A U.S. security expert has uncovered data on more than 10,000 job applicants for positions with China’s State Administration of Foreign Experts Affairs, including user names and passwords that could be used to gain access to other sensitive government systems.
The discovery by Dillon Beresford, a security researcher with NSS Labs, is part of ongoing research that has discovered thousands of loosely protected or unprotected computer servers operated by the Chinese government. Beresford also claims to have discovered 12,000 vulnerable devices running the VxWorks embedded operating system. Those devices include Voice over IP (VoIP) phone systems, telecommunications switches, routers and SCADA systems.
The State Administration of Foreign Experts Affairs (SAFEA) is a Chinese government organization dedicated to promoting overseas education and training for Chinese professionals and to recruiting foreign experts from abroad to work in China. In 2008, the agency claims to have reached 480,000 persons and sent 30,000 Chinese professionals abroad for training. The database of job applicants that was shared with Threatpost contains only user names and passwords, not the applicants’ actual names or identifying information. Threatpost was able to determine that the leaked user ID and password combinations are valid and can be used to access SAFEA’s Experts Online database.
Web application security is a touchy subject for most large organizations. Recent reports suggest that problems like SQL injection and cross-site scripting vulnerabilities are chronic in both the commercial and public sectors. However, Beresford’s claims, if true, suggest that China’s IT infrastructure is failing to take even basic precautions to protect vulnerable or misconfigured systems that could be subject to trivial attacks. He said he has identified vulnerable systems affecting most critical sectors of the Chinese economy, including government, defense, aerospace, transportation and manufacturing. Beresford provided Threatpost with a list of 11,762 exploitable VxWorks devices, identified by IP address. Threatpost has not been able to confirm that the devices are, indeed, exploitable.
Beresford earlier publicized serious vulnerabilities in SCADA systems within China. In recent days, he called attention to an e-mail server belonging to the provincial government of Guizhou Province in southwestern China that was publicly accessible, allowing anyone with access to the Web to create a government e-mail address.
China’s Computer Emergency Response Team (CN-CERT) has taken steps to restrict access to the Guizhou Province e-mail server, according to a copy of a message sent to Beresford and shared with Threatpost.
In an e-mail to CN-CERT Friday, Beresford said that “all publicly accessible database and Web servers belonging to China’s State Administration of Foreign Experts Affairs are vulnerable to SQL Injection (attacks).” The Internet-accessible devices also have an improper phpMyAdmin configuration, making it possible to reach the administrative controls for the servers without a user name or password. Other problems include “weak password authentication, deprecated SSL protocol usage and improper access control enforcement,” he wrote.
“I must say I find it somewhat perplexing as to how the database administrator could forget to lock down such an important database,” Beresford wrote.
There is evidence that his warnings are being heeded. Beresford received an e-mail response from CN-CERT Friday regarding the vulnerable Guizhou Province e-mail server, reporting that the vulnerable administrative interface had been locked down. CN-CERT said that the Chinese government is struggling to stay on top of the rapid growth of its IT infrastructure.
“In recent years, the Internet has been developing dramatically in China. Many departments and local branches of the Chinese government have established their own web sites, which inevitably increases the possibility of crackers exploiting these web sites’ vulnerabilities and carrying out attacks,” the letter said.