We had two Soylents send us news of a new tactic in state-sponsored attempts at silencing undesired content on the internet:
China Is Said to Use Powerful New Weapon to Censor Internet.
Late last month, China began flooding American websites with a barrage of Internet traffic in an apparent effort to take out services that allow China’s Internet users to view websites otherwise blocked in the country.
Initial security reports suggested that China had crippled the services by exploiting its own Internet filter — known as the Great Firewall — to redirect overwhelming amounts of traffic to its targets. Now, researchers at the University of California, Berkeley, and the University of Toronto say China did not use the Great Firewall after all, but rather a powerful new weapon that they are calling the Great Cannon.
The Great Cannon, the researchers said in a report published Friday ( https://citizenlab.org/2015/04/chinas-great-cannon/ ), allows China to intercept foreign web traffic as it flows to Chinese websites, inject malicious code and re-purpose the traffic as Beijing sees fit.
The system was used, they said, to intercept web and advertising traffic intended for Baidu — China’s biggest search engine company — and fire it at GitHub, a popular site for programmers, and GreatFire.org, a nonprofit that runs mirror images of sites that are blocked inside China. The attacks against the services continued on Thursday, the researchers said, even though both sites appeared to be operating normally.
[Continued after the break.]
China's "Great Cannon" used to silence government critics
Citizen Lab, a Canadian human rights organization, published a report on what it calls the Great Cannon - a DDOS system that they say is deployed by the Chinese government. This system was allegedly used for the recent attack against GitHub.
We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.
The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system,4 affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.
Related Stories
It appears that whatever entity controls the "Great Firewall of China" is using malicious ECMAScript to launch a distributed denial of service attack on Github. The ECMAScript is being delivered through advertisements served by Baidu, which are on many non-Chinese websites. Baidu is denying any involvement, and it seems like the ECMAScript is probably being injected as the advertisements leave China's firewall.
The attack was originally attempting to target the repositories of two specific users; one is Great Fire (which aims to help users circumvent the Chinese government's firewall) and the other is CN-NY Times (an uncensored Chinese version of the New York Times). Since Github is only available through https, this effectively turned into a general attack on the website. It is unclear whether the specific pages were targeted despite being behind https due to technical ignorance on the part of the attackers, or as a way of sending a message.
More to follow:
The New York Times has an article about China's online censorship factories and how they operate. Censors are specially educated accurately in history and politics so that they have mastery over how to spot and eliminate references, even indirect ones, to forbidden topics. Potential employees for censorship factories have to cram for two weeks for a comprehensive exam which they must pass in order to begin work. This education is followed by ongoing training which includes regularly visiting and reviewing web sites normally blocked by the Great Firewall of China.
Li Chengzhi had a lot to learn when he first got a job as a professional censor.
Like many young people in China, the 24-year-old recent college graduate knew little about the 1989 Tiananmen Square crackdown. He had never heard of China’s most famous dissident, Liu Xiaobo, the Nobel Peace Prize laureate who died in custody two years ago.
Now, after training, he knows what to look for — and what to block. He spends his hours scanning online content on behalf of Chinese media companies looking for anything that will provoke the government’s wrath. He knows how to spot code words that obliquely refer to Chinese leaders and scandals, or the memes that touch on subjects the Chinese government doesn’t want people to read about.
Previously:
Censorship a Trojan Horse (2018)
Unpublished Chinese Censorship Document Reveals Effort to Eradicate Online Political Content (2018)
The "Great Cannon" of China (2015)
(Score: 5, Insightful) by Gravis on Sunday April 12 2015, @10:08AM
this kind of MITM attack makes an excellent case for encrypting all network traffic.
(Score: 3, Informative) by Nerdfest on Sunday April 12 2015, @03:29PM
China has heir own certificates, which I believe means that they can MITM at least *some* (SSL) encrypted traffic as well. If you're not using a browser or platform that has removed the CNNIC certs (Apple, I'm looking at you), you may want to manually remove them yourself.
(Score: 0) by Anonymous Coward on Sunday April 12 2015, @10:40AM
also request firewalls in client browsers
its is unacceptable, that browser simply makes ALL the requests javascript tells it to make, without possibility of filtering by user.
(Score: 4, Informative) by maxwell demon on Sunday April 12 2015, @12:33PM
That's exactly what RequestPolicy [mozilla.org] is.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Informative) by McD on Monday April 13 2015, @12:01AM
RequestPolicy is great, but power users only need apply. And as that page points out, the torch has been passed to RequestPolicy Continued [github.io].
Personally, I'm really pleased with Policeman [mozilla.org], which seems like RequestPolicy with a much improved interface. I've found it quite usable, even in it's "beta" state.
But as great as it is to have control via extensions like these, they're simply too complicated for most users.
(Score: 2) by maxwell demon on Monday April 13 2015, @08:04PM
Thank you for the information; the Policeman extension indeed looks very interesting. Does it also handle redirects?
Also, do you know if existing rules can be moved from RequestPolicy to Policeman?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by McD on Wednesday April 22 2015, @04:00PM
Sorry for the lag, didn't notice your reply. I believe Policeman handles redirects, but haven't seen enough to recall for sure.
I also believe it offers to import RequestPolicy rules on first run.
(Score: 2) by maxwell demon on Wednesday April 22 2015, @07:01PM
Thank you for the information.
A comment on the add-on page says it has trouble with Firefox 37, so I'll wait a bit before trying, but I'll definitely try it.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Informative) by M. Baranczak on Sunday April 12 2015, @02:22PM
also request firewalls in client browsers
How the hell would a firewall help in this case?
its is unacceptable, that browser simply makes ALL the requests javascript tells it to make, without possibility of filtering by user
Most users don't even know what Javascript is, giving them control over it would be pointless. Also, Javascript isn't even required for this sort of attack. You could also inject a frame or img tag.
(Score: 5, Interesting) by anubi on Sunday April 12 2015, @10:45AM
Nasty Javascript?
If the machines were not honoring javascripts, would the attack be successful?
My fear is that "they" ( NSA, China, Terrorist, whoever ) would vector communications through a proxy server, so you end up logging into them and think you are logging onto Baidu, Alibaba, AliExpress, whatever. Even if I am not honoring scripts, I would be losing financial privacy, such financial credentials used later to cause problems for me and the merchant who thought I was doing business with him.
It is going to be interesting what we come up with for security, being neither of us can trust either our own governments nor internet service providers, nor even our own machine. This goes for me and the Chinese citizen alike. I am wondering maybe if we may have to drop to tunneling protocols run on Arduinos for a secure low-speed link that would handle financial details - as we do not know how compromised our bigger machines are. I know about the ADVAPI.DLL backdoor [wnd.com], and also wonder how many other backdoors there are... and are they in the processor and BIOS silicon as well? Stuff like that would give me nightmares if I were a businessman absolutely dependent on my machines.
I know its just a matter of time, given how many special interest groups are on the internet, that I will see the day a lot of people *thought* they filled out their tax forms but it all got vectored to some server in some hostile nation. And it will be done via a back door mandated by our very own government!
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 2, Interesting) by Anonymous Coward on Sunday April 12 2015, @11:59AM
> I am wondering maybe if we may have to drop to tunneling protocols run on Arduinos for a secure low-speed link that would handle financial details
The threat is hardly limited to financial details. As the bar gets lower we will see people doing MITM attacks for all kinds of reasons. There is a story in the submission queue about one that seems to have been about voyeurism and loneliness.
(Score: 3, Insightful) by maxwell demon on Sunday April 12 2015, @12:45PM
Hmm ... this makes me think: Is there a way to specify which root certificates are to be trusted for which domain (possibly with a browser extension)? For example, I could check the certificate authority my bank uses, and then instruct the browser to not silently accept certificates from another certificate authority for my bank's web site, without actually deleting all other root certificates (which would make many other web sites inaccessible).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Interesting) by Anonymous Coward on Sunday April 12 2015, @02:44PM
The problem with that is they then MITM you when you "check the certificate authority your bank uses." It's turtles all the way down.
There is cert pinning which remembers the certificate between sessions and errors out if it changes. So as long as your first access to the site was not compromised you are OK until that cert expires. Cert pinning is slowly being deployed in fits and starts.
(Score: 3, Informative) by maxwell demon on Sunday April 12 2015, @04:53PM
Since the root certificates are stored locally, they cannot MITM them. So unless they have access to my bank's certification authority's private key (likely for the NSA, unlikely for China), the checking process is immune against MITM attacks.
Ah, that's interesting. Another useful property would be if replacement certificates were always signed with the previous certificate, so you could easily check whether the replacement certificate is valid (well, unless additionally the previous certificate was compromised, but I don't think there's much one can do in that case).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Informative) by Anonymous Coward on Monday April 13 2015, @05:38AM
There's a Firefox extension called "Certificate Patrol [mozilla.org]" that tells you when a certificate changes with a "CA-only" option to only warn you if the CA changes, but it appears to be no longer supported. There's also some plugins that use a third-party server to keep track of which certificates have been seen for a given server in attempt to detect MITM attacks. Convergence [wikipedia.org] is one of them, Perspectives [perspectives-project.org] is another. They might have a mode for just running locally and alerting of certificate changes, I'm not sure.
(Score: 2) by maxwell demon on Monday April 13 2015, @07:53PM
I'm using Perspectives, and it doesn't have such an option (or I can't find it).
On the Convergence web site, I don't find any information about such functionality (I haven't however searched very thorough). Anyway, it looks like an interesting alternative to Perspectives, thank you for making me aware of it; unfortunately according to the web page it's still beta.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Sunday April 12 2015, @04:49PM
"I know about the ADVAPI.DLL backdoor "
Does anyone here have more information on this backdoor and how to remove it?
Suspicious the search results show nothing.
(Score: 1, Interesting) by Anonymous Coward on Sunday April 12 2015, @07:11PM
It looks like the solution is just "don't use anything crypto-related that uses Windows' built-in crypto libraries". Don't use Bitlocker, don't use any other cryptographic software from Microsoft.
Alternatively, don't use Windows.
(Score: 2, Interesting) by anubi on Monday April 13 2015, @03:02AM
Unfortunately, ADVAPI.DLL is a critical part of the kernel. Without in, Windows won't run. All of the certificate authorization in order to run anything seems to require this.
Simply deleting ADVAPI.DLL will only cause Windows to crash.
I have been watching for someone to make a drop-in for ADVAPI.DLL with the backdoor removed.
Apparently this is a very closely watched file. Google the filename and you can read from what others have attempted that it would be easier to completely switch operating systems than to reverse this one.
I never know when the government is going to sell out to the RIAA or the like, and I get into all sorts of trouble over something somebody else questions my right to have a copy of. I believe there is not a one of us who has music or the like on their machine, without having absolute proof they bought the stuff. I ripped some of my favorite CD's into mp3's... will some handshaking suit-and-tie Congressional-lobbying oafs come after me for this? I fear the day that owning a computer will be as burdensome as generating an income then having to fill out income tax forms detailing every part of our financial lives every year.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 5, Interesting) by zocalo on Sunday April 12 2015, @11:59AM
Anyway, it seems like there is a fairly obvious fix for this. Since most advertising traffic is US based, perhaps GitHub could reach out to the big advertising providers like Google, Yahoo!, etc. and see if they might be prepared to either drop the traffic going to Baidu (depriving the PRC of foreign currency always makes them sit up and take note) or just start insisting that it use HTTPS and render the current attack vector moot. I'm sure the PRC (is anyone seriously doubting this isn't officially sanctioned?) can figure out a new approach soon enough, but the more ways they use the more evidence there will be. And the more evidence there is, there's more liklihood that the US might be willing to approve and maybe use that cyber-retaliation law Obama was just talking about. I'm pretty sure the PRC wouldn't been too keen on the NSA taking down the Great Firewall in a way that allowed their population to have completely unrestricted access to the Internet, as a for instance.
UNIX? They're not even circumcised! Savages!
(Score: 1, Informative) by Anonymous Coward on Sunday April 12 2015, @12:42PM
Spin? Why would China need to spin anything? After all, the US govt sees nothing wrong with intercepting *physical goods* in transit to inject malicious payload.
(Score: -1, Troll) by Anonymous Coward on Sunday April 12 2015, @01:35PM
Well, . . . , THOSE guys are doing something else!!! Waaah.
Nice argument from a 10-year-old. This is irrelevant to the story AND the topic.
(Score: 0) by Anonymous Coward on Sunday April 12 2015, @02:47PM
Spin? Why would China need to spin anything? After all, the US govt sees nothing wrong with intercepting *physical goods* in transit to inject malicious payload.
So you are saying that the US govt is the ultimate moral authority?
(Score: 2) by zocalo on Sunday April 12 2015, @04:05PM
Now that the evidence is piling up that the attack is being sourced by HTML/JavaScript injection being perfomed by the Great Firewall, or perhaps this Great Cannon, then claiming "we have nothing to do with it" is tantamount to saying "we're incompetent and have lost control of a key part of our network". As spin, that doesn't work because it doesn't really paint the PRC in a positive light no matter how you interpret it so, given the importance of "face" to their culture, I was wondering if they might have changed their story yet, or are just going to adopt the stony silence approach.
UNIX? They're not even circumcised! Savages!
(Score: 3, Insightful) by kaszz on Sunday April 12 2015, @01:11PM
China will perhaps deny HTTPS through the firewall? And even if they didn't the current CA system allows them to use their CAs to MITM HTTPS anyway. So either browsers need to be redone or traffic to China dropped.
(Score: 2) by zocalo on Sunday April 12 2015, @02:55PM
And on top of all that, making changes that are specifically designed to sustain the DDoS on GitHub will only risk implicating the government further, right when the US is showing signs that it thinks enough is enough and it might be time to be more aggresive in dealing with the problem. It's looking increasingly risky for the Chinese to continue being so brazen about this to me, and unlike many other countries that don't have a national firewall in place, hiding sanctioned attacks behind the noise generated by botnets is a very flimsy excuse when you (presumably) have the capability to block a lot of outbound botnet traffic almost at source.
UNIX? They're not even circumcised! Savages!
(Score: 2) by kaszz on Monday April 13 2015, @12:41AM
If I recall it correctly China owns so much US bonds (government debt) that they can shoot the US economy into the depths of financial crisis that US perhaps isn't too brave. And invading isn't a realistic option either. These two countries can do a tit-for-tat for a long time without getting much net result.
What happend with CNNIC's root cert?
The military might also face a resource problem if supplies is "Made in China" .. ;-)
Perhaps most of that is manufactured in US but then factory lights isn't and the cars that bring people to work is kept running with made in China etc..
(Score: 2) by zocalo on Monday April 13 2015, @07:42AM
CNNIC's CA "lent" one of their root certs to a third party that used it to generate fake TLS certificates for Google domains and put them on a proxy device, e.g. they MITM'd Google's traffic. Google somehow found out and was (as might be expected) somewhat upset. The result is that to varying degrees Google, Mozilla and MS have revoked, or are in the process of revoking, the root level certificate in their browsers and other tools. CNNIC and their customers are currently going through the hassle of having to reissue a lot of certificates and CNNIC is also being required to perform various audits to demonstrate they are worthy of the trust given to a top-level CA. Soylent covered the original news here [soylentnews.org], and the response here [soylentnews.org].
UNIX? They're not even circumcised! Savages!
(Score: 2) by Mr Big in the Pants on Sunday April 12 2015, @07:55PM
Then look it up. My understanding is that the main news orgs are owned by the government and print their propaganda verbatim.
Their propaganda, much like russia, is usually ridiculous and aimed at their citizens rather than the rest of the world. This disconnect makes for very amusing reading at times - such as during the whole Ukraine thing.
When I could be bothered looking int he past China's was usually "shrill" and utterly transparent - but perhaps they have become better at it?
(Score: 2) by Yog-Yogguth on Tuesday April 14 2015, @12:46AM
That's such a curious statement I have to ask: did you meant to type ‘the US’ rather than ‘Russia’? Even by US sources like the DoD it is official that there is US military personnel in Ukraine and the State Department has said there are no Russian armed forces there and as the months passed even the Pentagon had to admit they were right and that there never was any evidence to the contrary.
Yeah not exactly front page stuff in western media, haven't seen any hoopla being made about how the Russians are evacuating US citizens out of Yemen either. Imagine that: if you're an American/Usian in a warzone you're better off asking the Russians for help.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by Mr Big in the Pants on Tuesday April 14 2015, @06:39AM
What complete and utter shite...
Nothing more to say on the matter...
(Score: 3, Insightful) by mtrycz on Sunday April 12 2015, @01:43PM
"Malicious [javascript] code" injected into traffic is the equivalent, hell no it's not even an equivalent, it *IS* a VIRUS. It should be no different to malicious payloads injected into downloaded binaries. China was injecting viruses to peoples pageloads.
While regular antivirus technologies are mature, and somewhat effective (as far as broken OSes let them be), we don't have an equivalent for the code running inside the browser. Also, probably black/whitelisting won't work for the regular user.
We should start having javascript antivirus software. Something with comprehensive distributed access lists, or maybe behavioural control. Hey, a man can dream!
In capitalist America, ads view YOU!
(Score: 1, Interesting) by Anonymous Coward on Sunday April 12 2015, @09:43PM
Signed Javascript [mozilla.org] used to be a thing, and that prevented injection of untrusted code. Then everyone realized that it didn't solve any problems that SSL didn't.
(Score: 2) by mtrycz on Monday April 13 2015, @08:51AM
You could still have someone tampering with the files at origin, sites that are downright malicious, or advertisers.
A behavioural heuristic could sort that out too. Hey, maybe since the domain is kinda restricted, it could be workable?
In capitalist America, ads view YOU!
(Score: 2) by cykros on Wednesday April 15 2015, @04:39AM
I think what you want is basically a subscription system for preconfigured noscript whitelists or blacklists, taking most of the work out of the hands of the end user and centralizing it with a community/company effort. Frankly, nothing really stops you from setting one up, as with a simple browser extension (to make it really user friendly; alternatively far less coding intensive methods work fine, such as an rsync share, but these step up the technical abilities of your end user) and the lists (which frankly, should be easy enough to generate pooling active noscript user's input).
The problem is, we capable users tend to just figure it out for ourselves and let that be that. A little motivation goes a long way.