Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Behind the Great (Fire) Wall

The Great Chinese Firewall.
June 20, 2014
For anyone who hasn’t been to China yet, the realization when you get there that the ‘Internet’ isn’t the ‘Internet’ can be slightly alarming. China blocks many of the most popular web sites and services that the Free World uses on a daily basis.

Forget updating your Facebook page, YouTube, or your personal blog to 'show and tell' your friends and family about your wonderful trip to the Great Wall, Forbidden City, or Summer Palace. Forget also about catching up on news from popular news sites. Most are blocked - especially if there's a story about China!

No other country censors the Internet quite like the People’s Republic of China does. It determines almost completely what it allows its 1.4 Billion citizens to read, write, listen to, watch, or post. .... No other country that is, excluding the more than slightly isolated hermit kingdom of North Korea where there’s often no electricity even if you are one of the few elites allowed to access a computer.

Twitter, Blogger, Gmail, Google Plus, even the Google Search Engine are all blocked at the present time. Major publications like The New York Times, The Wall Street Journal, BBC, The Times, and Bloomberg are blocked also. China doesn’t permit the free flow of information in or out of the country, so if you want your service to be accessible to China’s 618 million online users you have to abide by China’s rules, and that means you need to self-censor or be blacked out entirely. Some companies like Google for example refuse to censor the truth, re-write history, or compromise its charter to “do no evil’ for the sake of doing business in China. Consequently, and at the present time, Google is to put it lightly, not particularly liked by the China Net Police.

China effectively has its own 'national intranet', with its own providers and its own rules. So far, none of the big U.S. Internet firms has managed to make significant headway there, and the ones who try must play by the rules. LinkedIn, for instance, which entered the market this year, is drawing flak for blocking posts about political matters in China. Even sensitive pages in Wikipedia are blocked.

Bing and Yahoo search engines work but forget searching for such heinous terms as ‘Tienanmen Square Massacre’, ‘Dalai Lama’, ‘Muslim ethnic riots', ‘protests in Tibet’ or ‘Chinese Official corruption’. These things don’t exist as far as China is concerned unless the government says so. They are mere ‘untruths’ fabricated by the West to make China look bad. Its not quite George Orwell’s '1984', but there are a lot of similarities. China allows just enough freedom to make its citizens believe that they have free access. It regards its filtering actions as being nothing more than paternalistic protection of its citizens.

There is no official warning or 'verboten' page for trying to access blocked content. Your request will just time-out as if the web site is down rather than being blocked. Sometimes its hard to know whether the site or service is purposely blocked, or whether the traffic-slowing 'Great Firewall', or the less than stellar China network is to blame. You just have to try later. The notion of things like 'Internet quality of service' (QOS) in China simply doesn’t exist. One day you can connect with decent bandwidth, the next, nothing seems to work properly. That is however as much for internal China hosted web sites as it is for ones hosted overseas.

There is no official censorship list either. Sites and services just get blocked - sometimes returning, sometimes not, depending upon relationships with the West, and internal political activities like self immolation in Beijing, or Lhasa, protesting of any kind, or the cause of ethnic Uighur separatists in Western China’s Xinjiang province much of which was once called 'East Turkestan' before China occupied it in 1949.

Pro Democracy Protests / Tiananmen Square Massacre
Of course the 25th anniversary this month of the Tiananmen Square Massacre in which untold thousands of Chinese students and ordinary citizens, along with paramedics and doctors treating the injured, were gunned down, bayoneted, or purposely run over by tanks has been an especially auspicious time for the censors. The mere thought that the Chinese population should find out about the events of 1989 when China's leaders mobilized complete battalions of the Peoples Liberation Army (PLA), and sent over 300,000 armed troops and tank regiments into Beijing to break up the peaceful democracy protest, sends shivers down their spines. This month, even shortwave radio is blocked - just in case the BBC Word Service or Voice of America should mention the anniversary.

As for available services - unblocked web sites or email for example, forget the idea that your surfing or email messages are private. You should fully expect that someone, somewhere, in China is monitoring what you do, what you read and what you write. Even SSL/TLS email and web sites are often decrypted by the Great Firewall, examined and filtered before being sent on or dropped.

Don't expect western style privacy in China but something closer to Orwell's "1984"
Your only option for secure communications with the outside world is VPN and even then it can be touch and go, and you absolutely need to set this up before landing in China. Encryption keys need to be long and complex and set to the highest encryption strength supported by your provider or VPN termination device outside of China. The web sites of companies that offer VPN services are generally blocked in China, so if you don’t have a service agreement beforehand and your encryption keys along with your setup information with you when you arrive in China, tough luck!

PPTP is generally blocked. I’ve found it to work at major western branded hotels in big cities like Beijing, but blocked in the same hotel chain in other cities.

L2TP is a lot better and generally works in many upmarket western or Chinese hotels.

The fact is that things change all the time in China so come prepared.

Your best bet however, is SSL VPN which uses SSL rather than an IpSec tunnel to encapsulate traffic. Services and complexity of setup for both client and server can be more difficult, but its worth the extra cost and effort to ensure connectivity. Most SSL VPN clients can be configured to attempt connection on a number of ports and protocols. Your best bet is to include TCP port 443 in your configuration. This is the port commonly used for secure https web communications, so if your connection on a higher custom port fails, you can normally always get out and obtain a secure tunnel on TCP 443.

OS X, Windows and most Linux distros already contain the software needed to support PPTP and L2TP VPN connections. Third party applications such as Viscosity and Tunnelblick can be downloaded to support SSL VPNs and software found on the Apple Store and Google App Store for iOS and Android devices.

Hotels in China usually provide both wired and wireless Internet access. Wireless is usually ‘open’ meaning that your communication to the WiFi Access Point is unencrypted and could easily be observed, intercepted or exploited by ‘man-in-the-middle' attacks. You want to avoid connecting to any open wireless connection in China. Make sure that you bring an Ethernet cable and if using a Mac or slim laptop then a dongle to allow you to use the RJ45 socket in your room. A wired Ethernet connection could still be intercepted, but there's less chance of your average China hacker doing so. Besides, you can employ extra layers in your cyber defense as I'll explain.

Security in China is a MUST so rather than rely upon directly connecting your laptop to the wired network, and to facilitate access for other devices that only have WiFi connection capabilities - iPads, iPhones, etc., consider bringing a simple wireless router-firewall and loading it with the open source DD-WRT firmware. You then have this router open an SSL VPN out of China so you can use one tunnel for everything, and secondly can setup a WPA2 WiFi network for your wireless devices in your hotel room so that they can connect securely too.

Builds of DD-WRT have been written and can be easily downloaded freely for most common consumer WiFi Routers from Linksys, Netgear, D-Link, etc., but you need to load a larger 'FULL' or 'VPN 'build to be able to use it as a your SSL VPN termination point. That usually requires more RAM and Flash memory than the cheapest routers to load and run the build than an 'light or 'regular' build. Check out the DD-WRT Router Database for supported hardware and the Wiki for how to flash and configure both DD-WRT and to setup your VPN. Interestingly, older versions of the same router may often contain more RAM and Flash storage than the latest version in which case go check out eBay for the version you need.

OpenWRT is an alternative project to DD-WRT though not as many devices are supported and its a little tougher to configure. It has great support for Linksys hardware however. There are a number of different projects within OpenWRT, including Tomato which is one of the more popular distros, but an Internet search will tell you what hardware is supported on which distro.

Remember to build out, test and if needed, troubleshoot your DD-WRT / OpenWRT loaded router BEFORE your trip to China.

Before purchasing or re-imaging a router, ensure that is has sufficient RAM and Flash memory to support a 'Full' or 'VPN' build of DD-WRT / OpenWRT.

Secondly, make sure that its power adapter is multi-voltage as China uses 220 to 240volts
.
A decent surge protector for all your electronic gear is probably a good investment also as the power in China is often quite dirty.

As to the privacy of your computer, tablet or smartphone, forget that too unless it never leaves your side. Web pages where you agree to the Internet access terms of service in the coffee shop or hotel, sometimes have malicious code that is automatically pushed without your knowledge to your system unless you have that system locked down WAY tighter than most users would. Creating a user account with minimal privileges is definitely a good precaution. The more concerned may consider taking a blank machine with nothing more than a locked hypervisor and a read-only virtual machine.

And forget leaving your device in your locked hotel room or safe while you go for breakfast too. You are not the only one with a key - even to a combination lock. The maid will have a forensic acquisition of your hard drive completed before you get to your second breakfast cup of coffee - even if that hard drive is full-disk-encrypted!

Big Brother is watching you

Of course if you happen to be in China on business, then expect to be targeted. Chinese companies, most of which are owned by the Chinese State or Peoples Liberation Army (PLA) have been issued 'five year plans' to catch up and surpass their western counterparts using any and all means available including outright theft of intellectual property and trade secrets. The paternalistic monitoring forces of China are eager to aid in this endeavor even in just the acquisition of your phone contacts, so don’t lose sight of your phone or anything else.

Watch out for hidden cameras too - especially if you maybe targeted. Cover keyboards and be very careful when entering passwords in computers, phone or hotel safes. And be concerned what you do / who you bring back to your room. Just assume that you are always being watched and that anything you do, can and usually will be used against you.
Big Brother IS watching you in China
That being said, China is a great place to visit, so come prepared and enjoy your stay! Just be aware of the risks you face and take the appropriate precautionary measures to protect yourself and the data you may have with you.

See also: Why is the Chinese Military so focussed on the theft of Intellectual Property


Post Script
Eric Jacksch recently published an interesting article on the use of Chromebooks for international travel in order to safeguard private information. If crossing an international border concerns you with information on your laptop that simply should not be disclosed then this might be an option for you. However the same concerns exist for unfiltered and un-monitored access to the Internet when in China. Read Eric's full article

Mricon.com also published a Linux / Chromebook setup guide for attending conferences or meetings in China.

MacWorld published a Data Security Guide while traveling with your Mac, iPad or iPhone.

Network World recently published a crackdown by the Communist Chinese Government on ISPs to block VPNs out of the country. China goes after unauthorized VPN access from local ISPs


Not Opting-Out doesn’t mean that I am Opting-In!



Does the fact that I didn't explicitly ‘opt-out’ of your email list mean that I agree implicitly to you sending me unsolicited spam email, or any partners you may decide sell my contact information to?

Does the fact that I missed or failed to uncheck the tiny radio button in your 17 page agreement mean that I agree to providing you access to datamine my contacts, my bookmarks, or my internet history?

Most users would say, “No!” However, Facebook announced recently that it intends to start targeted advertising to its users, by pulling their interests, passions and surfing habits from their Web browser histories.
The free content ad network said in a blog post that Facebookers who hate the idea of yet more intrusive advertising, can switch the feature off via the "industry-standard Digital Advertising Alliance opt out". In other words, all Facebook users in the US will have their browsing behavior tracked by default. The company would not be able to do the same stealth-ad-bomb exercise in the European Union, however, because consent for such a mechanism has to be granted first.
While one can appreciate the need for companies that offer free services, to pay for those services via advertising - a principle that many a Web-based business uses, the fact that a U.S. based user is deemed to have consented to the use of their personal and private information, as Web browsing history surely is, only because they haven’t yet opted out is ridiculous.

Are you sharing a computer between several people? You'd better hope that one of them doesn’t like to surf porn or your Facebook targeted advertising could be interesting!

Less than 1% of users ever read the small print of the absurdly long, unintelligible and usually highly legalese user agreements, let alone the constant changes of agreements as a company updates its policy. For a company to claim then that users have been informed and are fully cognizant, aware and agree with the company’s latest policies is delusional. Most users have no idea what they are agreeing with; they just want to get on to Facebook to see who has posted to them on their way home from work, school or the airport.

To further claim that because a box agreeing to give up some aspects of a user’s privacy is checked by default by the owner of that page, and that a user must uncheck such a box or radio button to NOT grant such access, before clicking the large bright button at the end of the agreement, which states “I agree,” is insane to rational and intelligent users.

“I didn’t agree to that!” is what I often hear from common users – and quite rightly so.

Yet in the United States this assumed legitimacy of the corporations to pillage whatever private information they please goes largely unchecked. In Europe or Australia (other modern and arguably more advanced civil societies) such actions would land those corporations in court, having to cough up hefty fines and punitive damages while forcing them to leave court with a preverbal corporate tail between their legs!

As recently as June 1st, a UK Court ruled against a large retail store for spamming a prospective customer who inquired about home delivery of groceries and had to enter his home and email addresses in order to find out if they serviced his area. He failed to notice the hidden checkbox that the retailer had checked by default asking for permission to add him to the store’s email list. The court ruled against the retailer and awarded damages to the plaintiff.

The store argued that because the plaintiff had not opted-out of receiving their emails, he had automatically opted-in. The court however agreed with the plaintiff that ….
"..an opportunity to opt-out that is not taken is simply that. It does not convert to automatic consent under the law and companies risk enforcement action if they use pre-ticked boxes.”
If the owner of a web page checks a box granting consent to itself and the onus is on the individual to reverse that action then the owner has not received permission to whatever agreement the checkbox referred.

Facebook said it planned to start offering ad preferences controls to US users over the next few weeks. The policies governing its new targeted advertising initiative however will not be released until later this year.

That’s akin to Congress passing a law and deciding what to put in that law at some point after the Bill has been passed and gone into law......and Americans sometimes wonder why the rest of the world doesn't take them seriously!