China’s Massive Internet Security Turmoil: Updated

Update: Penn-Olsen, a Chinese tech-watching website, is reporting that Chinese hackers say the release of massive amounts of data was just a joke.

The data released on the internet last week was already widely available in hacking circles, according to Wan Tao, the founder of a popular hacking online community. Wan told the Dongfang Daily that the reason the data looks so old (most of the information released involves pre-2009 usernames and passwords) is that it is old. Apparently, the databases have been floating around in hacker circles for some time, and hackers told the paper that whoever released the data must have done it for fun, as there is no way anyone could make money from such an old, widely-circulated database.

Given the precarious security state of Chinese pirated PC infrastructure, the last laugh may be reserved for a new gang of pirates.


Original Story:
In Marketwatch there was a strange story today by Caixin Online, Marketwatch’s Chinese business associate site: Chinese Search Engines Required to Post Government Bank Website links. The basic story is a bit quizzical. The ten largest Chinese search engines, including Baidu, Bing, and Yahoo, are required to post links to the 6 largest Chinese Government banks at the top of every search page. Hunh??? What’s going on here?

A quick search around the Web turned up nothing, not even from DigiTimes, the Taiwan-based electronic news service. But more searching on the Caixin website turned up the following story from December 29th, 2011 – 100 Million Usernames, Passwords Leaked. Now this is a major security breach – equivalent to 30 million online ids and passwords in the US. And the causes are spoken and unspoken. The spoken causes in the Caixin report were too familiar to North American computer users:

Anti-virus company Qihoo 360’s Vice President Shi Xiaohong attributed the leak to companies neglecting to encrypt their users’ passwords and account information, Xinhua reported. Legal experts told Caixin that the massive leak also revealed shortcomings in Chinese internet security law and online ID theft protections.

But ye Editor wondered if the presence of pirated software in China might have a bearing on the situation.

Bingo! The following report from earlier this summer provides the insight:

Microsoft has launched a new web site that is aimed to step up its campaign to move users off Internet Explorer 6. The new IE Countdown site includes a world map, highlighting which countries around the world still have the most IE 6 installations. China is apparently the biggest country which is still using the horrible, outdated web browser, with a whopping 34.5% of usage. IE6’s usage share in China is more than five times that of the rest of the world! IE6 has created huge headaches for developers and security risks for end users, so why are Chinese Internet users still sticking to this insecure web browser?

According to statistical reports, China has approximately 420 million Internet users, which has already surpassed the U.S. (info here). Of course Microsoft can read those data and acknowledges that China is a bastion of the nine-year-old IE6. IE6 has a strong relation with Windows XP. The XP operating system, which debuted in 2001, included IE6 as its default browser, while the Windows XP operating system is a “huge presence” in China. According to Microsoft’s own research data, XP has a staggering 81.8% share in China, while Windows 7’s share was only about 10%. So, see the picture?

China has dramatically different browser usage patterns than developed countries. Most Chinese people are still using IE6, due to many of them still using old Windows XP machines, and failing to upgrade the hardware, the OS and its default browser. XP users who want to run a newer version of Internet Explorer, such as 2006’s IE7 or 2009’s IE8, have had to either manually upgrade or accept a browser upgrade from Windows Update. But in China, over 90% of software is pirated, and most Chinese users never connect to Windows Update or even upgrade their web browser. The reason for this is that most Chinese users are afraid that Microsoft will detect their software as illegal, and disable or cripple it. While anyone can install IE7 or IE8 manually, even on a cracked XP install, the lack of automated updates likely discourages Chinese users from giving up IE6.

Another main reason for IE6 still remaining popular in China is that most commonly used Chinese websites have been constructed and tested to work with IE6 only, without consideration of web standards (W3C), non-IE browsers (Firefox, Safari, Chrome), or non-Windows platforms (Linux). For example, the China Government’s IT department registration website (MIIT) is IE6 only. Without IE6, authorities cannot file their registration information (story see here). Online banking in China is also strictly a Windows and IE6 love affair. They usually use an ActiveX login system; any western companies setting up their branch office in China must install IE6 on their Windows PCs, otherwise no work can be done through any of the major Chinese banks. The same is the case for China’s major online shopping sites, which require their customers to use IE rather than other web browser options.

Now Chinese hackers have taken advantage of the fact that IE6 and Windows XP are the dominant browser and client OS in China. Chinese hackers have been breaking into both IE6 and Windows for more than two years, to the extent that zero-day attacks, including the infamous Google hacks of 2 years ago, rely on IE6 and Windows being open targets. So long as pirated but old software like IE6 dominates the Chinese scene – this vulnerability will get even worse, because IE6 is no longer being patched even for security updates and security support for Windows XP ends in April 2014. But the reality is that hundreds of millions of Chinese Windows users who run pirated copies are already out of this update loop.

The Hacking Bottom Line

If these hacking attacks in China persist or get worse, the Chinese government will be confronted with a major dilemma. How do they update literally millions of computers? Do they issue their own mandated security updates to Windows XP and IE6 – non-compliance meaning cutoff from key government and business sites [this will be hard to do because business and government sites are themselves mired in XP and IE6]? Do they release a mandated move to Chinese Linux – something previously tried without success? Or do they move to an updated and secure tablet OS? Whatever the choice, the solution to China’s massive Hack Attacks will have huge implications for the global PC and Mobile Computing markets for the next 1-3 years. Finally, a 5th of the Finest to whoever can answer – who benefits the most from China’s Pirated Software conundrum: Apple, Google, Microsoft, Unicom or some other third parties?