China Cyber-Threat Again Highlighted

February 19, 2013

Responding to the buzz generated by the release of a new evidence-rich report on China’s cyber threat actors by Mandiant, a pair of articles today again point out China-sourced cyber-threats to businesses. Financial services is a global enterprise. Virtually all financial services organizations are attempting to enter China markets and are pursuing investments in China in order to better diversify their portfolios and offer their customers opportunities throughout Asia.

The report by Mandiant and signals from the U.S. government remind us again that it is important to resist the types of attacks that seem to continue out of China.  Mandiant documented that the China-based hostile actors have systematically stolen hundreds of terabytes of data from at least 141 organizations.  The White House specifically highlighted that this threat was directed against Financial Services organizations, among others.

Writers at The Washington Post said that the recent “Mandiant report echoed a classified National Intelligence Estimate by the U.S. intelligence community that concluded that China was the most aggressive perpetrator of a massive campaign of cyber-espionage against commercial targets in the United States.”

Writers in the Wall Street Journal added that:

“U.S. officials said the allegations in the Mandiant report come as no surprise and build on other evidence of cyber infiltration.

A 2011 intelligence report publicly accused China of a role in cyberattacks. More recently, a U.S. assessment known as a National Intelligence Estimate, which remains classified and hasn’t been released, cited the Chinese government as being behind pervasive cyberthefts resulting in the loss of intellectual property, according to people who have read it.”

Bringing value to China appears to come at a material risk.  Can you afford to lose your risk models?  Your fraud analysis engines? Your portfolio management tooling?  Your investing strategies?  We all have material investments in highly-portable intellectual property.  Protect it from known threats as a demonstration of threshold due diligence.

At a minimum, ensure that you have employed the full spectrum of threat-resisting technology and process that is already at hand in every financial services organization. Ensure that your protective layers overlap and compensate for each other, and do so throughout your infrastructure, not just at the Internet edge. Plan for and fund enhancement of your detective, preventative, corrective, and compensating control capabilities — as the issue of persistent “world-class” state-sponsored hostile actors appears to be with us for the foreseeable future.


“Mandiant Intelligence Center Report — APT1: Exposing One of China’s Cyber Espionage Units.”

“Report ties cyberattacks on U.S. computers to Chinese military.”
By William Wan and Ellen Nakashima; 02-19-2013

“U.S., China Ties Tested in Cyberspace.”
By JULIAN E. BARNES and SIOBHAN GORMAN in Washington and JEREMY PAGE in Beijing; 02-19-2013

Updated to include the following reference on 04-15-2013:
“contextChina’s Guide to Understanding Recent News on Chinese Hackers.”
By  , 02-22-2013

Mobile Devices Need Secure Software Too

February 17, 2013

I am frequently in the presence of individuals involved in development for mobile platforms. It is still common for one or another of them to describe their journey as unique in the history of development — untethered from all legacy ideas and constraints.

While real mobility has enabled new business use cases, it has not freed those involved in creating or acquiring software from their obligations to deliver and maintain risk-appropriate products and services. This is especially true for those supporting financial services. Successful application security service providers, Trustwave for example, tend to understand this.

Charles Henderson, Director of Application Security Services at Trustwave, wrote a piece for Forbes that describes how that attitude can negatively impact mobile apps and the security of their users.

His thesis is that “the rush of companies and developers into the mobile software market has led to shortcuts that have repeated many security problems already solved in older technology platforms. Mobile has been fraught with issues of caching sensitive data, incomplete encryption and simple mistakes in coding.” He added that these devices are so portable that physical security concerns pose a new and material risk.

In misguided attempts to deliver what is often a friendly user experience, mobile app developers will cache sensitive data. At Trustwave they have discovered apps caching, “for example, your online banking username and password, checking routing and account number, account history and so on.”

Henderson writes that “Trustwave recently tested an otherwise secure banking application that wrote full debit card data, including card numbers, expiration dates and security code, to the phone’s log file in plain text.”

He also shared that some apps encrypt card numbers only while at rest on mobile devices, allowing “malware on the device to intercept the card number before it is encrypted.”
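The plaintext-log finding above is the easiest of the three failure modes to prevent mechanically, because the log call itself is the control point. The following is an added example, not code from Henderson, Trustwave, or the tested application: it contrasts the logging pattern described (full card data written in plain text) with a hardened version that records only the last four digits, and adds a logging filter that masks any Luhn-valid card number slipping through from elsewhere in the code. The card number `4111 1111 1111 1111` is a constructed test value, and the function names are hypothetical.

```python
import logging
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or dashes (the forms a PAN is usually printed in).
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Used so that order ids and timestamps that merely
    look like long digit runs are not masked, only real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its last four digits."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw            # not a card number; leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, text)


class PanRedactingFilter(logging.Filter):
    """Defense in depth: mask card numbers in any record before it is emitted,
    regardless of which module logged it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pans(record.getMessage())
        record.args = ()          # args already folded into msg above
        return True


def apply_filter(message: str) -> str:
    """Run one message through the filter and return what would be written."""
    rec = logging.LogRecord("app", logging.INFO, __file__, 0, message, None, None)
    PanRedactingFilter().filter(rec)
    return rec.getMessage()


def transaction_log_line_unsafe(pan: str, expiry: str, cvv: str, amount: str) -> str:
    """The pattern Henderson describes: full card data in the log message."""
    return f"charged {amount} to {pan} exp {expiry} cvv {cvv}"


def transaction_log_line_safe(pan: str, expiry: str, cvv: str, amount: str) -> str:
    """Hardened: only the last four digits are ever formatted. The expiry and
    security code are accepted (same signature) but never reach the message."""
    del expiry, cvv               # explicitly unused; must not be logged
    last4 = re.sub(r"[ -]", "", pan)[-4:]
    return f"charged {amount} to card ending {last4}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    logging.getLogger().addFilter(PanRedactingFilter())
    # Constructed test values (Luhn-valid test PAN, not a real account).
    pan, exp, cvv = "4111 1111 1111 1111", "12/25", "123"
    logging.info(transaction_log_line_unsafe(pan, exp, cvv, "$10.00"))  # filter masks PAN; cvv still leaks
    logging.info(transaction_log_line_safe(pan, exp, cvv, "$10.00"))    # nothing sensitive formatted
```

The filter catches the card number but cannot recognize a three-digit security code or a bare expiry date, which is why the safe formatter, not the filter, is the primary control: data that is never formatted into a message cannot be written to the log file.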

Mobile app development does not exist outside history and convention. Mobile app developers can, and must, learn from existing, hard-won secure software practices.


“Is Your Mobile App Safe?” by Charles Henderson, 02-15-2013.
