
Black duck eggs and other secrets of Chinese hackers

Attacks on U.S. Web sites far more ominous than "laughable" Google hack

Black duck eggs on the menu of a Chinese restaurant drew the suspicions of a security consultant reporting to renowned security expert Ira Winkler.

The colleague, a former Russian security agent named Stan, was at a new Chinese restaurant in "the middle of nowhere" in the United States, but conspicuously near the R&D center of a Fortune 5 U.S. business.

"Don't you know black duck eggs are a delicacy in China?" Winkler said Stan asked. "I can't get black duck eggs in San Francisco, let alone this little piece of crap town in the middle of nowhere." Stan's conclusion was that the Chinese restaurant was a front for a Chinese espionage operation targeting the Fortune 5 business.

"That's an example of how they work," said Winkler, president of Internet Security Advisors Group, in a Web cast today hosted by RSA. It was a follow-up to a presentation he made at the annual RSA Conference 2010 held in March in San Francisco.

Winkler, who considers the attention and outrage paid to the reported attack on Google from inside China last year to be "laughable," says Chinese espionage and cyber espionage are far more pervasive than anyone realizes, and that physical and computer security systems are extremely ill-equipped to deal with them. Although computer defenses can and should be improved, Winkler thinks those operating computer networks need to be much more aware of the scope of the threats.

Listening to the Web cast was an eye opener, making me realize that as robust as the network security market may be, the bad guys may be more robust.

Besides continually innovating at hacking computer networks in the U.S. and globally, Chinese interests also hack companies physically by infiltrating them with people who can then be recruited as spies, Winkler said.

A U.S. oil company seeking drilling rights off the coast of China was told that it could help secure those rights with a "gesture of good will" of hiring 30 recent Chinese graduates of various U.S. universities. The company did that but later became suspicious that one of the employees was speaking a lot in Chinese on the phone. An investigation revealed the employee was calling an official in a Chinese consulate known to be a Chinese intelligence agent.

"Hacking Google? They're already inside Google. Why do they have to hack them?" Winkler asked.

Far more alarming are the attacks by Chinese hackers, be they with the government or condoned by the government, on U.S. interests including power grids, military and other government systems. In recent years, he said, hackers have broken into the networks of the Department of Defense, the Department of Energy, the White House, the Naval War College and NIPRNET, a defense logistics network that keeps track of the location of critical military assets.

U.S. corporations are vulnerable, too, he said, because China sees nothing wrong with committing economic espionage in the service of Chinese companies, many of which are state-owned anyway. Of course, the U.S. and other countries spy on each other all the time, but the U.S. would never spy on Toyota and share that intelligence with General Motors, for example. China, on the other hand, has no such qualms.

After explaining the elaborate schemes hackers use to infiltrate computer systems, Winkler lamented the lax security that networks use to protect themselves. "We don't have proactive-based defenses from zero day attacks," he said, referring to software vulnerabilities discovered by hackers but not yet by IT security people. Sure, signature-based intrusion detection is a typical way to protect networks, "but I don't see behavioral-based intrusion detection. There's very little of that," Winkler said. Two-step authentication is "exponentially" better protection but not foolproof.

In previous posts, I've reported on how Microsoft argues that if organizations adopted the most up-to-date operating systems or Web browsers, and were diligent about patch management, they'd be better protected against threats. But Winkler said, despite the wide use of Microsoft globally, this threat goes way beyond anything Microsoft alone can do. "Many companies, when you actually do an audit on them, they're not running the latest version of whatever operating system they have."

Winkler's conclusion: "We're generally screwed. They are constantly innovating. But what we can do is be more aware of what's going on."

Think about that the next time you see black duck eggs on the menu of a Chinese restaurant in the middle of nowhere.
