Behind the leaky door: Some hackers or corporate security engineers

Core Tip: January 12, from the Beijing Municipal Public Security Bureau learned that CSDN (China Software Development Association) leaked two suspects have been under criminal detention.

Tang Yufang's report on Beijing's sensational user information leakage event finally had a "payer."

On January 12, our reporter learned from the Beijing Municipal Public Security Bureau (Weibo) that the two suspects who have been leaked by the CSDN (Weibo) (China Software Development Alliance) have been under criminal detention. One is a Beijing-based hacker and the other is a foreign hacker.

"The two suspects are suspects of the piracy database. After the public security authorities catch it, we compared the user libraries it has." Founder and President Jiang Tao of the CSDN also confirmed to this reporter.

Including these two people, as of now, the public security organ has investigated and dealt with 9 cases of invasion, theft, and reselling of data, fabricated and speculated 3 cases of information disclosure, and 4 people have been detained by criminals. They have been sentenced to 8 by public security.

On the previous 10th, the National Internet Information Office reported that information on websites such as CSDN and Tianya was leaked, and the public security organs are currently tracing the source.

Among them, Jingdong Mall was invaded, but the data did not leak. The data leaked by the YY voice chat website was stolen by the company’s employees from the internal database; the systems of financial institutions such as ICBC were not invaded. Sina Weibo, Kaixin (Weibo), Dangdang (Weibo), Renren (Weibo), Vanke and other websites have not been invaded. Some account passwords were obtained by using open libraries to crack.

The internal and external control failure of the employee who stole the CSDN user database may be suspected of 'illegal invasion of computer systems'. Zhao Tao, a well-known IT lawyer, told the reporter that “Section 285 of the Criminal Law shows that illegally invading the computer system or adopting other technical means to obtain data from the computer system, the person with serious feelings will be sentenced to 3 years of fixed-term imprisonment. If the circumstances are particularly serious, he will be sentenced to 3 Year to 7 years. ”

Moreover, the provision of user data, the dissemination of user information, the sale of personal information, etc. also violate the law, "illegal sale, provision of personal information, sentenced to three years imprisonment."

In fact, the newspaper learned that due to weak legal awareness and a playful attitude, many of the technical staff engaged in security in Internet companies and technical staff of security companies have more or less stolen and transmitted user information. Library.

In hacker circles, hackers often think that stealing user information does not bring much harm. As long as they feel instinctively that they do not want to make obvious profitable behaviors such as selling or fishing, then it is not illegal.

"Everyone will feel that it's okay. Because before that, on the Internet, nobody was caught because of the leakage of user information."

According to Ma Jie, security vendors will sign relevant agreements with their employees, Internet company associations, and employees of the security system. The agreement will be written one by one clearly that during the service period it is not allowed to do anything that would endanger public safety.

"But this ban is basically ineffective, because in the end it doesn't do anything that jeopardizes public safety. It also depends on the employee." Ma Jie told reporters that security practitioners generally serve different companies and their relationship is not close. Hackers in this industry do not have industry "hidden rules" to regulate the behavior of hackers.

"Daytime Security Engineer, Hackers at Night"

"CSDN is not sensitive to sensitive information, but also lacks security awareness." Jiang Tao admitted that the security awareness of large domestic websites, including CSDN, is very weak.

According to Jiang Tao, at present, the status quo of the security of the entire Internet is extremely unoptimistic: more than 70% of encryption algorithm password databases can be cracked through high-frequency collisions, more than 80% of Internet companies have loopholes, and more than 60% of companies have security policies. There are also loopholes, and underground databases show that even more problems are exposed on the site.

These vulnerabilities are the basis of hacking.

Numerous hackers lurk in IT internet companies. In this leaked door incident, the information leakage of YY voice chat was leaked by its own employees, and stealing the CSDN user data was also done by technical personnel of the Internet company.

"This is the self-distribution of corporate employees. It has nothing to do with companies. But it also illustrates the multiplicity of the identity of the security industry." A hacker told reporters that these people may be a company's security engineer during the day and hackers at night.

Two suspects were arrested during the day: During the day Engineers at night Hackers According to a senior hacker, these user databases have long been secrets of the hacker community; but this time the user information of the entire Internet industry was leaked, and there may be certain business organizations behind In the promotion.

"At home, the circle of hackers is small, but most of them are individuals, and the organization is loose, and the industry also has self-discipline. Generally speaking, there will not be such a big explosion," the hacker said.

Under normal circumstances, the user base is only spread in the hacker circles, but once it enters the public view, the impact can not be controlled, because there are many channels to spread. For example, Thunder (microblogging), hacker circles QQ group, forum FTP download.

According to the relevant departments of the Beijing Municipal Public Security Bureau, the two websites CSDN and Tianya were hacked before 2009, and data leakage also happened two years ago. The two websites have not been attacked recently.

"This time, the hackers were well-intentioned, and all the explosions were from the previous library." An engineer in the security industry who declined to be named revealed that, in fact, they have the latest libraries in their hands, but due to the consideration of the industry environment, Did not burst these libraries out.

The secret door had warning In the password leak incident, a platform called the Wuyun Vulnerability (Wooyun.org) jumped into public view from a well-known professional platform. The cloud attracted a large number of hackers who, when discovering corporate vulnerabilities, transmitted these vulnerabilities and patches to these sites.

However, this platform has not been seen by companies. Jiang Tao also admits that prior to the incident, the cloud vulnerability platform made warnings for most of the loopholes and told related companies. However, each company did not pay enough attention to it and did not prompt users to change their passwords, resulting in later outbursts.

Why are companies so neglected for early warning?

This is due to the delicate relationship that has developed between hackers and businesses for many years. These companies are often angry and annoyed with hackers. In the face of hackers, the enterprise is like a student. The hacking teacher picks up the problems of students every day. At first, the hackers may feel that they are positive incentives. Over time, they naturally have no good faces for hackers.

Some companies even think that if there is no hacking, the loopholes in the enterprise will not exist to some extent. "If it does exist, it does not matter. As long as it is not exposed, it can be ignored."

However, companies cannot "ignore" hackers. Because, hackers will give a "soft knife." Some large Internet companies even directly "enroll" hackers and include them. Some small websites pay hackers monthly "protection fees" ranging from 10,000 yuan to 20,000 yuan.

"Actually, what hackers need is affirmative." The above-mentioned security industry engineer told reporters that on the platform of the cloud, enterprises will give points for hackers who submit loopholes to encourage them. Hackers are also willing to submit the discovered loopholes selflessly. This has formed a virtuous circle.

Countermeasures: “In the future, each website should cooperate with a platform similar to a cloud vulnerability.” Jiang Tao suggested that in the future, the domestic security and technology communities should not be isolated.

CSDN began to make up for all-out fatalities. On January 11, CSDN and Alibaba Cloud launched a strategic cooperation on website security. According to Jiang Tao introduction, CSDN will use Ali cloud mailbox, and the mailbox is isolated from other mailboxes, to avoid a mailbox leak, "all cities are lost" situation. And, it will also accept other services provided by Alibaba Cloud.

"We should cooperate with those companies that do well in security." Jiang Tao said that in addition to Baidu, Ali, Tencent and other large companies, as well as some game manufacturers, many domestic Internet companies, including CSDN, not too much, The strength to set up a dedicated team of security engineers.

Jiang Tao told reporters that CSDN will strengthen its own security strategy to isolate the non-core data of the site from the core data and reduce the interface for valuable data; it is also applying to the security department for hierarchical protection of information systems and accepting information security supervision departments. Related management. And, CSDN will also introduce a corresponding security audit mechanism to prevent data leakage from the inside.