China Police Database Was Left Open Online for Over a Year, Enabling Leak (wsj.com) 22
What is likely one of history's largest heists of personal data -- and the largest known cybersecurity breach in China -- occurred because of a common vulnerability that left the data open for the taking on the internet, say cybersecurity experts who discovered the security flaw earlier this year. WSJ: The Shanghai police records -- containing the names, government ID numbers, phone numbers and incident reports of nearly 1 billion Chinese citizens -- were stored securely, according to the cybersecurity experts. But a dashboard for managing and accessing the data was set up on a public web address and left open without a password, which allowed anyone with relatively basic technical knowledge to waltz in and copy or steal the trove of information, they said. "That they would leave this much data exposed is insane," said Vinny Troia, founder of dark web intelligence firm Shadowbyte, which scans the web for unsecured databases and found the Shanghai police database in January.
The database stayed exposed for more than a year, from April 2021 through the middle of last month, when its data was suddenly wiped clean and replaced with a ransom note for the Shanghai police to discover, according to Bob Diachenko, owner of the cybersecurity research firm SecurityDiscovery, which similarly found the database -- and later the note -- through its periodic web scans earlier this year. "your_data_is_safe," the ransom note read, according to screenshots provided by Mr. Diachenko. "contact_for_your_data...recovery10btc," meaning the data would be returned for 10 bitcoin, roughly $200,000. The ransom amount matches the price that an anonymous user began asking for last Thursday on an online cybercrime forum in exchange for access to a database the user claimed contained billions of records of Chinese citizens' information stolen from a Shanghai national police database.
The database stayed exposed for more than a year, from April 2021 through the middle of last month, when its data was suddenly wiped clean and replaced with a ransom note for the Shanghai police to discover, according to Bob Diachenko, owner of the cybersecurity research firm SecurityDiscovery, which similarly found the database -- and later the note -- through its periodic web scans earlier this year. "your_data_is_safe," the ransom note read, according to screenshots provided by Mr. Diachenko. "contact_for_your_data...recovery10btc," meaning the data would be returned for 10 bitcoin, roughly $200,000. The ransom amount matches the price that an anonymous user began asking for last Thursday on an online cybercrime forum in exchange for access to a database the user claimed contained billions of records of Chinese citizens' information stolen from a Shanghai national police database.
Are they subject to their own laws? (Score:2)
Of course the government regulates everyone else, not themselves: https://techcrunch.com/2021/08... [techcrunch.com]
Re: (Score:2)
Hmm... I'm trying to decide if that's a better situation than being able to make any sort of error in your program without being liable just because your lawyers have crafted a sufficiently clever EULA. You know that software would be SO much different if the companies were liable for their programmers' mistakes.
But mostly I think it's a funny story of getting hoisted by their own petard, even though it also has elements of tragic inevitability. Who thought it was a good idea to put so much data in one plac
Re: (Score:2)
But with those who "committed the offense"/"made the mistake" suffer as the result of it? Or is it just others who will suffer?
If those who did the deed don't experience unpleasant consequences, why shouldn't they do it again the next time it's convenient?
Re: (Score:2)
I'm not following your point? Are you agreeing and saying that programmers should be liable for their harmful mistakes? If so, I think that you'd have to show malice or something to make it stick, but it doesn't really matter if the programmer isn't making a lot of money. Kind of a "unpaid user beware" situation?
But it's the companies that publish millions of copies of the mistakes that make the big money and my position is that the big money should be at risk when they propagate big damage.
However it's har
Re: (Score:2)
I don't think either the programmers, their managers, or the CEOs should get off free, but how much each should suffer depends on what their "guilt" is. Unfortunately, this is unlikely to be fairly determined. (And I'm not even sure how "fair" could be decided.)
Certainly companies that push unsafe products should lose more than the cost of repairing the damage that they have done. More because every system has friction, and many will get away, so to discourage the action one needs to ensure that on the a
Re: (Score:2)
Well, now it sounds like we're mostly in agreement, though you aren't expressing your opinion very clearly. So I'll "retaliate" by trying to express my position more clearly?
I think liability for your mistakes is basically a good thing. It encourages you to be careful and try hard to avoid making mistakes that harm other people.
But that's not how software works and I mostly blame Microsoft and their clever EULAs. They created extremely powerful tools and toys, but separated the company from the harms. The o
Well (Score:5, Funny)
Why would a Chinese citizen care? Whatever the hackers do with it is going to be milder than what the Chinese police do with it. In fact it might be an improvement.
Re: (Score:1)
But it doubles the spam you get.
Re: (Score:2)
Social credit scores give a whole new reason for identity theft.
Re: (Score:3)
Good. Let's tank everyone who has a good social credit score. The only way to get anyone to understand why it's a shitty system is for those in power to experience why it's a shitty system.
Heck, maybe if it causes enough trouble for the people with means, it can tank the Chinese economy as well.
The system is meant to keep down "undesirables". It's India's caste system reinvented for a modern age.
Re: (Score:2)
It's whoever they sell the information to that they'd be worried about. For example, I'm sure organized criminals would love to know who's informing on them, if that information is in the database.
mafia billfold (Score:2)
Re: (Score:2)
It isn't illegal to ask for a woman's necklace, just like it isn't illegal to ask for all the money in a bank teller's drawer. But juries are regular people who don't want their stuff stolen, so getting a conviction based on her testimony wouldn't be a huge problem if they guy didn't plead out.
The biggest problem is finding the guy, which the police have almost no chance of doing unless he does the same thing over and over again and wears the jewelry himself. (And this would make conviction easier.)
Could have been great (Score:1)
I have to think they can probably get back most of the data with a backup....
Would have been a lot better to delete 1% of the database per day, maybe doing the last 30% all at once with the note. Then who knows if they would have had enough backup to get it all back.
Then again, maybe that is what they did, we don't know.
Sounds like Little Bobby Tables strikes again (Score:3)
Link without paywall (Score:5, Informative)
https://edition.cnn.com/2022/0... [cnn.com]
But... (Score:2)
Therefore the data were NOT stored securely.
Even the cops' personal data (Score:2)
I got the file... (Score:1)