According to security and censorship watchdog GreatFire, the latest iPhone just made its debut in China, and already new owners are being hacked by what appears to be a state-sponsored “man in the middle” attack. Though there have been many other allegedly government-backed attacks on US-based companies, presumably for commercial or political gain, this one appears to be aimed at obtaining the iCloud identities of China’s own citizens, and it’s hard not to draw a dotted line to the recent Hong Kong protests, images and news of which were widely disseminated by mobile devices like the iPhone.
What this means for you:
Unless you are a Chinese citizen who has somehow managed to find your way to this modest blog, this particular event won’t have much impact on you. The hack is actually being perpetrated by China’s “Great Firewall” and only affects a specific, Chinese-only browser called 360 Secure Browser, made by a company called Qihoo. Use of this browser is apparently mandatory for all educational institutions in China. Seeing as other browsers not under the control of the Chinese government, like Firefox and Chrome, appear to be unaffected by the hack, it’s hard not to jump to some obvious conclusions. While the more conspiratorial among you may whisper that the American government is only a few steps behind the Chinese in this egregious breach of privacy, it’s important to note that, unlike in China, US-provided internet is not gated by a single, government-controlled firewall like China’s Great Firewall, nor are our students and teachers mandated to run an (allegedly) state-backed browser. However, this does not mean you should be less vigilant in protecting your security and privacy, as it’s quite apparent that US agencies like the NSA have no problem snooping on their own citizens anyway.
A new battle front just opened up in the corporate espionage cyberwar. Security firm TrapX has released information on a new attack that appears to be focused on shipping and logistics firms and is being delivered via hand-held inventory scanners made by a specific manufacturer in China. The wireless devices appear to contain malware that, once connected to a company’s corporate network, targets enterprise resource planning (ERP) servers and attempts to compromise them through a variety of known weaknesses. If successful, it then facilitates the installation of command-and-control malware that provides a backdoor on the compromised server to an unidentified location in China. The manufacturer of the scanners has denied that the devices were intentionally shipped with the malware, but their close proximity to the Lanxiang Vocational School (allegedly tied to other infamous hacking incidents) has raised security eyebrows everywhere.
What this means for you:
It’s a safe bet that you probably won’t be directly affected by this particular hacking vector unless you are one of the handful of firms that bought and used the devices before the manufacturer rectified the issue. However, this is just another crack in the dangerously swollen dike that is technology security, and the white hats are rapidly running out of fingers and toes with which to plug the holes. The fact that the Chinese have targeted supply chain technologies means they are fishing for big data to steal, and the amount of money (and power) at stake is enough for the bad guys to continually search out new ways to compromise and breach businesses. They know they have the good guys over a barrel, as we have to continually try to guess where the next mole will pop up in a playing grid with an infinite number of holes. Will we get to a point where we have to run a malware scan on anything with electronics and a means to transmit data? It’s starting to look that way.
According to the Washington Post, the Pentagon has recently received a report stating that the plans and specifications of over 2 dozen US weapon systems have been stolen via digital attacks on defense contractor and subcontractor systems. The list of possibly compromised systems includes several key military assets such as the F/A-18 fighter, the F-35 Joint Strike Fighter, the Black Hawk helicopter and the Patriot missile. Officially, the Pentagon has downplayed the report, stating that it has no reason to believe the strength or integrity of the military has been compromised in any way, but Department of Defense officials have said, off the record, that there is growing concern that the Pentagon and our government at large are increasingly falling behind in their ability to defend our digital borders from future cyber attacks.
What this means for you:
Regardless of your political leaning, there are few Americans who believe that our government runs a tight ship, and anyone who’s had any dealings with the Federal government knows that, for the most part, it is woefully behind in just about every aspect of technology. Poor operational standards and old technology are a recipe for a large-scale security disaster for any business, and the Department of Defense is about as big a business as you can get.
Just like the problem life insurance salespeople face (no one wants to face the fact of dying), many businesses still have not come to grips with the fact that they will have (or already have had) a security breach. Many defense contractors who have lived in the bubble of American military superiority for so long have developed a complacency that is leading to poor decisions and a lack of preparation until it is too late. The Chinese military is hungry to tip the scales, and it seems that it has the digital advantage.
Surely your business is more nimble than the Department of Defense. Have you grown complacent and ignored your technology’s security? Wouldn’t you rather do some work ahead of a security breach rather than scrambling to repair the damage?
Though it’s no secret to the security world, the US government has specifically avoided naming Chinese state agencies as the source of a tremendous surge in cyberattacks on corporate and government institutions over the course of the past 2 years. On Monday, the gloves finally came off as Obama’s security advisor, Tom Donilon, pointed the finger of blame right at China’s military in a speech given to the Asia Society in New York, NY, as evidence gathered by multiple security firms continues to build toward an unavoidable confrontation on this issue. The Chinese government has of course denied these allegations, but has also said that it is willing to meet with the US and other nations to discuss cybersecurity.
What this means for you:
It’s still very early in the ballgame to decide whether this is going to make things better or worse for the average business. At the moment, unless you are on the short list of companies that have information worthy of corporate or state-sponsored cyber-espionage, nothing will change for you, as your threats are likely still coming from the “traditional” vectors: either organized criminal elements seeking to steal from you, or random mischief and mayhem generated by malware controlled by those with less focus and malice. Today, as before, constant vigilance remains the most effective tool in your defense.
Targets of state-sponsored cyberattacks will continue to have a great deal to worry about. Where a “garden variety” attacker encountering strong defenses would normally move on to easier marks, cyber espionage targets will typically suffer through a dedicated, prolonged campaign of multiple types of attacks (brute force, trojan horse, spear phishing, social engineering, etc.) because of the valuable data or services protected within and the deep pockets of the government powering the attackers’ efforts.
It’s not immediately clear what either government hopes to accomplish by meeting on cyber warfare, other than to set up guidelines that will only be used for political leverage when violated by the other party, and probably ignored when it suits either country. As you can imagine, rules like the Geneva War Conventions only work when both sides are willing to abide by them.
In a House Intelligence Committee report released on Monday, Oct 8, 2012, US lawmakers cite security concerns with Chinese electronics manufacturing firms Huawei and ZTE. Though neither could be considered a brand recognizable in the US, both firms manufacture electronics that are used to power telecommunication devices all over the world. Though no overt wrongdoing was detected in the 9-month investigation, the report notes that the firms refused to fully cooperate with the investigation. The Chinese government is known to have a heavy hand in directing operations and even strategy for Chinese businesses, mostly to ensure tight control over national security, so it’s no wonder investigators may have encountered resistance from the companies.
What this means for you:
Independent, industry-led investigations have not found any evidence that equipment utilizing parts manufactured by either company has purposefully included security defects or “backdoors” that may have been mandated by the Chinese government as a possible means to infiltrate other countries’ data networks, though vulnerabilities have been found in older Huawei routers. Similar defects have been found in routers from Cisco (an American company), which lends credence to the idea that the vulnerabilities were not state-sponsored “backdoors” but instead a product of ongoing security research and development. The intelligence report seems to be more politically minded than a warning of a clear and present danger, focusing on “what-if” scenarios given China’s heavy-handed government, and it fails to note that Chinese (or any other nationality) hackers don’t need an easy-to-detect backdoor to hack American business interests.