Chinese hackers have found a way around widely used privacy technology to target the creators and readers of Web content that state censors have deemed hostile, according to new research.
The hackers were able to circumvent two of the most trusted privacy tools on the Internet: Virtual private networks, or VPNs, and TOR, the anonymity software that masks a computer’s true whereabouts by routing its Internet connection through various points around the globe, according to findings by Jaime Blasco, a security researcher at AlienVault, a Silicon Valley security company.
Both tools are used by Chinese businesses and by millions of citizens to bypass China’s censorship technology, often called the Great Firewall, and to make their Web activities unreadable to state snoopers.
The attackers compromised Web sites frequented by Chinese journalists as well as China’s Muslim Uighur ethnic minority, Blasco discovered last week.
As long as visitors to those Web sites were also logged into one of 15 Chinese Internet portals — including those run by Baidu, Alibaba and RenRen — the hackers were able to steal names, addresses, sex, birth dates, e-mail addresses, phone numbers and even the Internet cookies that track other Web sites viewed by a user.
To get around the TOR and VPN technology, the attackers relied on a server software vulnerability that China’s top companies apparently did not patch, Blasco said.
While Blasco and others have not been able to pinpoint the identity of the hackers, the list of targets and the sophistication of the attacks suggest they might have been directed by the Chinese government.
“Who else could be potentially interested in this information and go to such lengths? Who else would want to know who was visiting Uighur Web sites and reporters’ Web sites inside China?” Blasco said in an interview. “There is no financial gain from targeting these sites.”
Since taking power in late 2012, Chinese President Xi Jinping (習近平) has shown a personal interest in how the Internet is managed, by creating and leading a committee responsible for Internet governance.
He has also given broad powers to the newly formed Cyberspace Administration of China (CAC), which has in turn targeted Internet celebrities who influence online opinion, increased blocks on foreign Web sites and sought to project China’s influence over the Internet internationally.
In the past few months, the Chinese government has blocked sales and disabled the protocols of VPNs. It also hijacked Internet traffic flowing to Baidu, China’s biggest Internet company, using it to overwhelm and knock down Web sites like GitHub that carry content China’s censors deem hostile, including content from the New York Times.
Activists and security experts advised Chinese Internet users to protect themselves from state-sponsored surveillance by using TOR and VPNs, and foreigners inside China have long done so. However, Blasco’s discovery suggests that Beijing’s Internet censors have found a way to render those tools useless.
“There is a growing sense within China that widely used VPN services that were once considered untouchable are now being touched,” said Nathan Freitas, a fellow at the Berkman Center for Internet and Society at Harvard University and a technical adviser to the Tibet Action Institute.
The CAC did not return requests for comment.
Blasco said the Uighur and media-related sites had been compromised with a “watering hole attack” in which attackers find a way to hide malicious code in Web sites frequented by their targets and then wait for their victims to come to them. Once people visit those sites, that code gets injected into their Web browsers.
The technique has been used by governments and hackers for surveillance and to steal passwords.
What made the attacks particularly serious was that as long as the victims were logged into China’s 15 top Web services — including major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the attackers could identify them and siphon off their personal digital information, even if their victims were logged into TOR or a VPN, Blasco said.
They did this with the aid of a particularly serious vulnerability that the 15 Web services in China apparently never patched.
The vulnerability, known as JSONP, is not new. It was publicized in a Chinese security and Web forum in 2013, about the same time forensic evidence suggests attackers used it to target Muslim Uighur Web sites and non-governmental organizations’ sites, Blasco said.
By not patching this hole, major Web portals like Baidu and Taobao, a subsidiary of Alibaba, effectively neutered the only privacy protections available to Web users inside China, Blasco said.
“The equivalent would be if law enforcement was able to exploit a serious vulnerability in Facebook to deanonymize users of TOR and VPNs in the United States,” Blasco said. “You would assume Facebook would fix that pretty fast.”
It is not clear, given the severity of the vulnerability and its discovery some two years ago, why so many of China’s top Web portals did not fix it.
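The server-side weakness described above, sketched as an added example (not code from Blasco’s research or from any of the portals): a JSONP endpoint that trusts the session cookie alone answers any page that embeds it, and the browser attaches that cookie whether or not the connection runs through TOR or a VPN. The handler names, origins, session store and request objects are hypothetical and constructed for illustration.

```javascript
// Constructed session store: cookie value -> anti-forgery token and profile.
const SESSIONS = new Map([
  ["sess-abc", { token: "t-91f3", profile: { name: "Example User", email: "user@example.test" } }],
]);
const TRUSTED_ORIGINS = new Set(["https://portal.example.test"]); // hypothetical portal origin
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/; // a plain identifier, nothing else

// Weak form: the cookie is the only check, and script includes are not
// subject to the same-origin policy, so every embedding site gets the profile.
function profileJsonpWeak(req) {
  const s = SESSIONS.get(req.cookies.sid);
  if (!s) return { status: 401, body: "" };
  return { status: 200, type: "application/javascript",
           body: `${req.query.callback}(${JSON.stringify(s.profile)})` };
}

// Hardened form: the caller must also present a per-session token that a
// foreign page cannot read, arrive from a trusted origin, and use a safe callback.
function profileJsonpHardened(req) {
  const s = SESSIONS.get(req.cookies.sid);
  if (!s) return { status: 401, body: "" };
  if (!SAFE_CALLBACK.test(req.query.callback || "")) return { status: 400, body: "" };
  let origin = "";
  try { origin = new URL(req.headers.referer || "").origin; } catch { /* missing or malformed */ }
  if (!TRUSTED_ORIGINS.has(origin) || req.query.token !== s.token) {
    return { status: 403, body: "" };
  }
  return { status: 200, type: "application/javascript",
           headers: { "X-Content-Type-Options": "nosniff" },
           body: `/**/${req.query.callback}(${JSON.stringify(s.profile)})` };
}

// Constructed requests: one triggered from a third-party page, one from the portal itself.
const crossSite = { cookies: { sid: "sess-abc" }, query: { callback: "cb" },
                    headers: { referer: "https://compromised.example.test/news" } };
const sameSite = { cookies: { sid: "sess-abc" }, query: { callback: "cb", token: "t-91f3" },
                   headers: { referer: "https://portal.example.test/account" } };

function demo() {
  return { weakCross: profileJsonpWeak(crossSite).status,         // profile disclosed
           hardCross: profileJsonpHardened(crossSite).status,     // refused
           hardSame: profileJsonpHardened(sameSite).status };     // served
}
```

Retiring JSONP in favor of JSON served under a strict CORS allowlist removes this class of leak entirely; the checks above are for endpoints that must keep JSONP.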
A Baidu spokesman said the company did try to deal with the problem.
“To the best of our knowledge, our earlier efforts were successful in preventing any serious leak of personal use data, but in light of this further information, we have decided to implement a more aggressive and thorough fix across Baidu for the JSONP vulnerability,” the spokesman said.
An Alibaba spokesman also said the company was now moving to deal with the problem.
“Alibaba Group takes data security seriously and we do everything possible to protect our users,” Alibaba vice president of international media Robert Christie said.
“Many companies in our space have faced this issue, and once we discovered this issue, we moved swiftly to address it. We have found no evidence that any user information has been compromised,” he said.
Researchers say the complexity of the attack and the lack of digital fingerprints indicate that someone with significant influence had to have been directing it. Otherwise, “there must be a cybercriminal out there with pretty significant access to China’s Internet infrastructure,” Freitas said.