Security

Read all 'China' posts in Security
October 22, 2009 5:03 PM PDT

Congressional commission focuses on China's cyberwar capability

by Mark Rutherford

In war and possibly in peace, China will wage cyberwar to control the information flow and dominate the battle space, according to a new report compiled for a congressional commission.

Chinese military strategists see information dominance as the key to overall success in future conflicts and will continue to expand the country's computer network exploitation capabilities, according to the report, titled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation." The report was prepared for the U.S.-China Economic and Security Review Commission under contract by Northrop Grumman's Information Systems Sector.

In a conflict, China will likely target the U.S. government and private industry with long-term, sophisticated computer network exploitation and intelligence collection campaigns, the report concludes. U.S. security agencies can expect to face disciplined, standardized operations; sophisticated techniques; high-end software; and a deep knowledge of the U.S. networks, according to the report (PDF).

The strategy employed by the People's Liberation Army--China's military organization--is to consolidate computer network attacks with electronic warfare and kinetic strikes, creating "blind spots" in enemy systems to be exploited later as the tactical situation warrants, according to the report. The strategy, which has been adopted by the world's other technologically inclined armies, is referred to by the PLA as "Integrated Network Electronic Warfare," the report stated.

The emphasis on information warfare has forced the PLA to recruit from a wide swath of the civilian sector, according to the report. As is the case with the U.S. military and its new Cyber Command, the PLA looks to commercial industry and academia for people possessing the requisite specialized skills and pasty pallor to man the keyboards. And although it hints broadly at it, the report offers no evidence of ties between the PLA and China's hacker community.

The U.S.-China Economic and Security Review Commission reports and provides recommendations to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People's Republic of China.

Originally posted at Military Tech
Mark Rutherford is a West Coast-based freelance writer. He is a member of the CNET Blog Network, and is not an employee of CNET. Email him at markr@milapp.com. Disclosure.
October 9, 2009 5:56 AM PDT

China 'Green Dam' enforcement faces hurdles

by Vivian Yeo

China's Green Dam-Youth Escort censorship initiative is facing hurdles as some schools and Internet cafes either don't have the software or have uninstalled it.

Initially required for all new PCs when it was introduced in June, the Chinese government revised its mandate in August and effectively lifted the burden on PC makers to package the so-called content-filtering software in computers. However, the highly controversial software is still required to be installed in PCs used in schools and public places, including Internet cafes.

Green Dam is one of many tools the government uses to control Internet content.

Read more of "Green Dam enforcement watered down" at ZDNet Asia.

August 13, 2009 7:56 AM PDT

WSJ: China not requiring Green Dam software

by Lance Whitney

The Chinese government may be waving a white flag in response to all the criticism of its Green Dam filtering software.

Beijing won't force the widespread installation of the Internet filtering program on PCs and other consumer products, China's industry minister, Li Yizhong, said Thursday, according to a report in The Wall Street Journal.


The Green Dam interface. (Credit: University of Michigan)

In June, China said it would require that the Green Dam software be installed on all computers sold in the country by both domestic and foreign manufacturers. Since later that month, China has been delaying a permanent decision on whether to demand the software be preinstalled on all PCs.

According to the Wall Street Journal story, Li said that the intention was for the software to be installed voluntarily by individuals or their parents. He stressed that the program is intended to protect children from pornography and other harmful content and that attempts to politicize the issue or "attack China's Internet management system" are fanciful and irresponsible, the Journal reported.

China will still move forward with installing Green Dam in schools and Internet cafes across the country.

Since China announced the requirement of Green Dam, the software had been criticized on several fronts, putting pressure on the Chinese government to re-examine its decision.

In addition to protecting children from pornography, the filter was seen as a further attempt at censoring content objectionable to the Chinese government, also creating potential trade barriers and other headaches for PC manufacturers.

Experts also said the program is poorly developed and unsafe and would leave PCs vulnerable to hackers. One exploit popped up in late June that would allow attacks on computers outfitted with Green Dam.

July 29, 2009 3:51 PM PDT

Hackers rumored to have cracked Windows 7 activation

by Dong Ngo

Microsoft only just released final code for Windows 7 to manufacturers and the company is already facing a security risk.

The Windows Genuine Advantage antipiracy system in the Windows 7 Ultimate release to manufacturers (RTM) has reportedly been compromised by some Chinese hackers, according to a variety of Chinese forums, and first reported by Neowin.com. This means the user can fully activate the software offline without connecting to Microsoft's activation server.

The software's RTM code is generally the same as the retail code, which will be available to the public in October. PC makers tend to get the final product with plenty of time in advance of the launch to make their products ready on the launch date.

It must have been a complicated process, but in a nutshell, hackers reportedly used the leaked ISO file to get hold of the activation certificate that Microsoft digitally signed for the original equipment manufacturer, or OEM version of Windows 7. It's rumored that the key that got hacked is one that can be used to activate multiple OEM-branded installations, such as Dell's, HP's, or, of course, Lenovo's.

I am no fan of the activation, (it's a pain when you change computer parts, which I do very frequently) but this is rather upsetting news. I am sure, in no time, you will be able to buy a copy of Windows 7 in China or Vietnam for less than a dollar.

Addressing this, Microsoft released this statement to CNET News:

We are aware of reports of activation exploits that attempt to circumvent activation and validation in Windows 7, and we can assure customers that Microsoft is committed to protecting them from counterfeit and pirated software. Microsoft strongly advises customers not to download Windows 7 from unauthorized sources. Downloading Windows 7 from peer-to-peer Web sites exposes users to increased risks--such as viruses, Trojans, and other malware and malicious code--that usually accompany counterfeit software. These risks can seriously harm or permanently destroy data and often expose users to identity theft and other criminal schemes.

June 30, 2009 7:58 AM PDT

China delays rule for Net-screening software

by Stephen Shankland

China has indefinitely delayed enforcement of a requirement that PC makers preinstall Green Dam-Youth Escort software that experts believe would have screened not just Internet pornography but also some online political content.

Green Dam allows users to specify categories of sites to block.

(Credit: University of Michigan)

The reprieve, announced by China's Ministry of Industry and Information Technology, according to reports in The New York Times and the Associated Press, came just one day before the preinstallation rule was to go into effect.

But thus far the reprieve appears temporary: the ministry said the delay will give computer makers more time to comply with the rule, and the government also will continue to equip school and cybercafe computers with the software, according to the New York Times report.

Experts have warned that the Green Dam software poses security risks, and last week, the U.S. Trade Representative protested that Green Dam violates World Trade Organization rules.

PC makers had been cagey about their plans to comply with the rule to install the software. Technical and other objections must be weighed against business concerns, and China is a large and growing market. Companies that deal directly with Internet content have been in the hot seat for years, and Google has had to wrestle with new Chinese censorship requirements this month.

Originally posted at Politics and Law
June 25, 2009 4:48 PM PDT

Expert: China's Green Dam software is unsafe

by Elinor Mills

The content-filtering software the Chinese government wants installed on all PCs sold in that country beginning next week was poorly developed and puts users at risk of having their computers compromised, a security expert who examined the code said on Thursday.

The Chinese government is requiring that all PCs include the Green Dam-Youth Escort software to block pornography, but it also blocks access to content related to violent computer games, illegal drugs and political speech, said Ben Feinstein, director of research at SecureWorks, a managed security service provider.

Critics are worried that the Chinese government could use Green Dam, a free download, to block all kinds of content and monitor online activities of users, as well as worried that the software could allow for a massive botnet to be created, either by cybercriminals or the Chinese government itself.

Green Dam allows users to specify categories of sites to block.

(Credit: University of Michigan)

Feinstein and colleagues at SecureWorks' Counter Threat Unit examined the Green Dam code earlier this month and found that it uses a variety of unsafe programming practices that have been banned at Microsoft and other U.S. companies, he said.

An example is the use of strcpy, or string copy, a library function in the C programming language that copies memory from one buffer to another, according to Feinstein. If the copied string doesn't fit in the destination buffer, it will overwrite memory and can be used in a buffer overflow attack.

"This software appears to be of low quality and to have not been developed with a secure methodology," Feinstein said. "It likely suffers from a whole host of problems."

The way Green Dam is designed to inspect all Internet traffic coming into and going out of a PC means more parts of the code are exposed to potential attack compared with programs that are more limited in scope and process less data, he said.

In addition, having the software on all PCs in China, as mandated, would create a huge install base and be an attractive target for attackers who could attack millions of computers by targeting just this one program, Feinstein said.

China historically has censored the Internet using filters on the network, blocking access to pages that deal with politically sensitive subjects like Tiananmen Square, Falun Gong, and Tibet. Installing filtering software on the end-user computers will make it easier to block content than doing it in the network, according to Feinstein.

"You get efficiencies of scale if you push the filtering down to the end point rather than inspect huge Trans-Pacific pipes entering and leaving your country," he said. Green Dam was published by Jinhui Computer Systems Engineering, which is run by a former officer of the People's Liberation Army, he added.

Researchers at the University of Michigan issued a report two weeks ago that found two major security vulnerabilities in Green Dam that could allow someone to remotely take over a computer running the software. The software was later updated and patched, according to an update to the report issued a week ago; however, the researchers said they had discovered an additional security hole that remained unfixed.

Separately, a security researcher said he had released on a public Web site an exploit for a buffer overflow that remained unpatched in the Green Dam update.

June 25, 2009 10:22 AM PDT

Green Dam exploit in the wild

by Tom Espiner

An exploit for a flaw in censorware mandated by the Chinese government has been made publicly available for download on the Internet.

The buffer overflow flaw exists in the latest, patched version of Green Dam, 3.17, according to security researcher "Trancer," who claims authorship of the attack code.

"I wrote a Metasploit exploit module for Internet Explorer, which exploits this stack-based, buffer overflow vulnerability in Green Dam 3.17," Trancer wrote in his Recognize-Security blog. "I've tested this exploit successfully on the following platforms: IE6, Windows XP SP2, IE7, Windows XP SP3, Windows Vista SP1."

The attack code, which has been posted to the Milw0rm Web site for proof-of-concept exploits, has been circulating in the wild for a week, according to security consultant and ZDNet blogger Dancho Danchev.

The Chinese government has ordered Green Dam censorware, billed as a pornography filter, to come preinstalled on all PCs sold in the country beginning July 1. Jinhui Computer System Engineering, which produces the software, patched Green Dam after a team from the University of Michigan exposed a buffer overflow flaw in it.

Last week, the researchers said in an addendum to their original paper that despite this patch, the software remains vulnerable to buffer overflow attacks, which indicates that Green Dam's security problems "run deep."

Green Dam intercepts Internet traffic using a library called SurfGd.dll. Even after the patch, SurfGd.dll still uses a fixed-length buffer to process Web site requests, the researchers explained. Malicious Web sites could overrun this buffer to take control of the execution of applications on a target computer.

"The program now checks the lengths of the URL and individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer," wrote the researchers. "An attacker can compromise the new version by using both a very long URL and a very long 'Host' HTTP header. The pre-update version, 3.17, which we examined in our original report, is also susceptible to this attack."
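The length-check mistake the researchers describe, as an added C example (not Green Dam's code and not part of the original article): the buffer size, the per-field limits, and all function names are assumptions chosen for illustration. It contrasts a per-field check with a bounded join that validates the combined length before anything is accepted.

```c
#include <stdio.h>
#include <string.h>

/* All sizes below are assumptions for illustration, not Green Dam's values. */
#define REQ_BUF   256   /* fixed-length buffer that receives URL + Host */
#define MAX_URL   200   /* per-field limit on the URL */
#define MAX_HOST  200   /* per-field limit on the Host header */

/* Flawed policy: each field is bounded on its own, so two fields that
 * each pass can still add up to more than REQ_BUF bytes. */
static int per_field_check(const char *url, const char *host)
{
    return strlen(url) <= MAX_URL && strlen(host) <= MAX_HOST;
}

/* Hardened composition: snprintf never writes past dstlen and reports the
 * length it wanted, so truncation is detected and the request rejected. */
static int join_request(char *dst, size_t dstlen,
                        const char *url, const char *host)
{
    int n = snprintf(dst, dstlen, "%s\n%s", url, host);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds constructed inputs of the given lengths and reports which checks
 * accept them: bit 0 = per-field check, bit 1 = hardened join. */
static int run_case(size_t url_len, size_t host_len)
{
    char url[512], host[512], req[REQ_BUF];
    int result = 0;

    if (url_len >= sizeof url || host_len >= sizeof host)
        return -1;
    memset(url, 'u', url_len);   url[url_len] = '\0';
    memset(host, 'h', host_len); host[host_len] = '\0';

    if (per_field_check(url, host))
        result |= 1;
    if (join_request(req, sizeof req, url, host) == 0)
        result |= 2;
    return result;
}

int main(void)
{
    printf("40+20 bytes:   %d\n", run_case(40, 20));
    printf("180+180 bytes: %d\n", run_case(180, 180));
    printf("300+10 bytes:  %d\n", run_case(300, 10));
    return 0;
}
```

A result of 1 marks the dangerous case: input that the per-field check accepts even though the combined request does not fit the buffer.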

Green Dam is also vulnerable to a blacklisting flaw, identified by University of Michigan researchers Scott Wolchok, Randy Yao, and J. Alex Halderman, which could allow third parties to upload malware via an innocuous-seeming update.

Western security experts have greeted the censorware with criticism. Bruce Schneier, BT's chief security technologist, told ZDNet UK the software could allow the creation of a massive botnet, either by Web criminals or even by the Chinese government. "Suddenly you have an army of a couple of billion computers," said Schneier. "This should worry all of us."

Tom Espiner of ZDNet UK reported from London.

June 12, 2009 10:12 AM PDT

The botnet threat in China's censorship software

by Tom Espiner

Experts have warned of serious security flaws in the Chinese government's censorship software, which could open the door to hackers creating huge botnets.

Programming errors in the Green Dam Youth Escort software, which the Chinese Ministry of Industry and Information Technology said Tuesday must be preinstalled on all new computers in the country, are at the root of the flaws, according to experts from the University of Michigan.

Green Dam warning notice

This message pops up on PCs when the Green Dam software spots banned phrases.

(Credit: University of Michigan)

"Once Green Dam is installed, any website the user visits can exploit these problems to take control of the computer," wrote the university's researchers. "This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet." The warning came in a paper published Thursday by researchers Scott Wolchok, Randy Yao, and J. Alex Halderman.

The Green Dam software filters content by blocking URLs and Web site images and by monitoring text in other applications. The filtering blacklists include both political and adult content.

The researchers said that after only one day of testing Green Dam, they discovered programming errors in the code used to process Web site requests. These would result in buffer overrun conditions on all computers running the software, they said.

"The code processes URLs with a fixed-length buffer, and a specially crafted URL can overrun this buffer and corrupt the execution stack," said the researchers. "Any website the user visits can redirect the browser to a page with a malicious URL and take control of the computer."

The researchers built a proof-of-concept program to demonstrate the flaw and said it would crash any computer running Green Dam.

In addition, Green Dam can be used to install any other program on a computer, via a blacklist vulnerability. This problem would allow Green Dam's makers, or a third-party impersonating them, to execute arbitrary code and install malicious software on the user's computer, after installing a filter update.

Chinese government news agency Xinhua reported that Jinhui Computer System Engineering, which developed Green Dam, had said the software was not spyware. "Our software is simply not capable of spying on Internet users, it is only a filter," Jinhui is quoted as saying.

The Xinhua article did not address whether the filter itself could be used to upload spyware.

The University of Michigan researchers recommended that anybody running Green Dam uninstall the software immediately. However, according to a translation of feedback on Jinhui's user forum, teachers and educational establishments have no choice but to use the software.

"Let me say something here," wrote one teacher. "We were forced to install the software. So I have to come to this website and curse. After we installed the software, many normal websites are banned."

Currently, Green Dam is only optimized for Microsoft's Internet Explorer browser, according to leaked technical specifications posted on the Wikileaks website.

Tom Espiner of ZDNet UK reported from London.

April 22, 2009 2:36 PM PDT

The Cold War moves to cyberspace

by Charles Cooper

This story was originally published at CBSNews.com.

Somewhere deep in Washington's national security apparatus, more than a few old-timers surely pine for the clarity of the Cold War. Black versus white, American versus Russian, spy versus spy--the good old days.

Now, however, they face more ephemeral threats from shadowy foes that prefer to cloak their identities.

"There's a cyberwar going on," said Ed Giorgio, who spent nearly 30 years with the National Security Agency before starting an IT security consultancy in 2007. The problem, he says, is that identifying an online adversary isn't as easy as pinpointing an enemy tank formation.

"Adversaries are just as likely to be nationalists as they are likely to be countries," said Giorgio, echoing a theme that cybersecurity experts say is likely to shape the Pentagon's approach to building Internet defenses in an increasingly networked world.

The extent of the problem was hinted at earlier in the day by Defense Secretary Robert Gates. In an upcoming 60 Minutes interview, Gates told CBS News anchor Katie Couric that the United States is "under cyberattack virtually all the time, every day" and that his department will more than quadruple the number of experts to battle cyber attacks.

... Read more
January 8, 2009 12:32 PM PST

Latest problem import? Infected digital photo frames

by Elinor Mills

In 2007, U.S. officials recalled melamine-laced pet food that caused the deaths of cats and dogs and lead-coated toys that endangered toddlers. Now, digital photo frames infected with computer viruses are the latest problem import from China.

"That phenomenon apparently has bled over to the digital side as well," Marcus Sachs, director of the Internet Storm Center at the SANS Institute (SysAdmin, Audit, Network, Security), said of the Chinese manufacturing problems that get exported. "Essentially, it's a supply chain problem. We've become dependent on a cheap source coming out of Asia."

The culprit is believed to be poor quality-assurance testing procedures in which one of every 1,000 or so devices is plucked off an assembly line and tested on a computer that is infected with a virus, he said.

Before Christmas, Samsung and Amazon issued alerts warning customers that some Photo Frame Driver CDs for Samsung's SPF line of digital photo frames contained a virus in the frame manager software. Customer PCs running Windows XP are at risk of being infected by the virus, W32.Sality.AE, which drops a keylogger or backdoor onto the system.

Element and Mercury brand frames sold at Circuit City and Wal-Mart, respectively, also were reported to be infected, according to the San Francisco Chronicle.

Sales of digital photo frames are increasing and Chinese suppliers produced more than 8 million in 2007, according to MarketResearch.com. Their plug-and-play use and the fact that they serve as a digital replacement for paper albums make electronic picture frames popular holiday gifts.

A year ago, Insignia digital picture frames were pulled from shelves and online sites after Best Buy learned they could be carrying a virus. Also reported to be infected then were digital frames from Advanced Design System, Digital Spectrum, and Castleton. But digital frames aren't the only electronic items found to carry a hidden payload. Other malware-infected devices have included MP3-playing sunglasses, a flip video camera, and Maxtor external hard drives, according to the SANS Internet Storm Center.

"Anything that has flash storage or bootable storage is exposed to this kind of threat," said Dave Marcus, director of security research for McAfee Avert Labs. "It doesn't mean you shouldn't buy them. You should just realize before you plug it in that you might want to disable the Windows auto-boot functionality and run an antivirus scan on it, just to be safe."

For instance, the ubiquity and convenience of USB thumb drives make them a growing propagation vector. A virus outbreak on a U.S. Department of Defense network prompted officials to temporarily ban the use of USB drives, CDs and removable storage devices in November.

Attrition.org offers a long and growing list of malware-infected products that have hit store shelves.

(Credit: Attrition.org)

Security Web site Attrition.org maintains a list of products shipped to customers that were found to be infected with viruses and other malicious or odd programs. The list, which goes back to 1990, includes a credit card terminal that contained a bug to steal credit card information, MP3 players, USB drives, and other hard drives with computer worms, and a Cisco VPN Client CD that had MP3s of Mexican drug-runner folk music known as "Narcocorridos," all in 2008. Then there are the infamous Video iPods that shipped in 2006 with a Windows virus. (And just last April, a colleague bought a re-conditioned iPod Nano that arrived with a virus.)

"This list is not complete, yet it should make you realize that nothing is safe," the Attrition.org site says in a cynical warning. "Every piece of electronics you buy and every piece of software you install may come with malware pre-installed. Rather than manufacturers introducing a higher set of quality controls to prevent such incidents, we will no doubt see companies produce new products that will help keep you 'safe' from such threats. These 'controls' would no-doubt be another band-aid on top of band-aids that make up a lucrative market, which is sad commentary about how customers perceive and receive 'electronic security.'"

The problem is getting serious enough to merit congressional hearings on how to protect consumers against being harmed by the electronic products they buy, said Sachs of the SANS Internet Storm Center.

Right now the best protection against being infected by viruses in new devices is to keep antivirus software up to date, and disable Windows' AutoRun features and instead manually launch programs and installers when devices are inserted. The CERT security research organization has more information on the risks associated with AutoRun on its Web site.
