Chinese hackers have found a way around widely used privacy technology to target the creators and readers of Web content that state censors have deemed hostile, according to new research.
The hackers were able to circumvent two of the most trusted privacy tools on the Internet: Virtual private networks, or VPNs, and TOR, the anonymity software that masks a computer’s true whereabouts by routing its Internet connection through various points around the globe, according to findings by Jaime Blasco, a security researcher at AlienVault, a Silicon Valley security company.
Both tools are used by Chinese businesses and by millions of citizens to bypass China’s censorship technology, often called the Great Firewall, and to make their Web activities unreadable to state snoopers.
The attackers compromised Web sites frequented by Chinese journalists as well as China’s Muslim Uighur ethnic minority, Blasco discovered last week.
As long as visitors to those Web sites were also logged into one of 15 Chinese Internet portals — including those run by Baidu, Alibaba and RenRen — the hackers were able to steal names, addresses, sex, birth dates, e-mail addresses, phone numbers and even the Internet cookies that track other Web sites viewed by a user.
To get around the TOR and VPN technology, the attackers relied on a server software vulnerability that China’s top companies apparently did not patch, Blasco said.
While Blasco and others have not been able to pinpoint the identity of the hackers, the list of targets and the sophistication of the attacks suggest they might have been directed by the Chinese government.
“Who else could be potentially interested in this information and go to such lengths? Who else would want to know who was visiting Uighur Web sites and reporters’ Web sites inside China?” Blasco said in an interview. “There is no financial gain from targeting these sites.”
Since taking power in late 2012, Chinese President Xi Jinping (習近平) has shown a personal interest in how the Internet is managed, by creating and leading a committee responsible for Internet governance.
He has also given broad powers to the newly formed Cyberspace Administration of China (CAC), which has in turn targeted Internet celebrities who influence online opinion, increased blocks on foreign Web sites and sought to project China’s influence over the Internet internationally.
In the past few months, the Chinese government has blocked sales and disabled the protocols of VPNs. It also hijacked Internet traffic flowing to Baidu, China’s biggest Internet company, using it to overwhelm and knock down Web sites like GitHub that carry content China’s censors deem hostile, including content from the New York Times.
Activists and security experts advised Chinese Internet users to protect themselves from state-sponsored surveillance by using TOR and VPNs, and foreigners inside China have long done so. However, Blasco’s discovery suggests that Beijing’s Internet censors have found a way to render those tools useless.
“There is a growing sense within China that widely used VPN services that were once considered untouchable are now being touched,” said Nathan Freitas, a fellow at the Berkman Center for Internet and Society at Harvard University and a technical adviser to the Tibet Action Institute.
The CAC did not return requests for comment.
Blasco said the Uighur and media-related sites had been compromised with a “watering hole attack” in which attackers find a way to hide malicious code in Web sites frequented by their targets and then wait for their victims to come to them. Once people visit those sites, that code gets injected into their Web browsers.
The technique has been used by governments and hackers for surveillance and to steal passwords.
What made the attacks particularly serious was that as long as the victims were logged into China’s 15 top Web services — including major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the attackers could identify them and siphon off their personal digital information, even if their victims were logged into TOR or a VPN, Blasco said.
They did this with the aid of a particularly serious vulnerability that the 15 Web services in China apparently never patched.
The vulnerability, known as JSONP, is not new. It was publicized in a Chinese security and Web forum in 2013, about the same time forensic evidence suggests attackers used it to target Muslim Uighur Web sites and non-governmental organizations’ sites, Blasco said.
By not patching this hole, major Web portals like Baidu and Taobao, a subsidiary of Alibaba, effectively neutered the only privacy protections available to Web users inside China, Blasco said.
“The equivalent would be if law enforcement was able to exploit a serious vulnerability in Facebook to deanonymize users of TOR and VPNs in the United States,” Blasco said. “You would assume Facebook would fix that pretty fast.”
It is not clear, given the severity of the vulnerability and its discovery some two years ago, why so many of China’s top Web portals did not fix it.
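From the portal operator's side, the weakness described above can be sketched as an endpoint that returns the logged-in user's profile to whatever callback name the request supplies, shown here beside a hardened form. This is an added example, not code from Blasco's research or from any of the portals; the session store, origins, request shape and function names are all hypothetical.

```javascript
// Constructed sample data; names, origins and the request shape are assumptions.
const SESSIONS = { "sid-constructed-1": { name: "Example User", email: "user@portal.example" } };
const TRUSTED_ORIGINS = new Set(["https://portal.example"]);
const deny = (status) => ({ status, headers: {}, body: "" });

// Weak form: the session cookie alone authorises the response, and the
// caller-chosen callback wraps it in script that any embedding page may run.
function weakProfileHandler(req) {
  const user = SESSIONS[req.cookies.sid];
  if (!user) return deny(401);
  const json = JSON.stringify(user);
  const cb = req.query.callback;
  if (cb === undefined) {
    return { status: 200, headers: { "Content-Type": "application/json" }, body: json };
  }
  return { status: 200, headers: { "Content-Type": "application/javascript" }, body: `${cb}(${json})` };
}

// Hardened form: no JSONP at all, JSON only, and cross-origin reads limited
// to an explicit allowlist through CORS.
function hardenedProfileHandler(req) {
  if (req.query.callback !== undefined) return deny(400); // JSONP retired
  const user = SESSIONS[req.cookies.sid];
  if (!user) return deny(401);
  const headers = {
    "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff", // browser will not run this as script
  };
  const origin = req.headers.origin;
  if (origin !== undefined) {
    if (!TRUSTED_ORIGINS.has(origin)) return deny(403);
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  }
  return { status: 200, headers, body: JSON.stringify(user) };
}

// Constructed request: what the portal sees when a logged-in user's browser
// loads the endpoint as a script from an unrelated site (cookie attached).
const crossSiteScriptLoad = {
  cookies: { sid: "sid-constructed-1" },
  query: { callback: "cb" },
  headers: { referer: "https://unrelated.example/page" },
};
```

The request carries the user's own session cookie regardless of the network path, which is why TOR or a VPN does not change what the weak handler returns. Marking the session cookie `SameSite` is a complementary control, since the browser then stops attaching it to cross-site loads.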
A Baidu spokesman said the company did try to deal with the problem.
“To the best of our knowledge, our earlier efforts were successful in preventing any serious leak of personal use data, but in light of this further information, we have decided to implement a more aggressive and thorough fix across Baidu for the JSONP vulnerability,” the spokesman said.
An Alibaba spokesman also said the company was now moving to deal with the problem.
“Alibaba Group takes data security seriously and we do everything possible to protect our users,” Alibaba vice president of international media Robert Christie said.
“Many companies in our space have faced this issue, and once we discovered this issue, we moved swiftly to address it. We have found no evidence that any user information has been compromised,” he said.
Researchers say the complexity of the attack and the lack of digital fingerprints indicate that someone with significant influence had to have been directing it. Otherwise, “there must be a cybercriminal out there with pretty significant access to China’s Internet infrastructure,” Freitas said.