
Lessons Behind the Microsoft 3322.org Takedown

Wout de Natris

The Microsoft action against 3322.org, a Chinese company, started with the news that computers were infected during the production phase. Stepping away from the controversy surrounding the approach (read e.g. Suresh's in-depth article here), there are important lessons that cyber security officials and upper management, who decide on the level of and budget for cyber security in organisations, should learn and take into account. I'm writing this contribution from a premise: China uses the fact that most IT devices are built in China to its advantage. Allow me to start with an account from personal memory to set the stage.

In a train from Paris: industrial espionage

On one of my very first trips abroad as international liaison at OPTA I came back on the high-speed train from Paris after contributing for three days at the OECD on the anti-spam toolkit. Next to me sat a gentleman in silence. When he came back from a visit elsewhere in the train he said something polite after I stood up for him, which I responded to in the same vein. Next he asked me what I'd been doing and I asked him the same. It was then that I found out that the man was bursting at the seams with anger and indignation. He worked for a multinational and had come back from discussing a crisis in Paris within the company having to do with production in China. The multinational had built a plant there because of the low wages, closing down plants in Eastern Europe as a result. Let me tell you what I heard and why this is of interest to you if you work in cyber security or have to make decisions at the management level on what systems and devices you want to buy or have connected to the sensitive networks within your organisation.

The plant in China

The company was allowed to build a plant in China after negotiations with the Chinese government. One of the prerequisites was that there had to be a Chinese upper manager. This person left the plant after one year, after which, circa 500 meters down the road, another plant was built, manufacturing the exact same product but at circa 50% under the price, and selling this product to several major customers of the multinational. You get just one guess who the manager of the latter plant was. So my travel companion wanted his company to pull out of China immediately, but others decided to remain: too much money had been invested to pull out. How much did the multinational really save through wages, though? Perhaps the opposite happened. It seems a classic case of on-site industrial espionage.

Recent examples

Whether this example is common practice, I do not know. Is the story on Huawei and the spy element in their products strange? And what about the pre-infected computers case, where Microsoft decided to take out the malware's hosting company? Is this as far out as it may seem at first read? Of course conspiracy theories are always fun to read and I'm not one to take them seriously on the whole. I can fully understand Huawei saying it will never support spying through its products; even that the spokesperson is telling the truth, but who guarantees that it does not happen without management knowing? Australia appears to be banning the company. But is this specific case sufficient when we consider cyber security? Let's take the high road of conspiracy thinking here.

Hints 2008-2010

The first time I heard of pre-infected devices was through a presentation at a workshop or seminar, when someone reported on a specific brand of iphoto device that infected computers when connected. It was later explained that an old, infected stand-alone computer tested the devices and infected them before they left the factory in China. The virus was old and out of fashion. This was the element that surprised the researchers as they discovered and researched the case.

In his book 'McMafia', British journalist Misha Glenny already made a short reference to corruption in production processes in China giving criminals access to plants. This way computers were infected for a, mind you, twisted commercial purpose, not a governmental one. Low wages are a sure road towards (the temptation of) corruption.

Richard Clarke in his book on 'Cyber war' wrote that China had infiltrated the whole US smart grid with digital bombs in strategic places.

Next to these examples, espionage through the net, connected to servers in China is reported on regularly (and probably more often kept quiet or plainly not noticed). In short, it is not as if nothing has happened since 2000.

Production in China

In the past decade all major western computer device companies decided to shift their production (in part or whole) to China, for lower wages and (perhaps) resulting lower prices. These choices were made solely for economic reasons. So let us make a hypothetical assumption here.

Bring your own device (BYOD)

Devices became more and more popular in the past ten years. Bring your own device is a novelty security officers are forced into, without knowing anything about the security implications of connecting any device to the networks holding the data that is most sacred to your organisation. Whether it's production, administration, research and development, policy, privacy-sensitive data, etc., each is meant to stay within your network. And here come all these products "made in China", able to connect to the most sensitive places within your network. Did you ever give this a thought? With BYOD no one negotiated with anyone from China; it's just some device from a shop, or from an operator as part of a private contract. In the Australian Huawei case this is different, as negotiations would go with Huawei itself.

Negotiations on desktops and laptops

Of course desktop computers and laptops were in place long before mobile devices ever came up. And you replace them every three years or so. But has the place of production ever entered a negotiation? Did negotiating checks on internal security ever take place when purchasing a product? I very much doubt it. Should it? I leave this up to you, but I'd say yes.

Apps

As an interesting aside: did you ever bother to read the "contract" you enter into with apps? Do you really know what "is allowed to look through your messages" means? Or "has access to your address book"? Why should "they", whoever "they" are, have this access, and what does this company do with your data? The app is privately installed on the device that is subsequently connected to your organisation's network. Who knows what sort of information leaks this way. The simplest: telephone numbers and email addresses. How about content? Attached documents? Passwords? I'm just guessing here, but doesn't this scare you?

Temptation

We have some examples in the recent past of espionage. So even if nothing is happening, the temptation to do so is gigantic. I've read at some stage that the military in China is one of the biggest investors and that many companies are joint ventures. To be honest I do not see a reason to doubt that the Chinese government is active in just this way. They do so economically, so why not strategically, if they have these easy ways to do so? I probably would if I were in its shoes. Hence, for the sake of this blog post let us proceed with the hypothesis: China uses production facilities within its country for espionage. So, supposing this to be true, what does this tell governments, industry, associations, etc. in the rest of the world?

What do organisations need to contemplate before buying hardware and software, and before devices, whether or not made in China, are allowed to connect to their networks? What choices do they need to make before they buy, rent or hire internet- or telephony-related systems?

These are questions those responsible need to address, just as cyber security is of such importance that it has to be prioritized on agendas. My best guess is that imagining what could happen in a worst-case scenario helps to take measures and write protocols to follow. Yes, and I have written this several times before, this costs money, but Coca-Cola losing its secret recipe through an infiltrated system would cost many times the cost of cyber security, and it is the same when you lose your crown jewels, negotiation angle, price offer or policy.

By the way, the same questions should be asked before entering the cloud. Does an organisation want to enter the cloud just because it saves some money? How much does it stand to lose when it does so unthinkingly? Let me remind you of the story I started with.

(If I lived in China, I could write this same story about CIA or NSA involvement in Microsoft and Google, I suppose, if I wanted to write on conspiracies there. And it does not matter to cyber security whether it is espionage or criminality causing the infections. Both are dangerous to organisations and private persons.)

Think and decide knowingly before acting

Some things are irreversible: the digitization of society, production in China, the love of devices. This does not mean that everything has to change just because we can, or because the manager brings his new iPhone 5 to the business. It's never the bell boy who shows up first. I repeat: Don't change because it's technically possible!!!

To seriously work on cyber security, an organisation's management and cyber security staff have to agree on the safest way(s) to change and implement. From now on this should never again happen on the spur of the moment. There have been enough warnings, I'd say. So decide on what to check before and during negotiations as well as during implementation, have protocols in place and stick to them, and remember that whatever you can think of beforehand is probably already happening. These are some important spin-off self goals, to paraphrase Suresh's title. Awareness starts right here.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.


Comments

What you described is rather well known

Suresh Ramasubramanian – Sep 23, 2012 7:53 PM PDT

Most corporations who, in this day and age, enter the Chinese market naive, happy and full of pride in how good they are with chopsticks, "your English is better than my Chinese" polite remarks and lots of past family photographs of the Great Wall and the Xi'an clay soldiers are in for a rude shock.

http://www.nytimes.com/2009/10/01/business/global/01danone.html?_r=0 - Danone (the mineral water people) and Wahaha, a local brand they partnered with.

Or this article, about a patented process for manufacturing titanium dioxide (which is what makes toothpaste and Oreo cookies blinding white in colour, have fun): http://www.atimes.com/atimes/China/NB11Ad01.html
