The Dark Visitor » China internet

Shanghai Jiaotong named as a source in Google compromise

jumper — Fri, 19 Feb 2010 15:59:35 +0000

Loyal readers of TDV may remember Heike’s post about Peng Yinan, aka Coolswallow of Javaphile. According to this NY Times article, the school that Yinan has occasionally taught at was discovered to have been involved in the Google compromise revealed last month. At this point, it is only the IP addresses that seem to link the school to the compromise but it is an interesting coincdence that one of the most prolific Chinese hackers has a close connection to the school.

There are many possibilities for SJTU’s IP addresses being involved in the incident. Any assessments made about SJTU’s involvement at this point would be just a guess.

PRC Gov Responses to Hacking Allegations – Timeline

jumper — Thu, 21 Jan 2010 03:58:49 +0000

All dates represent the date the article was published, not necesarily the date that the quote was made.

July 26, 2004
In response to accusations that the Chinese government was involved in computer intrusions against ROK government agencies
“Some media reports that the Chinese government might be behind the hacking incident are groundless” – Chinese Embassy in Seoul (no personal attribution)

December 15, 2005
Response to SANS comments about China being involved in world wide hacking
“Work units and individuals are not permitted to use the Internet to be engaged in illegal activities or commit crimes,… China has laws that make tampering with or cracking a computer’s code illegal.” – Qin Gang

August 27, 2007
In response to a Der Spiegel article that reported intrusions into the German governemnt
“The Chinese government attaches great importance to the hacker attack on the German government networks,” adding China would take “determined” and “forceful” measures to combat hacker activities. – Wen Jiabao

August 28, 2007
In response to the reports of Chinese attributed intrusions into the government of Germany
“The Chinese government has always opposed and prohibited any criminal activity that breaks down computer networks, including hacker attacks,… China has clear rules and regulations on this.” – Jiang Yu

September 4, 2007
In a public response to the FT article that suggested PRC government involvement in a Pentagon intrusion
“The Chinese government has always opposed any Internet-wrecking crime, including hacking, and cracked down on it according to the law” – An Lu (editor)

September 10, 2007
Response to reports about intrusions into the French government for which the French plainly stated that they have no evidence to indicate PRC gov involvement.
“Saying that the Chinese military has made cyber-attacks on the networks of foreign governments is groundless and irresponsible and are a result of ulterior motives” – Jiang Yu

April 9, 2008
In response to Business Week’s e-Spionage article
“The Chinese Government always opposes and forbids any cyber crimes including “hacking” that undermine the security of computer networks. Chinese laws and regulations are explicit in this regard.” – Wang Baodong

April 1, 2009
In response to Ghostnet report
“There is a ghost called the Cold War and a virus called the Theory of China’s Threat overseas,… Some people, possessed by this ghost and infected with this virus, ‘fall ill’ from time to time. Their attempts at using rumors to disgrace China will never succeed… It is the ghost and the virus that should be ferreted out” - Qin Gang

May 15, 2009
Response to accusations of Chinese espionage in PACOM.
“We urge the United States to abandon Cold War mentality, stop its groundless accusations against China and do more to help build mutual trust between the United States and China and the friendship between the two peoples,” – Ma Zhaoxu
“The intrusion doesn’t exist at all” – Jiang Yu

Jun 12, 2008
In response to reports of Chinese hacking into computers in the offices of Rep. Frank Wolf and Rep. Chris Smith.
“Is there any evidence? … Do we have such advanced technology? Even I don’t believe it,… I’d like to urge some people in the U.S. not to be paranoid,… They should do more to contribute to mutual understanding, trust and friendship between the U.S. and China.” – Qin Gang

January 19, 2010
In response to Indian allegations of Chinese hacking (following the Google intrusion)
“I can say that these accusations are groundless… The Chinese government is firmly against hacking activities and will deal with relevant cases in accordance with the law” – Ma Zhaoxu

January 22, 2010
In response to US Sec of State Hillary Clinton’s remarks about Internet Freedom and the Google intrusion
“We urge the United States to respect the facts and cease using so-called Internet freedom to make groundless accusations against China” – Ma Zhaoxu
“China resolutely opposes Clinton’s remarks and it is not true that the country restricts online freedom…” – Ma Zhaoxu

January 25, 2010
In response to US Sec of State Clinton’s request for a transparent investigation into the Google intrusion
“We are resolutely against those who make a issue of things without referring to actual facts by needlessly accusing China, ignoring Chinese laws and interfering in Chinese internal politics” – unnamed spokesperson for the State Council Information Office

“As the global landscape is undergoing profound irreversible shifts, the calculated free-Internet scheme is just one step of a U.S. tactic to preserve its hegemonic domination” – Yan Xuetong

January 25, 2010
Response to Google intrusion
The “accusation that the Chinese government participated in (any) cyberattack, either in an explicit or inexplicit way, is groundless and aims to denigrate China… We are firmly opposed to that” – unnamed spokesman for the Ministry of Industry and Information Technology to Xinhua

Freedom of Speech? Not according to Baidu.

jumper — Sat, 16 Jan 2010 14:00:57 +0000

One of the Chinese blogs I read had a post about this Baidu dictionary reference.

Loosely translated: Freedom of Speech – basically not in China. It gives a link to a board where it may have picked up this definition. The author, greysign, laments that there are rampant lawless anti-party elements slandering China. Is it really slander to say that there isn’t freedom of speech in China?

Lawyers for company ripped off by green dam targeted in spear phishing attacks

jumper — Thu, 14 Jan 2010 03:36:52 +0000

This is starting to get boring…

Lawyers for Cybersitter, the company that claims its intellectual property was ripped off by PRC companies that developed the green dam youth escort in home censorware are now claiming that they have been targeted in spear phishing style attacks. Maybe the PRC companies didn’t get all of the code the first time.

Article here – linked from Danwei (one of my favorite China sites).

Chinese hackers don’t like Iranian Diabetics

jumper — Wed, 13 Jan 2010 04:52:00 +0000

In an apparent outrage at the defacing of Baidu, the great national symbol of the PRC interwebz, Chinese hackers have defaced an Iranian site that distributes information about diabetes. Take that Iranian nationalist hackers!

Brav[e|o] Google.cn

jumper — Wed, 13 Jan 2010 03:35:09 +0000

In what may be the most significant news posted to this blog in a long time, the Official Google Blog reports that Google will be working with the PRC government to deliver an unfiltered google.cn to users in the PRC. If an agreement with the PRC government cannot be reached, google.cn may suspend operations. From the blog post:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

This move is in response to an internal Google investigation that revealed widespread targeting and surveillance of human rights activists with interests in the PRC. The blog indicates that there are two distinctly different problems that were uncovered. One involved the compromise of internal Google intellectual property and the other involved the accessing of gmail accounts by unauthorized third parties.

…we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties.

Google believes that the sophisticated attacks that resulted in the internal compromise of Google information have also hit more than 20 other organizations.

So what does this mean? It is difficult to say at this point. Perhaps it will draw attention to the censorship issue as well as the widespread hacking frequently attributed to the PRC government. I think it will be unlikely that google.cn will be allowed to operate in the PRC without filtering its search results. This may mean that google.cn will cease to exist or that it is operated outside of the PRC where it will probably get GFW’d. Either way, Baidu wins.

It would be very cool if others (yahoo!, microsoft) follow suit.

PRC hackers attack Iranian websites

jumper — Tue, 12 Jan 2010 18:48:09 +0000

Several Chinese security bloggers and the Rising AV company are reporting that Chinese hackers are going after Iranian websites. Apparently in response to the Baidu DNS compromise.

http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fwww.hackbase.com%2Fnews%2F2010-01-12%2F32938.html

http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fwww.hackbase.com%2Fnews%2F2010-01-12%2F32926.html

http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fwww.hackbase.com%2Fnews%2F2010-01-12%2F32933.html

http://translate.google.com/translate?sl=auto&tl=en&u=http%3A%2F%2Fwww.hackbase.com%2Fnews%2F2010-01-13%2F32955.html

Baidu pwn3d by Iranian DNS hijackers

jumper — Tue, 12 Jan 2010 15:03:06 +0000

The Iranian Cyber Army has compromised the DNS records for baidu.com by logging into their DNS management portal at register.com. You might remember the Iranian Cyber Army from their recent twitter DNS compromise. There are many blogs and news outlets reporting on this.

I know some readers might wonder if this will spark some sort of cyber war between Iran and the PRC.

From BBC:

http://news.bbc.co.uk/2/hi/technology/8453718.stm

http://www.techcrunch.com/2009/12/17/twitter-reportedly-hacked-by-iranian-cyber-army/

Individuals can no longer register domains with .cn TLD

jumper — Mon, 14 Dec 2009 03:36:26 +0000

The .cn Top Level Domain has been frequently associated with malware, pornography and spamvertising. In an apparent effort to clean up the TLD, China NIC has started requiring a business license in order to register a .cn domain.

The China Internet Network Information Center (CNNIC) published a notice Sunday saying that applicants must submit written applications to the registration agents. The written materials must include an application form with an official seal, an enterprise business license and the registrant’s ID card.

In addition, the NIC will actually attempt to notify and verify individually owned .cn sites. If a site owner doesn’t respond in after five days, the domain will be revoked.

CNNIC plans to verify the information of the owners of personal site in the nation. Those found unqualified to have a site will be required to update the information in five working days, otherwise they will be shut down.

This is an interesting development. Clearly, something needed to be done about the .cn TLD garbage sites clogging up the tubes. I’m not sure what this means for individual site operators though. I’m sure it is still possible for individuals within the PRC to get a non-cn TLD and host their websites outside of the mainland.

Source: “All .cn websites require business license” – http://business.globaltimes.cn/china-economy/2009-12/491515.html – Linked from Danwei.

Piloyd worm pwning exe, asp and html files in PRC

jumper — Tue, 24 Nov 2009 18:49:59 +0000

HT to Sunbelt for this article about the piloyd worm jacking up web pages in the PRC. Not enough details yet to determine the vector. According to Sunbelt’s article, it is 8/41 on virustotal.com. I’ll update this post if I’m able to collect a sample for analysis.

Here are some details from threatexpert.com.