Hacks on Google and over 20 other US companies linked to the Chinese Government

[MGMorden]

Not sure if you guys have been following the news, but after some recent hacks into their servers Google is threatening to pull business out of China all together.  It has already been suspected, but now there has been evidence to prove that the hacks against Google's servers (as well as numerous other US tech companies) did indeed originate from the Chinese government.

http://tech.slashdot.org/story/10/01/14/1637251/Google-Attackers-Identified-as-Chinese-Government?art_pos=1
http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

This has been happening for a while now, but Google has really pushed it into the headlines.  As one of if not the largest US tech company in regards to Internet prescense, them totally pulling the plug on Chinese operations all together is not a small move.

All of this is ending up looking like "cyber warfare" will be a major (if not THE most important part) of future conflicts. 

[teamnelson]

Hacks against US entities (public and private) originating from China number in the tens of thousands per day. They have no regulation or restriction on their internet systems, and offer it free to all citizens ... they encourage private citizens to engage in hacking, piracy ... all forms of CyberWar. The hacks aren't the only issue; they collect alot of information, which has helped them artificially regulate the value of their own currency, and place them #1 in exports, and soon to be #1 economy on the planet ... booting us to #3. Talk about terror ... what is failed consumer confidence other than fear (terror) about the economy? An artfully executed hack could create more terror in this country than 911.

That's why the US has strategically made Cyber the equivalent of land, sea, air & space, and stood up CyberComm.

[MGMorden]

They have no regulation or restriction on their internet systems, and offer it free to all citizens ... they encourage private citizens to engage in hacking, piracy ... all forms of CyberWar.

Au contraire.  The Chinese CITIZENRY is one of the most heavily locked down groups on the planet when it comes to the internet.  They have strict censorship laws regarding what they can and can't access, all access to the Internet is through a heavily filtered firewall (amusingly known as the "Great Firewall of China" ) and they're always trying to actively limit how much time the citizens spend on the Internet, which is certainly not free (most Chinese don't have computers at home - they most commonly access the Internet via "Internet Cafe's", for which one pays by the hour, but there are always attempts to limit how much time one can spend inside an Internet Cafe).  Trust me, to the Chinese government, the Internet in the hands of the citizens is a dangerous thing.  It lets them communicate, talk, and share ideas just a little too freely for their tastes.  That's why in an effort to spite the Chinese Google has removed all of their filtering from their Chinese sites - allowing the Chinese populace to freely search on the search engine.

These types of attacks are coming from the actual Chinese government itself.  It's a state sponsored and controlled activity.  It's looking pretty "ballsy" of them at this point, and I can't help but think that this sort of a thing will be coming to a head soon.  

The problem is - what to do?  They're essentially calling our bluff.  We don't want to engage them militarily because regardless of who wins, the casualties will be enormous.  The political fallout for taking such actions in response to a non-violet cyber attack would also be harsh for our politicians.  Why should we mobilize soldiers when no one was hurt in their "attack"?  Economic sanctions?  Yeah right.  The people would be storming the walls of the capital if the cheap import in Wal-mart got cut off.  

Literally we're catching them red handed and they're basically laughing in our face saying "What are you gonna do about it?", and to be honest I don't have a good answer.  The best I can think of at the moment is to harden our servers, beef up the security of the systems, etc, but it's darned hard to make a system 100% secure.  As a UNIX Admin instructure once told me in college: if you want to make a computer truly secure, weld it in a steel vault, take it out to the middle of the ocean, and dump it there.  Nobody will hack it.  If you think that anything connected to the Internet will ever be 100% secure though then you're just dreaming.".  Best we can hope to do is make it harder to do.

[SHOOTALL]

 I would be inclined believe the door swings both ways . It would appear the tools of the new cold war are in action .

[Black Eagle]

Our kids live in China and there is, indeed, censorship on the internet.  Many people have figured out ways to get around it. I don't know about the free internet however. Our son teaches at a University and he gets free internet even in his home.  He also tells us that the censorship isn't bad for the people at the University and they seem to get access to anything they want.

The DoD has known for years that even the most secure computer systems in the Pentagon have been hacked by the Russians and the Chinese.  I am told that it is a major worry and every time they invent a new security system to protect it, the Russians and Chinese have already found a way around it. What I don't know is whether we have done the same to their systems. I guess the rule is, there are no secrets anymore.

[teamnelson]

I work for CyberComm in the Pacific ... censorship in China is focused on activity subversive to China. Official Chinese government policy however is to promote and support any activity against anyone else. They have fielded programs that placed computers and network access freely in the hands of some of their citizens to cultivate the expertise required to accelerate our security development beyond our ability to keep up. They've got more internet users than we have Americans.

I guess the rule is, there are no secrets anymore.

I used to teach cryptoanalysis; technology has made encryption a more dynamic and accelerated form of the space race or the atom race. However, the preferred method of defeating protected systems remains exploiting the human factor. You don't have to spend millions to build a stronger system if you steal the right laptop.

What I don't know is whether we have done the same to their systems.

If we already engage in defensive and offensive warfare on land, sea, air & space, and now Cyber gets its own command under DOD ... you have your answer.

[MGMorden]

He also tells us that the censorship isn't bad for the people at the University and they seem to get access to anything they want.

Foreigners aren't subjected to as tight of censorship as the native population.  They have figured that you already have your own ideas and know a lot more anyways, so unless you try to preach about Tiananmen Square to the locals they don't bother you much.

The DoD has known for years that even the most secure computer systems in the Pentagon have been hacked by the Russians and the Chinese.  I am told that it is a major worry and every time they invent a new security system to protect it, the Russians and Chinese have already found a way around it. What I don't know is whether we have done the same to their systems. I guess the rule is, there are no secrets anymore.

Sometimes it's finding ways around it - other times it's backdoors (intentional security holes) left in the product.  A TON of our products - including computer equipment running embedded firmware, comes from China.  A lot of it runs closed source software that cannot be code audited since the code is already compiled. 

Personally, IMHO for government systems - most ESPECIALLY military, we should be running computer hardware ideally manufactured stateside, but at a bare minimum it should be running software/firmware that we have code audited and compiled over here. 

I used to teach cryptoanalysis; technology has made encryption a more dynamic and accelerated form of the space race or the atom race. However, the preferred method of defeating protected systems remains exploiting the human factor. You don't have to spend millions to build a stronger system if you steal the right laptop.

Indeed, social engineering is common, but plain security holes in the applications are responsible for a ton of it.  Too many background programs and server daemons will allow unauthorized access with nothing more than a buffer overflow attack.  The widespread use of PHP code and the like by too many websites has also led to bad programming practices.  At least half the time if you find a database driven site it can be hacked with a simple SQL Injection attack.  If you average 15 year old computer enthusiast can do it you can bet the Chinese government can. 

As to encryption itself, the more modern forms of cryptography in general are pretty darned secure.  Most of the latest standards are nigh on unbreakable.  The problem is all of them have a decryption key (either password based or certificate based), and if that key is compromised the strongest encryption in the world means nothing (because after all, it's SUPPOSED to decrypt when presented with the right key).  Another big problem is simply that a lot of places simply don't use encryption where they should.  I've witnessed within our own organization (before I managed to get it stopped) - HR mailing an entire database of employees with full contact information and SSN#'s to an insurance company over plain email.  Encryption wasn't even used.  When worked with a company 2 years ago I insisted that when transmitting our tax data back and forth that we use encrypted containers.  I swear it took me 20 minutes to convince them that I wasn't going to compromise on that.  They acted as if it was just an unnecessary hassle and I was being paranoid.

Overall, the US companies, government, and technical infrastructure just has to step up and take computer security seriously.