Online Validation: Making eGovernment Work for Hackers
Posted on August 20, 2008
Filed Under China Hackers, China Internet, Security
Shanghai Daily reports:
Ten people accused of hacking into government databases to add false information were caught by police in Jiangxi Province, Legal Daily reported today.
Alleged leaders of the hacker group have been arrested, the report said. One alleged gang leader, surnamed Li, had made more than 2 million yuan (US$294,118) profit in only four months.
The suspects sold fake certificates to make money. Since authentic certificates can be checked on government Websites, they allegedly attacked databases and added false information, the report said.
After forging a certificate it makes perfect sense to subvert the validation authority for it, especially when that authority is a poorly protected database behind some crap web server front end.
The scheme was discovered after someone purchased a fake doctor’s certificate to apply for a business license in Zhejiang Province in June. Zhejiang authorities found the certificate was faked even though the information on the Jiangxi Public Health Department’s Website matched it, the report said.
The Jiangxi Public Health Department checked the database and found it had been attacked for several months and that many statistics were distorted. It reported the case to police.
At the root of all this lies incompetence. Only after someone noticed that a fake physical certificate showed as valid online and contacted the Jiangxi health department did they investigate the problem. Apparently Mr. Li’s friend hacked the databases and sold him an administrative (or equivalent) account.
Police caught six suspects on June 24 and four suspects later. The gang leader surnamed Li confessed he got the idea to make false certificates in 2007, after he failed to earn his own certificate at university, the report said.
Li said demand for fake certificates was strong, according to the report.
He contacted his friend surnamed Wang to attack the government databases and validate his false certificates, the report said.
The investigation showed Wang attacked more than 10 government databases in Jiangxi, Hubei, Guizhou, Sichuan, Jiangsu and Liaoning provinces from March this year. Wang sold the user rights of every database to Li for 5,000 yuan to 8,000 yuan, the report said.
Li charged clients 1,000 yuan to 2,500 yuan and had earned more than 2 million yuan, according to the report.
Once Mr. Wang started on Jiangxi, it would seem he found it easy enough to troll through a few more provincial targets.
That the vulnerabilities exploited (whatever they were) were so widespread points to a fundamental problem with systems administration. Not only were the sites poorly protected, they clearly weren’t monitored for unauthorized changes: a lookup site that simply echoes whatever row sits in its database makes the database itself the thing worth forging. In the rush to be all modern and e-governmental, no one bothered to think through the security requirements or how to audit the systems.
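The missing control the post is pointing at is an integrity check that does not trust the row itself. As an added illustration (not code from the article or from any of the agencies involved), the issuing authority tags each certificate record with a key it keeps off the web tier, the lookup page verifies the tag before answering "valid", and a periodic audit lists every row that fails. The key, field names and sample records are constructed for the demo; HMAC is used only to keep it stdlib-only, and a real deployment would use a public-key signature so the lookup site holds nothing that can mint tags.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: the issuing authority keeps this key off the
# web tier; in production use a public-key signature so the lookup site holds
# only a verification key and a compromised web/DB host cannot mint tags.
ISSUER_KEY = b"constructed-demo-issuer-key"

FIELDS = ("cert_id", "holder", "issued")   # the fields the authority vouches for


def record_tag(record, key=ISSUER_KEY):
    """Authenticity tag over the canonical form of the record's issued fields."""
    canonical = json.dumps({f: record[f] for f in FIELDS},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue(record):
    """Done once by the issuing authority: attach the tag before publishing."""
    return dict(record, tag=record_tag(record))


def check(db, cert_id):
    """What the public lookup page should answer instead of trusting the row."""
    rec = db.get(cert_id)
    if rec is None:
        return "unknown"
    if not hmac.compare_digest(rec.get("tag", ""), record_tag(rec)):
        return "tampered"   # row was added or edited without the issuer key
    return "valid"


def audit(db):
    """Periodic integrity sweep: every row that does not verify, for follow-up."""
    return sorted(cid for cid in db if check(db, cid) != "valid")


# Constructed sample database: two genuine rows published by the authority.
DB = {r["cert_id"]: issue(r) for r in [
    {"cert_id": "JX-0001", "holder": "Holder A", "issued": "2006-07-01"},
    {"cert_id": "JX-0002", "holder": "Holder B", "issued": "2007-02-15"},
]}
# Simulated unauthorized changes made through a stolen admin account (no key):
DB["JX-9999"] = {"cert_id": "JX-9999", "holder": "Holder X",
                 "issued": "2008-03-01", "tag": "00" * 32}   # inserted fake row
DB["JX-0002"]["holder"] = "Holder Y"                          # edited genuine row

if __name__ == "__main__":
    print(check(DB, "JX-0001"), check(DB, "JX-9999"), audit(DB))
```

The inserted row and the edited row both come back "tampered", and the audit lists them, which is exactly the signal that was missing for months in the case above.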
It’s also a tidy little example of the commercialization of hacking in China. Given all the money that Mr. Li made, I wonder if Mr. Wang is thinking of revising his rates. He’ll have plenty of time to think about it in the pokey.