Shoe on the other foot? Chinese websites exposed to hackers

The Washington Times Weekly - Geopolitics - By Shaun Waterman

China is known as an aggressor in cyberspace, but hundreds of Beijing’s own government networks are vulnerable to cyberattack, says one security expert whose hobby is finding back doors into Chinese computer systems.

Among the systems that hackers have penetrated is a database containing personal details, including email addresses, cellphone and passport numbers, and even psychological test results, of 11,000 people, including thousands of Americans.

The database, maintained by the state agency that recruits foreign specialists to work in China, was breached by hackers last year, according to U.S. security researcher Dillon Beresford.

But many of the Americans in the database did not know their details were there and had been accessed by hackers.

Other vulnerable networks Mr. Beresford found include the website of the Beijing-based Institute for High Energy Physics and the computer systems of hundreds of other government agencies and departments using poorly configured Internet telephones, webcams and other devices. Spies could use these devices to eavesdrop on the Chinese government or military offices where they are installed.

Chinese computer security officials confirmed Mr. Beresford’s findings in emails to The Washington Times.

Over the April 23-24 weekend, Mr. Beresford sent Chinese authorities a detailed account of the vulnerabilities in the database, maintained by the State Administration of Foreign Experts Affairs (SAFEA), and a portion of the personal data he downloaded on the 11,000 people.

“It took me 20 minutes to discover the vulnerability, hack the website and download the entire database,” Mr. Beresford told The Times.

He Shiping of China’s Computer Emergency Response Team (CN-CERT) acknowledged in email to The Times “many incredible mistakes” in the SAFEA database. He called it “amazing.”

The computer network administrator for SAFEA, Fu Junsheng, told The Times via email that he dealt with the problem as soon as Mr. Beresford raised the alarm.

“We have done [the] necessary patching to ensure [the security of the database],” he insisted. “After checking our system logs carefully, we are sure that the data has not been visited by any non-authorized people.”

But Mr. Beresford said the personal data of the 11,000 people in the database already had been stolen. “Somebody was definitely there before me,” he said.

He explained that the computer code the attackers used, probably last year, was visible in the database when he downloaded it. He said an attacker could have tampered with the logs to hide evidence of the breach.

Mr. Fu did not respond by press time to a request for clarification.

In his initial email, Mr. Fu said the agency would be notifying people in the database “to pay attention to personal privacy protection” and “will also continue to take measures to effectively protect the privacy of our users in the future.”

Mr. Beresford told The Times that he contacted several U.S. citizens listed in the database and none of them said they had received any notification from SAFEA. Although they had visited China at some time, they said, they were mystified about how their information came to be in the database.

“It is not clear who entered this data,” Mr. Beresford said, adding that some entries appeared to be from job applicants.

Mr. Beresford said vulnerabilities like those in the SAFEA database were rife on Chinese government and private-sector networks.

He said computer administrators at another Chinese state agency, the Institute for High Energy Physics, part of the Chinese Academy of Science, had “not updated their [Web] server for a couple of years.” The program they use to run the site was outdated and vulnerable to being hacked.

“You could get in” to the institute’s Web server using that flaw and then “access any computer that’s connected to the [institute’s] internal network,” he said.

He added that a similar security risk existed on the network of a high-security defense institution, which he declined to name because he had not had the opportunity to notify them of the breach.

Mr. Beresford said he was acting out of a desire to improve computer security and transparency about it in China.

“I am notifying them of everything I find,” he said. “I am trying to go through the proper channels.”

In recent days, he has sent Chinese authorities a steady stream of email messages about the vulnerabilities that he finds using custom-designed tools that automatically scan the Internet looking for flaws and other gaps in security.

U.S. intelligence officials think China’s military collaborates with hacker groups in conducting widespread industrial espionage and other spying against foreign firms.

But the vulnerabilities Mr. Beresford has uncovered reveal another aspect of the picture.

Despite the enormous efforts of the Chinese government to lock down the Internet in their country against dissenters and enemies, government computer networks there are vulnerable in many of the same ways as their Western counterparts.

The vulnerabilities exposed by Mr. Beresford also have implications for Chinese national security.

He has provided Chinese authorities with a list of 12,000 devices, including webcams, computer routing switches and Internet telephones, that are using a vulnerable version of a special software program called VxWorks.

The program controls the devices. But in the vulnerable version, an attacker can get control and turn webcams into surveillance cameras and Internet phones into eavesdropping devices, Mr. Beresford said.

He said it was difficult to tell exactly in which departments or agencies the vulnerable devices were located, but many of them were on networks used by the Chinese military. “You could eavesdrop on any office where a computer that is using one of these devices is located,” he said.

Mr. Beresford said he hoped the impact of his work would encourage Beijing to “tone down its aggression in cyberspace” and improve relations between security researchers in China and the U.S. “Both countries are vulnerable,” he said.
