FBI Investigating Major Chinese Firm for Selling Spy Gear to Iran

The FBI has launched an investigation into allegations that a top Chinese maker of phone equipment supplied Iran with U.S.-made hardware and software, including a powerful surveillance system, in violation of federal laws and a trade embargo, according to The Smoking Gun.

Investigators, who began their probe earlier this year, have also found evidence that the company planned to obstruct a Department of Commerce inquiry into the contract behind the sales.

Last March, Reuters reported that the Chinese firm had sold the Telecommunications Company of Iran (TCI) a powerful surveillance system as part of a $130 million contract in 2010 and that the equipment was capable of monitoring landline, mobile and internet communications.

Reuters had obtained a 907-page packing list of equipment shipped to Iran, which named hardware and software products from top U.S. firms, including Microsoft, Hewlett-Packard, Oracle, Cisco Systems, Dell, Juniper Networks and Symantec.

According to a non-public FBI affidavit obtained by The Smoking Gun, after Reuters broke the news about the sale of equipment to Iran, ZTE lawyers went into panic mode and allegedly began hatching a plot to shred documents and alter records to cover up the illegal transactions.

ZTE designs and manufactures fixed and mobile communications equipment and is the second-largest maker of telecommunications equipment in China.

TCI, which is jointly owned by the Iranian government and a consortium of private entities, has a near-monopoly over Iran’s landline phone and internet services.

Mahmoud Tadjallimehr, a former telecommunications project manager in Iran, told Reuters that the ZTE monitoring system was “countrywide” in Iran and was “far more capable of monitoring citizens than I have ever seen in other equipment” Iran had purchased. He said the system could be used to intercept voice calls, text messaging, e-mails and chats, as well as to locate users.

Inside information about ZTE’s alleged plan to cover up its illegal activity came from a whistleblower named Ashley Kyle Yablon who spoke to the FBI and allowed the agency to copy files from his work computer in the course of their investigation, according to The Smoking Gun. Yablon is a 39-year-old attorney who was hired as general counsel by ZTE’s U.S. subsidiary in Dallas last October. He came to the company from a ZTE rival firm, Huawei Technologies.

Yablon, who still works for ZTE, was exposed as a whistleblower only after The Smoking Gun published the FBI affidavit on Thursday. He told investigators that after the Reuters story was published, he saw a copy of the contract for the sale of the surveillance system to Iran and that it “essentially described how [ZTE] would evade the U.S. embargo and obtain the U.S.-manufactured components specified in the contract for delivery.”

He also told the FBI that he believed ZTE had set up a company named 8 Star Beijing solely to buy “U.S.-made goods subject to the U.S. embargo,” as well as another firm named ZTEC Parsian whose job was to “integrate the equipment for delivery to and installation in Iran.” He learned that the company planned to tell investigators that the equipment either had never been shipped to Iran and was still in warehouses or had been shipped to non-embargoed countries.

When Yablon was told about the alleged plan to cover up ZTE’s dealings, he told the company that he would resign rather than participate in a cover-up and was later cut out of internal discussions about the issue.

Several of the U.S. companies whose products were allegedly sold to Iran told Reuters that they were unaware of the sales and were investigating their partnership with ZTE.

An FBI spokeswoman in Dallas declined to comment. ZTE did not immediately respond to a call for comment.

It’s not the first allegation of a company selling surveillance equipment to Iran. In 2009, the Wall Street Journal reported that Nokia Siemens Networks had also sold sophisticated surveillance equipment to Iran.

According to the Journal, Nokia Siemens Networks — a Finland-based joint venture between Nokia and Siemens — provided Iranian authorities with the ability to conduct deep-packet inspection of online communications to monitor the contents and track the source of e-mail, VoIP calls and posts to social networking sites such as Twitter, Myspace and Facebook. The newspaper also said authorities had the ability to alter content as it intercepted the traffic from a state-owned internet choke point.

A spokesman for Nokia Siemens Networks later told Threat Level that although the company had sold equipment to Iran, the system was incapable of conducting deep-packet inspection of internet communications — or of conducting any internet surveillance at all. The company said it installed a cellphone network in Iran, and, like all modern telecom switches, the equipment included capability that allows the government to conduct wiretaps of telephone calls made from targeted numbers.

Telecommunication companies in the United States and other countries are required to provide so-called “lawful intercept” capability so that domestic law enforcement agencies can eavesdrop on calls to investigate criminal activity. In the United States, however, such interception generally requires a court order.

Latest Yahoo Data Breach Restates Need for Basic Security

News broke today of a large data breach against Yahoo Voices, resulting in more than 400,000 username/password combinations being posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com). Similar to other recent events, the account data was reportedly stored in an unencrypted state.

We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples every day.

The attack was launched by the D33DS Co., whose release included this:

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.”

D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.

This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.

Ironically, there is a blog post on SQL-injection prevention on Yahoo Voices. It was posted in 2009.
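The two “basic countermeasures” this post says were missing are parameterized queries and hashed password storage. The following is an added illustration, not code from the original post or from Yahoo, using a constructed in-memory SQLite table with made-up accounts. It places a string-concatenated lookup (the pattern that makes SQL injection possible) beside a parameterized one, and stores passwords as salted PBKDF2 hashes so a dumped table does not yield clear-text credentials:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; not related to any real breach data.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.net", "hunter2"),
]


def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing salted PBKDF2-HMAC-SHA256 string for storage."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Create an in-memory users table holding only password hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    for email, password in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(password)))
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """DO NOT USE: the user-controlled value is spliced into the SQL text, so a quote
    character in it becomes part of the query rather than part of the data."""
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver passes the value separately from the SQL text,
    so whatever the caller supplies is only ever compared as a string."""
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def login(conn, email, password):
    """Authenticate using the safe lookup and the stored hash; returns True/False."""
    rows = lookup_safe(conn, email)
    if not rows:
        return False
    return verify_password(password, rows[0][1])


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # classic textbook input that turns the WHERE clause into a tautology
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, crafted)))  # every account
    print("parameterized lookup rows:", len(lookup_safe(db, crafted)))    # none
    print("login ok:", login(db, "alice@example.com", "correct horse"))
    print("stored form:", lookup_safe(db, "alice@example.com")[0][1][:40], "...")
```

Run it directly to see the difference: the concatenated query returns every row for the tautology input, while the parameterized one returns nothing because the same characters are compared literally against the `email` column. The stored column holds only the iteration count, salt and digest, so even a complete dump of the table does not give an attacker the clear-text passwords that the Yahoo Voices release contained.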

What else is interesting about the latest breach?

More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.

Here is a breakdown of associated domains that appear in the D33Ds release:

[Figure: Yahoo breach top 20 domains]

I’ll leave you with several McAfee resources for understanding SQL injection:


Microsoft Releases a Security Advisory for Windows Sidebar and Gadgets

Microsoft has released security advisory 2719662 to address a vulnerability in Microsoft Windows Sidebar and Gadgets. This vulnerability may allow an attacker to execute arbitrary code, take control of an affected system, or disclose sensitive information.

US-CERT encourages users and administrators to review Microsoft Security Advisory 2719662. This advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate the risk against known attack vectors by disabling the Windows Sidebar and Gadgets.

US-CERT will provide additional information as it becomes available.

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases a Security Advisory for Microsoft Digital Certificates

Microsoft has released security advisory 2728973 to replace a number of certificates that did not meet Microsoft's high standard of Public-Key Infrastructure (PKI) management. This update places the intermediate certificate authority (CA) certificates in the Untrusted Certificate Store and replaces them with new certificates that meet Microsoft's PKI standards.

US-CERT encourages users and administrators to review Microsoft Security Advisory 2728973 and take any necessary action to help mitigate this risk.
