Monday, March 01, 2010

In light of Chinese cyber attacks, flashback to 2003, when Microsoft started sharing source code with -- wait for it -- China's military

If you follow technology news even at a cursory level, you're likely aware of the massive information warfare campaign uncovered by Google recently. Attackers from Red China, whom many experts believe to be the People's Liberation Army (PLA), compromised as many as 100 companies, according to iSEC.

The attackers used a method called "spear-phishing." These are highly targeted and enticing emails ("Hey, Joe -- check out this salary spreadsheet I found!") that contain a link to an attack website. When the victims clicked on the links, their Internet Explorer 6 browsers were compromised using zero-day exploits ("zero-day" means the attacks were previously unknown). Once the browsers were attacked, the victims' machines were fully controlled by the PLA, providing network reconnaissance, key-logging, screen-shots and pretty much anything else the attackers wanted.

What were the attackers' goals? It would appear that lifting source code from companies like Google and Adobe would be job one. That would allow them to "look inside" the secret sauce and craft new zero-day exploits, which would permit them to burrow deeper into corporate and defense-related networks.

Flashback to 2003

In light of this attack, I recalled the following CNet article from 2003: China looks into Windows code.

The Chinese government has set up a lab to study Microsoft Windows source code... The Source Code Browsing Lab--set up in Beijing last week--is part of an existing government-run software site, the China Testing and Certification Center for Information Security Products, according to a report in the People's Daily newspaper.

Microsoft is the first commercial software company to have signed an agreement for the browsing of its operating system source code with the Chinese government, said the report, which hinted that the lab is also open to other commercial software companies that wish to have their products certified for security.

The report stressed the need for checking Windows source code for security loopholes, especially in light of recent attacks. PCs running Windows software were recently the target of high-profile attacks by the Slammer and MSBlast viruses.

However, previous reports have said that the search for backdoors installed by national intelligence agencies is also among the aims of the agreement.

China--potentially a huge market for Microsoft, once the problem of software piracy is solved--has seen wholehearted government support for open-source operating systems such as Linux. In response, Microsoft has drawn up policies to develop closer ties with officials and to open up its Windows source code for inspection...

That's right: Microsoft gave (and perhaps still gives) the PLA access to its critical source code. This wouldn't be so bad if everyone had the same rights -- but they don't.

It would seem that China has a leg up when it comes to crafting attacks for Microsoft products. One wonders whether the IE6 hack came from knowledge gleaned by this "sharing program". In addition, we could speculate that China has numerous other zero-day exploits stockpiled, just like an arsenal, waiting for the day when further attacks are necessary.

And that's reason #747 why open source software is generally considered more secure than closed source: there's a level playing field when it comes to security.

Related Reading

• For anyone still using Internet Explorer: Download Firefox for fast, free and more secure web browsing
• For IT professionals: 'Can we trust any technology that comes from China?'
• For IT security professionals: iSEC's Aurora Response Recommendations (PDF)
• Background information: Pwnt: The Terrifying State of Cyberwarfare Today
• Background information: Anatomy of a Cyber-Espionage Attack, likely by the Chinese Military
