Wednesday, October 28, 2009

Programming Note: Off to Taipei For a Few Days...

Taipei, Taiwan, and the Taipei 101 Skyscraper

Blogging will be mostly non-existent for a few days (beginning today) while business calls me away to Taiwan.

I'll be back on Sunday, so blogging should get back to normal (whatever that is) soon thereafter.

Thanks for reading.


- ferg

Tuesday, October 27, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Tuesday, Oct. 27, 2009, at least 4,352 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,475 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two fewer than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

As of Tuesday, Oct. 27, 2009, at least 814 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Tuesday at 10 a.m. EDT.

Of those, the military reports 631 were killed by hostile action.

More here and here.

Honor the Fallen.

MAAWG's Mission Evolving As Botnets, Web Threats Intensify

Kelly Jackson Higgins writes on Dark Reading:

ISPs and vendors here at the mostly closed-door Messaging Anti-Abuse Working Group (MAAWG) meeting this week shared data and research on more than just email abuse -- botnets, Web-borne attacks, social networks, and wireless threats were also among the topics for ISPs and email providers.

Spam and malicious email have been gradually declining as more stealthy and efficient Web-borne attacks have become a popular choice for the bad guys. MAAWG ISPs and vendors yesterday reported slight drops in email abuse, but it's still steady at around 90 percent of all email traffic.

"Email [abuse] will remain substantial," says Michael O'Reirdan, chairman of MAAWG and distinguished engineer in national engineering and technical operations at a major U.S. ISP. Even so, O'Reirdan says he'd like for MAAWG to change its name to more than a messaging title to better reflect the evolving threats to ISPs and their users.

Other MAAWG members, such as Cisco, note that malware distribution via email has become less of a threat in developed countries. "Email as a malware distribution [vector] is somewhat dead except in emerging economies," says Henry Stern, senior security researcher for Cisco's IronPort team. G-20 countries are now sending anywhere from 20 to 40 percent less spam this year than last, he says.

More here.

Firefox 3.5.4 Released

Get it now.

Fixed in Firefox 3.5.4:

MFSA 2009-64 Crashes with evidence of memory corruption (rv:
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing
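The RTL-override filename spoof behind MFSA 2009-62 is easy to check for on your own side of the download. The following is an added example written for this post, not code from Mozilla or from the advisory: it flags Unicode bidi control characters in a filename, shows roughly how a bidi-aware renderer would display the name, and recovers the extension the operating system will actually use. The sample filenames are constructed, and the rendering model only covers U+202E (enough to show why the trick works).

```python
# Added example (not from the Mozilla advisory or this blog post): detect
# Unicode bidi-override characters in download filenames, the trick behind
# MFSA 2009-62, and recover the extension the OS will actually use.
import unicodedata

# Explicit bidi control characters that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c",  # POP DIRECTIONAL FORMATTING
    "\u202d",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE (the one used in the spoof)
    "\u2066",  # LEFT-TO-RIGHT ISOLATE
    "\u2067",  # RIGHT-TO-LEFT ISOLATE
    "\u2068",  # FIRST STRONG ISOLATE
    "\u2069",  # POP DIRECTIONAL ISOLATE
    "\u200e",  # LEFT-TO-RIGHT MARK
    "\u200f",  # RIGHT-TO-LEFT MARK
}


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a bidi-aware renderer shows: text after a
    RIGHT-TO-LEFT OVERRIDE (U+202E) is drawn reversed until the next
    POP DIRECTIONAL FORMATTING (U+202C) or the end of the string.
    Only U+202E is modelled here; that is enough to show the spoof."""
    out = []
    i = 0
    while i < len(name):
        if name[i] == "\u202e":
            j = name.find("\u202c", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])  # this run appears reversed
            i = j + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def sanitize(name):
    """Strip every bidi control so stored and displayed order agree."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name):
    """Extension the OS uses: it splits the stored (logical) string, not the
    displayed one, so the last dot in the sanitized name is what counts."""
    clean = sanitize(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def check_download(name):
    """Summarize a proposed download filename for a policy decision."""
    hits = find_bidi_controls(name)
    return {
        "stored": name,
        "displayed": displayed_name(name),
        "real_extension": real_extension(name),
        "suspicious": bool(hits),
        "controls": hits,
        "safe_name": sanitize(name),
    }


if __name__ == "__main__":
    # Constructed sample: looks like "holiday_photoexe.jpg", is really an .exe
    for n in ("holiday_photo\u202egpj.exe", "report.pdf"):
        print(check_download(n))
```

The practical rule is the one `check_download` encodes: decide on the stored string, never on what the user saw, and either reject names containing bidi controls or strip them before showing the name in a prompt.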

- ferg

Internet Phone Systems Become the Fraudster's Tool

Robert McMillan writes on PC World:

Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.

In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.

The victims typically bank with smaller regional institutions, which typically have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victim's bank accounts.

Hackers made headlines for breaking into phone company systems more than 20 years ago -- a practice that was known as phreaking -- but as the traditional telephone system has become integrated with the Internet, it's creating new opportunities for fraud that are only just beginning to be understood.

More here.

Monday, October 26, 2009

FBI: Cyber Crooks Stole $40M From U.S. Small, Mid-Sized Firms

Brian Krebs writes on Security Fix:

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries like Moldova, Russia and Ukraine.

Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, said criminals involved in these online account takeovers have attempted to steal at least $85 million from mostly small and medium-sized businesses, and have successfully made off with about $40 million of that money.

Normally, the FBI isn't eager to discuss losses, or even acknowledge the existence of specific cases. What's more, the agency is keen to avoid making any statements that might spook consumers or businesses away from online banking. But Chabinsky said the FBI is taking the unusual step of floating financial loss figures in order to grab the attention of those most at risk so they can adopt safeguards.

More here.
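The transfer pattern Krebs describes (a burst of payments from one business account, each kept just under a reporting threshold, fanned out to many fresh recipients) is something a bank or a company's own treasury team can look for. The following is an added example and not code from the FBI, Security Fix, or any bank: it scans a constructed list of outbound transfers for runs of near-threshold payments from one source inside a time window. The threshold, band, window and minimum run length are all assumptions exposed as parameters; the $10,000 figure comes from the article.

```python
# Added example, not from the FBI or Security Fix: flag "structured" outbound
# transfers -- several payments from one account, each just under a reporting
# threshold, close together in time, spread across many destinations.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data with hypothetical account names:
# (timestamp, source account, destination account, amount in USD)
SAMPLE_TRANSFERS = [
    ("2009-10-20 09:02", "ACME-OPS", "MULE-01", 9850.00),
    ("2009-10-20 09:05", "ACME-OPS", "MULE-02", 9700.00),
    ("2009-10-20 09:11", "ACME-OPS", "MULE-03", 9925.00),
    ("2009-10-20 09:14", "ACME-OPS", "MULE-04", 9600.00),
    ("2009-10-20 11:30", "ACME-OPS", "VENDOR-A", 2400.00),   # ordinary payment
    ("2009-10-20 10:00", "BAKERY-LLC", "SUPPLIER", 9900.00),  # single, legitimate
    ("2009-10-21 10:00", "BAKERY-LLC", "PAYROLL", 18500.00),  # above threshold
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def find_structuring(transfers, threshold=10000.0, band=0.15,
                     window=timedelta(hours=24), min_run=3):
    """Return {source: [(first_ts, last_ts, count, total, destinations), ...]}
    for every run of at least `min_run` transfers from one source where each
    amount lies in [threshold * (1 - band), threshold) and every transfer in
    the run falls within `window` of the first one."""
    by_source = defaultdict(list)
    for ts, src, dst, amt in transfers:
        if threshold * (1 - band) <= amt < threshold:
            by_source[src].append((parse(ts), dst, amt))

    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        i = 0
        while i < len(rows):
            # extend the run as far as the window allows from rows[i]
            j = i
            while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
                j += 1
            run = rows[i:j + 1]
            if len(run) >= min_run:
                alerts.setdefault(src, []).append((
                    run[0][0],
                    run[-1][0],
                    len(run),
                    round(sum(r[2] for r in run), 2),
                    sorted({r[1] for r in run}),  # many distinct recipients = mules
                ))
                i = j + 1
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for src, runs in find_structuring(SAMPLE_TRANSFERS).items():
        for first, last, count, total, dests in runs:
            print(f"{src}: {count} transfers, ${total:,.2f} between "
                  f"{first:%H:%M} and {last:%H:%M} to {dests}")
```

Tune `band` and `min_run` against real history before alerting on it; a business that routinely pays several near-threshold invoices in a morning will otherwise generate noise, while the number of never-before-seen destinations in a run is usually the stronger signal.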