China may be abusing Internet security processes to steal data, cyber experts warn

The Chinese Communist Party (CCP) may be abusing a universal authentication process, one that is believed to be secure but in reality may not be, in order to access data from unsuspecting users, cyber experts warn.

Encryption remains the preferred method for protecting digital data and computers, but in some cases, they said, the digital certificates used for authentication on the Internet have allowed the Chinese regime to infiltrate various computer networks and wreak havoc.

Organizations around the world known as certificate authorities (CAs) issue digital certificates that verify the identity of digital entities on the Internet.

Digital certificates can be compared to passports and driver’s licenses, Andrew Jenkinson, CEO of cybersecurity firm Cybersec Innovation Partners (CIP) and author of the book Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare, told The Epoch Times.

“Without it, users and devices would not be able to comply with industry standards, bypassing critical data encryption and leaving what was supposed to be encrypted in plain text format,” he said.

Digital certificates are used to encrypt internal and external communications, preventing hackers from intercepting or stealing data. However, invalid or “illegal certificates” can subvert the entire cryptographic process, resulting in “a false sense of security for millions of users,” Jenkinson said.

A layer of false trust

Michael Duren, executive vice president of cybersecurity firm Global Cyber Risk LLC, explained that digital certificates are typically issued by trusted CAs, and an equivalent level of trust is passed on to intermediate providers. However, he said, communist regimes, criminals, or other untrustworthy organizations have the opportunity to issue certificates to other “malicious people” who appear to be credible but are not.

“When a certificate is issued by a trusted entity, it becomes trusted, but what the issuer can actually do is pass that trust to someone who shouldn’t be trusted.”

Duren said he would never trust a Chinese certificate authority for this reason, adding that he knows many companies that block Chinese certificates issued to untrusted entities.

According to Jenkinson, Chinese certificate authorities make up a small percentage of the sector, and the certificates they issue are typically limited to Chinese entities and products.

Prince, a member of the Red Hacker Alliance hacking group, who refused to reveal his real name, uses his computer at an office in Dongguan, Guangdong Province, southern China, on August 4, 2020. (Nicolas Asfouri / AFP via Getty Images)

In 2015, certificates issued by the China Internet Network Information Center (CNNIC), the state-owned agency that oversees China’s domain name registry, came under scrutiny. Google and Mozilla removed trust in CNNIC certificates after unauthorized digital certificates were issued for multiple domains. Both companies objected to CNNIC’s delegation of certificate-issuing authority to Egyptian companies that had issued the unauthorized certificates.

According to Jenkinson, CNNIC certificates were banned because “there was a backdoor.”

“What is a backdoor? [The Chinese certificate authority] can literally take over administrative access and send the data back to their mothership,” he said.

Since 2016, Mozilla, Google, Apple, and Microsoft have also banned Chinese certificate authority WoSign and its subsidiary StartCom because of unacceptable security practices.

Security flaw

Despite these bans on Chinese digital certificates in recent years, the CCP has not been deterred and is playing a long game, Jenkinson warned.

He pointed to a surprising discovery his cybersecurity company made at a multinational consulting firm two years ago.

Although specifics vary by certificate authority, he said, digital certificates are usually valid for several years and must be renewed to remain valid and to keep the data they are supposed to protect secure.

“But in 2019, CIP discovered a Chinese certificate that was valid for 999 years,” Jenkinson said.

His company made this discovery when examining laptops from a well-known global consulting firm.

Signs depicting four members of the Chinese military charged with hacking Equifax Inc. and stealing data from millions of Americans are displayed shortly after Attorney General William Barr held a press conference at the Department of Justice in Washington on February 10, 2020. (Sarah Silbiger / Getty Images)

Jenkinson brought the security flaw to the company’s attention and offered services to secure its computers and its customers’ networks, but the company declined.

“Are they incredibly complacent, or colluding?” he said, adding that the company’s customers include US government agencies.

According to Jenkinson, the billion-dollar company’s failure to fix the problem could expose hundreds of thousands of people to Chinese intrusion through the company’s lax security.

He added that the company puts its customers at risk every time someone uses one of its laptops. A client using the company’s services could, for example, be extorted for ransom, have its intellectual property stolen, or be seeded with malicious code for later use.

The company “violates all privacy regulations known to humanity and they just want to dismiss it,” the cybersecurity expert said, pointing in particular to the European Union’s strict data protection laws.

And if this information were made public, Jenkinson said, the impact would be widespread.

“Imagine a watering hole attack or a drive-by attack. Cyber criminals can easily gain access to capture data without having to sit there and think or decrypt the data, because it’s all plain text [due to a rogue certificate or configuration error],” he said.

Jenkinson said it was “crazy” for such a large, reputable company to choose not to protect its clients.

“Slippery slope”

Financial losses from cybercrime are not heading in the right direction, Jenkinson said.

Global losses from cybercrime exceeded $1 trillion in 2020, according to a report from computer security firm McAfee. According to research firm Cybersecurity Ventures, losses are expected to exceed $6 trillion in 2021.

Jenkinson predicts that by 2025, economic losses will exceed $10 trillion. At this pace, “this will affect all men, women and children,” he said. “Well, the slippery slope we’re on has been greased by ourselves.”

To reverse this trend, first, “people should not use CNNIC digital certificates,” Jenkinson said.

“Anything that comes out of a state-owned company, like the Chinese Communist Party acting as a certificate authority, shouldn’t be trusted,” said Duren of Global Cyber Risk.

According to Jenkinson, CAs need better management and oversight. “Without this, given that a standard laptop contains hundreds of thousands of digital certificate instances, there is no chance of knowing which digital certificate is being used.”

He said Chinese computer products mainly use Chinese digital certificates, so users of such products should be aware that their security may be compromised as a result.
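The 999-year certificate CIP found and the point that a laptop holds far more certificate instances than anyone tracks both come down to the same inventory check. The following Go program, added here as an illustration and not code from CIP or anyone quoted in the article, builds a constructed self-signed certificate offline and flags two things a defender would audit for: a validity period beyond an assumed 398-day threshold, and an issuer name matching one of the CAs the article says browsers distrusted (substring matching on the issuer name is an assumed heuristic, not root-store policy).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA names the article says browsers distrusted; substring matching on the issuer is an assumed heuristic.
var distrustedIssuers = []string{"CNNIC", "WoSign", "StartCom"}
const maxValidityDays = 398 // assumed threshold: public TLS leaf certificates are capped near 398 days

// auditCert returns human-readable findings for one parsed certificate.
func auditCert(c *x509.Certificate) (findings []string) {
	if days := int(c.NotAfter.Sub(c.NotBefore).Hours() / 24); days > maxValidityDays {
		findings = append(findings, fmt.Sprintf("validity of %d days exceeds %d-day limit", days, maxValidityDays))
	}
	issuer := strings.ToLower(c.Issuer.String())
	for _, name := range distrustedIssuers {
		if strings.Contains(issuer, strings.ToLower(name)) {
			findings = append(findings, "issuer matches distrusted CA: "+name)
		}
	}
	return findings
}

// makeSelfSigned builds a constructed self-signed certificate so the example runs offline; a real audit would read the machine's certificate store.
func makeSelfSigned(cn string, years int) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.AddDate(years, 0, 0), // 999 reproduces the case in the article
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running auditCert over makeSelfSigned("Constructed Example CA", 999) yields a single validity finding; a one-year certificate from the same issuer yields none.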

JM Phelps

Freelance reporter


JM Phelps is a writer and researcher on both Islamist and Chinese threats.
