The South African Police Service has released the crime stats for the last financial year. I still need to wrap my head around the numbers, as many of the categories don't seem discrete or intuitive. However, I think the executive summary contains some good insight into the 'threat landscape'. It also backs up several of my 'gut feel' assertions about crime in SA. However, as Russell points out, there may be an independence issue, as the report is "written by the guys whose job is on the line", and I haven't found any information on how the stats were independently verified. I've culled some sections from the executive summary and given them my own headings, formatting and order. Whatever your take on crime in SA, these stats are a good read, and certainly more likely to be accurate, even with bias, than the eight-year-old drivel on Wikipedia.
Continue reading "SA Crime Stats 2008"
Microsoft has released a security advisory detailing three ways to respond to the SQL injection attacks. This advisory doesn't cover a patch, just three tools:
- HP Scrawlr, a lightweight version of HP's WebInspect that will look for SQL injection flaws. I love that they used the Bobby Tables XKCD comic.
- A new version of UrlScan (3.0 beta), the IIS equivalent of mod_security.
- A source code analyser which will identify SQL injection vulns, although it currently only works for ASP and not ASP.NET.
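The tools above either look for, or filter around, the same root cause: a query built by concatenating user input into SQL text. The following is an added example (not from the advisory or from any of the tools listed) that puts the vulnerable pattern beside the fix, using Python and an in-memory SQLite database with a constructed `students` table as a stand-in for the ASP/SQL Server pages the attacks hit. The function names, schema and sample rows are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample schema and data (not from the original post).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [("Alice",), ("Bob",)])
    conn.commit()
    return conn

def find_student_vulnerable(conn, name):
    # Vulnerable pattern: the caller's string is spliced into the SQL text,
    # so quotes and operators in it become part of the query grammar.
    # This is the shape the advisory's source code analyser flags.
    sql = "SELECT id, name FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_student_safe(conn, name):
    # Hardened form: the SQL text is fixed and the value travels as a
    # bound parameter, so the whole string is compared as data only.
    sql = "SELECT id, name FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demonstrate():
    """Return (vulnerable_rows, safe_rows) for one Bobby-Tables-style input."""
    conn = build_db()
    # Constructed input in the style of the XKCD comic the advisory cites:
    # a closing quote followed by a tautology.
    hostile = "x' OR 'a'='a"
    return (find_student_vulnerable(conn, hostile),
            find_student_safe(conn, hostile))

if __name__ == "__main__":
    vulnerable_rows, safe_rows = demonstrate()
    print("concatenated query returned:", vulnerable_rows)   # every row
    print("parameterised query returned:", safe_rows)        # no rows
```

Running it shows the concatenated query returning every student while the parameterised one returns nothing, because no student is literally named `x' OR 'a'='a`. A scanner such as Scrawlr finds the first function from the outside by sending inputs like this; UrlScan tries to block such inputs before they reach it; only the second function removes the flaw.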
Over the last few weeks, we have seen a set of incredibly simple attacks effectively compromise several hundred South African web pages, and several million internationally. Many of the South African sites compromised were important, including major media organisations, several government institutions, large mining houses and even one information security company, who still have not removed the pie from their face. The intention of the attacks was to use the compromised web pages to infect visitors with a variety of malware, most commonly a trojan which attempts to steal as many passwords as it can, including specific references to some internet banking sites.
The response to the incident from both consumers and the affected companies seems to indicate that when it comes to the web in South Africa, nobody cares.
Continue reading "Major SA websites hacked by China - nobody cares about the Web"