14 DAY TRIAL // A security expert has identified a large number of vulnerable Internet-facing systems operated by the Chinese government and local administrations, including an official job applications site and an email server.
A few days ago, Dillon Beresford, a security researcher with NSS Labs, has notified China's Computer Emergency Response Team (CN-CERT) about a serious security hole in the official mail sever of the Guizhou Province administration.
The issue was the result of a misconfiguration which allowed unauthenticated users to create email accounts with the province's official domain name.
"The ramifications behind the security hole are extremely serious. An attacker could represent themselves as an official from the Chinese Government and use the accounts to socially engineer and attack other Government workers in the People's Republic of China," the security researcher wrote in his email to CN-CERT, according to threatpost.
Furthermore, the webmail portal's pages were vulnerable to SQL injection attacks that could give hackers access to the emails of other registered users.
Beresford claimed he wasn't able to reach the person listed as administrative contact because his email bounced back.
This isn't the first time when the researcher was unable to contact affected parties in China. Back in January he had to resort to full disclosure in order to get a Chinese SCADA vendor to acknowledge and patch a critical vulnerability.
Beresford believes many of the official websites in China are vulnerable. "Its safe to say that these government sites aren't using Joomla. They're using software developed in house, in China and its very, very vulnerable," he said.
According to threatpost, yesterday the researcher found a vulnerable website exposing the usernames and passwords of over 10,000 job applicants to China's State Administration of Foreign Experts Affairs (SAFEA). The credentials could be used to access those people's personal information in SAFEA's Experts Online database.
Beresford also claims to have identified 11,762 vulnerable devices in China running the VxWorks embedded operating system. These range from VoIP phone systems, to telecommunication switches, routers and even SCADA systems.