TAG | china
Another from the “if the data exists, it will get compromised” file.
This article from the Washington Post talks about an interesting case of counter surveillance hacking.
In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.
Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.
I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.
Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.
The short version is, if an attacker is going for you specifically, they can do enough research to craft an email and attachment that you are almost certain to open. The success rate against even very paranoid and sophisticated users is shockingly high.
In Bruce Schneier’s blog post about this he quotes Brian Snow, former NSA Information Assurance Director. “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”
It appears that China recently launched a poorly executed Man in the Middle (MITM) attack on GitHub.
GitHub.com is an https only website, so the only way to monitor it is to use a MITM attack to decrypt the contents of the communications. There is evidence that GitHub is widely used in China for code sharing, so the backlash from blocking it completely was too large, and it was unblocked a few days later.
The attack happened on January 26. It was poorly executed in that the faked certificate did not match the real one in any of the meta-data and it was not signed by a recognized certificate authority. This caused most browsers to report a security error. The MITM attack only lasted about an hour.
Based on reports it only impacted users in China, which strongly suggests that it was government backed at some level. My work in censorship circumvention over the years has shown that China is far from monolithic. This could have been the work of a local government or regional ISP. I have not seen an analysis showing if this was country wide or not. It seems very ham fisted for the central government.
The speculated reason for the attack is to monitor access to a list of people who have been involved in creating the Great Firewall of China, which is hosted on GitHub, and is connected to a petition on Whitehouse.gov proposing that those people be denied entry to the US.
This article from Threatpost discusses a study out of CMU of Chinese censorship of their home grown social networking websites.
Now that they are blocking most of the western social media sites entirely, the focus of censorship is internal. Obviously blocking the internal sites as well would defeat the purpose, so they are selectively deleting posts instead. This study looks at the rate at which posts with sensitive key words are removed from the services.
It clearly shows how censorship can be taken to the next level when the censor controls the websites as well as the network.