China is known as an aggressor in cyberspace, but hundreds of Beijing’s own government networks are vulnerable to cyber-attack, says one security expert whose hobby is finding back doors into Chinese computer systems.
Among the systems that hackers have penetrated is a database containing personal details - including email addresses, cellphone and passport numbers, and even psychological test results - of 11,000 people, including thousands of Americans.
The database, maintained by the state agency that recruits foreign specialists to work in China, was breached by hackers last year, according to U.S. security researcher Dillon Beresford.
But many of the Americans in the database did not know their details were there and had been accessed by hackers.
Other vulnerable networks Mr. Beresford found include the website of the Beijing-based Institute for High Energy Physics and the computer systems of hundreds of other government agencies and departments using poorly configured Internet telephones, webcams and other devices. Spies could use these devices to eavesdrop on the Chinese government or military offices where they are installed.
Chinese computer security officials confirmed Mr. Beresford’s findings in emails to The Washington Times.
Last weekend, Mr. Beresford sent Chinese authorities a detailed account of the vulnerabilities in the database, maintained by the State Administration of Foreign Experts Affairs (SAFEA), and a portion of the personal data he downloaded on the 11,000 people.
“It took me 20 minutes to discover the vulnerability, hack the website and download the entire database,” Mr. Beresford told The Times.
He Shiping of China’s Computer Emergency Response Team (CN-CERT) acknowledged in email to The Times “many incredible mistakes” in the SAFEA database. He called it “amazing.”
The computer network administrator for SAFEA, Fu Junsheng, told The Times via email that he dealt with the problem as soon as Mr. Beresford raised the alarm.
“We have done [the] necessary patching to ensure [the security of the database],” he insisted. “After checking our system logs carefully, we are sure that the data has not been visited by any non-authorized people.”
But Mr. Beresford said the personal data of the 11,000 people in the database already had been stolen. “Somebody was definitely there before me,” he said.
He explained that the computer code the attackers used, probably last year, was visible in the database when he downloaded it. He said an attacker could have tampered with the logs to hide evidence of the breach.
Mr. Fu did not respond by press time to a request for clarification.
In his initial email, Mr. Fu said the agency would be notifying people in the database “to pay attention to personal privacy protection” and “will also continue to take measures to effectively protect the privacy of our users in the future.”
Mr. Beresford told The Times that he contacted several U.S. citizens listed in the database and none of them said they had received any notification from SAFEA. Although they had visited China at some time, they said, they were mystified about how their information came to be in the database.
“It is not clear who entered this data,” Mr. Beresford said, adding that some entries appeared to be from job applicants.
Mr. Beresford said vulnerabilities like those in the SAFEA database were rife on Chinese government and private-sector networks.
He said computer administrators at another Chinese state agency, the Institute for High Energy Physics, part of the Chinese Academy of Science, had “not updated their [Web] server for a couple of years.” The program they use to run the site was outdated and vulnerable to being hacked.
“You could get in” to the institute’s Web server using that flaw and then “access any computer that’s connected to the [institute’s] internal network,” he said.
He added that a similar security risk existed on the network of a high-security defense institution, which he declined to name because he had not had the opportunity to notify them of the breach.
Mr. Beresford said he was acting out of a desire to improve computer security and transparency about it in China.
“I am notifying them of everything I find,” he said. “I am trying to go through the proper channels.”
In recent days, he has sent the Chinese a steady stream of email messages about the vulnerabilities that he finds using custom-designed tools that automatically scan the Internet looking for flaws and other gaps in security.
U.S. intelligence officials think China’s military collaborates with hacker groups in conducting widespread industrial espionage and other spying against foreign firms.
But the vulnerabilities Mr. Beresford has uncovered reveal another aspect of the picture.
Despite the enormous efforts of the Chinese government to lock down the Internet in their country against dissenters and enemies, government computer networks there are vulnerable in many of the same ways as their Western counterparts.
“In recent years, the Internet has been developing dramatically in China,” CN-CERT’s Mr. He said in email. “Many departments and local branches of the Chinese government have established their own websites, which inevitably increases the possibility of crackers exploiting these websites’ vulnerabilities and carrying out attacks.”
Mr. He and Mr. Fu expressed gratitude to Mr. Beresford for bringing the vulnerabilities to their attention. “I hope this case will be a good lesson to many [in the] Chinese government, especially for the seems-healthy ministry Web system,” Mr. He added.
The vulnerabilities exposed by Mr. Beresford also have implications for Chinese national security.
He has provided Chinese authorities with a list of 12,000 devices - including webcams, computer routing switches and Internet telephones - that are using a vulnerable version of a special software program called VxWorks.
The program controls the devices. But in the vulnerable version, an attacker can get control and turn webcams into surveillance cameras and Internet phones into eavesdropping devices, Mr. Beresford said.
He said it was difficult to tell exactly in which departments or agencies the vulnerable devices were located, but many of them were on networks used by the Chinese military. “You could eavesdrop on any office where a computer that is using one of these devices is located,” he said.
Mr. Beresford said he hoped the impact of his work would encourage Beijing to “tone down its aggression in cyberspace” and improve relations between security researchers in China and the U.S. “Both countries are vulnerable,” he said.
Analysts say there are some signs that the Chinese recognize that, which is why they have begun to explore an international legal framework for cybersecurity.
In mid-2009, China reached out through semiofficial channels to start a dialogue on the issue with Washington specialists and former national security officials, a participant confirmed to The Times.
James A. Lewis of the Center for Strategic and International Studies, the former U.S. diplomat to whom the Chinese originally reached out, said several sessions of exploratory talks had been held. “They are very aware of their vulnerabilities,” he told The Times.
“It’s actually a good thing,” Mr. Lewis said. “Both countries are afraid about cybersecurity, and that shared fear gives us a basis for negotiation.”