
Hack computers to steal someone's identity in China? Why? You can just buy one from a bumpkin for, like, $3k

Exploit an 3l33t zero-day and reverse-shell that backend DB proxy server... or simply pay this farmer off

Black Hat: Black Hat founder Jeff Moss opened this year's shindig in Las Vegas with tales of quite how odd the hacking culture in China is.

You see, Moss also founded the DEF CON conference series, and has started running DEF CON events for nerds in China – which makes sense given the sizable reservoir of infosec and computer science talent in the Middle Kingdom. However, he said, when talking to folks over there, he realized quite how different black-hat culture is in Asia.

“I’d assumed internet crime in China was just like over here,” he said. “I was wrong.”

For a start, identity theft is virtually unknown, Moss said. There’s no point in hacking systems to steal strangers' identities to use for nefarious purposes, because it’s easy to obtain a legitimate identity direct from someone, and assume their persona. Hackers and their ilk simply go into the farming belt and find someone willing to sell their identity, with a typical price around $3,000 per ID. That's about the annual wage of a low-income person in China, which, don't forget, is home to about 1,400,000,000 people.

This approach, however, has a few problems, mainly that the same person may sell their identity to multiple hackers. So the first thing anyone using a bought ID does is to check that the same credentials aren’t being used in that geographical locale.




Denial-of-service attacks within China also work slightly differently. Miscreants can bribe Chinese companies to send overwhelming amounts of network traffic to victims' systems to knock them offline. These requests can be routed to go out through the nation's Great Firewall, and back in again, obfuscating the source of the packets, apparently. Moss said this technique was surprisingly effective.

There’s also a small headache with content distribution in China, he said, besides, presumably, the government-mandated censorship. There are four ISPs in the country; two dominate the field, and the pair barely talk to each other’s networks. While there are small interconnects, neither internet provider feels the need to expand the bandwidth between them. This forces companies to set up data centers dedicated to each ISP so that all broadband subscribers, regardless of which ISP they want, can smoothly reach those companies' websites and other online services. This extra gear increases the security and technical burden on system admins.

Admittedly, online organizations in America and other countries tend to spread out their content distribution over national and global networks for reliability, connectivity, and redundancy purposes, though in China it appears to be more of a minimum necessity rather than a luxury due to the lack of cooperation between ISPs.

Turning to IT security in general, Moss said if you want to get things done, you need more than just your boss and your boss's boss or boss's boss's boss onboard – you need the highest level of the company to agree that defending computer networks is a critical must, and not a set of expensive bells and whistles. And that requires clear communication.

“Now we have management’s attention on security we need to know how to communicate with the board,” he said. “Communicate well, and you can get more budget. Do it badly, you could get fired. The quality of communications really matters for security.” ®
