Friday, July 29, 2016

Wooyun management arrested in China for disclosing vulnerabilities to the gov

I blogged earlier that Wooyun was forced to shut down with rumors that the management was arrested for reporting vulnerabilities of government's assets.

This has been confirmed by Southern Weekly. This marks a huge step backwards for information security in China. Rather than rewarding white hats to submit issues to vulnerability disclosure platform, the government took the shocking approach to shut down the platform. Arresting the white hats for penetrating the system regardless of his intent might be justified in a legal sense, but shutting down a platform that itself doesn't perform any hacking is just ridiculous. Without the vulnerability disclosure platform, white hats, let alone black hats are more likely to sell the vulnerability in the grey markets.  Even if the white hats trying to contact the asset owner to patch the vulnerability, such notifications are commonly ignored in China. The end result is that many more vulnerabilities will be unpatched due to the government's hostile attitude.

In China, we have a saying that it's much easier to solve the people who raise the issues rather than the issue itself. You can see such attitude in many political events and I won't be surprised by this attitude at all. But this time, the gov takes one step further: The gov is not even solving the people who raise the issues, but the messenger. This is truly 掩耳盗铃.

Thursday, July 21, 2016

Wooyun,the most famous white-hat vulnerability disclosure website in China, forced to shut down

On July 20, Wooyun, the most famous white-hat vulnerability disclosure website in China cannot be accessed. Later in the day, the site posted a bizarre notice saying that Wooyun system is undergoing some update and that people should listen to Wooyun rather than rumors. 

As most Chinese know, system update or system maintenance very often times mean that the site is shut down temporarily or permanently by the government.  Rumors are the high level management of Wooyun were taken away by the police. Such rumors are censored on the sites such as Zhihu. 

But the reason for it is not clear and there are several guesses. 

Information analysis platform in the public security bureau 

On July 19, someone submitted a vulnerability regarding arbitrary code execution in the analysis platform of 公安部一所 (Ministry of Public Security research institute) 

The Baidu cache is reset by GFW indicating some possible government action

SQL Injection on the United Front Work Department

On July 18, someone submitted a vulnerability regarding SQL Injection of 中央统战部 (
the United Front Work Department.) 

This vulnerability disclosure page is not index by Baidu, indicating possible censorship.

SQL injection on Center for Disease Control and Prevention and hospitals in Beijing

On May 20, someone submitted a vulnerability regarding SQL injection of 北京疾控中心 (Center for Disease Control and Prevention and hospitals in Beijing). The hacker has obtained sensitive data on various hospitals as shown below.

Vulbox, another famous platform has stopped to receive new vulnerabilities.