According to reports, on the 10th of this month data suspected to belong to JD users was put up for sale online. On the 11th, JD.com officially responded and confirmed the data breach, and also revealed that it was caused by the 2013 Struts2 security vulnerability and that the system repair has been completed. In fact, this is not the first time that JD has experienced a data leak. Seen against the entire black-market information industry chain, the JD data leak is just the tip of the iceberg.

In the Internet era, the value of information data is becoming increasingly prominent. At the same time, there are more and more channels through which personal information leaks. Although laws and regulations exist to protect information, the high cost of filing a case and the sheer volume of information in circulation make it difficult to trace a leak to its root and find the organization selling the data.
JD.com has communicated with the police
Amid doubts from a large number of netizens, on December 11 JD.com released a statement entitled "Statement on the Media Reporting of JD Data Security Issues" on its official WeChat account "JD.com Blackboard Newspaper", confirming the authenticity of the data leak. JD.com said that, according to a preliminary judgment by its information security department based on the reported content, the data breach was caused by the 2013 Struts2 security vulnerability and the system repair has been completed. At the same time, security upgrade prompts were issued to users whose information may be at risk. In addition, JD.com recommended that users attach great importance to information security and privacy protection, and use high-strength passwords and similar measures to improve account security.
It is understood that Struts2, the framework with the security vulnerability, is a web framework widely used in Internet, government and enterprise portals such as Alibaba and JD.com. On December 13, Chen Jing, a professor at the School of Computer Science at Wuhan University, explained: "The word 'struts' comes from the supporting metal frames used in buildings and old-style aircraft. The framework is called 'Struts' to remind us of the basic supports that hold up houses and bridges. This is also a wonderful description of the role Struts plays in developing web applications. When building a physical building, construction engineers use pillars to support each floor of the building. Similarly, software engineers use Struts to support every layer of the business application. Its purpose is to help us reduce the time it takes to develop web applications using the MVC (Model-View-Controller) design pattern."
Chen Jing pointed out: "Since most users are accustomed to remembering a few common passwords to log in to different applications, the impact of leaked passwords is not limited to the JD application." He said that patching a vulnerability can only ensure that data will no longer leak through that vulnerability, and that once the data flows into the black market, it is difficult to prevent it from being traded repeatedly. "The key to the problem is that companies should increase their investment in security to prevent data from flowing out."
Chen Jing said that Struts2 is an open source framework widely used in web development. Although it is safer than Struts, it still has various security vulnerabilities, and with the release of successive patches its security has improved. However, enterprises cannot attribute all security issues to the web development framework; they should adopt multiple protection methods such as firewalls, intrusion detection systems and encrypted storage to ensure the security of users' data.
It is worth noting that the "security vulnerability issue of Struts 2 in 2013" mentioned in JD's statement refers to the high-risk vulnerability that came to light in Struts 2 on July 17, 2013. Attackers can use this vulnerability to execute malicious Java code, which ultimately leads to serious consequences such as website data being stolen and web pages being tampered with.
Data breaches are common
This is not the first time that JD.com has faced a data breach crisis. On the eve of "March 15" in 2015, it was revealed that a large amount of JD.com users' private information had been leaked. It was not until April 2016 that the source of the leak was found: three JD.com employees had exceeded their authority, logged into the company's database system and illegally obtained user names, phone numbers, addresses and other information, 9,313 items in total. The three then sold the information, making an illegal profit of nearly 40,000 yuan.
On December 13, Wang Zhenhui, senior vice president of JD.com, said: "Everyone attaches great importance to information security. JD.com now attaches great importance to information security in both its organization and its internal systems, because there are hundreds of millions of consumers on the platform, and information security protection is the company's top priority."
It is worth noting that data breaches are not isolated cases but a relatively common phenomenon. In 2016 there were countless data breach incidents, including the leak of 300,000 pieces of Time Warner data, customer information from 318 Hyatt Hotel chains, customer information from more than 1,000 apps in the Apple App Store, the information security exposure at Xincheng Life Insurance, the leak of 1.5 million Verizon customer records, and the data leak from Xuexin.com...
Information data is often sold repeatedly
With the spread of the Internet, data leakage has become a pain point for Internet security. It is undeniable that a black-market industry chain for personal information has formed, made up of three links: data providers, data middlemen and data buyers. In addition, each stage, such as Trojan production, attack and infiltration, personal information acquisition and information trading, is handled by specialists.
Many industry insiders revealed that personal information is often sold repeatedly and that buyers, being in competition with one another, generally do not share where their information came from. This makes it difficult to trace the data to its root and find the organization selling it, which indirectly raises the cost of filing a case and the difficulty of investigation.