The two major security platforms of Internet finance are more favored by hackers


Source: Xin Finance


For the generation that "lives" on the Internet, most of the information about us has been "recorded" without our knowledge. More and more of our data is left behind in the virtual world, and it is assembled into a personal "portrait". Even if we never meet, this information is enough to tell anyone who we are, what kind of people we are, what we like and what we dislike...
"Data is everything": in this era every enterprise treats that belief as gospel. The companies that control the most of our data have become the most valuable companies, but the frightening thing is that such an important asset is not properly protected, and our data is still being leaked, stolen, sold and misused.
JD.com's 12G data breach is only the tip of the iceberg of the cybersecurity crisis, and JD.com may not even be the company with the worst problems. But as one of the best-known Internet companies in China, and one that already exports its technology (JD Finance), it still has such serious network security problems, which deserves the vigilance and attention of everyone and of the entire industry.
According to JD.com's response, the data came from a Struts 2 security vulnerability in 2013: security flaws in the framework itself left the system open to attack. So the questions are: what is Struts 2? Why does a framework that even companies like JD.com adopt have security problems of its own? And how can we better protect our personal information?
Today I have invited two friends to answer these questions: Yuan Jinsong, founder of the Internet security service provider Douxiang Technology, and Zhang Tianqi, its co-founder. Both are domestic experts in web application security, security research and development, security architecture, vulnerability mining and related fields. Here is what they shared:
01 Struts and its security holes
Struts is the most commonly used open source MVC framework in Java EE application development. Sixteen years have passed from the release of Struts 1 to Struts 2, and it is currently a project sponsored by the Apache Foundation. Struts 2 is the next-generation product of Struts; similar frameworks include Spring.
In the official history of Struts 2 there are more than 40 vulnerabilities, most of them related to OGNL expressions. OGNL is one of the core mechanisms of the Struts 2 framework: a powerful expression language used to get and set properties of Java objects, intended to provide a higher-level syntax for navigating Java objects. OGNL is used in many parts of the framework's logic.
The vast majority of OGNL-related vulnerabilities arise because the lower layers of the framework do not filter and validate user input completely and effectively, so attacker-controlled input is evaluated directly as an expression, which lets the attacker make the system execute arbitrary code and arbitrary commands. Such vulnerabilities generally have a high severity rating.
Although the project fixed the problem time and again, each fix was a stopgap. In addition, the project team's awareness and understanding of security deviated somewhat, so the fixes were bypassed again and again. When the vulnerability was disclosed, exploitation was easy, and many attackers released automated detection and exploitation tools on the Internet, which greatly lowered the threshold for exploiting it.
Combined with the popularity of the Struts 2 framework, a large number of websites were attacked almost instantly. This time, according to JD.com's description, its data leakage originated from a high-risk vulnerability that broke out in July 2013. At the time, many well-known websites in China were affected by this vulnerability to varying degrees.
From the enterprise side, many businesses that use the Struts 2 framework do not necessarily upgrade directly when the project releases an upgrade, out of concern for the business risk the upgrade may cause, and not every team has the technical capability to carry out an overall upgrade of its own business lines, so the problem is left behind.
According to our statistics, most enterprises do not have a full-time security team; security responsibilities are often handled on the side by operations and maintenance staff. This makes it hard for many enterprises to learn of such security notices promptly, and they also lack the technical ability to judge the severity of an incident, which makes timely and effective decisions difficult.
At present, many large Internet companies prefer to develop their own frameworks on top of open source frameworks and define their own security models according to business conditions. For example, Alibaba has a general WebX framework based on Spring with many improvements.
Teams capable of secondary development on top of open source frameworks consider security when selecting a framework, and also customize and improve common security mechanisms: input validation, output encoding, authentication, session management, password management, access control, error handling and logging, data encryption, resource management and so on. These common functions are abstracted into concrete security APIs at the framework level for business developers to use, in order to strengthen security across the business lines.
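The failure mode described earlier (unfiltered request data reaching the OGNL evaluator) and the framework-level input verification described just above can both be shown from the defender's side. The Python script below is an added example, not code from the article or from Struts: it scans constructed access-log lines and flags query parameters whose decoded value carries OGNL expression delimiters, which is the check an input verification layer should apply before such a value reaches the framework. The log format, the sample lines and the marker regex are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Delimiters that mark an OGNL expression for the Struts2 value stack. A request
# parameter whose decoded value still carries them should never reach the
# framework unfiltered; rejecting it is the input verification step the text describes.
OGNL_MARKERS = re.compile(r"[%$]\{|\(#|@[A-Za-z_][\w.]*@")

# Apache combined-format access line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# Constructed sample lines for this example, not real traffic. Lines 2 and 3
# carry percent-encoded "%{1+1}" and "${title}" in a query parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2013:10:01:02 +0800] "GET /login.action?user=alice HTTP/1.1" 200 512
10.0.0.7 - - [21/Jul/2013:10:01:09 +0800] "GET /search.action?q=%25%7B1%2B1%7D HTTP/1.1" 200 311
10.0.0.9 - - [21/Jul/2013:10:02:30 +0800] "GET /index.action?page=%24%7Btitle%7D HTTP/1.1" 200 200
10.0.0.7 - - [21/Jul/2013:10:03:44 +0800] "POST /user/update.action HTTP/1.1" 302 0
"""

def suspicious_params(target):
    """Return (name, decoded_value) pairs whose value looks like an OGNL expression."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; unquote again for double encoding
        if OGNL_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """Flag access-log lines whose query string carries expression syntax.
    Caveat: POST bodies never appear in an access log, so only GET query strings
    are covered; body inspection needs a WAF or application-level request log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "path": urlsplit(m.group("target")).path, "params": hits})
    return alerts
```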
02 Internet finance has become the hardest-hit area for data leakage
The financial industry has always been the hardest-hit area of network security and an important target of hacker attacks, driven mainly by financial gain.
On financial platforms, ordinary users' authentication information, transaction data, asset data, credit card details and identity information are what attackers care about most. Once this information falls into the hands of malicious groups, on the one hand it is used for money laundering and sold to fraud gangs, and on the other hand it is sold to competitors for analysis of purchasing power and potential customers.
In addition, once an Internet finance platform is attacked by hackers and information is leaked, the platform's reputation may suffer, which reduces investors' trust in it, which in turn leads investors to withdraw funds, and the platform's capital chain may break or the platform may even collapse. Therefore Internet finance companies are particularly nervous about this; many would rather pay up when hackers extort them.
In the past few years Internet finance companies have grown rapidly, and some of the relatively large ones do attach great importance to building network security. But it is true that many companies focus too much on the business side and pay no attention to security, let alone the fly-by-night platforms set up for "one-shot" trading, where security is not considered at all.
However, no one should be biased. The safety and health of an enterprise is like a barrel: any short stave causes irreparable losses. So it cannot be said that large enterprises are safer than small and medium-sized enterprises or other Internet finance enterprises in terms of offense and defense.
On the contrary, some large Internet finance companies are more favored by hackers because of their many assets and business lines. Whenever an enterprise frequently rolls out new business lines, each line and each release may carry security risks to some degree, and from the perspective of security operations there are more assets to detect and protect, monitor and respond to.
So the key is whether the company's attitude towards security is rigorous, whether its security process management is standardized, how strong its technical team is, and how much emphasis and investment leadership puts into security; these factors cannot be generalized.
Enterprise application software also evolves with the Internet, and serious vulnerabilities can break out at any time, such as the earlier Struts 2 vulnerability.
The common problems in the Internet finance industry can be roughly divided into two categories:
1. Security issues related to the financial business, such as "wool pulling" (abuse of promotions and rebates) and business risk control (credit investigation). There are many kinds of wool pulling, such as fake registrations to defraud cashback and submitting false information to defraud loans. Many Internet finance companies are also weak in credit reporting and cannot effectively judge the legitimacy of a borrower's identity.
2. Security issues related to user information, such as unauthorized access, injection and so on. For the former, for example, I can use my own account's authority to view other people's investment and wealth management records, change other people's account passwords at will, and even dump the whole database.
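The unauthorized-access case in item 2 (reading another user's investment records or changing another user's password with one's own account) comes down to a missing server-side ownership check. The Python below is an added example, not the article's or any platform's code: a vulnerable lookup beside the hardened form that authorizes against the session identity, plus a password change bound to the session user; the record store, user ids and fixed salt are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the authenticated user is not allowed to touch the record."""


@dataclass(frozen=True)
class Investment:
    record_id: int
    owner_id: int
    amount: float


# Constructed sample records and credentials for this example, not real data.
INVESTMENTS = {101: Investment(101, owner_id=1, amount=5000.0),
               102: Investment(102, owner_id=2, amount=12000.0)}
SALT = b"example-fixed-salt"  # fixed only for reproducibility; use a random per-user salt in practice


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


PASSWORDS = {1: hash_pw("alice-old"), 2: hash_pw("bob-old")}


def view_investment_vulnerable(session_user_id, record_id):
    """Horizontal privilege escalation: the record id comes from the request and
    ownership is never checked, so any logged-in user can read anyone's record."""
    return INVESTMENTS[record_id]


def view_investment_fixed(session_user_id, record_id):
    """Authorize against the server-side session identity, not request data."""
    rec = INVESTMENTS.get(record_id)
    if rec is None or rec.owner_id != session_user_id:
        raise Forbidden("record not accessible")  # same error for missing and foreign records
    return rec


def change_password_fixed(session_user_id, target_user_id, current_pw, new_pw):
    """Only the session user may change their own password, and only by proving the current one."""
    if target_user_id != session_user_id:
        raise Forbidden("cannot change another user's password")
    if not hmac.compare_digest(PASSWORDS[session_user_id], hash_pw(current_pw)):
        raise Forbidden("current password does not match")
    PASSWORDS[session_user_id] = hash_pw(new_pw)
    return True
```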
03 How to protect your own data security
Everyone is now concerned about the theft of company data, which mainly depends on the company's risk control mechanisms. Many companies we have dealt with do not control sensitive data adequately: ordinary employees have the opportunity to access the company's core data, and insiders exploit an imperfect information security management system to steal and sell core data, resulting in the leakage of sensitive information.
But in fact the data leakage incidents that come to light are only the tip of the iceberg; the bigger crisis comes from our daily lives.
Every kind of data we can think of, including basic personal information, family composition, personal health and financial information, has been leaked through various channels. Criminals can use this kind of information to carry out all sorts of malicious actions, such as telecom fraud, or use the leaked data for analysis, such as targeted marketing.
In fact, at present a user's account and password information is not necessarily the most valuable; information about the user's clothing, food, housing, transportation, health and finances is more valuable, because through this consumption data a person can be completely tracked and comprehensively profiled.
Many people do not realize that personal information and data are often leaked inadvertently. For example, connecting to free Wi-Fi in public places or scanning promotional QR codes may lead to traffic hijacking, man-in-the-middle attacks and compromise of the handheld device.
There are other common scenarios, such as personal information filled in for promotional activities, website registrations and rental listings, seemingly harmless posts of air tickets, train tickets and ID cards in the circle of friends (WeChat Moments), and the courier information on express delivery labels.
In the Internet age, personal privacy is relative. In other words, as long as you live online, a great deal of your personal information will inevitably be exposed, so there is no way to protect privacy completely. Still, ordinary users can pay attention to the following points in their daily Internet use:
1. Keep two mobile phone numbers: one to give out for all kinds of unimportant matters, and one reserved for family and friends that is never used for registrations or business.
2. Do not disclose your personal information; in particular, when registering on the many websites that ask for it, do not use your real personal information.
3. Try not to publish personal information such as home addresses or photos of relatives on social media products and websites.
Zhiwei Technology was established in 2014 and is headquartered in Beijing. It was co-founded by executives and financial professionals from UFIDA Finance, CreditEase and Sunco China, and currently has 60 employees. Zhiwei Technology is committed to serving Internet finance enterprises, mainly developing and supporting operations management software for financial enterprises. The P2P online lending platform, property crowdfunding platform, wealth management system and loan management system it provides have been successfully deployed at hundreds of companies and for tens of thousands of end users. Zhiwei Technology's main customers include Guanqun, Zhongzhou Weiye, Puda, Zhongsheng Assets, Anxin Excellence, Weilian Wealth, Jiaye, Tongxin Finance, Zhongrong Guohua, Profit Finance, Huaxia Wanjia and other enterprises.
With the government's increasing supervision of Internet finance, the industry faces unprecedented development opportunities. Internet technologies, represented by cloud computing and big data, are changing the future of financial services. Technology is the primary tool and driver supporting the prosperity and development of financial markets.
The integration of technology and finance allows enterprises to compete in a healthy form. Zhiwei Technology has always operated in compliance and pursued technological innovation, and has shown itself to be a responsible enterprise. Technological innovation is the foundation of Dimension Technology's existence; through this advantage, Dimension Technology will continue to do a good job in financial services and use its own strength to reshape the favorable image of Internet finance.
Smtcloud Technology headquarters address: 6th Floor, Block A, Huateng Century Headquarters Park, Chaoyang District, Beijing
Website: www.smtcloud.com
Tel: 010-53688599

