15 June 2015

Chinese Hackers Can Now Circumvent VPN and TOR Privacy Tools

Nicole Perlroth
June 12, 2015 

SAN FRANCISCO — Chinese hackers have found a way around widely used privacy technology to target the creators and readers of web content that state censors have deemed hostile, according to new research. 

The hackers were able to circumvent two of the most trusted privacy tools on the Internet: virtual private networks, or VPNs, and Tor, the anonymity software that masks a computer’s true whereabouts by routing its Internet connection through various points around the globe, according to findings by Jaime Blasco, a security researcher at AlienVault, a Silicon Valley security company. 

Both tools are used by Chinese businesses and by millions of citizens to bypass China’s censorship technology, often called the Great Firewall, and to make their web activities unreadable to state snoopers. 

The attackers compromised websites frequented by Chinese journalists as well as China’s Muslim Uighur ethnic minority, Mr. Blasco discovered last week. As long as visitors to those websites were also logged into one of 15 Chinese Internet portals — including those run by Baidu, Alibaba and RenRen — the hackers were able to steal names, addresses, sex, birth dates, email addresses, phone numbers and even the so-called Internet cookies that track other websites viewed by a user.

To get around the Tor and VPN technology, the attackers relied on a server software vulnerability that China’s top companies apparently didn’t patch, Mr. Blasco said. 

While Mr. Blasco and others have not been able to pinpoint the identity of the hackers, the list of targets and the sophistication of the attacks suggest they may have been directed by the Chinese government. 

“Who else could be potentially interested in this information and go to such lengths? Who else would want to know who was visiting Uighur websites and reporters’ websites inside China?” Mr. Blasco said in an interview. “There’s no financial gain from targeting these sites.”

Since taking power in late 2012, President Xi Jinping has shown a personal interest in how the Internet is managed, by creating and leading a committee responsible for Internet governance.

He has also given broad powers to the newly formed Cyberspace Administration of China, which has in turn targeted Internet celebrities who influence online opinion, increased blocks on foreign websites and sought to project China’s influence over the Internet internationally. 

In the last few months, the Chinese government has blocked sales and disabled the protocols of VPNs. It also hijacked Internet traffic flowing to Baidu, China’s biggest Internet company, using it to overwhelm and knock down websites like GitHub that carry content China’s censors deem hostile, including content from The New York Times.

Activists and security experts advised Chinese Internet users to protect themselves from state-sponsored surveillance by using Tor and VPNs, and foreigners inside China have long done so. But Mr. Blasco’s discovery suggests that Beijing’s Internet censors have found a way to render those tools useless. “There’s a growing sense within China that widely used VPN services that were once considered untouchable are now being touched,” said Nathan Freitas, a fellow at the Berkman Center for Internet and Society at Harvard and technical adviser to the Tibet Action Institute.

The Cyberspace Administration of China did not return requests for comment. 

Mr. Blasco said the Uighur and press-related sites had been compromised with a “watering hole attack” in which attackers find a way to hide malicious code in websites frequented by their targets and then wait for their victims to come to them. Once people visit those sites, that code gets injected into their web browsers. 

The technique has been used by governments and hackers for surveillance and to steal passwords. 

What made the attacks particularly serious, Mr. Blasco said, was that as long as the victims were logged into China’s 15 top web services — including major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the attackers could identify them and siphon off their personal digital information, even when those victims were connected through Tor or a VPN.

They did this with the aid of a particularly serious vulnerability that 15 web services in China apparently never patched. 

The vulnerability, known as JSONP, is not new. It was publicized in a Chinese security and web forum around 2013, about the same time that forensic evidence suggests that attackers used it to target Muslim Uighur websites and nongovernmental organizations’ sites, Mr. Blasco said. 

By not patching this hole, Mr. Blasco said, major web portals like Baidu and Taobao, a subsidiary of Alibaba, effectively neutered the only privacy protections available to web users inside China. 
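JSONP itself is a data-loading convention, not a bug: a site returns JSON wrapped in a caller-named function so that a `<script>` tag can load it. The weakness the article describes arises when a portal serves a logged-in user's profile that way, because the browser attaches the portal's session cookie to a script load requested by any page the user visits, including a compromised one, and that page then receives the profile regardless of whether the connection went through Tor or a VPN. The following Node.js example is added here and is not code from the article or from any of the portals it names; the endpoint shape, cookie value, origin and profile record are all constructed. It shows a vulnerable "who am I" handler next to a hardened one that serves the same data only to same-origin XMLHttpRequest calls as plain JSON.

```javascript
// Added example (not code from the article or from any portal it names):
// a "who am I" endpoint that returns the logged-in user's profile.
// The vulnerable version wraps that profile in a caller-chosen JSONP
// callback, so any page the browser loads while the session cookie is
// present receives the data; the hardened version serves the same profile
// only to same-origin XHR requests, as plain JSON.
// All names, cookie values and the profile record below are constructed.

const VALID_SESSION = "s3ss10n-constructed";                 // constructed session id
const ALLOWED_ORIGINS = new Set(["https://portal.example"]); // hypothetical portal origin
const SAMPLE_PROFILE = {                                     // constructed sample record
  name: "Li Wei (constructed)",
  email: "liwei@example.invalid",
  phone: "+86-000-0000-0000",
};

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Restricts the callback to identifier characters. This stops script
// injection into the response body but does NOT close the cross-site leak.
const CALLBACK_RE = /^[A-Za-z_$][\w$.]*$/;

// Vulnerable endpoint. req = { headers: { ...lowercase names }, query: { ... } }.
function vulnerableProfileHandler(req) {
  const cookies = parseCookies(req.headers.cookie || "");
  if (cookies.session !== VALID_SESSION) return { status: 401, headers: {}, body: "" };

  const json = JSON.stringify(SAMPLE_PROFILE);
  const cb = req.query.callback;
  if (cb !== undefined && CALLBACK_RE.test(cb)) {
    // Served as executable script: a <script src=...> on any origin runs it
    // with the victim's cookie attached, so the profile leaks cross-site.
    return { status: 200, headers: { "content-type": "application/javascript" }, body: `${cb}(${json})` };
  }
  return { status: 200, headers: { "content-type": "application/json" }, body: json };
}

// Hardened endpoint: same data and session check, but never served as script.
function hardenedProfileHandler(req) {
  const cookies = parseCookies(req.headers.cookie || "");
  if (cookies.session !== VALID_SESSION) return { status: 401, headers: {}, body: "" };

  // 1. Authenticated data is never wrapped in a callback.
  if (req.query.callback !== undefined) {
    return { status: 400, headers: {}, body: "JSONP is not supported on authenticated endpoints" };
  }
  // 2. Require a custom request header. A <script> tag cannot set one, and a
  //    cross-origin XHR may only add it after a CORS preflight this server
  //    never approves (it sends no Access-Control-Allow-Origin).
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers: {}, body: "" };
  }
  // 3. If the browser did send an Origin header, it must be our own.
  const origin = req.headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: "" };
  }
  // 4. Plain JSON, not sniffable as script, not cached by intermediaries.
  return {
    status: 200,
    headers: {
      "content-type": "application/json",
      "x-content-type-options": "nosniff",
      "cache-control": "no-store",
    },
    body: JSON.stringify(SAMPLE_PROFILE),
  };
}

// Request the browser would issue when a third-party page loads
// <script src="https://portal.example/profile?callback=cb"> while the
// user's portal session cookie is present (constructed fixture).
function crossSiteScriptLoad() {
  return { headers: { cookie: `session=${VALID_SESSION}` }, query: { callback: "cb" } };
}

// Request the portal's own front end would issue (constructed fixture).
function sameOriginXhr() {
  return {
    headers: {
      cookie: `session=${VALID_SESSION}`,
      origin: "https://portal.example",
      "x-requested-with": "XMLHttpRequest",
    },
    query: {},
  };
}

module.exports = { vulnerableProfileHandler, hardenedProfileHandler, crossSiteScriptLoad, sameOriginXhr, SAMPLE_PROFILE, VALID_SESSION };
```

Run it with `node` and feed both fixtures to both handlers: the vulnerable handler answers the cross-site script load with `cb({...profile...})`, while the hardened one rejects it with 400 and still serves the same-origin XHR. The custom-header check is the control that actually closes the gap, because script loads cannot carry it; the Origin allow-list is defence in depth, since browsers do not send Origin on plain script loads. A session cookie marked `SameSite=Lax` or `Strict` would also keep the cookie off cross-site script loads, but that attribute did not exist at the time of the events the article describes, which is why the endpoint-side fix matters.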

“The equivalent would be if law enforcement was able to exploit a serious vulnerability in Facebook to deanonymize users of Tor and VPNs in the United States,” Mr. Blasco said. “You would assume Facebook would fix that pretty fast.” 

It is not clear, given the severity of the vulnerability and its discovery some two years ago, why so many of China’s top web portals did not fix it. 

A Baidu spokesman said the company did try to deal with the problem. 

“To the best of our knowledge, our earlier efforts were successful in preventing any serious leak of personal use data. But in light of this further information, we have decided to implement a more aggressive and thorough fix across Baidu for the JSONP vulnerability,” the spokesman said. 

A spokesman for Alibaba also said the company was now moving to deal with the problem. “Alibaba Group takes data security seriously and we do everything possible to protect our users,” said Robert Christie, vice president of international media at Alibaba. 

“Many companies in our space have faced this issue, and once we discovered this issue, we moved swiftly to address it. We have found no evidence that any user information has been compromised,” he said. 

Researchers say the complexity of the attack and the lack of digital fingerprints indicate that someone with significant influence had to have been directing it. Otherwise, “there must be a cybercriminal out there with pretty significant access to China’s Internet infrastructure,” said Mr. Freitas. 
