I. Upstream information leakage
The problem of information leakage belongs to the upstream stage of the black and grey industry. In practice, network security is treated as an option rather than a requirement when systems or software are developed. When a game is developed, for example, the attractiveness of the content and the number of active users are the key concerns, while network security is often ignored: the developer weighs what matters and what does not, and may never consider how the real-name information, mobile phone numbers, bank accounts and other data collected from all of the game's players should be stored and managed. This lays the groundwork for information leakage. On the other hand, management gaps at the leadership level are also a major cause of information leakage. In reality, many enterprises commit only a small amount of personnel and funding to network security, and inadequate management systems and regulations are commonplace. To avoid the business disruption that regular credential rotation and day-to-day protection would bring, the responsible leaders refuse to patch the system even when they know vulnerabilities exist, and do not build security measures in parallel with the system. This is the other major upstream cause of information leakage.
With regard to the problems that arise upstream, regulation can currently be carried out in two ways.
First, intensify enforcement. Educate the relevant enterprises and personnel about the crime of refusing to fulfil information network security management obligations, added by Amendment (IX) to the Criminal Law, and about the compliance obligations in the Cybersecurity Law, so that they understand that when building critical information infrastructure they will bear the corresponding penalties for failing to implement the "three synchronizations" of planning, construction and use of security measures alongside the system itself.
Second, increase positive incentives and protections for white hat hackers. White hat hackers are the civilian forces engaged in discovering network vulnerabilities and combating malicious hacking. For a long time this group has wandered in the zone between grey and white. Although white hats operate much like real hackers and use the same means, the two have very different objectives: white hats discover vulnerabilities in order to alert the responsible personnel so that systems can be protected in a timely manner, while the latter discover vulnerabilities to earn high profits by trading them illegally.
The white hat community tends to be young; most members are not highly educated and some have no formal university education, but they have become professionals in the field through their dedication to information systems and their love of vulnerability research. However, the law's lack of specific attention to white hat hackers has left this group of technicians facing great temptation to walk on the edge of the law. For example, in the absence of positive legal incentives and protections, a white hat who discovers an important vulnerability may be unable to resist the hundreds of thousands offered for it in the black industry chain, and may follow a path that harms others and themselves. It follows that positive guidance from law and policy is the main way to regulate the behaviour of the white hat community.
II. Midstream information flow
After information is leaked upstream, it flows through certain channels. The intermediaries and platforms that hackers use to trade information form the midstream part of the chain. The division of labour in the midstream is very clear: theft of information, circulation of information, illegal use of information and other interlocking roles. Nevertheless, not all compromised information can only serve criminals as a tool for cybercrime; if properly utilized, it can instead minimize the damage that information breaches cause to victims. Take the "social work pool" (社工库) as an example: this is a database compiled from leaked user registration information, together with a query site that returns the password for a given username. The existence of such a site does provide a resource to people who want to engage in illegal activities, but it can also have a positive effect. For example, when a banking system is compromised, the bank can, while taking timely protective measures, also inform users of the situation and let them use a social work pool to check whether their banking information has been exposed, thereby achieving information sharing and shared resilience between banks and users. At present, however, this practice lacks a legal exemption, so the positive effect of the social work pool cannot be used effectively, and the interests of those whose data was compromised cannot be protected in the most timely and effective manner.
III. Downstream precision fraud
After information is leaked upstream and circulated midstream, the downstream actors specialize in using it to commit precision fraud. In recent years telecom scams have occurred repeatedly. The traditional view is that an important reason behind this phenomenon is the victim's own greed for profit, which leads to the loss of their property. But current research shows that in many cases telecom scams succeed not merely because the victim's will is weak, but because the personal information the fraudster presents is so precise that the victim cannot doubt its authenticity. For example, when criminals impersonate airline staff to tell a target that their flight has been cancelled, they can provide a variety of detailed boarding information, which makes the passenger highly convinced by what the scammer says and leads them to fall for the scam. In response to this situation, the company 360 offers products and services such as telephone number tagging, which enable a large degree of information sharing so that the fraudster's label is permanently attached and other users do not repeat the same mistake. Moreover, the "hunting network" (猎网) platform that 360 built in cooperation with Beijing Net Security also provides protection for users: a case that does not meet the criteria for a formal police filing will, once reported to the platform, be noticed and handled by the platform. When these case data are aggregated, big data analysis can accurately trace and summarize the source of the scam, leading to the targeting of those who are substantiated as reported.
However, for the industry that provides cybersecurity products and services, the current lack of a legal protection and exemption mechanism is a common legal risk faced by the major companies involved. The enacted and implemented Cybersecurity Law sets out numerous compliance obligations and prohibitions, but lacks positive guidance, incentives and protection mechanisms for cybersecurity service providers. For example, the regulations on the protection of critical information infrastructure stipulate that "no individual or organization shall conduct penetrative or offensive scanning and probing of critical information infrastructure without authorization". On the one hand, this makes clear that network security service providers have no legal privilege, and it restricts and hinders them from detecting and assessing system vulnerabilities and risks in a timely manner; on the other hand, it fails to restrain hackers in practice, so that group continues to scan and probe critical information infrastructure recklessly and endangers network security.
In summary, in combating cybercrime, and especially the network black and grey industry, the law still has a long way to go. Enterprises and individuals working in the network security industry should be given more attention and support, so as to steer the long-term, stable development of the network industry toward a virtuous cycle.
(Published in China Information Security, No. 12, 2017; image source online)