In China, some of the most successful cyberthreats are frighteningly simple.
One recent viral mobile message offered free golden retriever puppies to lure users into giving away personal information. Another online scam took thousands of US dollars from a woman who wired money to an impostor she thought was her son’s teacher.
A current favorite of Chinese cybercriminals, according to Pei Zhiyong (裴智勇), the senior security researcher of the antivirus company Qihoo 360 Technology, is to simply program malicious code that asks users to disable their antivirus software.
“It will say their security program is incompatible with whatever they’re trying to do,” he said. “We call it a ‘Candy Trojan Horse,’ and 30 percent of users will actually respond by turning off their antivirus system.”
Over the last decade, the Internet has gone mainstream in China. More than 600 million residents regularly go online, and China is also the world’s largest smartphone market. Domestic companies like the Alibaba Group are among the largest Internet companies in the world.
In its early days, China’s Internet market was plagued by malware and viruses. Popular free antivirus software offered by many companies has since helped stem that problem, but has led to a new one: Many PC users have become so comfortable that they are now easy prey to attacks that involve simply tricking them, instead of having their accounts breached by complex software. At Chinese companies, awareness lags that of their counterparts in developed nations, experts say.
In 2013, cybercrime cost Chinese companies and individuals US$37 billion, according to a research report by the security firm Norton, putting the nation second behind the US at US$38 billion and well ahead of the US$13 billion that cybercrime cost Europe or the US$1 billion for Russia.
Security analysts offer many reasons for this, but top among them is the naivete of China’s myriad new Internet users, as well as government policies that have emphasized the growth of the Internet industry above all else.
RELUCTANT TO PAY
At the same time, many businesses have no consistent approach to ensure employees do not inadvertently compromise corporate networks. Companies also are often reluctant to pay for security software.
The prevalence of pirated software in the nation — and the backdoors and other security holes in those programs — makes many businesses, and individuals, unwittingly vulnerable.
Beijing maintains strict control of the flow of information online and closely tracks many users. However, it has focused far less on stopping cybercrime or punishing companies that enable or encourage attacks. As a result, China’s companies tend to focus on attracting users above all else, and therefore a consensus among Chinese Internet companies on mitigating attacks has been slow to emerge.
“The Internet companies assume everyone is going to play dirty, so that’s how they approach it,” said Mark Natkin, managing director of China tech research firm Marbridge Consulting. “The Dudley Do-Rights get chopped off at the knees, so instead of trying to clean things up, they get scrappy.”
Things could get worse for China as new users take to the Web on smartphones. According to the Norton report, 75 percent of Chinese smartphone users have experienced mobile cybercrime in the 12 months leading up to the 2013 survey, compared with a global average of just 38 percent.
The high mobile cybercrime numbers are in part a result of government blocks on the Google Play app store, which offers applications for smartphones running the Android operating system.
“The ability to access Google Play is not there, so Chinese go to alternate app stores that don’t have the security capabilities [of Google’s official app store],” Intel Security chief technology officer Michael Sentonas said.
A 2013 study by the Data Center of China’s Internet showed that 35 percent of China’s most popular 1,400 apps tracked user data that had no connection to the function of the application.
When customers then bring their phones into work, the situation becomes dangerous for companies as well, Sentonas said.
The huge cost of attacks on companies has led to growing awareness among executives, though analysts say many companies still lack a high-level executive charged with security.
DRACONIAN MEASURES
Efforts by companies to ensure that employees do not inadvertently compromise corporate networks have ranged from negligence to draconian measures, according to Thomas Parenty, head of the information security firm Parenty Consulting.
In one instance, Parenty recalled how a manager of a Shenzhen company set up employee computers so they all faced the front of the room. He then set up his desk on a raised dais at the back of the room, giving him a view of employees’ screens so he could track online activity.
“It was like Oliver Twist,” he said.
At times, it is company policy, not employees, that leads to problems. Many Chinese companies have a tendency to spurn costly software, instead opting to use pirated copies of everything from Microsoft Windows to Adobe Photoshop, leaving them open to security holes in the software. There are many companies and organizations that use entirely unpaid-for copies of Windows, Parenty said.
At one organization, Parenty said, he discovered that “each employee computer’s disk was entirely full of bootleg software and downloaded movies.”
His firm “had to strip each desktop to the bare metal and then buy legitimate software and put in controls so they couldn’t just download pirated copies of everything Adobe has ever made,” he said.
To keep employees happy, he then set up a “tea break computer” not connected to the company’s network, where workers could sign onto popular Chinese chat, gaming and social media programs.
Recognizing that few companies will spend for security software, the most successful security firms in China offer software free. One of China’s largest antivirus companies, Qihoo 360, provides a suite of antivirus programs without charge, making money on advertisements and other promotions it pipes through its products.
The company had 495 million monthly active users for its PC-based products in September, according to the company’s recent earnings report. Still, analysts argue it is more vulnerable than most purchased services and is not ideal for protecting companies.
There are signs that the government is doing more to clean things up. Chinese President Xi Jinping (習近平) is chairman of a new group focused on the Internet that counts coordinating domestic Internet security policies among its goals, Natkin of Marbridge said.
As proof that things are changing, he pointed to the announcement of the arrest of three men in the Beijing area in connection with the creation of malware targeting Apple devices. Still, he said the tendency for the government to be top-down in its policymaking could slow down progress.
Paul Mozur and Shanshan Wang write for the NY Times News Service.
Could Asia be on the verge of a new wave of nuclear proliferation? A look back at the early history of the North Atlantic Treaty Organization (NATO), which recently celebrated its 75th anniversary, illuminates some reasons for concern in the Indo-Pacific today. US Secretary of Defense Lloyd Austin recently described NATO as “the most powerful and successful alliance in history,” but the organization’s early years were not without challenges. At its inception, the signing of the North Atlantic Treaty marked a sea change in American strategic thinking. The United States had been intent on withdrawing from Europe in the years following
My wife and I spent the week in the interior of Taiwan where Shuyuan spent her childhood. In that town there is a street that functions as an open farmer’s market. Walk along that street, as Shuyuan did yesterday, and it is next to impossible to come home empty-handed. Some mangoes that looked vaguely like others we had seen around here ended up on our table. Shuyuan told how she had bought them from a little old farmer woman from the countryside who said the mangoes were from a very old tree she had on her property. The big surprise
The issue of China’s overcapacity has drawn greater global attention recently, with US Secretary of the Treasury Janet Yellen urging Beijing to address its excess production in key industries during her visit to China last week. Meanwhile in Brussels, European Commission President Ursula von der Leyen last week said that Europe must have a tough talk with China on its perceived overcapacity and unfair trade practices. The remarks by Yellen and Von der Leyen come as China’s economy is undergoing a painful transition. Beijing is trying to steer the world’s second-largest economy out of a COVID-19 slump, the property crisis and
As former president Ma Ying-jeou (馬英九) wrapped up his visit to the People’s Republic of China, he received his share of attention. Certainly, the trip must be seen within the full context of Ma’s life, that is, his eight-year presidency, the Sunflower movement and his failed Economic Cooperation Framework Agreement, as well as his eight years as Taipei mayor with its posturing, accusations of money laundering, and ups and downs. Through all that, basic questions stand out: “What drives Ma? What is his end game?” Having observed and commented on Ma for decades, it is all ironically reminiscent of former US president Harry