By Zhang Yong, Shen Xing
Cover story, issue 371 June 9 2008
Translated by Liu Peng, Zuo Maohong
Original article: [Chinese]
Site-wide blackouts, network intrusions, viruses, and other security
breaches... it's been a busy several weeks for many Chinese fund
companies who have had to demonstrate their resilience to these and
other digital threats.
After a hacking incident this past March halted trading for one firm,
the China Security Regulatory Commission (CSRC) launched an assessment
of the industry's IT defenses.
After completing the exercises and inspections, which began in April,
the Commission has identified at least ten firms that have sub-par
A Surprise Attack
Investigators discovered that many firms had unstable, vulnerable
networks, said a source involved. He gave the example of two companies
in Beijing, which were easily hacked into due to their simple
Watchdogs were apparently dissatisfied. In a speech by a CSRC official
on May 30, fund companies were criticized as having failed to attach the
necessary importance to network security. The official also claimed that
guidelines on information security management would be studied and
issued by the Commission later.
In fact, the maneuver was just a part of the Commission's inspection
work, which was started in late April by local securities regulatory
bodies, according to a source from the CSRC. Data backup and separation
of intranet and the external net were the main focus, he said. Local
watchdogs would launch a second round of spot inspections later, the
One fund company in Shenzhen had recently been busy preparing for the
spot inspection. "There have been regular inspections before, but much
less strict than this time," said a technical staffer of the company.
Upgraded Hacker Attacks
According to an official who wishes to remain anonymous, the inspection
was triggered by a hacker attack on the trading system of a securities
company in Beijing in early March. Though it didn't lead to significant
losses, it aroused great concern at the CSRC.
The EO has learned that the attack disabled the trading system for at
least half an hour. Transactions were thus interrupted and clients were
forced to make trades by phone. Reportedly, some investors had appealed
to the government, and the police had investigated the matter.
Actually, this wasn't the first case of its kind. According to the chief
of the technical department of a CITIC Security Shanghai branch,
securities firms had encountered network security problems early in
2004, mainly in online transactions. The application of non-spot trade
also brought potential risks, he added.
On May 15 2007, a virus named "Trojan/PSW.Soufan" infected many
investors' computers and altered their stock trading data.
In such cases, said the above-mentioned source, it would usually be the
investor who bore responsibility. Before online trading was enabled,
the securities firm would sign a contract with the client, warning of
such potential risks and declaring no responsibility for them.
So far, the CSRC has not received any reports of serious internet
intrusion cases, a source close to the Commission told the EO. However,
considering potential social impacts such cases could have and the
sensitive period China is in, the CSRC ultimately decided to strengthen
the information security system among fund companies and securities
Wang Yu, Zhao Juan and Chen Zhe also contributed to this report.