Continued from page 1

Mr. Beresford told The Times that he contacted several U.S. citizens listed in the database and none of them said they had received any notification from SAFEA. Although they had visited China at some time, they said, they were mystified about how their information came to be in the database.

“It is not clear who entered this data,” Mr. Beresford said, adding that some entries appeared to be from job applicants.

Mr. Beresford said vulnerabilities like those in the SAFEA database were rife on Chinese government and private-sector networks.

He said computer administrators at another Chinese state agency, the Institute for High Energy Physics, part of the Chinese Academy of Science, had “not updated their [Web] server for a couple of years.” The program they use to run the site was outdated and vulnerable to being hacked.

“You could get in” to the institute’s Web server using that flaw and then “access any computer that’s connected to the [institute’s] internal network,” he said.

He added that a similar security risk existed on the network of a high-security defense institution, which he declined to name because he had not had the opportunity to notify them of the breach.

Mr. Beresford said he was acting out of a desire to improve computer security and transparency about it in China.

“I am notifying them of everything I find,” he said, “I am trying to go through the proper channels.”

In recent days, he has sent Chinese a steady stream of email messages about the vulnerabilities that he finds using custom-designed tools that automatically scan the Internet looking for flaws and other gaps in security.

U.S. intelligence officials think China’s military collaborates with hacker groups in conducting widespread industrial espionage and other spying against foreign firms.

But the vulnerabilities Mr. Beresford has uncovered reveal another aspect of the picture.

Despite the enormous efforts of the Chinese government to lock down the Internet in their country against dissenters and enemies, government computer networks there are vulnerable in many of the same ways as their Western counterparts.

“In recent years, the Internet has been developing dramatically in China,” CN-CERT’s Mr. He said in email. “Many departments and local branches of the Chinese government have established their own websites, which inevitably increases the possibility of crackers exploiting these websites’ vulnerabilities and carrying out attacks.”

Mr. He and Mr. Fu expressed gratitude to Mr. Beresford for bringing the vulnerabilities to their attention. “I hope this case will be a good lesson to many [in the] Chinese government, especially for the seems-healthy ministry Web system,” Mr. He added.

The vulnerabilities exposed by Mr. Beresford also have implications for Chinese national security.

Story Continues →