China: Online predator or hapless host?

Reg man asks if all the China-bashing is justified

In order to flourish, this kind of “Crime-as-a-Service” also requires so-called bulletproof hosting firms where hackers can run C&C servers and register malicious domains safe from the prying eyes of law enforcement. “These places provide a safe haven. Two or three different actors in China come to mind, accepting domain registrations which ultimately lead to attack campaigns – it’s a black hole,” said Manky.

“Interestingly China has done something. It had a problem with fraudulent registrations so the government acted to [tighten registration], but … there are still loopholes in the system – not just China but everywhere.”

The latest CNCERT stats reveal 140 malicious domains, just over a third located in mainland China, which could have been hosted in this way by attackers outside of the country.

FireEye EMEA product manager Jason Steer told El Reg that China was number three in the firm’s recent report for hosting C&C systems, below the US and South Korea, but agreed with Manky that this in no way signifies that actors inside the country are attacking global targets in huge numbers.

“Actually, I'd argue something different: attacks coming from within your country indicate that C&C servers are set up in-country to dupe defenders. Attackers are less easy to spot and find with traffic staying in country first and then being moved on,” he said.

“Given the size of China and the size of its PC population, it's an obvious place to attack from – with high speed internet and the same insecure computers running Windows there as they do across the world. As it rolls out high speed internet, clearly it’s a good place to locate systems without questions being asked.”

Home-grown problems

For the record, China's internet population at the end of 2012 stood at 564 million, around 50m more than a year previously. That's still only 42 per cent penetration, but it is a lot of users to target, meaning China is likely to remain an attractive location for global crime gangs to launch attacks from for some time to come. The vulnerabilities in the nation's address space are also being exploited by home-grown attackers, of course, as a report on China’s Online Underground Economy released last August shows. It claimed that nearly a quarter of the country’s internet users and 1.1m web sites were affected in 2011, at a cost of over 5bn yuan (£526m).

Trend Micro VP of cyber security Tom Kellermann told The Reg that there are over 90,000 members of the Chinese shadow economy.

“Over the past two years there has been an explosive growth in criminal hacking within China targeting Chinese corporations,” he added. “The great firewall of China has numerous vulnerabilities and as the nation becomes global economic hegemon the king of the mountain is beginning to experience the dark side of globalisation.”

China’s challenge is to promote greater levels of information security awareness among its vast populace, especially as more and more users come online for the first time, and tighten up the loopholes which have allowed bulletproof hosters to flourish. Such steps will make it less attractive for criminals – reducing the number of attacks launched by operators outside the country using compromised Chinese IP addresses, as well as cutting its domestic cyber crime problems.

It’s difficult to feel much sympathy with Beijing given the apparent volume and persistence of state-sanctioned attacks originating from within the Great Firewall. But it’s also worth remembering that activity of this kind is certainly being carried out to a lesser or greater extent by all major global powers.

In a notable report from last September, Trend Micro’s Kellermann even concluded that “hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts”. China’s problem is that it’s currently the noisiest out there. Perhaps if it wants the damaging headlines to go away it needs to get its own house in order and get caught less frequently. ®
