
China bugs and burgles Britain - jacquesm
http://www.timesonline.co.uk/tol/news/uk/crime/article7009749.ece
======
thorax
I feel we've just been introduced to the realities of the new world of
warfare.

Getting inside information on Google, Adobe, etc, would be of immense value
for cyberwar. I don't think the information is nearly as useful for economic
purposes as it is for making new software weapons. Every bit of source code or
critical system you access gets you more information your teams can analyze
for "0-day exploits" and more backdoors/trojans you can place to get more
access to more networks whenever you need.

Imagine you've amassed a lot of brilliant computer scientists and security
experts. Getting access to source code and installing trojans would be of
immense value to you because you'd be sitting on a huge stockpile of weapons
just waiting for you to analyze them in parallel long after you've infiltrated
(and even if you were detected/shut-off). If we're seeing exploits streaming
out of small security firms and off-shore spammers--- imagine the wealth of
exploits a well-funded military division would be able to come up with. Now
imagine you wanted to stay competitive with other such militaries... To them
the means to get new weapons is more important (in a meta-sense) than pretty
much anything else.

From my armchair, I'd say for weapons of mass cyber influence the most prized
possessions would be:

(1) control over the pipes (presumably the U.S. has this for a lot of key
stuff, but these backdoors, too, might be exploitable)

(2) unknown exploits in common software

(3) control of highly/specially trafficked systems/services

(4) unknown exploits in specialized software

I'm not trying to make anyone paranoid, but it does seem to me that this sort
of infiltration into corporations and government software/systems would be
just as valuable to any country anywhere that had a powerful high-tech army. A
weapon is a weapon and would be just as valuable to anyone.

There are only a few places that could coordinate attacks like these. We'd
have to assume military-- the only other real option being organized crime
(with their growth in this economy).

As such, I put it at, maybe, 80% chance that the attacks from China were from
Chinese military sources, but (given motive, skill, and funding) there's at
least 10-15% chance these are actually coordinated by the U.S. military or
intelligence agencies themselves and pinned solidly on China. The remaining
5-10% or so falls on other militaries or maybe brilliant criminals.

If I was thinking like a cybergeneral, I would want someone else to be
scrutinized other than myself. I might even specifically seek out companies
important to me that also did business with my opponents so that it was easier
to pass the blame. I feel the U.S. intelligence/military probably has the
cleverness to make that all happen if they wanted. I very much doubt they did
so, but I think we're silly to ignore the possibility.

What we really need to stop ignoring is that our software and systems are
actually turning into weapons. I think the days of idle worry over spambot
exploits are behind us--- now we have to imagine that your favorite websites,
your business servers, and your home PCs are pawns in a very big game of
chess.

~~~
quanticle
I think the chess analogy is fundamentally flawed. You're presuming that
there's a Chinese "chessmaster". Instead, as we have seen from all sorts of
phenomena, from the Anonymous protests against Scientology to Al Qaeda
terrorism, distributed movements with no central control are as powerful (and,
in many cases, more powerful) than centralized armies.

Where you envision a controlled, organized hacking scheme organized by the
Chinese military, I see a widespread group of nationalistic Chinese hackers
employing whatever means are at their disposal to advance Chinese interests
and disrupt Western businesses and governments. The threat might be the same,
but the way one responds is vastly different.

~~~
budu
"Instead, as we have seen from all sorts of phenomena, from the Anonymous
protests against Scientology to Al Qaeda terrorism, distributed movements with
no central control are as powerful (and, in many cases, more powerful) than
centralized armies."

Are you sure the Anonymous have done any long term damage to Scientology? Or
that Al-Qaeda actually achieved anything meaningful against the occident? If
you look at history, those who are more centralized are always the ones who
are the more powerful. Up until the point they become too big and things start
to break down. After that, it's back to normal and the more centralized win.
Short-term imperialism and attempts at unification throughout history give us
good examples of how things unfold.

There's certainly a lot of nationalistic Chinese hackers, but I don't think
they could pose any significant threats. The best they could do is adding
noise so that the "real" government hackers go undetected. They would also
become dangerous if coordinated by the government, but at that point they're
no longer decentralized.

I think decentralization has its advantages when considered in the right
context. But politics and religion are all about centralization and always
have been.

------
tom_pinckney
Points also to the issue that thinking about security from a perimeter point
of view (everything outside firewall is bad, everything inside is good) is
outdated. There is no inside vs outside anymore.

~~~
jacquesm
That always was a stupid strategy. Trusting stuff on one side of the firewall
just because it is on the other side is not good enough, that means that after
any breach at all your whole network is wide open.

Security should be applied at the lowest possible level, just like you would
in a physical installation.

It's not like when you work in a bank once you are allowed 'backstage' that
that automatically gives you the right to visit the tellers' cage or the vault.

~~~
jhancock
My bank takes a different approach, an old one, to security. Here are three
things that happened to me at their main bank office over the last 6 months.

1 - I sat down with a mid-level manager asking about a debit card in my wife's
name for one of my accounts. The manager pulled up my account and said "I see
you were in Wilmington last week. My family is from there." And we chatted
about Wilmington for a bit.

2 - I walked up to the teller desk and said "Please move $500 from account A
to account B." I filled out no forms, showed no ID, didn't even know the
account numbers. The teller said "No problem Mr. Hancock, have a nice day."

3 - I needed to change my phone number linked to all my accounts. I walked
into the teller and told her I have 5 accounts and wanted to change the phone
number on all of them but didn't have my account numbers at hand. She handed
me a post-it note and asked me to write down the new phone number: "No problem
Mr. Hancock, we'll see it gets done."

The approach this bank takes is oriented around trust and liability, not IT
security. Some may be upset that a bank manager would/could scan my
transactions and openly acknowledge they see where I was last week. But I see
this as openness in acknowledging that they can see the data. All banks can
see this data and many credit data warehouses have this data. My bank simply
doesn't pretend they can't see it.

In response to your post, jacquesm, I completely agree with your point of view
from an IT perspective. However, I do not expect a bank, large or small, to
get things perfect internally. So I choose to do business with one I trust to
uphold their end of liability. I take this approach with most business
partners, as I'm sure many do. When I buy a $50 item on ebay, I expect less of
the supplier and pay accordingly.

~~~
jacquesm
Yes, but that works at _your_ branch.

If you were to walk into, say, the New York City branch of a major bank that
you have an account with in the countryside then you'd be looking at a
completely different situation.

I once borrowed E100K from my bank just on my promise that I would pay it back
within 7 days. That would have been a lot harder if I had not been a very good
customer of theirs for more than a decade.

But I still doubt they'd let me past the 'no customers beyond this sign',
simply because they have a duty to safeguard the privacy of their other
customers, even if we'd have a higher than normal level of trust between
ourselves as people.

~~~
jhancock
You're right; that's why I don't do much business with large banks ;).

I have one account with a large bank. I have not had any problems, but I limit
my transactions with them to well documented transfers and have standing
orders to not allow any other type of transactions.

I have no expectation that a large bank will cover my liability better than
they cover theirs. I engage with them accordingly.

~~~
jacquesm
The best way to spread your risk with banks is to make sure you never have
more than your federally insured cap with any one bank. (that's a luxury
problem though). Over that and you're up the creek without a paddle if
anything should happen to that bank.

The funny thing here is that the people that the bank owes money over that
amount are ruthlessly culled, but the people that owe the bank are not.

I think that should cut both ways, in other words if a bank folds then both
the debts _and_ the deposits should be capped or none. But it seems to be
completely asymmetrical to keep the people that owe the bank on the hook while
capping those with whom the bank is in debt.

------
FluidDjango
I shudder to think how routine such activity by Chinese corporations may be.
Imagine sending a not-too-tech-savvy sales/marketing dude to China. In the
evening he gets 'friended' by a young lady offering a free thumb drive (or
herself). How much training are western corporations giving their
international staff about high-tech security?

~~~
jff
At my job, at least (research at a major government contractor) we all have to
undergo annual counterintelligence training. And that's for me, the intern who
never leaves the country.

Among other things in the training is the assertion that multiple employees
are currently being targeted for espionage and at least a few employees are
most likely working for foreign governments. They also warn about accepting
gifts and give examples of "spooky" things, like random strangers befriending
workers on foreign travel only to reveal that they know way too much about
that person.

Training is there in big corporations, maybe not in startups.

~~~
bediger
I took the Official Counterintelligence Training at a major aerospace
contractor in the late 80s. It was bunk. The Korean War vet who ran the class
gave us some cock-and-bull story about Bulgarians flying ultralights at the
state park not too far from the "Main Plant". But everything of merit about
our rockets got published in Aviation Week every two years or so. Even
material about possible payloads, which was so compartmentalized that we knew
next to nothing, maybe a bolt pattern, mass and location of center-of-mass
above the bolt pattern.

The "training" was all superstition and cargo cult management by slogan. When
you thought about it for a minute or two, nothing they said made any sense.

~~~
jff
The first time I took it, we had a video of an ex-KGB guy assuring us that
agencies like his previous employer are indeed targeting us. These days,
there's no concern about Bulgarians in ultralights, it's all about buying an
employee a new car so he'll load up a USB drive with interesting info.

I wish I could be targeted for something like that... I don't even have access
to secrets but "they" don't know that, and I could use some extra money.

------
nfnaaron
Re comments that this has been going on a long time, and that the West does it
too.

It probably has been happening a long time. Many may have assumed it. If
Western governments have been papering it over, it's good that it comes out so
that citizens and businesses can know how widespread the problem is, and how
likely or unlikely anyone will be affected directly. I suspect that if we knew
exactly what was happening, most would be surprised at the extent.

The West probably does do it too. I strongly suspect that there are a set of
"niceties" that Western governments observe (or sometimes not, but there is
that restraining tendency). I doubt that any similar niceties exist within the
Chinese government at all; the very concept is probably amusing to them.

When China starts selling cars in the US, how much espionage do you think will
be brought to bear on their US operations and employees? I'm guessing little
more than an entry in a catalog at the CIA.

How much espionage is potentially brought to bear on Western companies
operating within China? If I brought my business to China I would assume it
was targeted. If I brought my business to Canada I wouldn't give it a thought.

IANASpook (but then, I would say that)

------
miguelpais
Don't you just think these news about hacks from China are getting way too
frequent?

The attack on Google was said to be a way to get access to the accounts of
free rights activists, but they also attacked several other US companies. The
reason must be to steal the companies' know how.

Would you be surprised if a few years from now a Chinese Google was announced
and similar and maybe better products in other industries?

And I think these actions are all supported by the Chinese government, which
knows getting Chinese competitors in some key fields is the only way of
exponentially developing its economy.

~~~
Tangurena
According to Bruce Schneier, the Google attacks were using the CALEA intercept
points which are mandated by US law. There is no possible way that Google
could shut down those access points without violating US law.

> _In order to comply with government search warrants on user data, Google
> created a backdoor access system into Gmail accounts. This feature is what
> the Chinese hackers exploited to gain access._

<http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html>

~~~
felixc
You'll note that he provided no support for that claim; he just said it in an
authoritative tone.

~~~
iuguy
For some reason I'm strangely reminded of the episode of Big Bang Theory where
Sheldon talks on NPR whilst having helium pumped into his room. That would be
an authoritative Schneier.

------
motters
Are MI5 trying to suggest that they don't use the same tactics against other
countries? Industrial espionage has always been common, so this is nothing new
except perhaps for the particular technologies used.

~~~
iuguy
Yes, CPNI is technically part of MI5 but they're not full on spooks per se (and
MI5 don't do CPNI's job). They receive intelligence from other departments and
are responsible for certain elements of gov.uk security, although the primary
source for information assurance/security is CESG based at GCHQ (which is more
MI6 than 5).

CPNI also handle liaison with what's called the Critical National Infrastructure.
That is to say things that are not government owned but would cause problems
if affected (like power companies, transport firms etc.).

As an analogy CESG are probably closer to NIST and the standards part of the
NSA, whereas CPNI are closer to the FBI. Note that in the US model something
like that type of tactic would be a CIA or military operation, not NSA - MI5
and MI6 would be the same, offensive security if anywhere would have fallen in
the remit of the armed forces, at least until the recent cybersecurity
strategy came out which establishes the structure of the UK's offensive
function.

~~~
motters
Well, whatever the particular acronyms might be, I find it hard to believe that
British secret service agencies don't use near identical tactics to obtain
information from other countries or organisations.

------
beholden
To be perfectly honest, if all the people caught in Chinese honey traps
just went to their wives and the press saying "I committed adultery because
the Chinese attempted to get leverage over me, it was irresistible"

I think they'd get awarded the Victoria Cross for bravery or something. Ig
Nobel Prize for politics please?

CHINA! Feel free to send honey traps this way. I'm in local government.
Fantastic. They've obviously not looked at the divorce statistics lately.

------
Estragon
Anyone got a link to the leaked MI5 document itself? I don't really trust this
article to present its claims faithfully.

------
aditya
This whole thing is fishy.

Here's an article from 3 years ago, with a very similar "document":
<http://www.foxnews.com/story/0,2933,314718,00.html>

~~~
beholden
Excuse me.

Even though Darth Siddy may own the times, journalistic integrity is a point
of pride in Britain. Not everywhere but in the Times, BBC, Guardian etc it
certainly is.

He also owns Sky and that's our version of faux news. Sky is rubbish and
complains the BBC is 'too big' and a 'monopoly'.

Why? Because the BBC is made of uhm. 'Win'. No adverts and an insane amount of
programming for less than a couple of months of Sky (For Sky think Cable).
Fantastic.

~~~
aditya
I'm not sure I understand your point, however the link I posted was Fox News
syndicating the Times which as you say, does have journalistic integrity...

I'm sure this document is real, I'm just saying that the fact that the Chinese
government has been spying on large multi-national corporations across the
world is not "news" or even "hacker news".

~~~
jacquesm
If one government trying to hack another using gifted USB sticks and cameras
isn't hacker news then I really don't know what would be, but if you feel that
way there is always the 'flag' option.

------
nehemiahap
The report this journalist quotes appeared on WikiLeaks over the summer. I
wonder how legitimate his sources are. I'd like to see an official report from
MI5, but of course, as the writer puts it, it is a "restricted report", so I
guess we won't actually get a source on this.

------
vorg
"The growing threat from China has led Evans to complain that his agency is
being forced to divert manpower and resources away from the fight against Al-
Qaeda."

Good.

~~~
gcb
Think about the children!