China Staging a Nationwide Attack On iCloud and Microsoft Accounts
New submitter DemonOnIce writes: According to The Verge and an original report from the site that monitors China's Great Firewall activity, China is conducting a large-scale attack on iCloud and Microsoft accounts using its government firewall software. Chinese users may be facing an unpleasant surprise as they are directed to a dummy site designed to look like an Apple login page (or a Microsoft one, as appropriate).
If you use Firefox, Safari, Chrome, or IE in China, they will all warn you that a MiTM attack has occurred (if you try going to https://icloud.com./). But the most popular browser used in China (according to Qihoo, the claim is dubious), Qihoo’s Chinese 360 "Secure Browser", will allow man-in-the-middle attacks to occur, by design.
Forgot to mention that enabling 2FA in China may be useless if they can also intercept the messages and do a replay attack.
It's almost like they are a... communist country.
THL phish sticks
Are the Chinese officials trying to score some celebrity porn?
It's possibly related to the protests in Hong Kong and the government's desire to identify the leaders/participants.
Eagles may soar, but weasels don't get sucked into jet engines.
And lose 1.36BN potential customers?
It's only going to get worse as the Chinese economy stagnates. I've been saying this for years, but people are finally starting to realize that China copied the post-war Japanese model right down to the bad loans, today's China is pretty much where Japan was in 1988, barreling towards the cliff. The difference between the 2 countries is the government though. Outside of the economy the CCP has been deeply unpopular for years. However there was little unrest since the economy was booming. However what will happen when growth slows is much more unclear. Hong Kong-like protests against the government would probably be the best case. More likely is large scale riots as unemployment coupled with a large # of men being unable to find a wife is a recipe for disaster. The CCP knows they are living on borrowed time and are going to do everything in their power, including perhaps returning to the days of the cultural revolution if it finds it necessary. In the short term expect spying incidents like this to become the norm.
Monstar L
It's almost like they are a... communist country.
Right -- only a communist country would attempt such shenanigans. Western democracies are totally above that sort of misbehavior. ;^)
I don't care if it's 90,000 hectares. That lake was not my doing.
Don't be naive. It's so easy to do it without warning. I can tell you at least 3 different methods of doing that. Remember, it's not just a single hacker, but government that controls whole traffic, that can impersonate not only any domain but any ip they want, they control BGP.
Well, close. I wouldn't technically call it a dictatorship because the power is spread out around various people and groups, including the Standing Committee, former members of the Standing Committee and the military. But you're on the right track. 1) China is communist only in name. 2) Even if they were fully communist, that's an economic system, not a political one per se. The word that you and the grandparent poster are looking for is 'authoritarian.' BTW I lived in China for three and a half years and IMO they are getting the government they deserve. Freedom, truth, and Classical Liberal ideals are not high on their list of values.
WARNING: If accidentally read, induce vomiting.
How many people were saying the same thing about the Japanese economy in the late 80s? Answer, almost all of them. Do a google search for China and debt and you will see what I mean. They are also not the "sole manufacturing center for most of the west". Very little value is added in China, and it's manufacturing that can be done elsewhere, and is increasingly done elsewhere as China gets more and more expensive, both economically and politically. Crappy hardware trade shows do not an economy make.
Monstar L
Just an FYI... I've no reason to disbelieve the story, but it would be simple to fake the evidence presented...
I also wonder why the hotmail.com certificate was mistakenly created for the hotmai.com domain... that seems rather amateurish for a nation state. (Of course, perhaps plausible deniability is the reason.)
Regardless of whether or not it's fake, it does serve to point out the intentional flaws of Qihoo’s Chinese 360 "Secure Browser" pointed out by Rosyna above -- certainly a good thing to publicize.
Whatever it is, it doesn't sound like communism to me.
Fifty years of Yippie! 1968-2018
Communism went bankrupt a long time ago. All that's left is the brand name.
How can I believe you when you tell me what I don't want to hear?
Posting AC. I provide IT support for a Chinese company based in the US. They wanted an American firewall and anti-virus suite. One of the employees insists on using some security 360 shit that's very chatty on the network. I blocked its net-block range and shortly he complained and wanted it fixed ASAP. I strongly suspect he's a CCP mole. Fuck him, he can suffer with the software approved by corporate.
The ones that use SMS don't prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.
2 factor auth is not supposed to prevent a MITM BTW. A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.
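Added example (not part of any comment in this thread): a small Python simulation of the two points made just above, that a single-use SMS code stops replay but not a page that relays it in real time, while a response bound to the origin the browser reports fails through the relay. The origins, the `Server` class and the function names are hypothetical, and HMAC with a shared key stands in for the asymmetric signature a WebAuthn-style authenticator would use.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example"        # hypothetical real site
RELAY_ORIGIN = "https://login.example.test"  # hypothetical look-alike in the middle

class Server:
    def __init__(self):
        # Assumption: stands in for an enrolled authenticator key (a real
        # deployment stores a public key; HMAC keeps this sketch stdlib-only).
        self.device_key = secrets.token_bytes(32)
        self.pending_otp = None
        self.challenge = None

    def send_otp(self):
        self.pending_otp = f"{secrets.randbelow(10**6):06d}"
        return self.pending_otp  # reaches the user out of band (e.g. SMS)

    def check_otp(self, code):
        ok = self.pending_otp is not None and hmac.compare_digest(code, self.pending_otp)
        self.pending_otp = None  # single use, so a later replay fails
        return ok

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def check_assertion(self, tag):
        expected = sign(self.device_key, self.challenge, REAL_ORIGIN)
        return hmac.compare_digest(tag, expected)

def sign(key, challenge, origin):
    # The authenticator signs the challenge together with the origin the browser reports.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()

def otp_login(server, page_origin):
    code = server.send_otp()
    # The user types the code into whatever page is displayed; a relay forwards
    # it unchanged, so the server's answer does not depend on page_origin.
    first = server.check_otp(code)
    replay = server.check_otp(code)  # same code presented a second time
    return first, replay

def bound_login(server, page_origin):
    challenge = server.new_challenge()  # a relay can forward the challenge too
    tag = sign(server.device_key, challenge, page_origin)
    return server.check_assertion(tag)
```

`otp_login` returns the same `(accepted, replay_accepted)` pair for either origin, which is the relay problem; `bound_login` succeeds only when the page origin is the real one.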
The difference here is that we the people still have the right to question the government, and organizations like the EFF continue to fight for it.
You must be joking. American economy is anything but stagnant. Between 2009-2013, the U.S. GDP growth was 1.9%, which is pretty good compared to most other OECD countries.
It may be "stagnant" when you compare it to a country like China at 7.7%, but that is simply not sustainable, not without artificial currency manipulation.
Riots - Check
A few days of media blitz over a police shootout is not the same as protesters fighting for democracy.
High unemployment - Check
What on earth are you talking about? The U.S. unemployment is at 5.9% as of September 2014 and China's is estimated at ~4.5%.
Grandparent got downvoted to -1 for stating the plain obvious: "Don't be naive. It's so easy to do it without warning. (..) Remember, it's not just a single hacker, but government that controls whole traffic, that can impersonate not only any domain but any ip they want, they control BGP."
./ so it is to be expected that such true and damning information was swiftly downvoted. I see the reply to that also got downvoted even though it calls the simple truth "shit": "Sorry but you are full of shit, no mystical routing, ip rules or firewalls can remove the warning. The only way to get rid of the warnings are to either get ahold of trusted certificates or to have pwned the client box so you can control the client/MITM connections"
This is
Did you still miss that it is the GOVERNMENT of a major country we are talking about here? Now go take a good hard look at that default list of "trusted" root certificates shipped with all major browsers. And no, using Firefox or Chrome will not help you here.
https is and always was broken by design. It is, and never was, safe against a government adversary and it never will be. You can stick your head in the sand and think "my government loves me" (that must be why false-flag terrorism is common, why the US has fluoride in the water and so on) but that won't change the simple fact that any government agency can simply make a phone call and get a valid certificate for any damn domain they want and you're none the wiser if you are a target.
9/11: Never forget it was a false-flag operation
This has been going on for maybe a month -- but glad someone has logged/traced/pointed it out.. at least for hotmail.com. It's not consistent - but it has happened to me maybe 10 or 15 times in the last month. Typically it's perfectly fine.
The BBC reported today: "The Beijing-appointed leader of Hong Kong, Leung Chun-ying, said Monday evening that it was unacceptable to allow his successors to be chosen in open elections, in part because doing so would risk giving poorer residents a dominant voice in politics... he backed Beijing’s position that all candidates to succeed him as chief executive, the top post in the city, must be screened by a “broadly representative” nominating committee appointed by Beijing. That screening, he said, would insulate candidates from popular pressure to create a welfare state, and would allow the city government to follow more business-friendly policies to address economic inequality instead."
Whatever it is, it doesn't sound like communism to me.
It's probably better described as fascism, but there has never been a place on earth where communism in practice resembled communism in theory. It's not possible to ever implement it, because the power hungry use it as a method for personal enrichment. As Lord Acton said "Power tends to corrupt. Absolute power corrupts absolutely. Great men are almost always bad men."
Taking guns away from the 99% gives the 1% 100% of the power.
This is a cute post that implies governments will use influence over CAs to sign fake websites that are accepted by default by browsers.
Given any such forgery would:
- leave immediate and permanent evidence
- be a known attack vector that people are actively seeking evidence of
- be of high interest to slashdot and browser makers
Then I would recommend the naive null hypothesis that governments do not do this on a large scale has a high bar to be rejected.
OTOH, targeted attacks against individual people are a different story.
-- I was raised on the command line, bitch
Yeah, I hate 360 with a livid passion. I see it on all my relatives' computers and it drives me nuts. It runs like molasses in winter. It is incredibly noisy on the network when it shouldn't be. It pops ads all over the place and revs the CPU like crazy at times. Yeah, most of the banking software all require these specialty security certificates, unsigned drivers for weird USB fobs, only work in IE 8 or below, and often doesn't work at all on x64 versions of Windows. It is a nightmare to try and navigate (especially with my limited Chinese). I pity anybody who has to do tech support for folks who use that stuff.