Outsider Ren pits Huawei against the world

A piece I wrote for Reuters with Lee Chyen Yee:

(Reuters) – In the 1990s, Huawei CEO Ren Zhengfei visited the United States several times, hoping to learn from its leaders of industry about how to turn his Chinese telecoms equipment maker into a global company. On one trip in 1992, in the days before China had credit cards, he paid all his bills with cash from a $30,000 stash in his briefcase.

Sixteen years later, Ren was listed among Forbes’ 400 richest Chinese and Huawei was one of the world’s largest telecoms gear vendors, but the United States still treated him as an outsider. He was keen to win customers like AT&T, Verizon and Sprint but had secured just $200 million of business in the U.S. in 2007 – in a $23 billion global market. Early that year, the United States effectively vetoed Huawei’s bid for U.S. networking equipment manufacturer 3Com on security grounds.

Outsider Ren pits Huawei against the world | Reuters

On the ropes, Apple’s China nemesis still dreams

Here’s a piece I wrote with Lee Chyen Yee about the man and company behind the iPad trademark battle in China.

(Reuters) – Yang Long-san, Apple’s nemesis in a battle over the iPad trademark in China, once strutted the expo halls with dreams of market dominance. His company, Proview, may now be in ruins and his most valuable asset a disputed trademark, but those dreams remain intact.
“My biggest wish is to resolve all these frustrating problems and put them behind me,” Yang said in a recent telephone interview. “If we can resolve all the problems we have now and I have a chance to make a comeback, I’d still want to overtake my old competitors.”
Much of that will depend on whether he wins a long-running dispute over ownership of the trademark in China – Apple’s second-biggest market by revenue. Although a recent decision by the Shanghai district court to reject Proview’s demands that Apple stop selling the iPad was a setback for Proview, the case is still to be heard in the higher court in the southern Chinese province of Guangdong Wednesday.
A decision against Apple there would set a precedent that would create an uphill battle in other cases in lower courts around China. Local media have said Proview is seeking up to 10 billion yuan ($1.6 billion) in compensation.
Proview’s fortunes may currently be the polar opposite of Apple – one has creditors at the door and the other is the world’s most valuable listed company – but both illustrate how the fickle world of technology can make or break a company.
Yang and Proview rode the first wave, when every home and office desk had to have a computer, and a screen. For Apple, the last decade has seen it ride the crest of a new wave where the computer moved from a commoditized, clunky desktop to a fashionable mobile consumer device.
Proview may now be a shadow of a company, trying to convert its last major asset into cash, but it was not always so. “They definitely existed,” says IDC analyst Rhoda Alexander, who covered them for a while. “They were a significant manufacturer and a major player.”

The full story can be found at reuters.com

Facebook’s daunting Asian challenge

Here’s a piece I pulled together with the help of Reuters reporters Andjarsari Paramaditha, Camilo Mejia and Estelle Griepink in JAKARTA, Harichandan Arakali in BANGALORE, Lee Chyen Yee in HONG KONG, Kazunori Takada in SHANGHAI and Harry Suhartono in SINGAPORE.

Facebook aims to connect all two billion Internet users. So far it has captured 845 million of them. Of the rest, nearly 60 percent live in Asia and hooking them is going to be a daunting challenge.

A block on access in China, court cases in India and rivalry from other services elsewhere in the region stand between Mark Zuckerberg’s Facebook and more than 700 million users.

"The size of our user base and our users’ level of engagement are critical to our success," Facebook said in its SEC filing for an initial public offering. Quoting industry data that there were two billion Internet users globally, it said: "We aim to connect all of them."

Growth is held back in the rest of the world, either because of limited Internet penetration, or because those who want a Facebook account already have one.

Full text here.

China’s Mystery Patterns

This has absolutely nothing to do with what I should be working on but this piece in Gizmodo caught my eye: a number of weird lines and structures in the middle of the Gobi Desert in China’s western reaches. Like this one:

[image]

They don’t seem to make much sense, despite some quite ingenious explanations by some of the commenters.

I’ve put all the locations in one Google Map here. I don’t claim to have the answers but I’ve found some clues.

While it’s true that they seem to have some military connection, they are not close enough to Lop Nur to be part of the nuclear weapons testing that took place there.

A book by John Wilson Lewis and Litai Xue called China Builds the Bomb says that Dunhuang, the nearest town, became the temporary base for a PLA unit in 1958 assigned to find the country’s first nuclear test base. Although they quickly moved further west (settling for Lop Nur), the Soviet advisors had come up with a site some 140 km northwest of Dunhuang, relatively close to where all the weird patterns are.

Part of the explanation can be found on an Australian military buff’s website. It doesn’t give sources, but describes the patterns that most resemble airfields as mock airstrips, along with concrete pads that serve as targets for missile testing (the piece was written in 2005). This would seem to suggest that the other patterns are also targets, although they’re not mentioned in the piece.

File photo: the domestically built lunar rover unveiled at the 2006 Zhuhai Airshow.

Another clue is in this machine-translated piece about China’s lunar ambitions. It says that Chinese researchers are based about 200 km from Dunhuang, where the country’s version of the Mars Rover is undergoing testing in conditions “closest to the moon.” It says they have built “a board room, five generators…and a huge indoor stadium.” I can’t see anything like that, but given what is out there in that desert I wouldn’t be surprised to find several.

ASEAN Phishing Expeditions

Mila Parkour, the indefatigable phish researcher from DC, points to some recent spear-phishing attacks which to me help confirm that Southeast Asia, and ASEAN in particular, has become something of a focus for the chaps in China.

They also highlight just how vulnerable diplomats in the region are because of poor security.

One is a phish apparently coming from the Indonesian foreign ministry, in particular one Ardian Budhi Nugroho, whom the email correctly describes as from the Directorate of ASEAN Political Security Cooperation. The subject matter is topical and credible:

Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 – 6 October 2011 in New York. A Tentative Programme of the Direct Consultations is also attached for your kind reference. Thank you for your attention and continued cooperation.

The only good thing about these phishes is that they reveal something of the attacker’s interests. These attacks are timed carefully a week or two ahead of key meetings, in this case the Oct 4-6 meeting in New York of ASEAN and the P5 nuclear weapon states (one of which, of course, is China). The email was sent on Sept 20.

The email address given, aseanindonesia@yahoo.com, doesn’t appear to be genuine, but it could easily be. Look, for example, at the email addresses listed here. More than half are either ISP or webmail addresses.

Diplomats need to get wise to these kinds of attacks by using their domain’s email addresses and being more sophisticated about their communications (not sending attachments, for one thing, and telling me they don’t.)

How does all this work? We don’t know who received this, but it’ll probably be a list of diplomats attending the talks, not hard to find, as we can see from the above list. It only needs one member of each delegation to open the infected attachment for the whole delegation to be in danger of having China, or whoever is behind this attack, monitor everything they do.
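A triage check of the kind this phish would fail, as an added example that is not part of the original post. The message below is constructed from the details given above (the sender’s name and Yahoo address, the subject, the Sept 20 date, an attached programme); the header layout, the attachment name, the webmail list and the use of kemlu.go.id as the foreign ministry’s official domain are assumptions, and the attachment body is just the 8-byte OLE2 magic standing in for a real Word file.

```python
"""Header triage for a spear-phish like the ASEAN one above.

Added example, not code from the original post. The sample message is
constructed from the details in the post; everything else (header
layout, attachment name, the official domain) is an assumption.
"""
import email.utils
from email import policy
from email.parser import BytesParser

# Assumption: a short list of webmail/ISP domains a ministry should not be writing from.
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "live.com"}
# Document types that typically carry the exploit in these campaigns.
RISKY_EXTENSIONS = (".doc", ".xls", ".ppt", ".rtf", ".pdf", ".exe", ".scr")

# Constructed sample: the post's sender, subject and date; the attachment body is
# the 8-byte OLE2 magic (D0 CF 11 E0 A1 B1 1A E1) standing in for a Word file.
SAMPLE_PHISH = b"""\
From: "Ardian Budhi Nugroho" <aseanindonesia@yahoo.com>
To: undisclosed-recipients:;
Subject: Direct Consultations between ASEAN and P5 Nuclear Weapon States
Date: Tue, 20 Sep 2011 09:12:00 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security
Cooperation ... A Tentative Programme is also attached.

--b1
Content-Type: application/msword; name="Tentative_Programme.doc"
Content-Disposition: attachment; filename="Tentative_Programme.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes, official_domains: set) -> dict:
    """Parse one raw RFC 822 message and return the red flags a mail gateway
    should raise before anyone opens the attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    recipients = str(msg.get("To", ""))
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    findings = []
    sender_domain = _domain(from_addr)
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses webmail domain {sender_domain}")
    if sender_domain not in official_domains:
        findings.append(f"sender domain {sender_domain!r} is not an official domain")
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append("Reply-To domain differs from From domain")
    if not recipients or "undisclosed" in recipients.lower():
        findings.append("recipient list hidden (undisclosed/BCC distribution)")
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        findings.append("document attachment(s): " + ", ".join(risky))

    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "attachments": attachments,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Assumption: kemlu.go.id stands in for the foreign ministry's real domain.
    for line in triage(SAMPLE_PHISH, {"kemlu.go.id"})["findings"]:
        print("-", line)
```

Run against the constructed message, the check raises four flags: a webmail sender, a sender domain that is not the ministry’s, a hidden recipient list and a document attachment. None of these needs a malware signature, which is the point: the tell in this campaign is in the envelope, not the payload, and a gateway rule on “official-sounding name, freemail address, document attached” would have quarantined it before anyone in a delegation double-clicked.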

Former Soviet Bloc, Allies, Under Lurid Attack

Trend Micro researchers David Sancho and Nart Villeneuve have written up an interesting attack they’ve dubbed LURID on diplomatic missions, government ministries, space-related government agencies and other companies and research institutions in the former Soviet bloc and its allies. (Only China was not a Soviet bloc member or ally in the list, and it was the least affected by the attack.)

Although they don’t say, or speculate, about the attacker, it’s not hard to conclude who might be particularly interested in what the attacks are able to dig up:

Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.

Russia had 1,063 IP addresses hit in the attacks; Kazakhstan, 325; Ukraine, 102; Vietnam, 93; Uzbekistan, 88; Belarus, 67; India, 66; Kyrgyzstan, 49; Mongolia, 42; and China, 39.

The campaign has been going for at least a year, and has infected some 1,465 computers in 61 countries with more than 300 targeted attacks.

Dark Reading quotes Jamz Yaneza, a research director at Trend Micro, as saying it’s probably a case of industrial espionage. But who by? “This seems to be a notable attack in that respect: It doesn’t target Western countries or states. It seems to be the reverse this time,” Yaneza says.

Other tidbits from the Dark Reading report: definitely not out of Russia, according to Yaneza. David Perry, global director of education at Trend Micro, says it could be out of China or the U.S., but there is no evidence of either. So it could be either hacktivists or industrial espionage. Yaneza says attackers stole Word files and spreadsheets, not financial information. “A lot of the targets seemed to be government-based,” he says.

My tuppence worth? Seems unlikely to be hacktivists, at least the type we think of. This was a concerted campaign, specifically aimed at getting certain documents. Much more likely to be either industrial espionage or pure espionage. Which means we might have reached the stage where groups of hackers are conducting these attacks because a market exists for the product retrieved. Or had we already gotten there, and just not known it?

Either way, Russia and its former allies are now in the crosshairs.

More reading:

Massive malware attacks uncovered in former USSR | thinq_

Cyberspy attacks targeting Russians traced back to UK and US • The Register

Korean Banks

The Washington Post reports that the attack on South Korea’s Nonghyup agricultural bank back in April appears to have been the work of North Korea. The evidence?

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

This is interesting. Command and control servers are the machines the bad guys use to “run” the compromised computers, zombies, that actually do the grunt work; they are often compromised hosts themselves, but they can just as easily be rented or registered by the attacker, which is what makes a registration record like the one above worth something. There’s definitely a common thread between the 2009 and 2011 DDoS attacks, and plenty of circumstan

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has, in the past few months, become the country with the highest rate of malware infection, and by another the second highest.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The Anti-Phishing Working Group’s report for the second half of 2010 lists Thailand as the most infected country, at nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is also technical director of PandaLabs, so these two sets of data may actually come from one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has far fewer computers connected to the Internet than the U.S.: about 40 million against 245 million. With each country producing 5% of DDoS traffic, Indonesia is generating roughly six times as much DDoS traffic per computer as the U.S.
  • The discrepancies between Kaspersky’s and Panda’s infection rates are artifacts of how these companies measure. As far as I understand, each gathers data from its own users, so a great deal depends on how popular that particular antivirus product is in the country, and on factors such as how likely people there are to run antivirus software at all.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Content delivery network Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (attack traffic as Akamai classifies it, which is broader than DDoS alone). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDoS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic it saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Taking Shady RAT to the Next Level

I know I’ve drawn attention to this before, but the timeline of McAfee’s Operation Shady RAT by Dmitri Alperovitch raises questions again about WikiLeaks’ original data.

Alperovitch points out that their data goes back to mid-2006:

We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises.

This was around the time that Julian Assange was building up WikiLeaks’ initial content; he recounted in emails at the time that his hard drives were filling up with eavesdropped documents:

We have received over 1 million documents from 13 countries, despite not having publicly launched yet! (Wikileaks Leak, Jan, 2007)

Although Assange has since denied the material came from eavesdropping, it seems clear that it was, until McAfee’s report, the earliest example of a significant trove of documents and emails stolen by China-based hackers. This may have been the same channel stumbled upon a year later by Egerstad (Dan Egerstad’s Tor exit nodes get him arrested and proves a point I made in July | ZDNet).

There were, however, reports in mid-2006 of large-scale theft of documents: State Dept (May), NIPRNet (June), US War College (Sept) and German organisations (October).

I would like to see more data from McAfee and, in the interests of transparency, at least the metadata from the still unrevealed WikiLeaks stash in order to do some note comparing and triangulation. I’d also like to see this material compared with the groundbreaking work by three young Taiwanese white hats, who have sifted through malware samples to try to group together some of these APTs: APT Secrets in Asia – InSun的日志 – 网易博客.

The work has just begun.

The Gmail Phish: Why Publicize, and Why Now?

This Google Gmail phishing case has gotten quite a bit of attention, so I thought I’d throw in my two cents’ worth. (These are notes I collated for a segment I did for Al Jazeera earlier today. I didn’t do a particularly good job of getting these points across, and some of the stuff came in after it was done. )

Google says the attack appears to originate from Jinan, but doesn’t offer evidence to support that. I think it would be good if they did. Jinan is the capital of Shandong Province, but it’s also a military region and one of at least six where the PLA has one of its technical reconnaissance bureaus. These are responsible for, among other things, exploitation of foreign networks, which might include this kind of thing. The city is also where the Lanxiang Vocational School is based, which was linked to the December 2009 attacks on Google’s back-end systems. Those also targeted human rights activists. Lanxiang has denied any involvement in the 2009 attacks.

I’d be very surprised if this kind of thing wasn’t going on all the time. And I’m very surprised that senior government officials from the U.S., Korea and elsewhere are supposedly using something like Gmail. There are more secure ways to communicate out there. I think it’s worth pointing out that this particular attack was first identified by Mila Parkour, a researcher, back in February. Screenshots on her blog suggest that at least three U.S. government entities were targeted.

I asked her what she thought of the release of the news now, four months later. Does this mean, I asked, that it took Google a while to figure it out?

As for any other vendor, investigations take time especially if they do not wish to alert the actors and make sure they shut down all the suspicious accounts.

And why, I asked, are they making it public now?

I think it is great they took time to unravel and find more victims and try to trace it. Looks like they exhausted all the leads and found out as much as they could to address it before going public. It has been three months and considering that hundreds of victims [are] involved, it is not too long.

This is not the first time that Google and other email accounts have been hacked in this way, and it’s probably not the last. It’s part of a much bigger battle going on. Well, two: one pits China, which is almost certainly behind it or at least the ultimate beneficiary of any data stolen, against regional and other rivals; the other is Google’s decision to make these things public. For Google it’s a chance to point out the kind of pressures it and other companies are under in China. In January 2010 Google said it and other companies had come under a sophisticated, targeted attack on their corporate infrastructure that originated in China.

Google says it went public because it wants to keep its users safe. This from Myriam Boublil, Head of Communications & Public Affairs at Google Southeast Asia:

“We think users should be aware of the disturbing campaign we’ve uncovered to collect user passwords and monitor user email. Our focus now is on protecting our users and making sure everyone knows how to stay safe online”

This attack is not particularly sophisticated, but it involves what is called spear phishing, which does rely on quite extensive social engineering and reveals that the object of the attacker’s interest is not random but very, very specific. If you judge the perpetrator of a crime by the victim, you don’t have to be a rocket scientist to figure out who the ultimate recipient of any intelligence gathered is.