By | 棘轮
A few days ago, a reporter from Yiben Caijing (一本财经) found a hacker on the dark web claiming to have stolen the back-office privileges of the car-finance platform Jiurong Wang (玖融网) and to be able to break into every one of its servers.
The hacker said he had obtained data on 300,000 of the platform's users and was selling it for one bitcoin (currently worth about RMB 35,000).
And the data package is detailed to a frightening degree.
It contains 65 data fields: beyond basic information such as ID card numbers, bank card numbers, addresses and phone numbers, it even includes employer, monthly salary, car model and the guarantors' mobile phone numbers.
Worse still, if the back-office privileges really were taken, the entire back office is effectively running naked...
01 For sale on the dark web
In the Internet world, the dark web is like the submerged part of an iceberg.
Drug dealers, hackers and hitmen move freely and with impunity through this lightless virtual world.
At 4 p.m. on 4 November, a hacker going by Lone Wolf (孤狼, a pseudonym) posted on the dark web claiming to have taken over all privileges on the car-finance platform Jiurong Wang.
"Including the servers, the back office and the database," Lone Wolf wrote in the post. "As for what these privileges and data are good for, those who understand will understand."
The data of 300,000 users, together with full privileges on the back-office server, for a price of just one bitcoin.
"If a boss buys it, I can provide full technical support," Lone Wolf said.
To prove the data was genuine, he posted screenshots of Jiurong Wang's business-management back office. His login identity was "super administrator".
The management back office Lone Wolf showed, labelled Jiurong Wang, covered a whole series of modules: "Operations Management", "Approval Management", "Data Reports", "Financial Management" and so on.
The back-office data showed a cumulative transaction volume of RMB 4.4 billion for the Jiurong Wang platform, RMB 19.95 million transacted in the current month, and RMB 640 million in total outstanding receivables.
Beyond that, private information of Jiurong Wang users, such as mobile phone numbers, ID card numbers and login counts, was also plainly visible.
What company is Jiurong Wang?
It is a Wuhan-based car-finance platform that offers users car-secured loans and wealth-management services.
Interestingly, the company also has a listed-company background: in January 2016, Jiurong Wang announced it had received Series A financing from the Hong Kong-listed Tian Ge Interactive (天鸽互动).
02 65 fields
According to Lone Wolf, the data in his hands spans many fields and totals somewhere between 300,000 and 400,000 records. That figure even exceeds the 240,000 registered users Jiurong Wang reports publicly.
"The data I have covers not only Jiurong Wang's car-loan users but also their P2P investment users, plus internal channel data," Lone Wolf explained.
Lone Wolf provided three data files in all.
The first spreadsheet holds the personal data of car-loan users.
This extraordinarily detailed personal data covers not only the user's name, mobile phone number, ID card number and bank card number, but also the registered household address, residential address, employer, job title, monthly salary and more.
The data Lone Wolf provided runs to 65 fields.
Shockingly, the car-loan users' vehicle information, including model, licence plate number, colour and engine displacement, and even the names and mobile phone numbers of two loan guarantors, is also included in this spreadsheet.
In all, the data runs to 65 fields.
According to several hackers, data with 65 fields is extremely detailed and something they rarely see.
So does this data really come from Jiurong Wang?
Yiben Caijing phoned several of the people listed in the data. All confirmed that they had registered accounts with Jiurong Wang and that the data was entirely accurate.
The one exception was a person surnamed Yang. Yang said he had never taken out a car loan or invested through Jiurong Wang, but in 2015 he had bought a Volkswagen sedan on an instalment plan at a 4S dealership.
As Yang recalled, the finance company he chose for the car loan at the time was "Jiuxin" (玖信). Jiurong Wang's full company name is "Wuhan Jiuxin Puhui Financial Information Service Co., Ltd." (武汉玖信普惠金融信息服务有限公司).
The second file, which Lone Wolf called "Jiurong Wang's internal channel data", shows the customer source, branch information and similar details for every transaction.
The third file covers registered users' usernames, registration email addresses, registered mobile phone numbers and so on. Within it, two lines of seemingly garbled text stand out.
In the third file Lone Wolf provided, the garbled text is the encrypted passwords.
Several security professionals pointed out that these are MD5-hashed login passwords and transaction passwords. They tried verifying them with password-cracking software and found the passwords could be recovered easily.
Using a recovered password, a security professional logged in to Jiurong Wang and found that the account and password were correct; the login succeeded normally.
The user's account still holds a balance of RMB 2,246.
Worse still, the third file the hacker provided also includes users' investment amounts. The investment balance in the data file matches what the app displays.
The leaked data likewise shows that this user still holds a balance of RMB 2,246.
In other words, the data covers every field on both the asset side and the funding side; the entire platform's business is laid bare.
"For 6-digit short payment passwords, the standard industry practice today is salted hashing. Storing short passwords with a second round of MD5 is irresponsible to users," said security engineer Zhang Hongwen.
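Added example, not from the article and not code from any company it names, to make Zhang Hongwen's point concrete. The weak half stores a six-digit PIN as bare MD5, exactly the form the security professionals found in the leaked file, and an audit helper shows that the whole keyspace of one million values can be swept in about a second, and that applying MD5 a second time changes nothing. The hardened half stores each PIN under PBKDF2 with a random per-record salt plus a server-side secret ("pepper") kept outside the database, compares in constant time, and adds a per-account guess budget, because salting alone cannot enlarge a 10^6 keyspace. The PINs, the pepper value, the iteration count and the attempt limit are all constructed or assumed values.

```python
import hashlib
import hmac
import os
import time

# ---- The weak scheme the article describes: bare MD5 of a 6-digit PIN, no salt ----

def weak_store(pin: str) -> str:
    """Unsalted MD5 hex digest, the form found in the leaked file."""
    return hashlib.md5(pin.encode()).hexdigest()

def weak_store_double(pin: str) -> str:
    """'MD5 twice' (MD5 of the hex digest). The keyspace is still only 10^6."""
    return hashlib.md5(weak_store(pin).encode()).hexdigest()

def recover_pin(stored_hex: str, rounds: int = 1):
    """Audit check: exhaustive search over every 6-digit PIN.

    Returns (pin, seconds) or (None, seconds). A full sweep of one million
    MD5 calls takes on the order of a second in CPython, which is the whole
    point: an unsalted fast hash of a short PIN is not protection.
    """
    start = time.perf_counter()
    for n in range(1_000_000):
        pin = f"{n:06d}"
        digest = weak_store(pin) if rounds == 1 else weak_store_double(pin)
        if digest == stored_hex:
            return pin, time.perf_counter() - start
    return None, time.perf_counter() - start

# ---- Hardened storage: per-record salt + server-side pepper + slow KDF ----

PBKDF2_ITERATIONS = 200_000  # assumed value; tune so one verify costs ~0.1-0.3 s on your hardware

def hardened_store(pin: str, pepper: bytes) -> dict:
    """Salt is random per record and stored beside the hash; the pepper is a
    secret kept outside the database (config/KMS), so a dumped table alone is
    not enough to start guessing offline."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + pepper, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": dk.hex()}

def hardened_verify(pin: str, record: dict, pepper: bytes) -> bool:
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + pepper, record["iterations"])
    # Constant-time comparison so response timing does not leak digest prefixes.
    return hmac.compare_digest(dk.hex(), record["hash"])

class AttemptLimiter:
    """Per-account guess budget. A 6-digit PIN has only a million values, so
    even a salted slow hash must be paired with online rate limiting / lockout."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self._failures = {}

    def allow(self, account: str) -> bool:
        return self._failures.get(account, 0) < self.max_attempts

    def record_failure(self, account: str) -> None:
        self._failures[account] = self._failures.get(account, 0) + 1

    def reset(self, account: str) -> None:
        self._failures.pop(account, None)

if __name__ == "__main__":
    # Constructed PIN; not taken from the leaked data.
    pin, secs = recover_pin(weak_store("318207"))
    print(f"unsalted MD5: recovered {pin} in {secs:.2f}s")
    pepper = b"constructed-pepper-keep-out-of-db"
    rec = hardened_store("318207", pepper)
    print("hardened verify:", hardened_verify("318207", rec, pepper))
```

The audit helper is what a defender runs against their own hash table to show management the risk; if it returns a PIN, the storage scheme has failed regardless of what the "encryption" was called. Note that the hardened scheme only raises the offline cost: against a live login endpoint a million guesses is still small, so the limiter (or an equivalent lockout in the authentication service) is part of the fix, not an optional extra.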
Yiben Caijing called Jiurong Wang's customer service about the data leak. Customer service said it was not aware of the matter and would pass it on to the technology department.
03 "You're too late"
And the data leak is not even the most frightening part.
The hacker Lone Wolf claimed he had not only cracked the database but also obtained full privileges, including on the servers.
When Yiben Caijing tried to contact Lone Wolf, he replied with four characters: "You're too late."
He said: "Jiurong Wang's privileges have already been bought by a boss."
For an Internet company, "privileges" mean everything.
With the privileges, a hacker can do whatever he wants.
"If the servers have been compromised, it means the platform is completely running naked," cyber-security engineer Zhang Hongwen told Yiben Caijing. "If a hacker wants to, he can even hang his own selfie on the homepage of the official site."
What does a privilege leak mean for users?
"If only the data leaks, the most serious consequence is that fraudsters exploit it," Zhang Hongwen said. "But if the privileges are bought, anything becomes possible: competitors tampering with data, platform users deleting their loan records."
"I only sell the privileges. What the customers do with them, I never ask," Lone Wolf said.
Who leaked the data and the privileges?
"This data leak should be a hacking attack, not an insider," Zhang Hongwen inferred.
What underpins his judgment is that the hacker used a remote desktop to log in to the database. An insider leaking data would have no need for a remote desktop at all.
"For a platform like this, a privilege leak is not beyond remedy. Simply replacing all super-administrator accounts and server passwords will invalidate the 'privileges' the hacker stole," Zhang Hongwen explained. "The next step is to check for the vulnerability, so the hacker cannot break in next time."
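An added example, written here and not taken from the article or from Jiurong Wang's systems, of the two defensive steps the preceding paragraphs describe: spotting the remote-desktop logon to the database that Zhang Hongwen's reasoning turns on, and producing the list of accounts whose credentials should be replaced first. It parses constructed, simplified key=value renderings of Windows Security logon events (event 4624 is a successful logon, 4625 a failed one, and logon type 10 is RemoteInteractive, i.e. a Remote Desktop session) and flags every successful RDP logon to the database host whose source address lies outside an assumed administrative jump-host subnet. The hostname, account names, timestamps, addresses (RFC 5737 documentation ranges) and the allowlist are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample (NOT real Jiurong Wang logs): a simplified key=value rendering
# of Windows Security events from a database host. EventID 4624 = successful logon,
# 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. a Remote Desktop session.
SAMPLE_LOG = """\
2017-11-04T15:58:02 EventID=4624 LogonType=10 TargetUserName=dba_ops IpAddress=10.20.1.15 WorkstationName=DBSRV01
2017-11-04T16:01:47 EventID=4624 LogonType=10 TargetUserName=superadmin IpAddress=203.0.113.45 WorkstationName=DBSRV01
2017-11-04T16:02:11 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.20.1.40 WorkstationName=DBSRV01
2017-11-04T16:05:33 EventID=4624 LogonType=10 TargetUserName=superadmin IpAddress=198.51.100.7 WorkstationName=DBSRV01
2017-11-04T16:09:02 EventID=4625 LogonType=10 TargetUserName=superadmin IpAddress=198.51.100.7 WorkstationName=DBSRV01
"""

# Assumed policy: RDP to database hosts is only ever opened from the ops jump-host subnet.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.1.0/24")]
LOGON_SUCCESS = "4624"
REMOTE_INTERACTIVE = "10"

@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    event_id: str
    logon_type: str
    user: str
    source_ip: str
    host: str

def parse_line(line: str) -> LogonEvent:
    """Parse one constructed 'timestamp key=value ...' line."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return LogonEvent(timestamp, fields["EventID"], fields["LogonType"],
                      fields["TargetUserName"], fields["IpAddress"], fields["WorkstationName"])

def is_admin_source(ip: str) -> bool:
    """True when the source address falls inside an allowlisted admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)

def find_suspicious_rdp_logons(log_text: str) -> List[LogonEvent]:
    """Successful RDP (type 10) logons whose source is outside the admin networks.

    Network (type 3) logons and failed attempts are ignored here; failures are a
    separate brute-force signal and would get their own rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.event_id != LOGON_SUCCESS or ev.logon_type != REMOTE_INTERACTIVE:
            continue
        if not is_admin_source(ev.source_ip):
            hits.append(ev)
    return hits

def accounts_to_rotate(events: List[LogonEvent]) -> List[str]:
    """Accounts seen in suspicious sessions: the first candidates for credential replacement."""
    return sorted({ev.user for ev in events})

if __name__ == "__main__":
    hits = find_suspicious_rdp_logons(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev.timestamp} RDP logon to {ev.host} as {ev.user} from {ev.source_ip} (outside admin networks)")
    print("replace credentials for:", accounts_to_rotate(hits))
```

In a real deployment the events come from Windows Event Forwarding or the SIEM rather than a string, and the allowlist is the jump-host range the team actually uses; the rule is deliberately narrow (successful interactive remote logons to a database host from anywhere else) so that a single hit is worth an analyst's time. The account list it emits is the starting point for the credential replacement Zhang Hongwen describes, not the end of it: service accounts and any keys reachable from the compromised host need the same treatment.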
The vulnerability is easy to patch, but the data has already leaked; the repair comes only after the damage is done.
Recently, the big-data industry has been under a crackdown.
People at several data companies have been investigated, and more than 90% of companies in the industry have halted work to wait and see.
Where exactly does the data leak from?
The use of big data is a criss-crossing network, and vulnerabilities can exist at every link, from the source to storage to retrieval.
A slip at any one link undoes everything.
Security has become the lifeline of every fintech company.
Beyond financial security and asset security, technical security is equally a top priority.
Against the backdrop of the big-data clean-up, data security has become the first step in a company's survival.
(At the interviewees' request, some names in this article are pseudonyms.)