Someone in MI5 is pissed off at China:
In an unprecedented alert, the Director-General of MI5 sent a confidential letter to 300 chief executives and security chiefs at banks, accountants and legal firms this week warning them that they were under attack from “Chinese state organisations.”
Firms known to have been compromised recently by Chinese attacks are one of Europe’s largest engineering companies and a large oil company, The Times has learnt. Another source familiar with the MI5 warning said, however, that known attacks had not been limited to large firms based in the City of London. Law firms and other businesses in the regions that deal even with only small parts of Chinese-linked deals are being probed as potential weak spots, he said.
A security expert who has also seen the letter said that among the techniques used by Chinese groups were “custom Trojans”, software designed to hack into the network of a particular firm and feed back confidential data. The MI5 letter includes a list of known “signatures” that can be used to identify Chinese Trojans and a list of internet addresses known to have been used to launch attacks.
A big study gave warning this week that Government and military computer systems in Britain are coming under sustained attack from China and other countries. It followed a report presented to the US Congress last month describing Chinese espionage in the US as so extensive that it represented “the single greatest risk to the security of American technologies.”
EDITED TO ADD (12/13): The Onion comments.
EDITED TO ADD (12/14): At first, I thought that someone in MI5 was pissed off at China. But now I think that someone in MI5 was pissed that he wasn’t getting any budget.
Posted on December 4, 2007 at 12:34 PM
I don’t know if this story is true:
Portable hard discs sold locally and produced by US disk-drive manufacturer Seagate Technology have been found to carry Trojan horse viruses that automatically upload to Beijing Web sites anything the computer user saves on the hard disc, the Investigation Bureau said.
Around 1,800 of the portable Maxtor hard discs, produced in Thailand, carried two Trojan horse viruses: autorun.inf and ghost.pif, the bureau under the Ministry of Justice said.
The tainted portable hard disc uploads any information saved on the computer automatically and without the owner’s knowledge to www.nice8.org and www.we168.org, the bureau said.
EDITED TO ADD (12/14): A first-hand account.
Posted on November 20, 2007 at 12:52 PM
What is it with sports and spying this month? Now it’s the Chinese spying on the Danish women’s soccer team.
Posted on September 18, 2007 at 2:05 PM
The study, carried out by graduate student Earl Barr and colleagues in the computer science department of UC Davis and the University of New Mexico, exploited the workings of the Chinese firewall to investigate its effectiveness.
Unlike many other nations, Chinese authorities do not simply block webpages that discuss banned subjects such as the Tiananmen Square massacre.
Instead the technology deployed by the Chinese government scans data flowing across its section of the net for banned words or web addresses.
When the filtering system spots a banned term it sends instructions to the source server and destination PC to stop the flow of data.
Mr Barr and colleagues manipulated this to see how far inside China’s net messages containing banned terms could reach before the shutdown instructions were sent.
The team used words taken from the Chinese version of Wikipedia to load the data streams that were then despatched into China’s network. If a data stream was stopped, a technique known as “latent semantic analysis” was used to find related words to see if they too were blocked.
The researchers found that the blocking did not happen at the edge of China’s network but often was done when the packets of loaded data had penetrated deep inside.
Blocked were terms related to the Falun Gong movement, Tiananmen Square protest groups, Nazi Germany and democracy.
On about 28% of the paths into China’s net tested by the researchers, blocking failed altogether, suggesting that web users would browse unencumbered at least some of the time.
Filtering and blocking was “particularly erratic” when lots of China’s web users were online, said the researchers.
Posted on September 14, 2007 at 7:52 AM
The story seems to have started yesterday in the Financial Times, and is now spreading.
Not enough details to know what’s really going on, though. From the FT:
The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.
The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.
Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People’s Liberation Army.
One senior US official said the Pentagon had pinpointed the exact origins of the attack. Another person familiar with the event said there was a “very high level of confidence…trending towards total certainty” that the PLA was responsible. The defence ministry in Beijing declined to comment on Monday.
EDITED TO ADD (9/13): Another good commentary.
Posted on September 4, 2007 at 10:44 AM
Richard Clayton is presenting a paper (blog post here) that discusses how to defeat China’s national firewall:
…the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsidiary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection—and obey. Hence the censorship occurs.
However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this—and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall—just shut your eyes and walk onto Platform 9¾.
Ignoring resets is trivial to achieve by applying simple firewall rules… and has no significant effect on ordinary working. If you want to be a little more clever you can examine the hop count (TTL) in the reset packets and determine whether the values are consistent with them arriving from the far end, or if the value indicates they have come from the intervening censorship device. We would argue that there is much to commend examining TTL values when considering defences against denial-of-service attacks using reset packets. Having operating system vendors provide this new functionality as standard would also be of practical use because Chinese citizens would not need to run special firewall-busting code (which the authorities might attempt to outlaw) but just off-the-shelf software (which they would necessarily tolerate).
Posted on June 27, 2006 at 1:13 PM
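The TTL check Clayton suggests in the post above, as an added example that is neither his code nor Schneier's: a detector that learns the TTL of each direction of a connection from its first non-RST segment (normally the SYN or SYN/ACK) and flags any RST whose TTL is inconsistent with it, the signature of a reset forged by a device sitting between the two ends. The packet records, the `Pkt` type and the addresses are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Pkt:
    """One observed TCP segment: addresses, TCP flags and the IP TTL on arrival."""
    src: str
    dst: str
    flags: str   # tcpdump-style letters: S=SYN, A=ACK, R=RST, P=PSH
    ttl: int

def detect_injected_resets(packets: List[Pkt], tolerance: int = 2) -> List[Tuple[int, int]]:
    """Return (packet_index, expected_ttl) for every RST whose TTL differs from the
    TTL learned for the same (src, dst) direction by more than `tolerance`.
    The baseline for a direction is the TTL of the first non-RST segment seen there,
    so a RST spoofed by a box closer to us than the real peer arrives with a TTL
    noticeably higher than the peer's own packets (it crossed fewer hops)."""
    baseline: Dict[Tuple[str, str], int] = {}
    flagged: List[Tuple[int, int]] = []
    for i, p in enumerate(packets):
        key = (p.src, p.dst)
        if "R" in p.flags:
            expected = baseline.get(key)
            if expected is not None and abs(p.ttl - expected) > tolerance:
                flagged.append((i, expected))
            continue                      # never learn a baseline from a RST
        baseline.setdefault(key, p.ttl)   # first legitimate segment per direction wins
    return flagged

# Constructed sample, as captured on the client side. 203.0.113.7 is a
# documentation-range address standing in for the remote server.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
SAMPLE = [
    Pkt(CLIENT, SERVER, "S", 64),    # 0: our SYN, TTL as sent locally
    Pkt(SERVER, CLIENT, "SA", 50),   # 1: SYN/ACK from the real peer, 14 hops away
    Pkt(CLIENT, SERVER, "PA", 64),   # 2: request carrying the data
    Pkt(SERVER, CLIENT, "R", 58),    # 3: RST claiming to be the peer, but only 6 hops away
    Pkt(SERVER, CLIENT, "PA", 50),   # 4: the real response keeps arriving afterwards
    Pkt(SERVER, CLIENT, "RA", 50),   # 5: a genuine RST from the peer, same path as before
]

def flagged_indices(packets: List[Pkt] = SAMPLE) -> List[int]:
    """Indices of RST segments judged inconsistent with the learned path length."""
    return [i for i, _ in detect_injected_resets(packets)]

if __name__ == "__main__":
    for i, expected in detect_injected_resets(SAMPLE):
        p = SAMPLE[i]
        print(f"packet {i}: RST from {p.src} has TTL {p.ttl}, expected about {expected}")
```

The tolerance absorbs small legitimate TTL changes from route flaps; a real deployment would key the baseline on the full four-tuple rather than just the address pair.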
We’ve talked about counterfeit money, counterfeit concert tickets, counterfeit police credentials, and counterfeit police departments. Here’s a story about a counterfeit company:
Evidence seized in raids on 18 factories and warehouses in China and Taiwan over the past year showed that the counterfeiters had set up what amounted to a parallel NEC brand with links to a network of more than 50 electronics factories in China, Hong Kong and Taiwan.
In the name of NEC, the pirates copied NEC products, and went as far as developing their own range of consumer electronic products – everything from home entertainment centers to MP3 players. They also coordinated manufacturing and distribution, collecting all the proceeds.
Posted on May 1, 2006 at 8:02 AM
Here are the side-by-side search results for “tiananmen” on google.com and google.cn.
Posted on February 3, 2006 at 2:01 PM
Seems that the censorship service that Google has set up at China’s request suffers from a trivial bug: if you type your searches using capital letters, you bypass the censor.
This’ll be fixed real soon, I’m sure.
Posted on January 31, 2006 at 3:00 PM
There seems to be a well-organized Chinese military hacking effort against the U.S. military. The U.S. code name for the effort is “Titan Rain.” The news reports are spotty, and more than a little sensationalist, but I know people involved in this investigation—the attackers are very well-organized.
Posted on December 13, 2005 at 4:39 PM