Meet “Great Cannon,” the man-in-the-middle weapon China used on GitHub

Researchers have uncovered a powerful and previously unknown weapon that China's government is brazenly using to knock sites out of commission. Dubbed the Great Cannon, the tool has been used to bombard two anti-censorship GitHub pages with junk traffic, but it just as easily could be used to wage stealthy attacks that silently install malware on the computers of unwitting end users.

As Ars explained previously, the attacks on the pages of anti-censorship service and a mirror site of the New York Times Chinese edition had some novel characteristics. The junk traffic came from computers of everyday people who browsed to websites that use analytics software from Chinese search engine Baidu to track visitor statistics. About one or two percent of the visits from people outside China had malicious code inserted into their traffic that caused their computers to repeatedly load the two targeted GitHub pages. The malicious JavaScript was the product of the Great Cannon, which China uses to alter traffic passing over its backbone and takes no steps to conceal.

"The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users," the researchers from the University of California at Berkeley and the University of Toronto wrote in a report published Friday. "Specifically, the Cannon manipulates the traffic of 'bystander' systems outside China, silently programming their browsers to create a massive DDoS attack."

Read 3 remaining paragraphs | Comments

DDoS attacks that crippled GitHub linked to Great Firewall of China

Earlier this week came word that the massive denial-of-service attacks targeting code-sharing site GitHub were the work of hackers with control over China's Internet backbone. Now, a security researcher has provided even harder proof that the Chinese government is the source of the assaults.

In Tuesday's story, Ars explained that the computers pummeling GitHub pages all ran a piece of JavaScript that surreptitiously made them soldiers in a massive DDoS army. The JavaScript was silently injected into the traffic of sites that use an analytics service that China-based search engine Baidu makes available so website operators can track visitor statistics. When everyday Internet users visited a site using the Baidu-supplied tracker, the injected code caused their browsers to constantly load two GitHub pages, one a mirror of anti-censorship site the other a copy of the China edition of The New York Times.

Besides the motive of taking out pages the Chinese government doesn't want its citizens to see, there was technical evidence supporting the theory the attack had the support of China's leaders. To wit, the packets transmitting the malicious JavaScript had vastly different TTL, or time to live limits, from 30 to 229 compared with 42 for legitimate analytics code. This technical detail all but proved the DDoS code was coming from a sources inside China other than the visited website.

Read 5 remaining paragraphs | Comments

Hack most likely not the reason Chinese traffic bombarded US addresses

Network and security experts are still trying to nail down the cause of an outage on Tuesday that briefly redirected huge amounts of China's Internet traffic to US destinations.

The incident left a large portion of China's 500 million Internet users unable to visit websites ending in .com, .net, and .org. Requests for addresses ending in those top-level domains were instead sent to IP addresses operated by US-based Dynamic Internet Technology or, according to The New York Times, a 1,700-square-foot house in Cheyenne, Wyoming.

Local officials in China said the incident was the result of a malfunction in the country's domain name system. They called on authorities to do more to protect China's DNS servers. US-based security researchers, however, said a DNS outage or hack was most likely not the cause. A public DNS server operated by Google returned the same faulty IP addresses generated by China's official servers, these researchers said. They pointed out that Dynamic Internet Technology operates services designed to circumvent China's censorship regime, which is often referred to as the Great Firewall of China (GFW).

Read 2 remaining paragraphs | Comments


High court bans publication of car-hacking paper

A high court judge has ruled that a computer scientist cannot publish an academic paper over fears that it could lead to vehicle theft.

Flavio Garcia, from the University of Birmingham, has cracked the algorithm behind Megamos Crypto—a system used by several luxury car brands to verify the identity of keys used to start the ignition. He was intending to present his results at the Usenix Security Symposium.

But Volkswagen's parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands, asked the court to prevent the scientist from publishing his paper. It said that the information could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car."

Read 4 remaining paragraphs | Comments