China Staging a Nationwide Attack On iCloud and Microsoft Accounts
New submitter DemonOnIce writes: According to The Verge and an original report from the site that monitors China's Great Firewall activity, China is conducting a large-scale attack on iCloud and Microsoft accounts using its government firewall software. Chinese users may be facing an unpleasant surprise as they are directed to a dummy site designed to look like an Apple login page (or a Microsoft one, as appropriate).
ouch (Score:2)
Popular US browsers will warn, Chinese ones won't (Score:5, Insightful)
If you use Firefox, Safari, Chrome, or IE in China, they will all warn you that a MiTM attack has occurred (if you try going to https://icloud.com./ [icloud.com.]). But the most popular browser used in China (according to Qihoo; the claim is dubious), Qihoo’s Chinese 360 "Secure Browser" [360.cn], will allow Man in the Middle attacks to occur, by design.
Re: (Score:3)
Forgot to mention that enabling 2FA in China may be useless if they can also intercept the messages and do a replay attack.
Re: (Score:2)
The ones that use SMS.
Re: (Score:3)
The ones that use SMS don't prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.
2 factor auth is not supposed to prevent a MITM BTW. A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.
Re: (Score:2)
The ones that use SMS don't prevent replay attacks? Any half decent SMS two factor authentication will prevent replay attacks.
I don't know why I'm stating the obvious... SMS is not a trustworthy communications channel especially when your adversary is your government.
2 factor auth is not supposed to prevent a MITM BTW.
Haha ha ha ha funniest thing I've heard all day.
A page MITM-ing facebook can just pass information between the user and the server (the user will give the 2 factor auth to the MITM-ing server, which will just pass it on to facebook), and keep the session alive for as long as they want.
This is why real systems cryptographically bind both factors.
Re: (Score:2)
you appear to be clueless around security.
I openly admit to being clueless around everything. You still have to support your arguments.
2FA is not a mitigation against man in the middle. It's about raising the confidence level of the identity of the person who initiated the authentication.
Authentication is establishing proof of identity. Over networks this requires strong crypto and guarding of pre-established basis of trust specific to each factor.
There is no way around this basic truth. Number of factors involved is irrelevant.
Just because Google does x or old RSA fobs did y or some bank did z does not make those schemes secure. They may represent practically useful tradeoffs to some subset of
Re: (Score:2)
Please describe a 2 factor authentication method that is not susceptible to a man in the middle attack.
Client certificate + password
certificate based smart cards /w keypads
Specifically, describe a 2FA mechanism that is safe where one channel is completely compromised (let's say, the web page you are "logging in to" is being man-in-the-middled by the Chinese government).
This is not "Prove something doesn't exist", but show me even one example of a mechanism that does exist that is "man in the middle-proof". Seriously.
Too many people seem to be poisoned by the way things are vs how they could be if the proper readily available technology was brought to bear on the problem. Collection of credentials from web forms per your example is a breathtakingly stupid way to have your users fall victim to attacks, yet it is **everywhere**
For "what you know", use of zero-knowledge key agreement protocols such as TLS-SRP (RFC5054) enables two parties to establish mutual
Re: (Score:2)
Which Two-Factor Authentication methods lack replay attack prevention techniques?
All of them except smartcard/cert.
Re: (Score:2, Informative)
Re: I believe you missed who the adversary is (Score:3)
This is
Re: (Score:3)
This is a cute post that implies governments will use influence over CAs to sign fake websites that are accepted by default by browsers.
Given any such forgery would:
- leave immediate and permanent evidence
- be a known attack vector that people are actively seeking evidence of
- be of high interest to slashdot and browser makers
Then I would recommend the naive null hypothesis that governments do not do this on a large scale has a high bar to be rejected.
OTOH, targeted attacks against i
Re: (Score:2)
Other than certificate pinning (which you can do with CA certs and SSL/TLS just as easily), describe a scheme that doesn't have this problem. No?
At some point, you have to have a trusted party to provide trust in a cert. Otherwise, you have nothing. And that trusted party can be compromised, at which point you have nothing.
Web of trust:
The closest thing I'm aware of to avoiding that
Why? (Score:2)
Re:Why? (Score:4, Insightful)
It's almost like they are a... communist country.
Re: (Score:1)
China hasn't been Communist for 30+ years, just like how the DPRK isn't a democracy.
Re:Why? (Score:5, Insightful)
It's almost like they are a... communist country.
Right -- only a communist country would attempt such shenanigans. Western democracies are totally above that sort of misbehavior. ;^)
Re: Why? (Score:5, Interesting)
Posting AC. I provide IT support for a Chinese company based in the US. They wanted an American firewall and anti-virus suite. One of the employees insists on using some security 360 shit that's very chatty on the network. I blocked its net-block range and shortly he complained and wanted it fixed ASAP. I strongly suspect he's a CCP mole. Fuck him, he can suffer with the software approved by corporate.
Re: (Score:2)
Re: (Score:1)
It's almost like they are a... communist country.
What does that have anything to do with anything? Their economic policies are hardly relevant.
They're a dictatorship, that's their political model and why they get away with this.
Re: (Score:3, Insightful)
Re:Why? (Score:4, Interesting)
Whatever it is, it doesn't sound like communism to me.
Re: (Score:3)
Communism went bankrupt a long time ago. All that's left is the brand name.
Re: (Score:1)
"Fascism may be defined as the merger of corporations and state." - Il Duce
Re:Why? (Score:4, Insightful)
The BBC reported today: "The Beijing-appointed leader of Hong Kong, Leung Chun-ying, said Monday evening that it was unacceptable to allow his successors to be chosen in open elections, in part because doing so would risk giving poorer residents a dominant voice in politics... he backed Beijing's position that all candidates to succeed him as chief executive, the top post in the city, must be screened by a "broadly representative" nominating committee appointed by Beijing. That screening, he said, would insulate candidates from popular pressure to create a welfare state, and would allow the city government to follow more business-friendly policies to address economic inequality instead."
Whatever it is, it doesn't sound like communism to me.
It's probably better described as fascism [wikipedia.org], but there has never been a place on earth where communism in practice resembled communism in theory. It's not possible to ever implement it, because the power hungry use it as a method for personal enrichment. As Lord Acton said "Power tends to corrupt. Absolute power corrupts absolutely. Great men are almost always bad men."
Re: (Score:2)
because doing so would risk giving poorer residents a dominant voice in politics..
That sounds a lot like... Texas?
Re: (Score:1)
Their honesty is refreshing.
Re: (Score:2, Insightful)
So how many times has the NSA done the same thing? oh that's right the NSA merely forces Cisco to install hardware that lets them monitor such connections.
The NSA has done far far worse to Americans, let alone everyone else in the world. China at least primarily limits its attempts to its own citizens.
Re:Why? (Score:5, Insightful)
Are the Chinese officials trying to score some celebrity porn?
It's possibly related to the protests in Hong Kong and the government's desire to identify the leaders/participants.
Re: (Score:1)
Are the Chinese officials trying to score some celebrity porn?
It's possibly related to the protests in Hong Kong and the government's desire to identify the leaders/participants.
Or any other type of dissident or protester they can collect dirt on.
Like the NSA or any other spy agency, if they can scoop up any private data, they are going to want it.
Re: (Score:1)
> Are the Chinese officials trying to score some celebrity porn?
Probably because of the Hong Kong protests. Despite how we view China from the outside, the leadership there considers themselves to be very vulnerable. To the point of paranoia sometimes. China does have a history of local uprisings getting "out of hand" and toppling governments. Plus authoritarianism is inherently unstable. So maybe they are on to something.
Whatever the legitimacy of their fears, they are probably looking for signs of
Re: Why? (Score:5, Interesting)
China still has room to grow (Score:1)
China moved from a per capita income of a few hundred dollars per year to several thousand per year. Today's technology permits a few tens of thousands per year income for many industrialized nations. That is about where Japan maxed out. Even if income in Japan has stagnated for the last couple of decades, it stagnated in a good place, and things could definitely be worse. Naysayers be damned, China is going to keep on growing. China might stop at Russia's per capita income, but that's not too bad.
Re: (Score:3)
The difference here is that we the people still have the right to question the government, and organizations like the EFF continue to fight for it.
You must be joking. The American economy is anything but stagnant. Between 2009-2013, U.S. GDP growth was 1.9%, which is pretty good compared to most other OECD countries.
It may be "stagnant" when you compare it to a country like China at 7.7%, but that is simply not sustainable, not without artificial curren
Re: (Score:1)
Re: Why? (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
The CCP knows they are living on borrowed time and are going to do everything in their power, including perhaps returning to the days of the cultural revolution if it finds it necessary.
The CCP uses fear of the cultural revolution as a way to stay in power. That's what all the talk about 'Harmony' means. Not many people in China want to go back to that. They understand it made no sense to have red stoplights mean go, for example.
even Chinese celebs post nekkid pics (Score:2)
Chinese ops a great idea, right? (Score:2)
I wonder if this will make companies like Microsoft and Apple rethink their ties to China.
Re: (Score:2)
I wonder if this will make companies like Microsoft and Apple rethink their ties to China.
That's quite an optimistic attitude you've got there.
Re: (Score:3)
And lose 1.36BN potential customers?
Re: (Score:2)
Only a small fraction of that buy Apple or Microsoft products.
Re: (Score:1, Funny)
Re: (Score:2)
Only a small fraction of that buy Apple or Microsoft products.
Citation? You have data backing up the statement?
Looking at it another way, let's say just 10% of Chinese buy Apple products, that would work out to 136,704,000 customers
Are you aware that companies like GM actually sell more cars in China than any other market?
Re: (Score:1)
Re: (Score:2)
China is a massive market, even a small fraction of the market is bigger than most other countries. 1% is still 13.6 million customers and I would happily bet they have far more than a 1% share.
Re: (Score:2)
If you count HK, China makes up a significant percentage of customers. If you don't count HK, not so much. Apple and Microsoft make products that are very costly with respect to Chinese wage scales.
Re: (Score:2)
You are clinging to the past. China has a large and rapidly growing middle class as well as a strong wealthy segment. As to the HK comment, that is just moronic; HK's population in its entirety doesn't even equal 1/5th of China's population that earns over 200k a year.
Behind the curve (Score:1)
What, they haven't found a subtle and quiet way to sneak in like the N-S-A does?
Re: (Score:2)
:-) Very nice pun there, thanks for that.
Easy to fake... (Score:3)
Just an FYI... I've no reason to disbelieve the story, but it would be simple to fake the evidence presented...
I also wonder why the hotmail.com certificate was mistakenly created for the hotmai.com domain [googleusercontent.com]... that seems rather amateurish for a nation state. (Of course, perhaps plausible deniability is the reason.)
Regardless of whether or not it's fake, it does serve to point out the intentional flaws of Qihoo’s Chinese 360 "Secure Browser" pointed out by Rosyna above -- certainly a good thing to publicize.
Re: (Score:3)
I don't see a mistakenly created certificate. It looks like it is legitimately for hotmai.com
Which seems to be owned by microsoft and exists to redirect people who are not cautious about typing domains to the intended destination.
Taking over the DNS redirects and serving hotmail-looking content is a good way to catch a few people, if that's your game.
Or another way - if Microsoft is catching typos, why would a nation state be amateurish for doing the same thing?
Re: (Score:3)
I don't see a mistakenly created certificate. It looks like it is legitimately for hotmai.com
...
Or another way - if Microsoft is catching typos, why would a nation state be amateurish for doing the same thing?
Microsoft isn't doing the same thing, though. You're right that the (real) hotmai.com site does redirect to outlook.com, however it doesn't have a certificate, nor does it even have https enabled.
Furthermore, the packet capture shows that whoever created it was trying to visit "login.live.com" (it's in the SNI field of the SSL Client Hello message), and so the server should have responded with a cert for that domain, not for hotmail.com nor hotmai.com.
I'll stick by my interpretation that this was amateurish
Re: (Score:2)
I stand by my interpretation that once you type the domain, and verify a few certificates, you don't care.
You, specifically, are not "you", the collective.
Even an amateurish attack will be successful from time to time.
If a nation state tries to intercept the easy, hard, and next-to-impossible data, is it still amateurish? Defend.
Re: (Score:2)
I have reason to disbelieve this story. I have been doing tests and no matter where I connect I still get the legitimate sites. I think this is like some sort of anti-Communist hysteria or something.
Dubious reports (Score:2)
I think what those guys experienced would be related to an ISP. I'm in China and traveling at the moment, so I can tell you that I'm still getting to the legit sites either using airport wifi, hotel wifi or a residential ISP.
There is interference with the internet, no doubt about that, especially since the Hong Kong protests, when they took down the whole BBC website. But unless I see it reported from a reputable source I will call this bs, since I have never been able to verify their claims in previous occ
Re: (Score:2)
I've been experiencing SSL errors with Hotmail.. (Score:3)
This has been going on for maybe a month -- but glad someone has logged/traced/pointed it out.. at least for hotmail.com. It's not consistent - but it has happened to me maybe 10 or 15 times in the last month. Typically it's perfectly fine.
Apple's icloud trademark trampled (Score:1)
Re: (Score:2)
Please post us a picture of your Chinese entry visa so we know you have actual evidence, not just regurgitating what you saw on FOX or CNN.