While I have been blogging/writing in China for a good few years longer than most of even the longest China blogs out there (I started in 95, beat that haha!), I haven’t really thrown it all into one spot.

Plus mostly it all went into forum postings on long lost sites that I should revive at some point (D.D’s Club and Shanghaiguide I’m looking at you), so there is a vague chance I may get to revive some of it from the depths of bit rot hell, and post select bits in one place.

Too be honest, this is probably going to turn into a rant or pure SEO spammy keyword promo post to get more hits for the blog anyway but…

Apparently I should also mention Puppies, Kittens, that cool dude I totally hung out with last night and partied till dawn with, and the 15 chicks we hooked up with that night, plus god isn’t China a total pit, I mean they don’t even speak English here, what the F!*

*This is an in-joke that no-one else will get but the Jojo, and readers of That’s not Kitto.

Back to being eclectic, shall we, and less of the “in” jokes.

The honest truth is that I’m eclectic enough apparently, although that might also be a slightly schizophrenic way of looking at my diverse random project ideas.

Over the last few months, we’ve done the following interesting projects, some for love, some for money, and some for the hell of it.

Figure out which is which, and see which of them you like.

No.1 on our list is: LiURL.cn

Lets face it, once a geek, always a geek.
I discovered twitter, and for a few days was happy playing in a new medium.
I did note that twitter had a limited character span (140 chars) for messages, and it truncated URL’s to save space.
Taking a quick look around I saw plenty of clones oversea’s, but nothing local, so I grabbed my trusty keyboard, and a few hours later and a quick search of what was left in .cn domain space I invented LiURL.cn, the first Chinese TinyURL clone.

Its even got its own blog, and twitter feed.

Use is slowly growing, and we’re starting to see an increase in use and awareness of LiURL.cn in China and oversea’s.

SmartShanghai.com has also started using it for their venue twitter links (5000+ urls).

No. 2 is – iWantOne.cn

iWantOne started out as an outlet for our badges.

The badges themselves started out from a post on LPCoverLover via a sighting on BoingBoing.

A quick trip to taobao, and we had a badge machine, and lots of idea’s.

These quickly culminated in my staff going nuts over snoopy badges, and my prompting them for cool stuff for foriegners (we’re suckers for cultural revolution related artwork).

We quickly got bored doing that, and moved onto cool phrases.

Coffee at Moganshan lu led to a brainstorming session about cool ways to promote Shanghainese (an under promoted language imho), and a whole set of cool phrases.

Some publicity shots, and some talk about it over here at 56minus1.com.
(Note that I am also occasionally a contributor to the 56minus1 blog, although I completely avoid talking about stuff we do ourselves).

No 3. Fridge Magnets – is a rather cool unique idea, and something that led on from the badges.

One of our clients asked me why we didn’t put an English translation on the badges as well. Which, to be honest, I’d thought about, but as I’m a pretentious I can speak Chinese better than you so nya nya kind of foreigner, didn’t want to do. Plus it also meant remaking a bunch of badges, and I’m lazy.
*Pick one of the above for the correct answer.

It did lead me to think, well hey, why don’t I make some magnet word sets like you used to see a few years back when Magnet Poetry was all the craze.

An idea was born…

A few days later, we had our first rough draft of the first magnet set we wanted to make “Talking to your Ayi”, and a few agonizing days later teaching my art team how to use illustrator correctly so I didn’t have to spend over 12 hours redoing their alleged “good” version *again*, we had something we could play around with. This also involved some running with scissors, and lots of small pieces of sharp paper, to put the danger, and comic tragedy of it all into perspective.

A quick round or two with friends, roman’s and countrymen, and we had most of the mistakes corrected also.
Interesting factoid – I could point out more mistakes than the native speakers could.

Even more weeks passed and we had a sample set. Even more weeks x2 later, lots of shouting, changes, and scowling (followed by light rain), we actually had a box design that I liked, and all was good.

This was closely followed by lots of my own money changing hands with dodgy factories in outer godknowswhere, a minor whoops at the factory meaning a reprint, and finally a rather large kuaidi delivery to our office later, I actually had a product in my hands, yay!

We’re currently pimping the sets out to anyone that stands still long enough – Smart Shanghai is the first to publish something about us, and expect to have some more publicity and some sales soon.
Plus, its been rather fun making something that people can buy (or I can throw at the kuaidi guy), instead of our usual intangible products – websites, websites, and more websites.

Our Fridge Lingo Magnet sets are available now at select venues around town, or via the iWantOne.cn website.

Direct link to the Magnet sets here.
They are honestly quite cool, and I’m extremely happy to be a father to my first live baby project.

Anyway, I’ve rambled on enough, and to be honest, I’m a lot more eclectic on Twitter.

This is Lawrence signing out, and I hope you enjoyed the ride.

The news this week is full of alleged government interference with a certain exiled government leaders computers.

While there is sufficient evidence of  targeting by state sponsored actors, I don’t necessarily agree with  everything they wrote in the report, or all their findings.  While there is merit to discussion about that, its probably safer to avoid the topic, and examine how the attacks worked, and what we can do to avoid or mitigate events like that.

The actual report can be read here in PDF format – http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html

As the attack was through multiple vectors I thought it would be interesting to do a little actual research, on current techniques.

The report showed that there were a myriad of ways the attackers obtained access.

The first (and most likely to actually have been used) was via simple password cracking.
The targeted mail servers were hosted in the USA, and passwords were obtained using either sniffing or dictionary attack methods.

Once access was obtained,  emails were monitored simply by logging into the mail server and downloading mails.

What can be done to mitigate against that?

The first option, is to use decent passwords for your email, and use encrypted communication between points.
It also helps to actually read the logs on the servers and check for failed logins.

On our email servers here, I get a daily report on failed logins, and can quickly tell if someone is attempting to break in.
We also block further login attempts for a short period of time after a certain number of failures.

This stops dictionary attacks, but won’t stop a concerted attacker, who can spread attacks over a longer period of time.

In the above case, it would have been fairly easy for officialdom to tell the local ISP up in the Autonomous province to put a filter in the network to search for connections to the target mail server, and log communications.  As communications were going over the network in the clear (encryption wasn’t in use), the user names and passwords were available to anyone sitting in the right place in the network.  That that wasn’t done, and different vectors of attack were used is more telling.

Encryption would solve that kind of monitoring though.

There are 2 types of encryption that can be used.  Network encryption, or service encryption.
Mail is usually encrypted using TLS or SSL, we support both styles in our email systems.

If you’ve setup mail on a Mac using Leopard, you’ll find that Leopard will automatically detect and set this up for you on our systems.

Encrypted mail would still be visible on the network as headed to the target server though, and given enough time and money, could be decrypted.

One thing to note though is that service encryption only works if the service is encrypted (obviously!).  If you offer multiple ways to access a service, then you are only as secure as the weakest link.

In our setup we offer webmail over unsecured http access.  This means that user name and passwords go over plain text over the internet to our server.    We also offer unencrypted access to POP / SMTP ports, which again travel in plain text over the internet.

I will be taking a look at using SSL encryption for webmail in the near future, although there are a number of issues with that also, mainly to do with the way a handful of companies have sown up the SSL key market (thats a whole other story), making it cost prohibitive.

A better way to communicate would be to use network encryption – or as its more commonly known – VPN.

If a VPN was used, all communication from point A -> B would be encrypted.  This is still not infallible though, a VPN wouldn’t be much use if they used a point to point VPN to a known target, as more advanced techniques could be used to gain access to the VPN (man the middle, replay attacks etc).    VPN’s are more often used in China to allow access to sites otherwise blocked.

All this talk of encryption though is moot when people have access to one of the computers in the equation.

I’ll digress for a moment, and take a quick look at the case of banks.

With internet banking, you have a situation where you have an untrusted computer attempting to access a secure system.
Encryption stops people in the middle from snooping, but it doesn’t prevent someone who has already hacked into a computer from access.  So, how do banks solve this issue?

The solution to unauthorized access lies in the use of multiple access tokens.   The smarter banks are using keyfob random number generators which are used in conjunction with a transaction to verify that its true.  Having multiple contributory authentication mechanisms (google two factor authentication) solves the issue of password theft, as transactions or logins also need to be verified by the random number generator.  Its a shame more banks don’t use this.

Its interesting to see that Chinese banks (although big fans of ActiveX technology) are ahead of the curve here regarding this, compared to their Western equivalents.

Chinese banks will also send you SMS’s on transaction completion, and payments, so you get an immediate notification if something is amiss.

More talk about that here for the interested

If we head back to our original topic again, you’ll see I mention attack via access to one of the computers.

How do people get access to computers these days?

Spyware / Malware

The prevalence of insecure computers and a lack of security has led to people taking advantage of this fact.  While most infected computers are running Windows, there are a surprising number of servers that are compromised, assisting with the infections.

If we look toward the report regarding the attacks, there is mention of compromised computers being used from Hong Kong, California, and China. (Not so) Strangely enough, this ties in nicely with a large service provider.
http://blog.fireeye.com/research/2009/02/bad-actors-part-4—hostfresh.html

China unfortunately has a huge number of compromised servers and desktops used by spammers.  Last time I did some calculations I guesstimated something like 10-20% of all international network traffic in China was spyware related.

For some hard figures on infected servers see here – http://www.scribd.com/doc/5244100/Atrivo-white-paper-082808ac

(figures are on Pages 17 and 18)

Infected computers (not servers) in China number in the millions.

If we take a look at the hostfresh report above on the rather good FireEye blog, you’ll see mention of a number of different attack mechanisms.

PDF vulnerabilities.
Social Engineering (Mac’s are starting to see Malware via people installing Trojans masquerading as legit software)
The standard IE vulnerabilities (sad state of affairs really…)
Javascript exploits.

Worryingly, Mac’s are starting to be targetted for spyware.   Network monitoring appears to be the easiest method of detection at this point.  See Little Snitch et al.

Control of multiple computers requires a botnet server.   While there was talk about a server in Sichuan which was retrieving documents this in the article and the PDF, there was no real talk of Botnet’s, when clearly >1200 computers under control implies use of a botnet.

While it would be interesting to explain more about those points in detail, I’ll skip over that for now (if there is interest, let me know and I’ll probably write something about it).

This is where I disagree with the report however – they say that use of Chinese computers proves government involvement.  This is not necessarily the case.   There was a similar report last year about China’s alleged hacking of UK companies, and yet another one claiming attempts at Australian computers.  And yet another one about the World Bank here.

It is a whole lot more likely, that hacked Chinese computers were used by Malware / Botnet’s to infect other computers.

Therein lies the crux of the matter, or as we say Correlation does not imply causation

Location does not imply involvement.   What it does imply, sadly, is a systemic lack of system monitoring and security updates at most Chinese hosting providers, which effectively means most attacks will come from Chinese computers.

That said, there is overwhelming evidence of targeted attacks from interested parties in the report.

We’ve seen a resurgence of attacks again our own servers recently against common applications.  While we can monitor things relatively closely due to our relatively small server base (< 6 machines on 2 continents), its an ongoing threat that isn’t getting any easier to protect against.
Most of the attacks we see against us are web based scanning of vulnerabilities, or SSH dictionary attacks.   We are seeing a substantial increase in SQL injection attacks though in the last month.

Most of the attacks appear to be from compromised machines in China.   While we try to contact the compromised servers admins, we’re not always successful.  I usually have to end up using iptables to blacklist their servers from continually trying to scan ours.

An example of this would kind of attack would something like be scan attempts from this ip address 202.108.212.39 (owned by the Institute of Theoretical Physics), which is uh-oh – a government agency.    We have been seeing a low level of sustained scans from that ip address on one of our servers for at least a year.  Sadly though, the attacker doesn’t appear know the difference between Windows and Unix, and continually scans for ASP / IIS related holes.
While I’ve tried to contact the owners of the ip space, their email bounces.

In another fairly recent case an attacking computer was in the same data center as ours, and was causing a denial of service attack to one of our servers with a flood of ARP requests to anything on the same subnet.  We were seeing  up to 10M/sec ARP traffic, which was saturating our bandwith link for that machine.  I was sorely tempted to unplug it to stop it from DDOS’ing ours as I had physical access to it.  In the end our upstream provider agreed with me, and unplugged it before I got frustrated enough to do that!

Other random thoughts -

I’m also thinking about an article regarding chinese name registrations.  As a good number of spam / malware sites use Chinese domain names, due to ease of registration  (US based registrars are invalidating domains with incorrect registration details) it would be interesting to see if there is any correlation between spammers and registrars, and see if there is a preferred registrar.

Eg registrars for 2 recent malware domains mentioned at FireEye (one appears to be russian registered, the other american)

whois givemelog.cn
Domain Name: givemelog.cn
Sponsoring Registrar: 厦门华融盛世网络有限公司
Registration Date: 2009-01-15 03:08
Expiration Date: 2010-01-15 03:08

whois bulletproofmonk.cn
Domain Name: bulletproofmonk.cn
Sponsoring Registrar: 广东时代互联科技有限公司
Registration Date: 2009-02-16 17:59
Expiration Date: 2010-02-16 17:59
Some additional domains here – http://www.bluetack.co.uk/forums/index.php?s=3d12699cd5acbc5eabf0b7bd40c585e3&showtopic=18064&pid=91545&st=240&#entry91545

Would be interesting for someone over at 广东时代互联科技有限公司 ( now.cn ) to do a search for RoderickKiewiet@gmail.com, and see just how many domains they’ve bought, considering the majority are being used for spam / malware purposes.  Sufficient evidence for someone at Google to cancel that email account anyway..

Another registrar to look at is BizCN.com, they have a substantial amount of malware site registrations.

Things to think about -

Why are so many of China’s computers vulnerable?
Should the be government involvement in cleaning it up?
What can we do to prevent malware?
Should companies be responsible for their inaction when it causes issue for others?

I welcome comments.

Further reading:

http://realsecurity.wordpress.com/2008/11/26/finding-the-unknown-on-your-network/

http://www.contentverification.com/man-in-the-middle/index.html

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=24&rss=Y#sID202

http://www.itpro.co.uk/610182/should-the-bbc-botnet-have-hijacked-22-000-computers

http://garwarner.blogspot.com/