Stuxnet Could Be Chinese Hit on India's Space Program

Stuxnet and Wikileaks were the top news last week. Questions still abound as to who created Stuxnet.

Many believe that it was Israel, but now some are saying that it could be China, and the intended target was not an Iranian power plant, but India’s space program. 

The question remains though if Stuxnet attacks Windows based vulnerabilities, how is Iran even using the software, if Microsoft can’t export to Iran?

But what most experts will agree that the sophistication of Stuxnet fairly limits the country source of origin. Computer Security company Eset Security released an in-depth technical analysis (PDF format) of the cyber weapon called “Stuxnet Under the Microscope”.

Wikileaks does it again. But this time they released nearly 400,000 classified reports on the Iraq war.

Wired.com had some great articles on the release. Superbombs and Secret Jails: What to Look for in WikiLeaks’ Iraq Docs talks about Iran’s involvement in the Iraq war.

And thanks to Wikileaks, we now have proof that there were Weapons of Mass Destruction found in Iraq.

One would wonder how Wikileaks could get away with taunting the United States. In the past, Wikileaks used servers in a converted Swedish cold war nuclear bunker to host their data.

But in a brazen move, recently used mirrors in not only Ireland and France, but also used Amazon.com in the US.

The document release was not without incident though. According to one report, Wikileaks was hacked by a very skilled hacker prior to the publication.

Lastly, should cyber-attacks against a NATO nation trigger a physical response?

If they are included in Article 5 of the North Atlantic Treaty they could, according to a Miller-Mccune article.

NATO countries will discuss this next month at its annual conference. I just hope they take Russian Col.

Anatoly Tsyganok comments to heart when they do, “These attacks have been quite successful, and today the alliance has nothing to oppose Russia’s virtual attacks.”

Cross-posted from Cyber Arms

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Stuxnet Could Be Chinese Hit on India's Space Program

Stuxnet and Wikileaks were the top news last week. Questions still abound as to who created Stuxnet.

Many believe that it was Israel, but now some are saying that it could be China, and the intended target was not an Iranian power plant, but India’s space program. 

The question remains though if Stuxnet attacks Windows based vulnerabilities, how is Iran even using the software, if Microsoft can’t export to Iran?

But what most experts will agree that the sophistication of Stuxnet fairly limits the country source of origin. Computer Security company Eset Security released an in-depth technical analysis (PDF format) of the cyber weapon called “Stuxnet Under the Microscope”.

Wikileaks does it again. But this time they released nearly 400,000 classified reports on the Iraq war.

Wired.com had some great articles on the release. Superbombs and Secret Jails: What to Look for in WikiLeaks’ Iraq Docs talks about Iran’s involvement in the Iraq war.

And thanks to Wikileaks, we now have proof that there were Weapons of Mass Destruction found in Iraq.

One would wonder how Wikileaks could get away with taunting the United States. In the past, Wikileaks used servers in a converted Swedish cold war nuclear bunker to host their data.

But in a brazen move, recently used mirrors in not only Ireland and France, but also used Amazon.com in the US.

The document release was not without incident though. According to one report, Wikileaks was hacked by a very skilled hacker prior to the publication.

Lastly, should cyber-attacks against a NATO nation trigger a physical response?

If they are included in Article 5 of the North Atlantic Treaty they could, according to a Miller-Mccune article.

NATO countries will discuss this next month at its annual conference. I just hope they take Russian Col.

Anatoly Tsyganok comments to heart when they do, “These attacks have been quite successful, and today the alliance has nothing to oppose Russia’s virtual attacks.”

Cross-posted from Cyber Arms

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

McAfee reseller program update adds new incentives, rewards

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy

View the original article here

McAfee reseller program update adds new incentives, rewards

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy

View the original article here

Google extends bounty program for Web application bugs

Search giant Google Inc. Monday extended its Google bug bounty program, adding rewards for bug hunters who find serious Web application flaws in Blogger, Orkut and YouTube.

The move is an expansion of Google's current bounty program, which was launched in February to reward security researchers who reported Chrome browser flaws. Google said it would reward as much as $3,133.70 for significant flaw finds. The number pays homage to "eleet," sometimes identified as 31337, an alternative alphabet used by coders on the Internet.

"Any Google Web properties that display or manage highly sensitive authenticated user data or accounts may be in scope," Google said in an announcement on its security blog. "For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. We may expand the program in the future."

Google said it is difficult to provide a definitive list of vulnerabilities eligible for a reward, but added a number of categories that would be rewarded, including cross-site scripting errors, cross-site request forgery flaws and authorization bypass bugs. To be eligible for a reward, researchers must privately report the bugs using Google's security contact list.

"It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered," Google said. "Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release."

The base reward for qualifying bugs is $500. At each bug hunter's discretion, Google will publicly credity the finds if the flaws are deemed legitimate. Google said each submission will be evaluated by a security expert panel, which "may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward." In addition, bug hunters can donate rewards to charity, through Google.

Google said it chose to extend the bounty program for Web application bugs because it received a sustained increase in the number of high-quality reports from researchers on bugs found in the Chromium browser, the open source browser on which Google Chrome is based. Those bugs can be reported using the Chromium bug tracker system and include flaws discovered using plug-ins shipped with the Chrome browser by default.

Some other software makers offer similar programs. Mozilla announced its Security Bug Bounty Program in 2004, funded by Linux distributor Linspire (now owned by Xandros Inc.) and Mark Shuttleworth, the founder of the Ubuntu Project. Under Mozilla's program, reporters of valid, critical security bugs nowreceive a $3,000 cash reward and a Mozilla T-shirt. The maximum cash reward was increased from $500 in July.

By contrast, Microsoft refuses to reward bug hunters with cash prizes. In an announcement in July regarding responsible disclosure, Dave Forstrom, director of Microsoft's Trustworthy Computing Program, said such programs run counter to Microsoft's vulnerability research efforts and ultimately don't help the customer.

"We don't think it's in the customer's best interest to offer a per-vulnerability bounty," Forstom said in an earlier interview. "There are a number of ways that we work with the researcher community that we think best serves the community: everything from acknowledging our work together, to all of the sponsorships of conferences that we do further develops the community."

View the original article here