Chinese bank requires foreign firm to install app with covert backdoor

Status: You're currently viewing only ianstar's posts.

ianstar

Ars Praetorian
423
Subscriptor++
You would have to be a complete fool to not purchase a cheap laptop and mobile data brick to install this software (and nothing else except for lots of dummy files saying "fuck you chinese hackers!") on.

Air-gapping this software from your network makes sense in theory, but at some point you need to have the legitimate software do its job, and that's going to involve giving it sensitive data. That data is then exposed to the risk...
That depends on who the attacker is. If the attacker is the government, then it doesn't matter, because the software's intended purpose is for taxpayers to report data to the government. If the attacker is some third party, then you have a problem.

Also you can't air-gap software that is intended to communicate with outside parties. Like the possibly legitimate tax paying portion of the software that this organization was trying to install to work with the local Chinese bank. The decision to work with a Chinese bank can be called into question but once you have made that decision then you can't air-gap the network.
 
Upvote
21 (23 / -2)

ianstar

Ars Praetorian
423
Subscriptor++
Also you can't air-gap software that is intended to communicate with outside parties. Like the possibly legitimate tax paying portion of the software that this organization was trying to install to work with the local Chinese bank. The decision to work with a Chinese bank can be called into question but once you have made that decision then you can't air-gap the network.


Stand up a new vlan or new physical network if needed, with a router that only allows packets from this computer to get to the gateway and nowhere else.

<snip>

Sneakernet files the tax software needs from the accounting software. Point the tax software at that folder. Use cheap disposable flash drives for delivering the files, or a write protected flash drive with a physical write protect switch.

<snip>

Or, avoid all that and don't do business in China!

In theory what you describe might work but it is not scalable and could not be implemented in a bank. No banking processes in this day and age can be run based on an employee manually copying data to a USB drive and then walking it over to a different system. (Never mind that transferring data using USB drives is a great way to compromise your otherwise air-gapped network)

Your comment about not doing business in China I agree with completely.
 
Upvote
7 (7 / 0)