Archive for the ‘Vulnerabilities’ Category

Forbes: Stuxnet may be of Chinese Origin

December 15th, 2010

A logical alternative theory of who targeted Iran:

In 2008, China decided to assist the IAEA inspectors after it learned that Iran was in possession of blueprints to shape uranium metal into warheads, according to this article in The Telegraph. That same article discloses that Chinese designs for centrifuges were discovered in Iran, supplied via Pakistan’s AQ Khan.

On April 13, 2010, Beijing reiterated its opposition to Iran’s goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counter-productive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz’ centrifuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S. It’s both simple and elegant.

Bottom line: we’ll never know unless someone comes forward.


Unannounced Ethical Hacking

March 25th, 2010

The French Twitter hacker claimed it was an ethical hack. This defense has rarely been credible in the US since 9/11 due to the uptick in professional services and change in cultural mindset.

… he wanted to reveal just how vulnerable online data systems are to break-ins — and he says he didn’t mean any harm. “I’m a nice hacker,” suspect Francois Cousteix told France 3 television Thursday, a day after he was released from police questioning, adding that his goal was to warn Internet users about data security.

Here is why I no longer report security vulnerabilities I find.


NYT: Wrong about China Security

February 12th, 2010

The New York Times ran a story on how China is under constant security attacks and how vulnerable their infrastructure may be:

Despite China’s robust technological abilities, its cyber defenses are almost certainly more porous than those of the United States, American experts say. To cite one glaring example, even Chinese government computers are frequently equipped with pirated software from Microsoft, they say. That means many users miss out on security upgrades, available to paying users, that fix security breaches exploited by hackers. (emphasis mine)

100% WRONG: Paul Cooke from Microsoft states on the Windows Security Blog:

There seems to be a myth that Microsoft limits security updates to genuine Windows users.

Let me be clear: all security updates go to all users.

Not only do all security updates go to all users’ systems, but non-genuine Windows systems are able to install service packs, update rollups, and important reliability and application compatibility updates. In addition, the users of non-genuine Windows systems can also upgrade a lot of the other software on their computer.

Given my experiences in South Korea/Asia, this porousness is more likely due to a lack of policy, a lack of enforcement of existing policy and a non-priority given to information security than to pirated Windows software. Non-uniform policies and application of security resources as well as little respect and lack of education by those under the infosec policies are also primary factors. Most infosec professionals in the US experience something akin to the following at one point or another:

Deep inside a Chinese military engineering institute in September 2008, a researcher took a break from his duties and decided — against official policy — to check his private e-mail messages. Among the new arrivals was an electronic holiday greeting card that purported to be from a state defense office.

The researcher clicked on the card to open it. Within minutes, secretly implanted computer code enabled an unnamed foreign intelligence agency to tap into the databases of the institute in the city of Luoyang in central China and spirit away top-secret information on Chinese submarines.

It’s just not a unique Chinese situation.


SPAM used to sway UK Tax election outcome

February 12th, 2010

It is alleged that Goldman Sachs did this in London:

The Robinhood Tax campaign claimed that one of the two computers used to spam the Internet poll with “no” votes on Thursday, belonged to the investment bank.

Technical staff for the Robinhoodtax.org.uk said that the website registered more than 4,600 negative votes over a 20-minute period starting at 3.41pm.

The number of “no” votes jumped from 1,400 to 6000 before the site’s security was tightened.

I wrote about this possibility — although using a different technique to simply change public opinion — back in 2008 for the US presidential elections.


Breaking Prison InfoSec Controls

February 11th, 2010

There is a debate in the UK whether prisoners should have the right to internet access, including social media sites like Facebook. From that debate comes the following way around normal prison internet security controls:

British prisoners are banned from using social networking sites like Facebook. Britain — unlike many European countries — bars almost all inmates from access to the Internet, except for educational purposes under supervision. But authorities acknowledge that some have used smuggled mobile phones to update their pages, or have gotten friends on the outside to do it for them.

This obviously works at almost any corporate entity too.
