China taking noteworthy steps to improve cybersecurity

HD Moore is the embodiment of principled greyhat researchers, software experts who push hard for immediate full-disclosure of freshly-discovered security holes and exploits — without crossing the line into actually using this knowledge for criminal acts. The greyhatters at Goatse Security clearly crossed the line by actually stealing data after outing the AT&T – iPad vulnerability earlier this week.

LastWatchdog first interviewed Moore in 2005, just after Moore, then with Metasploit, posted proof-of-concept exploit code for a Windows plug-and-play vulnerability. A few days later, Farrid Essebar, aka Diab10, released the Zotob worm, using this exploit code. Then 25, Moore told me his goal was to provide technicians with information in real time, so they can accelerate the process of stiffening their defenses. He acknowledged the obvious. “Some people will use it to test their defenses; some will use it to break into systems.”

Moore’s intense scrutiny of cyberthreats has endured. He is now Chief Security Officer at Rapid7. In this LastWatchdog guest post he comments on the deeper significance of the U.S. recently replacing China as the top source of malicious servers.

By HD Moore

The 2010 Q1 report by Kaspersky highlights the dramatic result of China’s newly implemented domain registration policy. The “cn” top-level domain (TLD) for China went from hosting 32.8% of all malware sites in Q4 2009 down to only 12.84% in Q1 2010. This new policy, enforced by the China Internet Network Information Center (CNNIC), restricts the “cn” domain to registered businesses and requires all applicants to provide their business seal, a copy of their business license, and a copy of the applicant’s government ID to the registrar. As a direct result, while China saw a 20% drop in the “cn” TLD being used for malware, the Russian “ru” TLD picked up a 14% increase in malicious domains. Russia’s own policy change, which mirrors the CNNIC regulations in many regards, went into effect April 1st and will likely trigger another mass relocation of malware sites to another TLD.

The policy changes by both China and Russia are a direct response to the criticism their governments have received from the west. Chinese operators are often blamed in large-scale attacks, even when the only evidence pointing to Chinese involvement is an IP address or domain name. The Chinese response has been to state that they are constantly under attack themselves and that the servers conducting the attacks are often under the control of a foreign intruder. This response has been scoffed at in US press, but even a Google dork for common Web application flaws will confirm that network security in China is well behind the US and Europe.

The tightening of domain registrations is just one piece of the larger picture in China. Over the last five years, awareness and prosecution of cyber crime has been on the rise. The Chinese security research community has had to walk a fine line between following their passion and being seen as criminals. Many of these researchers have ended up working for security companies in China, which provide them a legitimate environment to practice their craft and stay on good terms with the government. This relationship has led to sensational claims that China’s top hackers are now state-sponsored, but the reality is not that different from how the US-based L0pht Group worked with government officials in the late 1990s. The government needs the expertise and the researchers need the legitimacy; the business angle ensures that these researchers are taken care of and have time to focus on what they do best.

While the established researchers may be doing well within Chinese security companies, the next generation is learning about Chinese cyber crime laws the hard way. The security industry within China is still in its early stages and many aspiring hackers turn to crime when they fail to find legitimate work. The Black Hawk Safety Net portal, which operated as a paid “hacker school”, was shut down in November of 2009 and six of its operators were arrested. A new law introduced in 2009 also made the mere distribution of “hacking tools” a crime in China, adding China to the ranks of countries with similarly broad statutes, such as France and Germany.

I had a rare opportunity to visit China last year and meet many of the prominent researchers, professors, business leaders, and government officials that focus on computer security. While there was no debate that there is still much work to be done, everyone I spoke with was aware of the international perception and optimistic about China’s future. During my travels I witnessed some of the problems with security awareness first-hand; WEP was in widespread use for wireless networks, firewalls were missing, and even in locations with tight building security, the physical network ports were easily accessible.

China started off 20 years behind the US in terms of Internet access, but is catching up at an incredible rate. The challenge is managing that growth to ensure that the resulting infrastructure is secure and can withstand attacks long enough to be upgraded to a more robust solution. While I have no doubt that China will continue to be a source of and a host for malicious activity, their recent actions have shown a commitment to clamping down on cyber crime, and I, too, am optimistic about its future.

About the author

HD Moore is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform. HD founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development. Prior to joining Rapid7 and continuing his work on the Metasploit Framework, HD was the Director of Security Research at BreakingPoint Systems, where he focused on the content and security testing features of the BreakingPoint product line. Prior to BreakingPoint, HD spent seven years providing vulnerability assessments, leading penetration tests, and developing exploit code.
