[reuters] burma hackers and baidu holes
Dear Subscriber, a couple of short hits, both stories about cybersecurity issues; one about Myanmar hackers and another about vulnerabilities in Baidu's software and SDK. In themselves nothing earth shattering, but the former indicates just how well organised, brazen and mainstream hacktivism has gotten, at least for 'patriotic hacking'. There's a lot more we couldn't include in a report put together by the indefatigable Tord Lundstroem, which you can find here.
On Baidu, what's surprising here is how far one little hole can go. If it's in an SDK and that SDK is used by thousands of apps, downloaded probably billions of times, that's a big sieve. What's also noteworthy is that Baidu didn't fix the actual data gathering, but only the leakage of that data. More here.
Stories below. Thoughts, story ideas, tips as ever welcome. Thanks to those involved in these stories and others. Apologies for the brevity of the stories. Unsub details at the foot.
Jeremy
SINGAPORE/YANGON | BY JEREMY WAGSTAFF AND TIMOTHY MCLAUGHLIN
Burmese hackers say they have attacked Thai government websites since early January and stolen data, part of a long-running, broader campaign against those critical of Myanmar's government.
The Blink Hacker Group said in Facebook posts and in an email interview that its attacks were in retaliation for Thailand sentencing two Burmese to death for the murder of two British backpackers late last year.
The group said it posted online data it took from websites of the Thai prison agency and justice ministry, saying databases from any government websites it hacked "should be made public."
Thai police said they had yet to determine who was behind the attacks, but denied those responsible were from Myanmar.
Dechnarong Suthicharnbancha, a spokesperson for the Royal Thai Police, said there had been little impact from the attacks on police websites. "It was only a nuisance. We got the websites running again with no trouble at all."
The attacks do, though, mark an escalation in computer hacking since Myanmar opened up to foreign investment and ended decades of military rule in 2011, researchers say.
Nationalist attacks on other countries' websites are not new, but those by Myanmar-based groups have increased and have also hit domestic media perceived to be critical of government policies or supportive of Myanmar's Muslim Rohingya minority.
The Blink Hacker Group said it targeted independent media websites Irrawaddy and Democratic Voice of Burma (DVB) "because we believe that media should not (be) use(d) for propaganda."
Spokesmen for both media sites confirmed they had been hacked.
BUSINESS LINKS
Tord Lundstroem, a Swedish researcher who works for a company that hosts independent media websites including Irrawaddy, said domain hosting records linked the Blink Hacker Group and others to Yangon-based companies selling web design and security services, and the hacker groups' Facebook activity indicated informal links to people with military backgrounds.
Lundstroem said hackers were better organized and more sophisticated, noting that servers and email accounts at Irrawaddy and DVB had been penetrated around the time of last November's landmark democratic election in Myanmar - though he said these attacks were not the work of the Blink Hacker Group.
The Blink Hacker Group said it previously had been ready to work with Myanmar's military to help "build a better Internet" but had received no response. It said none of its 20 members were in the military.
Min Ko Ko of Creatigon, a web development company, said he belonged to a group called Myanmar Hackers Unite4M and was founder of Myanmar Security Forum, but was not a hacker. The founder of IT firm Cyber Wings Asia, Yan Naing Myint, said his company had provided hosting for the Blink Hacker Group's website, but neither he nor his business were involved in the group's activities or in hacking.
Myanmar government spokesman Ye Htut laughed off claims that the military had cyber war units, saying "I think people sometimes overestimate the capacity of the Myanmar military."
(Reporting by Jeremy Wagstaff and Timothy Mclaughlin, with additional reporting by Aukkarapon Niyomyat and Patpicha Tanakasempipat in Bangkok; Editing by Ian Geoghegan)
SINGAPORE/BEIJING | BY JEREMY WAGSTAFF AND PAUL CARSTEN
Thousands of apps running code built by Chinese Internet giant Baidu have collected and transmitted users' personal information to the company, much of it easily intercepted, researchers say.
The apps have been downloaded hundreds of millions of times.
The researchers at Canada-based Citizen Lab said they found the problems in an Android software development kit developed by Baidu. These affected Baidu's mobile browser and apps developed by Baidu and other firms using the same kit. Baidu's Windows browser was also affected, they said.
The same researchers last year highlighted similar problems with unsecured personal data in Alibaba's UC Browser, another mobile browser widely used in the world's biggest Internet market.
Alibaba fixed those vulnerabilities, and Baidu told Reuters it would be fixing the encryption holes in its kits, but would still collect data for commercial use, some of which it said it shares with third parties. Baidu said it "only provides what data is lawfully requested by duly constituted law enforcement agencies."
The unencrypted information that has been collected includes a user's location, search terms and website visits, Jeffrey Knockel, chief researcher at Citizen Lab, told Reuters ahead of publication of the research on Wednesday.
The problem highlights how difficult it is for users to know just what data their phone collects and transmits, and the risk that personal data might leak because of poor or no encryption. It also highlights how many different groups might be interested in accessing such data.
"It's either shoddy design or it's surveillance by design," said Citizen Lab director Ron Deibert.
Citizen Lab said Baidu - which reports quarterly earnings in New York on Thursday - had fixed some of the problems since it brought them to the company's attention in November, but the Android browser still sends sensitive data such as the device ID in an easily decryptable format.
Baidu told Reuters its interest in the data was just commercial, but declined to say who else might have access.
Data security and privacy issues have been highlighted in the United States, where Apple is in a stand-off with the Federal Bureau of Investigation over requests to unlock an iPhone owned by one of those who went on a shooting rampage in San Bernardino, California in December.
Citizen Lab said its research into Alibaba's UC Browser last year was prompted by documents from National Security Agency whistleblower Edward Snowden showing Western intelligence agencies had used holes in the browser to spy on users.
Alibaba said then there was no evidence that user data was taken, but it had addressed concerns by asking users to update their browsers.
The researchers said it was not possible to assess how many users were affected by the Baidu problem, both in China and beyond.
Some software developers in China say a lack of encryption is commonplace, and partly due to rapid growth and poor security awareness.
"It's really, really painful, but it's a growing pain," said Andy Tian, CEO of Beijing-based app developer Asia Innovations.
(Reporting by Jeremy Wagstaff and Paul Carsten; Editing by Ian Geoghegan)
Jeremy
______________
Jeremy Wagstaff
Chief Technology Correspondent, Asia
Blog/guidance for PR: http://www.loosewireblog.com