FBI Warns US Companies About Backdoors In Chinese Tax Software (zdnet.com) 36
An anonymous reader writes: The US Federal Bureau of Investigation has sent an alert on Thursday warning US companies about backdoor malware that is silently being installed on the networks of foreign companies operating in China via government-mandated tax software. The backdoors allow threat actors to execute unauthorized code, infiltrate networks, and steal proprietary data from branches operating in China. Making matters worse, the FBI says that all foreign companies are required by local Chinese laws to install this particular piece of software in order to handle value-added tax (VAT) payments to the Chinese tax authority. FBI officials said the backdoor malware was spotted in the VAT software of two Chinese tech companies -- namely Baiwang and Aisino. Unfortunately, these are the only government-authorized tax software service providers allowed to operate VAT software in China, officials said, suggesting that any foreign company operating in China was most likely affected by this issue.
So Snowden was right about China too (Score:2)
Watching everyone all the time. It's what governments and companies do *if* they can.
Re: (Score:2)
Just assume EVERYONE is watching EVERYONE. :(
Re: (Score:2)
> I love it when people use strange terminology to try to make shit sound more complicated
Those of us who study such things and try to protect you do actually have to distinguish between things such as vulnerabilities, threats, and risks. They may sound similar to you, but to professionals they denote very different things. You can have a vulnerability without a significant threat, and you can have a threat without a risk.
We distinguish between different types of threat actors because a script kiddie i
Re: (Score:2)
Are they "terrorists" or "freedom fighters"? Your distinctions are valid, but you need to be more consistent in making them. "Bad guy" is always from some particular viewpoint, so if you use the term you need to specify the viewpoint. Currently being the consensus viewpoint doesn't guarantee that the same view will hold in another five years. And it's not even guaranteed to hold for all areas of one country at the present moment. (Consider "Is Robert E. Lee a hero?", "Is Ulysses S. Grant a hero?", "Wh
Firewall Firewall Firewall (Score:4, Insightful)
If I had a company that for some reason had to have a presence in China, I would treat every computer there as completely untrusted... and for that Chinese Tax software? Yeah that is only transferring data on and off via USB stick, no connection to internal networks whatsoever (I'm betting China requires that software to have an outside internet connection to function, but no reason it has to be on the internal network or ever see how to access it...).
Re:Firewall Firewall Firewall + (Hypervisor) (Score:2)
I'd go one step further:
I'd run that software on a VM (with no other VMs on the physical hardware, and the real hardware outside my network), and put all the tools at my disposal to analyze the traffic to/from it, and monitor the rest of its internal behaviour using the tools that the hypervisor gives.
Re: (Score:2, Insightful)
And would you do that with US software in the USA?
Re: (Score:3)
If the IRS made me run their software on my computer, yes I would be highly suspicious. I would definitely run it only on a computer that is disconnected from everything else in my life.
Re: (Score:2)
> I would definitely run it only on a computer that is disconnected from everything else in my life.
What good would that do? It's filing your taxes. It's going to require some sort of internet connection to send the info to the IRS. Every bit of info that they'd be after would be entered into the software (whatever is being sent to the IRS, would also go to China). The rest of the attack is designed to just feel things out, but that's not what they're after at all.
Re: (Score:2)
Uncle Sam already knows all my bank deposits and what I buy from the grocery store.
Re: (Score:1)
With any software any government mandated I run, absolutely. You would NOT???????
Re: (Score:2)
> And would you do that with US software in the USA?
I would do the same for government mandated software in the USA. And if backdoors were found, we would report it to the press and try to sue the government to get them to stop doing it. I believe in China doing any of those 3 things would land you in prison.
Re: (Score:1)
> And would you do that with US software in the USA?
1/ There is no government mandated software in the US
2/ And the US would be more subtle, they wouldn't try to force everyone to install software infested with easily detected malware because they know it would fail.
3/ The courts in the US are somewhat functional, certainly in the case of a large company suing the government, and are known to rule against the government, unlike China where they exist merely to rubber stamp the will of Xi/the CCP.
So your attem
Re: (Score:2)
Any time, any outside corporation demanded to install their software onto the computer system I controlled. I would install it on an isolated from the rest of the network computer, with the required network link to the outside organisation and use it just for that required function and transfer in the data via sneaker net, drive and keyboard as necessary and that is all that computer would do. I mean fuck $500 for the hardware who cares and little extra labour to input the data and that is anywhere in the w
And when you must use it to work with China? (Score:2)
And when you must use it to work with China?
Re: (Score:3)
Re: (Score:3, Interesting)
Firewall, and send logs to the authorities in both countries.
So you have this software that's required to do business in China. And you find it contains malware (specifically: spyware / backdoor). Just out of curiosity: what if you confront supplier of that software with that finding?
"Hey, we've installed your software, and it contains malware! Can you explain this?".
No I'm not naive enough to expect a helpful answer. But nonetheless: what answer would you get? Seems like the facts you could present, would be hard to deny. And tax software shouldn't ne
Re: (Score:2)
Re: (Score:2)
Exactly. Try working with people in China without using wechat. It can't be done.
Re: (Score:2)
Use a dedicated computer outside your network. They aren't that expensive. Or, if you do enough business with China, set up a separate network for business with China. And only transfer sanitized text files between the networks, and that via read only media (say DVDs).
If you need to you can get fancier, but more complications become more expensive, and create more places where failure can happen. But you could, e.g., switch OSes between networks. And have an intermediate network that can parse the inco
Price of doing business there (Score:2)
Re: (Score:2)
"Yeah, the US government just taps every Internet connection to spy on you. The Chinese have to get into your computer."
This statement demonstrates an ignorant or malicious lack of appreciation for the difference between tapping an Internet connection (data traveling outside of a corporate data center) and "getting into a computer" (having access to processes running on a computer inside of a data center).
I would be surprised if the Chinese government wasn't monitoring Internet traffic.
Re: (Score:2)
GTFO (Score:4, Insightful)
Re: (Score:3)
I really couldn't agree more about it being time for U.S. companies to pull out of China. It was a mistake to ever be there, and it needs to be rectified ASAP.
Re: (Score:2)
It was a good attempt by Nixon to try to get China to move away from authoritarian rule but the entrenched powers recognized the threat and neutralized it.
The Chinese people also seem to be mostly sheep, but it's not different by much anywhere else.
I wonder if they realized just how effective controlling the narrative can be by watching North Korea all those years.
Software, schmoftware (Score:2)
Clear & Present Danger (Score:3, Funny)
Why or how is anti malware SW not quarantining/deleting this crap without asking?
How can these systems pass a compliance audit?
Western governments ought to prohibit this software from being installed on any system that is connected to any other system in the EU, Canada or the US.
Any U.S. Corporation Operating In China (Score:2)
When will US corporations learn (Score:1)
The cost of meeting China's convoluted trade and taxation rules
The loss (probably far higher than admitted) of profit due to Chinese industrial espionage
The questionable quality of everything that comes from China
The strategic cost of the gradual movement of American manufacturing capabilities to China
The ill will generated with the American public due to loss of American jobs
The increase in US tax loads necessary to support Americans displaced by shipping everything t
Re: (Score:2)
My sentiments exactly. I keep reading comments from U.S. corporate executives, phrased along the lines of "China is trying to steal our intellectual property!" and "The Chinese government requires significant local partners and requires that they have access to our strategic resources!". "We are surprised and dismayed by these acts!"
Those excuses were weak 30 years ago, when we should expect such executives to have performed due diligence in studying contracts and trade rules back then. Since then (meaning 2
Funny.. (Score:2)