Category Archives: Vulnerabilities

NYT: Wrong about China Security

The New York Times ran a story on how China is under constant security attacks and how vulnerable their infrastructure may be:

Despite China’s robust technological abilities, its cyber defenses are almost certainly more porous than those of the United States, American experts say. To cite one glaring example, even Chinese government computers are frequently equipped with pirated software from Microsoft, they say. That means many users miss out on security upgrades, available to paying users, that fix security breaches exploited by hackers. (emphasis mine)

100% WRONG: Paul Cooke from Microsoft states on the Windows Security Blog:

There seems to be a myth that Microsoft limits security updates to genuine Windows users.

Let me be clear: all security updates go to all users.

Not only do all security updates go to all users’ systems, but non-genuine Windows systems are able to install service packs, update rollups, and important reliability and application compatibility updates. In addition, the users of non-genuine Windows systems can also upgrade a lot of the other software on their computer.

Given my experiences in South Korea/Asia, this porousness is more likely due to a lack of policy, a lack of enforcement of existing policy and a non-priority given to information security than to pirated Windows software. Non-uniform policies and application of security resources as well as little respect and lack of education by those under the infosec policies are also primary factors. Most infosec professionals in the US experience something akin to the following at one point or another:

Deep inside a Chinese military engineering institute in September 2008, a researcher took a break from his duties and decided — against official policy — to check his private e-mail messages. Among the new arrivals was an electronic holiday greeting card that purported to be from a state defense office.

The researcher clicked on the card to open it. Within minutes, secretly implanted computer code enabled an unnamed foreign intelligence agency to tap into the databases of the institute in the city of Luoyang in central China and spirit away top-secret information on Chinese submarines.

It’s just not a uniquely Chinese situation.

SPAM used to sway UK Tax election outcome

It is alleged that Goldman Sachs did this in London:

The Robinhood Tax campaign claimed that one of the two computers used to spam the Internet poll with “no” votes on Thursday, belonged to the investment bank.

Technical staff for the Robinhoodtax.org.uk said that the website registered more than 4,600 negative votes over a 20-minute period starting at 3.41pm.

The number of “no” votes jumped from 1,400 to 6000 before the site’s security was tightened.

I wrote about this possibility — although using a different technique to simply change public opinion — back in 2008 for the US presidential elections.

Breaking Prison InfoSec Controls

There is a debate in the UK over whether prisoners should have the right to internet access, including social media sites like Facebook. From that debate comes the following way around normal prison internet security controls:

British prisoners are banned from using social networking sites like Facebook. Britain — unlike many European countries — bars almost all inmates from access to the Internet, except for educational purposes under supervision. But authorities acknowledge that some have used smuggled mobile phones to update their pages, or have gotten friends on the outside to do it for them.

This obviously works at almost any corporate entity too.