Click Here

101. Bug bounties with Chinese characteristics

Jan 9, 2024
This episode explores how China is flipping the script on vulnerabilities and exploits. It discusses the role of penetration testing in identifying software vulnerabilities and examines a Chinese vulnerability database that is hard for outsiders to access. The episode also delves into China's manipulation of vulnerability databases and its targeting of critical national infrastructure. Lastly, it covers the settlement of the NotPetya cyber attack and Taiwan's analysis of China's election interference.
ANECDOTE

Kristen Finds Hidden Vulnerabilities

  • Kristen Delrault discovered unusual penetration testing activity targeting over 50 energy facilities in China during a weekend threat hunt.
  • She identified four vulnerabilities being tested, with one uniquely listed in the Chinese National Vulnerability Database.
INSIGHT

China Conceals Vulnerabilities

  • The Chinese National Vulnerability Database (CNVD) is difficult to access and cloaked in secrecy compared to other global databases.
  • China appears to obfuscate vulnerabilities with different identifiers to hide them from international researchers.
INSIGHT

China Weaponizes Vulnerabilities

  • China has shifted from openly sharing vulnerabilities to weaponizing them through controlled domestic contests like the Tianfu Cup.
  • Vulnerabilities are treated as a valuable national resource rather than being shared freely with the global community.