(CNN) Readers may have heard of the "Great Firewall," the powerful filters that the People's Republic of China uses to prevent Chinese citizens from accessing the whole Internet.
The Great Firewall monitors traffic entering and exiting China, and then disrupts prohibited content and connections. Imagine an eavesdropper on a party line: when one party says something objectionable, the eavesdropper shouts into the line until everyone hangs up. While very effective, the Firewall is not an offensive weapon.
The device we dubbed the "Great Cannon" is different: it acts as a "man-in-the-middle," able not just to shout down a conversation but to change content as it passes through the Internet.
Unlike the Great Firewall, the Great Cannon was built as a deliberately offensive tool, designed to selectively replace benign web content with malicious content.
The only known use of the Great Cannon was to further Chinese censorship.
The organization GreatFire seeks to monitor and circumvent Chinese censorship. One technique it has developed has been dubbed "Collateral Freedom" -- hosting content on encrypted services that it believes are "too important to block."
Denial of service attack
During March and April, when a non-Chinese web surfer visited a page containing unencrypted content served by the Chinese search engine Baidu, the Great Cannon would occasionally replace that content with a series of instructions for the web surfer's browser.
These instructions caused the browser to repeatedly fetch content from "Collateral Freedom" pages, executing a denial-of-service (DoS) attack. It would be like an attacker telling tens of thousands of cellphones to all dial the same number at the same time.
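As an added illustration, not part of the CNN piece or the authors' research, the Python below audits a set of captured responses for one unencrypted resource. Because the Cannon only intercepted a fraction of requests, repeated fetches can be majority-voted to isolate the tampered copy and list the foreign script hosts it references. The host names and response bodies are constructed placeholders.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: six captures of the same unencrypted resource.
# Five are the genuine page; one has a foreign <script> reference
# spliced in by an on-path injector (all hosts are placeholders).
GENUINE = ("<html><head><script src='http://cdn.baidu.invalid/h.js'></script>"
           "</head><body>stats</body></html>")
TAMPERED = ("<html><head><script src='http://cdn.baidu.invalid/h.js'></script>"
            "<script src='http://injector.invalid/extra.js'></script>"
            "</head><body>stats</body></html>")
CAPTURES = [GENUINE, GENUINE, TAMPERED, GENUINE, GENUINE, GENUINE]

SRC_RE = re.compile(r"""<script[^>]+src=['"]([^'"]+)['"]""", re.I)

def _digest(body):
    return hashlib.sha256(body.encode()).hexdigest()

def baseline_digest(bodies):
    """Majority-vote the body digests: an injector that fires only
    occasionally cannot outvote the genuine responses."""
    return Counter(_digest(b) for b in bodies).most_common(1)[0][0]

def divergent_indexes(bodies):
    """Indexes of captures whose digest differs from the baseline."""
    base = baseline_digest(bodies)
    return [i for i, b in enumerate(bodies) if _digest(b) != base]

def foreign_script_hosts(body, expected_domain):
    """Hosts of <script src> references outside the expected domain."""
    hosts = {urlparse(u).hostname for u in SRC_RE.findall(body)}
    return {h for h in hosts
            if h and h != expected_domain
            and not h.endswith("." + expected_domain)}

def audit(bodies, expected_domain):
    """Map each divergent capture index to the foreign hosts it loads."""
    return {i: foreign_script_hosts(bodies[i], expected_domain)
            for i in divergent_indexes(bodies)}

if __name__ == "__main__":
    for i, hosts in audit(CAPTURES, "baidu.invalid").items():
        print(f"capture {i} diverges; foreign script hosts: {sorted(hosts)}")
```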
The first round of attacks, between March 16 and March 26, directly targeted GreatFire's Amazon CloudFront instances in an attempt either to cause Amazon to remove those instances or simply to run up GreatFire's hosting costs. Although this significantly affected GreatFire's bill, it failed to block the services, and GreatFire responded with technical changes to mitigate the attack.
But GreatFire's CloudFront domains aren't memorable, so those in China who wish to discover one need another source. GreatFire uses GitHub for this, hosting both instructions for evading the Great Firewall and directions for obtaining a copy of the Chinese-language New York Times. Previously, China tried blocking GitHub but quickly relented when local developers objected.
So the Great Cannon's operator switched targets, instructing newly hijacked web browsers to repeatedly contact GitHub. This attack persisted until April 7, although GitHub was able to mitigate it after the first few days. Since then, the Great Cannon has gone silent; we have not detected any further attempts to use this device.
While it still ran, we were able to isolate the Cannon's location, showing that it wasn't a group of hacker vigilantes but a dedicated tool that shares code and network location with the Great Firewall.
Evidence points to Chinese government
We don't expect that hackers would have access to the Great Firewall's source code or be able to install devices in the backbone of the Chinese Internet across multiple Internet providers. Combined with the choice of targets, this makes the Great Cannon almost certainly a tool of the Chinese government.
Though the Great Cannon has gone silent, the dangerous implications remain. To start with, China seemed willing to explicitly attack a U.S. company, GitHub, in an attempt to suppress online content that the Chinese government finds objectionable.
It would also be a trivial change for the Great Cannon's operator to turn the Cannon into a direct exploitation tool, targeting web servers directly. Instead of replacing content with instructions to execute a DoS attack, the replaced content could instead exploit the target's browser to take over the target's computer.
Combined with some target awareness and a minor change to the Cannon itself, the Chinese could use this to hack any web browser -- if the Chinese can identify their target's IP address and the target happens to fetch unencrypted content hosted from within China.
The Great Cannon was also a direct attack on Baidu. For everyone outside of China, any page containing an unencrypted Baidu service, even something as innocuous as an advertisement, may now be a vehicle for a Chinese government attack.
And although the Cannon primarily replaced content served by Baidu, it can just as easily target any other Chinese service. Anyone concerned with the possibility of Chinese government hacking now needs to consider the entire Chinese Internet as explicitly hostile. How can Chinese Internet companies hope to compete?
China has company
Although China's use of the Great Cannon to censor content is objectionable, if China instead chooses to use this tool to directly exploit computers, it would have company.
According to recent revelations, the NSA in the United States and GCHQ in the United Kingdom have developed and deployed an attack using similar techniques, which they used against Belgacom, Belgium's primary telecommunications provider.
The Internet is now a hostile place.
If an adversary sees your unencrypted traffic, it is not just a data leak but an attack vector they can use to exploit your computer. Encryption isn't just a matter of privacy but a necessity for self-defense.