Educause Security Discussion mailing list archives

Re: DingTalk software concerns?


From: Henry Wojteczko <hank.wojteczko () CLASSEDESIGNUSA COM>
Date: Thu, 11 Feb 2021 16:52:10 +0000

Robert:

Chinese government-sponsored cyber-hacks are very aggressive and highly sophisticated. I strongly agree with an 
approach of a high degree of segmentation with zero access to applications that contain sensitive data residing in the 
USA. Bear in mind that smart phones are also a risk. Consider loaning the person a tablet and flip phone. Have in place 
an intruder response plan in preparation for the inevitable attack.

I have direct experience with an intrusion event from China during an engagement with a large corporate client. This 
client had a policy of loaning employees and contractors a loaner device that was highly hardened. Persons traveling to 
China for this company were not permitted access to sensitive data. Nor were they permitted to carry any corporate or 
personally owned devices into China of any kind. In this particular case, I witnessed an intrusion attempt from an 
employee’s compromised loaner device into the corporate network. The hackers did not get any data, but the intrusion 
attempts were very targeted in a failed attempt to steal vital company intellectual property.

Best of luck.

Thanks;

Hank Wojteczko
Practice Manager – Cloud Professional Services
David Kent Consulting, Inc.
832.226.4432(m)
hankwojteczko () davidkentconsulting com<mailto:hankwojteczko () davidkentconsulting com>
www.davidkentconsulting.com<http://www.davidkentconsulting.com>

Notice of Confidentiality:  This E-mail message and attachments (if any) are intended solely for the use of the 
intended addressee(s) hereof.  In addition, this message and the attachments may contain information that is 
confidential, privileged or otherwise exempt from disclosure under applicable law. If you are not one of the intended 
recipients of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating, or 
otherwise using this transmission.  Delivery of this E-mail to any person other than the intended recipient is not 
intended to waive any right or privilege. Unauthorized use of distribution is prohibited and may be unlawful.  If you 
have received this E-mail in error, please notify the sender by reply E-mail and immediately delete this E-mail from 
your system and destroy any and all other copies.  Thank you.


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Barton, Robert 
W." <bartonrt () LEWISU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, February 11, 2021 at 10:27 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DingTalk software concerns?

I've had this conversation about our services in other countries, but China is even a little more different.  Please 
see this from Stanford.
https://uit.stanford.edu/security/travel/high-risk-countries-recommendations

I know some recommendations that I have heard are to send new equipment and expect it to come home corrupted (don't 
even allow it back until 100% wiped), don't use your normal services (segment this group specially), rely more on 
manual process (if small group, email back grades to be input, etc.), and beware of physical security issues (not 
physical danger, but theft).


Robert W. Barton
Executive Director of Information Security & Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ramon Rentas 
<rentas () MACALESTER EDU>
Sent: Thursday, February 11, 2021 10:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] DingTalk software concerns?

I never heard of that app until now, so I did some Google searches and found lots of articles warning about the app's 
weak security that would allow the Chinese Government to spy on the app's users. Below is one such article.

https://www.cnbc.com/2019/10/14/china-xi-jinping-ideology-app-has-backdoor-that-could-let-beijing-snoop-on-users-report.html

Good luck,

Ramón
---
Ramón Rentas
Associate Director for Infrastructure, Security & Enterprise Services
Information Technology Services
rentas () macalester edu<mailto:rentas () macalester edu>
1600 Grand Avenue
Saint Paul, MN 55105 USA


Never email your password to anyone!

The information transmitted may contain confidential material and is intended only for the person or entity to which it 
is addressed.  Any review, retransmission, dissemination or other use of, or taking of any action by persons or 
entities other than the intended recipient is prohibited.  If you are not the intended recipient, please delete the 
information from your system and contact the sender.  The opinions expressed are those of the sender, and not 
necessarily those of Macalester College.


On Thu, Feb 11, 2021 at 8:09 AM Bole, Jim A <jbole () albany edu<mailto:jbole () albany edu>> wrote:

We have a faculty group planning to teach students at a Chinese university. The university, as well as a lot of folks 
in China, uses DingTalk.

Our faculty wants to install it to conduct classes, much in the same manner as they use Zoom.

Anyone have any experience with this?

I do have some privacy concerns for the faculty members using the software. It’s entirely possible that their 
activities would be tracked by someone in China. And that tracking could potentially include things like our network 
ranges, etc.

But it looks like the software itself isn’t malicious. The mobile app has been vetted by Apple and Google.

I’ve reviewed their privacy page: https://page.dingtalk.com/wow/dingtalk/act/privacy-en-lite?

I’ve reviewed their security whitepaper (attached). First time I’d heard of ChaCha20 encryption.

While it does have some interesting language, it covers most of the basics.

It’s an interesting use case and I’d appreciate any feedback.

Jim Bole
Chief Information Security Officer
Information Technology Services
University at Albany


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
