Glass Dragon: China’s Cyber Offense Obscures Woeful Defense

The official line in Washington D.C. is that there’s a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure.

For the last 18 months, Dillon Beresford, a security researcher with testing firm NSS Labs and divorced father of one, has spent up to seven hours a day of his spare time crawling the networks of China’s state and provincial governments, as well as stealthier networks belonging to the PLA and the country’s top universities. Armed with free tools like Metasploit and Netcat, as well as Google Translate, he’s pulled back the curtains on the state of cyber security in China. What he’s discovered may come as a surprise to many U.S. policymakers and Pentagon officials. 

Contrary to the image of China as a nearly invincible cyber powerhouse, Beresford says in an interview with Threatpost Editor Paul Roberts that the fast-growing nation suffers from woeful cyber security practices at home that leave, literally, thousands of networks and databases vulnerable to even trivial, remote attacks. Beresford, who publicized holes in domestic Chinese SCADA systems in September 2010, said the country’s aggressive cyber offense abroad is in stark contrast to an almost total lack of basic cyber defense at home, which has left both classified and unclassified government networks vulnerable to attack and compromise. That should give the Chinese government pause as it ponders the consequences of a global campaign of cyber espionage, and create an opportunity for the U.S. and China to de-escalate what he sees as a growing cyber arms race. In recent weeks Beresford has publicized holes highlighting insecure mail servers and databases he has uncovered. He spoke to Roberts on April 26th, 2011.

Threatpost: Why China? What got you looking at the vulnerability of China’s networks?

Dillon Beresford: The best answer to that question is ‘curiosity.’ I was reading a lot about cyber war and the capabilities of the PRC and PLA. I was hearing a lot about the vulnerability of U.S. critical infrastructure, so I got interested in China and wanted to find out about its infrastructure – map out the flashpoints.

Threatpost: You suggest that China’s single party system is actually to blame for some of the poor security practices you discovered. Can you explain?

Dillon Beresford: One of the things I thought about with my research is the issue of transparency. This is an issue in China and, I would guess, other authoritarian regimes. A lot of what is running in China is developed in-house by Chinese firms. They’re not using Western products or open source platforms, because they don’t trust them or they’re worried that someone might put a back door into them. The downside is that they don’t benefit from the whole community of people who are crawling over those platforms and patching bugs and looking for holes.

In China, you see that not a lot of government and private sites are interconnected, as they are in the U.S. That kind of interdependence allows there to be lots of eyes looking at the same network and makes it more likely that mistakes will get discovered and reported. But, in China, the government runs everything and there’s no clear policy for cyber security.

In Chinese culture, also, it’s hard to publicly come out and admit mistakes – a fear that people will lose faith in their abilities. So, for example, a journalist who is writing on this got an email from an official in the Office of Foreign Affairs who was worried about losing his job.

Threatpost: It’s interesting, because the picture you paint is so different from the one that’s presented in the media.

Dillon Beresford: Yes. The media hype in the U.S. is all about cyberwar and how the Chinese are kicking our ass. I wanted to know how vulnerable the Chinese are, and what I found is that they are just as vulnerable as the U.S., if not more so. In large part, I think it’s because of this lack of transparency and openness. I’m hoping that, as a result of my work, they might realize this and maybe tone down their aggressiveness towards the U.S. After all, we have the best people and it won’t be long before other researchers will do as I have.

Threatpost: Why haven’t other security researchers looked at this before you?

Dillon Beresford: I think the language barrier has discouraged people, but with Google’s translation tools, that really isn’t an issue any more.

Threatpost: How have you managed to navigate these networks and sites?

Dillon Beresford: Rosetta Stone. I’ve been studying Chinese for a year now, so it’s getting easier. And I work with people from China, which helps.

Threatpost: How do you choose your targets?

Dillon Beresford: It’s really not hard. In fact, the amount of data I have found that is not intended for public consumption is amazing. I stopped after three terabytes. These systems are not maintained and are all vulnerable to attacks. HTTP is just one attack vector, but there are many others. For example: there was an LDAP server that was accessible from the Internet and it was running a vulnerable version of PHP and, in addition, everything on the server was running as root. I find that a lot – it’s a bit of laziness by system administrators that makes their job easier. I was able to compromise the server and then simply enumerate the directory and find other file servers and systems on the network that weren’t connected to the Internet. Another example is China’s National University of Defense Technology. They had a bunch of Web servers that weren’t using SSL or HTTPS, so everyone was logging in using plain HTTP. All you needed to do was compromise one box and you could sniff all the user names and passwords in clear text.

Threatpost: What kinds of vulnerabilities are you finding commonly?

Dillon Beresford: As I mentioned to you before, vulnerable VxWorks installations are very common. I see a lot of Huawei integrated access devices in the private sector there as well, and they all run VxWorks. When Cisco went to VxWorks so did Huawei, and they’re just out there listening and waiting for a connection, and they haven’t been patched or they’ve got weak passwords that you can brute force. You can just fire up Metasploit and find the vulnerable VxWorks installations. Once you have one vulnerable system, say a switch or router, it’s very easy to pivot from that to other devices.

I’ve found lots of appliances – routers, firewalls, IPS. A lot of them have back doors left by the developers. If I find it, I can generally exploit it and get into it. A lot of these devices have Web interfaces that have remote command execution vulnerabilities that allow you to use a function call, say, to log into the device without authenticating. If you have NetCat, you can just fire it up and connect directly to the box. And these publicly exploitable devices are so important, because they’re potentially connected to other parts of the network that are even more vulnerable, because it was assumed that they’re not public. So, if you find a Web server that’s connected to a private LAN (local area network) and the Internet, you can compromise it, then reach out and compromise every other box on that network.

Threatpost: You’ve found lots of evidence of weak authentication and passwords, as well?

Dillon Beresford: Yes. I’d estimate that 40% of logins are user name and either all numerical or all lowercase passwords. There are no hash or space characters. They’re not complex and there are weak access controls – controls that aren’t properly implemented, or there’s no password requirement or two factor authentication, which is becoming increasingly common in the West. You don’t see any of that in China.

Threatpost: As you talk to officials in China, what sense do you get about the reasons for the widespread problems with insecure IT infrastructure?

Dillon Beresford: I think China is growing very fast and there aren’t enough people to maintain the infrastructure. They have more networks and government sites than their own government can even maintain. They don’t have the manpower or even the knowledge to maintain them. And, in many ways, China is still playing catch-up with the U.S. They’re an aggressor in cyberspace, but their own networks are very weak and poorly designed. I’m not saying that to shed a negative light on China, but there’s so much out there that they just can’t maintain it all. Beyond that, there’s a lack of trust in Western products – even open source products. A fear that people will put back doors in them, which really misunderstands what open source is about, which is: if we have a lot of eyes looking at the code, people will spot problems and fix them.

Threatpost: Have there been any “whoa!” moments where you’ve come across a hole or exposed data that really surprises you?

Dillon Beresford: That moment was probably the National Institute of Defense Technologies. I mean, when you think about it, they have supercomputers there that they use for cryptography. What’s funny is that, if you look, you can’t find a Web site for the Ministry of State Security or the Ministry of Cryptography, but most of the projects that the government allocates money for those agencies go to universities. It’s the students who create spy tools, so if you want to find the classified information, you just have to go to the university networks and get it.

It’s the same with the People’s Liberation Army. Their networks are hidden all throughout China and they’re hard to find. But if you can find a vulnerable file server, you can pivot and proxy into a network that may be their equivalent of SIPRNet (the United States’ classified information network). Students can make VPN connections into PLA networks. I’ve seen the client. You have students and cadets who attend university then, when they graduate, go to work for the PLA. In the meantime there’s a lot of traffic going between the PLA and the universities.

Threatpost: What do you want to accomplish with this research?

Dillon Beresford: I’ve been transparent about this research and reported everything to China CERT. I want to create awareness of the problem and raise the bar. I’d like there to be open communications between the U.S. and China. We have to sit down at the same table. If other researchers like myself publish vulnerabilities, maybe China will think twice about attacking U.S. companies and acknowledge that they have problems and weaknesses as well.