A few years ago I reported a vulnerability: the usernames and plaintext passwords of millions of air-ticket and train-ticket customers were exposed.
Important fields such as email, user ID, name, password and mobile phone number could be read directly in plain text. At the time I was using a MongoDB unauthorized-access script, slightly modified; after a batch scan, the vulnerabilities it found were reported by many domestic technology media. After the report I was under a lot of pressure, because the data had not actually been leaked: there was a vulnerability, and I had submitted it to 360.
This is a failure to follow simple, basic security principles, and the blame can be placed squarely on the merchant.
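The misconfiguration behind that kind of report, a MongoDB instance reachable from the Internet with no authentication, comes down to two settings in mongod.conf. The fragment below is an added illustration, not the merchant's actual configuration; the internal interface address 10.0.0.5 is a placeholder.

```yaml
# Added illustration, not the affected site's real configuration.
# Weak: listens on every interface with authentication off, so anyone who can
# open TCP 27017 can run listDatabases and dump every collection in plain text.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# Hardened: bind only to loopback and the internal interface (10.0.0.5 is a
# placeholder), and require authentication for every connection.
net:
  bindIp: 127.0.0.1,10.0.0.5
  port: 27017
security:
  authorization: enabled
```

After switching `authorization` to `enabled`, create the first administrative user over the localhost connection (MongoDB's localhost exception allows exactly that one step), and keep port 27017 blocked at the network edge as well: binding to internal interfaces is protection against the scanner, the firewall rule is protection against a later change to `bindIp`.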
But in many cases the blame cannot simply be placed on the merchant. No system in the world is free of vulnerabilities, and many fundamental open-source protocols and pieces of software themselves contain a large number of them. They are considered safe until a vulnerability is discovered, but once it is, the impact can be huge.
Take the well-known OpenSSL Heartbleed vulnerability (see the OpenSSL Heartbleed Vulnerability Review): it allowed an attacker to read up to 64 KB of the server's memory per request, and OpenSSL, as the open-source implementation of the SSL/TLS secure socket layer protocols, is widely used by major online banks, online payment services, e-commerce sites, portals, e-mail services and other important websites.
In such a case it is hard to say who should bear the blame, because nobody can guarantee that the program they developed is free of vulnerabilities.
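The mechanism behind that 64 KB figure is a single missing length check, which is worth seeing in code. The C model below is an added example, not OpenSSL's source: the heartbeat record layout, the 16-byte minimum padding and the two checks on the fixed path follow RFC 6520 and the CVE-2014-0160 patch, while the 256-byte "heap" array and the `session=deadbeef` secret planted after the record are constructed so the demo runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16    /* minimum padding required by RFC 6520 */
#define HEAP_SIZE        256   /* size of the modelled heap region (constructed) */

/* Write a heartbeat request at rec: 1 byte type, 2 byte length, payload, padding.
 * claimed_len is what the length field says; actual_len is how many payload
 * bytes are really present. Returns the record length. */
static size_t build_heartbeat(uint8_t *rec, uint16_t claimed_len,
                              const uint8_t *payload, size_t actual_len)
{
    rec[0] = TLS1_HB_REQUEST;
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual_len);
    memset(rec + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Handle the heartbeat record at heap[0..rec_len) and write the reply to out.
 * bounds_check == 0 models OpenSSL 1.0.1 before the CVE-2014-0160 fix: the
 * length field inside the message is trusted, and the reply echoes that many
 * bytes starting at the payload, however short the record really was.
 * bounds_check == 1 adds the two length checks from the fix.
 * Returns the reply length, or -1 if the record is dropped. */
long process_heartbeat(const uint8_t *heap, size_t rec_len,
                       uint8_t *out, size_t out_cap, int bounds_check)
{
    const uint8_t *p = heap;
    if (bounds_check && 1 + 2 + HB_PADDING > rec_len)
        return -1;                       /* fix: no room for header + padding */
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    const uint8_t *pl = p;
    if (bounds_check && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                       /* fix: claimed length exceeds record */
    if (hbtype != TLS1_HB_REQUEST)
        return -1;

    size_t n = payload;
    /* In real OpenSSL this memcpy ran past the record into neighbouring heap
     * allocations. The heap here is a fixed array, so clamp to it to keep the
     * demo well-defined; the leak is the same in kind, just bounded. */
    size_t avail = HEAP_SIZE - (size_t)(pl - heap);
    if (n > avail)
        n = avail;
    if (3 + n > out_cap)
        return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, n);
    return (long)(3 + n);
}

/* Does buf[0..n) contain needle? Portable stand-in for memmem. */
static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Scenario: a 2-byte "hi" heartbeat whose length field claims 65535, with a
 * constructed secret (a session cookie) placed right after the record in the
 * modelled heap. Returns the reply length (or -1); *leaked is set to 1 if the
 * reply carried the secret. */
static long run_scenario(int bounds_check, int *leaked)
{
    uint8_t heap[HEAP_SIZE] = {0};
    uint8_t out[HEAP_SIZE + 3];
    static const uint8_t ping[] = { 'h', 'i' };
    static const char secret[] = "session=deadbeef";   /* constructed neighbour */

    size_t rec_len = build_heartbeat(heap, 65535, ping, sizeof ping);
    memcpy(heap + rec_len, secret, strlen(secret));
    long n = process_heartbeat(heap, rec_len, out, sizeof out, bounds_check);
    *leaked = (n > 0) && contains(out + 3, (size_t)n - 3, secret);
    return n;
}

long heartbeat_reply_len(int bounds_check) { int l; return run_scenario(bounds_check, &l); }
int  heartbeat_leaks(int bounds_check)     { int l; run_scenario(bounds_check, &l); return l; }

/* Same record with an honest length field (claims 2, carries 2): the fixed
 * code must still answer it, or the check would break ordinary keep-alives. */
long heartbeat_honest(int bounds_check)
{
    uint8_t heap[HEAP_SIZE] = {0};
    uint8_t out[HEAP_SIZE + 3];
    static const uint8_t ping[] = { 'h', 'i' };
    size_t rec_len = build_heartbeat(heap, 2, ping, sizeof ping);
    return process_heartbeat(heap, rec_len, out, sizeof out, bounds_check);
}

int main(void)
{
    printf("vulnerable: reply %ld bytes, secret leaked: %d\n",
           heartbeat_reply_len(0), heartbeat_leaks(0));
    printf("fixed:      reply %ld, secret leaked: %d\n",
           heartbeat_reply_len(1), heartbeat_leaks(1));
    printf("fixed, honest length: reply %ld bytes\n", heartbeat_honest(1));
    return 0;
}
```

Compile with `cc` and run: the vulnerable path answers a 2-byte request that merely claimed 65535 with 253 bytes of neighbouring memory, planted cookie included, while the fixed path drops it and still answers the honest request. Because the length field is 16 bits, one request can expose at most 64 KB, which is where the figure in the text comes from; an attacker simply repeats the request.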
How serious is the leakage of personal information today?
Most of the websites people consider trustworthy may already have been compromised, and the related data has been openly priced and sold on the dark web. For example, here is data leaked from LinkedIn in the early days, which was first listed on the dark web at 5 bitcoins:
This is data from another well-known blogging site, Tumblr, sold for 0.188 bitcoin:
Or the voter data of all 50 states from the recent, much-discussed U.S. election (you read that right, all 50 states of the United States), priced at 12 bitcoins. (Now you know what bitcoin is mostly used for, o(╯□╰)o)
From the screenshots of the data shown in the dark web listings, the information included is very rich: address, phone number, gender and so on:
The source code of some private spyware trojans, covering the iOS, Android, Windows Phone and BlackBerry platforms, was priced at 12 bitcoins.
After a lot of data is first priced on the dark web, it is slowly released onto the public Internet by various groups; the interval can be as long as several months or even years. So I do not trust the unilateral promises websites make, because such promises are inherently fragile.
How much does this affect ordinary people's lives, and how can you protect yourself?
Simply put, it can be light or heavy. If your data falls into the hands of a scam gang it is heavier, but if you are vigilant enough and have a basic sense of protection you will be fine. If it falls into the hands of a salesperson it is basically no big deal, nothing more than a few more harassing advertising text messages. It is only unlucky if you fall into the hands of a fraud gang while lacking basic protection awareness. So having some sense of protection in daily life is very important.
Briefly, a few of the more widespread fraud examples:
1. Accurate ticket refund and
Ms. Zeng received a text message on her mobile phone saying that the Guiyang to Sanya flight she had bought two days earlier was cancelled. The message not only gave her name but also the exact flight details. Ms. Zeng assumed it came from the airline and immediately dialed the phone number in the message to rebook. Following the instructions of the "customer service", she was defrauded of 29,500 yuan at an ATM.
2. Accurate Taobao order refund fraud
Xiaoding said that two days earlier she had picked out a pair of shorts worth 39.2 yuan from a store on Taobao Mall. Less than 20 minutes after placing the order she received a call from a Fujian number, from someone claiming to be the store's Ali Wangwang customer service:
"Hello Ding××, did you buy a pair of shorts worth 39.2 yuan at 6:30 this afternoon? Because of an Alipay system upgrade, the order you submitted was abnormal and the funds have been frozen, so you need to log in again and confirm the purchase. For now, don't log in to Taobao or Ali Wangwang; log in to QQ and I will walk you through the steps."
After the call, Xiaoding said, the other party knew her name and phone number and the order details were accurate, so she believed it.
After she logged in to QQ and added the "customer service" as a friend, they sent a series of instructions. Because she was in a hurry to get to evening self-study, Xiaoding did not know how to perform the operations, so the "customer service" offered to take over through QQ remote control. She did not expect that in the end the "customer service" would cheat her out of her money.
Once her computer was under remote control, the "customer service" asked her to enter the one-time password for her Alipay account to confirm a payment. After she entered it, the "customer service" asked her to confirm her account balance; she said she had six or seven hundred yuan on the card. After the remote session ended, Xiaoding saw that the payment confirmation screen showed -0.01 yuan paid. Thinking the payment had failed, she paid again.
At the same time her phone received a text alert that 627 yuan had been deducted from the account. In a rush to get to class, Xiaoding shut down the computer and hurried to the classroom without reading the message. After self-study ended at half past nine in the evening she read the message carefully and realised something was wrong. She called the store she had bought from, and the store's customer service told her there had been no such thing.
Analysis: the two cases above use essentially the same method. Intercepted order information is used to win the victim's trust, and the fraud is carried out on the back of that trust. The order information is obtained in many ways: some through vulnerabilities in the merchant's systems, some with the help of insiders at the company.
For ordinary users, it is especially important to verify that a text message or call really comes from the official channel. In addition, refuse any transaction that leaves the platform, such as abandoning Taobao's own refund process or accepting a refund outside Alipay.
3. QQ impostor fraud: stolen QQ accounts
An even bigger scam is yet to come!
The Public Security Department of Guangdong Province reported that during the province's recent "3+2" special crackdown, the police broke up the country's largest QQ fraud group. The gang stole QQ accounts and monitored them over long periods, then posed as the boss to request a transfer; the finance officer of a Shenzhen joint-stock company, surnamed Li, was defrauded of 35.05 million yuan. So far the police have detained 39 suspects and frozen more than 48 million yuan. This is reportedly the largest QQ fraud case in the country to date, and also the fraud case with the largest amount of funds frozen.
Analysis: many of these schemes imitate the target's QQ account, from the avatar to the signature to the way they talk, using other social-engineering data to profile the target before carrying out the fraud. In short, everyone needs some basic protection awareness; with it you are hard to deceive, and there is no need to worry too much.