Tuesday, February 24, 2009

Chinese IT Firm Accused of Links to Cyberwarfare

An article recently published by Defense News entitled Chinese IT Firm Accused of Links to Cyberwarfare provides more insight into our discussion on the power of attacking the integrity of software, systems, and data. This article states that certain Chinese IT companies were actively probing popular software applications for vulnerabilities that could be easily be exploited.

According to the article, "in the past 10 years, Beijing-based Venus Info Tech has become the dominant provider of information technology (IT) network security to the Chinese intelligence and military community.
 It also has been accused of providing hacker services that help the Chinese government penetrate foreign government computer networks."

Further, the article notes that China's operating agreements with Microsoft and other technology vendors gives companies like Venus Info Tech the ability to examine source code in popular software. Having access to source code would allow a hacker to more easily find and exploit vulnerabilities. Specifically the article states,
several Chinese firms and government agencies have deep access to the source code of Microsoft Windows, the operating system that drives most of the world’s computers.
 In 2003, Microsoft opened the code to the China Information Technology Security Certification Center (CNITSEC), a government agency, under a government security plan that was intended to “provide a trustworthy computing environment,” said Tim Chen, then vice president and CEO, Microsoft Greater China, in 2003. He resigned in 2007.
 “Depending on the level of access they were provided, it would certainly seem to provide the Chinese with insight into flaws that they could exploit,” Henderson said. “You get enough people poring over the code, and I imagine you could design viruses based on weaknesses you find in the code.”

Discussion for Class:

Why would an adversary be interested in gaining the ability to easily discover and exploit vulnerabilities in popular software applications?

No comments: