfers' are directly in the firing line.

The term 'silver surfers' refers to those consumers using the internet for the first time when over the age of 65.

"The Seniors within the community are the target," said Superintendent Brian Hay of the Queensland Police. "These people with self-managed super funds, they have the money, they are being targeted."

The Queensland Police is currently conducting research to determine why these groups are so often falling victim.

"They are not used to the cyber environment," Hay said.

More here.

Identified: Leader of Chinese Hacker Group That Planned DDoS Attack on CNN in 2008

Via The Dark Visitor.

In April of 2008, we reported Revenge of the Flame’s plan to carry out a DDoS attack on the CNN website. A series of events during that time period enraged the Chinese online community: European nations harshly criticized China’s response to the Tibetan uprising; pro-Tibetan independence protesters in Paris tried to snatch the Olympic torch from the hands of a wheelchair-bound Chinese female athlete; and Jack Cafferty, a CNN commentator, referred to Chinese products as “junk” and called the Chinese government “goons and thugs.” In response to these insults, Anti-CNN called for overseas Chinese in Europe to wave the Chinese flag and raise their voice to the sky.

In response to these same events, a hacker, using the online name cn_magistrate, formed a group called Revenge of the Flame and announced his plan to carry out a DDoS attack on the CNN website. We followed the events as calls went out for Chinese netizens to join the action. We were there when cn_magistrate called off the attack and disbanded the organization. Then he vanished…

More here.