Jun 30
The South African Police Services have released the crime stats for the last financial year. I still need to wrap my head around the numbers, as many of the categories don't seem discrete, or intuitive. However, I think the executive summary contains some good insight into the 'threat landscape'. It also backs up several of my 'gut feel' assertions about crime in SA. However, as Russell points out, there may be an independence issue, as the report is "written by the guys whose job is on the line", and I haven't found any information on how the stats were independently verified. I've culled some sections from the executive summary and given them my own headings, formatting and order. Whatever your take on crime in SA, these stats are a good read, and certainly more likely to be accurate, even with bias, than the eight-year-old drivel on Wikipedia.
Continue reading "SA Crime Stats 2008"
Posted by Dominic White
Last modified on 2008-07-01 08:13
Jun 25
Microsoft has released a security advisory detailing three ways to respond to the SQL injection attacks. This advisory doesn't cover a patch, just three tools:
- HP Scrawlr is a lightweight version of HP's WebInspect that will look for SQL injection flaws. I love that they used the Bobby Tables XKCD comic.
- A new version of UrlScan (3.0 beta), the IIS version of mod_security.
- A source code analyser which will identify SQL injection vulns, although it currently only works for ASP and not ASP.NET.
That's pretty awesome, although, as always, these should be used to aid clue, not replace it.
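The pattern the source code analyser hunts for in classic ASP is a SQL string built by concatenating request input. As an added illustration (not Microsoft's tool, nor code from this blog), here is a small Python taint check over a constructed ASP fragment: it flags lines where a SQL literal is joined with `&` to `Request` data or a variable derived from it, and leaves the parameterised ADODB.Command alone.

```python
import re

# Constructed classic-ASP sample (not from the page): two concatenated queries
# that should be flagged, and one parameterised query that should not be.
SAMPLE_ASP = r'''<%
Dim id, name, sql
id = Request.QueryString("id")
name = Request.Form("name")
sql = "SELECT * FROM users WHERE id = " & id
Set rs = conn.Execute(sql)
Set rs2 = conn.Execute("DELETE FROM sessions WHERE sid = '" & Request.Cookies("sid") & "'")
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT * FROM users WHERE name = ?"
cmd.Parameters.Append cmd.CreateParameter("p1", 200, 1, 50, name)
Set rs3 = cmd.Execute
%>'''

STRING_RE = re.compile(r'"[^"]*"')                       # VBScript string literals
REQUEST_RE = re.compile(r'\bRequest(?:\.(?:QueryString|Form|Cookies|ServerVariables))?\s*\(', re.I)
SQL_RE = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_][\w.]*)\s*=\s*(.*)$')


def find_sqli_candidates(source):
    """Return (line_no, text) for lines that concatenate user input into SQL.

    Hypothetical helper: a line-based taint check, not a full parser.
    A variable assigned from Request (or from another tainted variable)
    is tainted; a line with a SQL literal, an '&' outside strings and a
    tainted operand is reported.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = STRING_RE.sub('""', line)   # blank literals so words inside them don't count
        uses_request = bool(REQUEST_RE.search(code))
        uses_tainted = any(re.search(r'\b%s\b' % re.escape(v), code) for v in tainted)
        if SQL_RE.search(line) and '&' in code and (uses_request or uses_tainted):
            findings.append((lineno, line.strip()))
        m = ASSIGN_RE.match(line)
        if m and (uses_request or uses_tainted):
            tainted.add(m.group(1))        # propagate taint to the assigned variable
    return findings


if __name__ == "__main__":
    for lineno, text in find_sqli_candidates(SAMPLE_ASP):
        print("line %d: %s" % (lineno, text))
```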
Posted by Dominic White
Jun 22
We had our second Johannesburg GeekDinner yesterday. We're keeping it small until we build a dedicated team/community, so it was more of a GeekLunch. Unfortunately, I missed Yusuf's talk, on why CSS is rubbish, due to a mistimed afternoon nap, but Tristan's on per-user app DBs for scalability was certainly an interesting challenge to the status quo, and his knowledge certainly carried him through his last minute volunteering. I did some live demoing of 0wning a browser with XSS Proxy. We got some serious geek all over the place, which was great, and I think this will grow into something good. Shehnaaz's hand made (from scratch) pizzas were amazing, and she was a gracious host along with Yusuf. The next one has been planned, but we're keeping it invite only until we have it more stable, thanks to nVent for volunteering.
Posted by Dominic White
Last modified on 2008-06-22 20:22
Jun 6
Over the last few weeks, we have seen a set of incredibly uncomplicated and simple attacks effectively compromise several hundred South African web pages, and several million internationally. Many of the South African sites compromised were important; including major media organisations, several government institutions, large mining houses and even one information security company, who still have not removed the pie from their face. The intention of the attacks was to use the compromised web pages to infect visitors with a variety of malware, but most commonly, a trojan which attempts to steal as many passwords as it can, including specific references to some internet banking sites.

The response to the incident from both consumers and the affected companies seems to indicate that when it comes to the web in South Africa, nobody cares.
Continue reading "Major SA websites hacked by China - nobody cares about the Web"
Posted by Dominic White
Last modified on 2008-06-06 09:44
Jun 6
The guys over at the Mail & Guardian invited me to write for their TechLeader group blog, it is available here. I will be reposting content here after it goes live there. The audience is more technical and less security-focused, and the writing will attempt to reflect that.
Posted by Dominic White
Last modified on 2008-06-07 01:33
Jun 2
I've been ranting about the SQL injections for a while now. While infecting your visitors with malicious software semi-silently generally doesn't put the pressure on the right people (i.e. the externality lies on the infected user not the infecting business), having your organisation blacklisted by Google shifts that externality. Here are the screenshots of Google warning me that the South African Broadcasting Company (SABC) may harm my computer. Check it yourself by googling 'sabc'. At the time of writing, the SABC had fixed the page.
Continue reading "SABC Blacklisted by Google"
Posted by Dominic White
Last modified on 2008-06-04 08:36
Jun 2
After my previous entry on EMV cards, Grant pointed me to this wonderful site, complete with wonderful PDF, neatly breaking down all the many reasons why EMV cards are broken. Well worth a read, especially if you are a Ross Anderson fan-boy.
Posted by Dominic White