The world wide web of deception
Updated: 2011-12-30 08:11
By An Baijie (China Daily)
IT technicians at a power company in Huaibei, Anhui province, discuss Internet security issues on Oct 7. Provided to China Daily
People in Taiyuan, capital of Shanxi province, enjoy their time in an Internet bar in this file photo.
Massive hacking of Web portals, causing leakage of classified information about Internet users, has raised concerns about safeguarding privacy in virtual space
BEIJING - IT engineer Wang Youhua has become "extremely busy" these days, ever since reports of the hacking of some well-known websites surfaced in mid-December. Some of the registered members of these portals had their private information leaked.
"IT engineers in our company feel under pressure after the information leakage," he told China Daily on Thursday. "The leakage has not only put the netizens' privacy at risk, but also undermined the credibility of many websites."
Wang, 29, an employee of a Web portal who has been working in the IT industry for nearly four years, said he had never seen such large-scale private information leakage.
Anti-virus company issues red alert
The Qihoo 360 Technology, an anti-virus company that claimed to offer free Internet security services to more than 300 million netizens, issued a red alert on Dec 22, saying that the databases of many websites were hacked recently, causing the leakage of more than 50 million Internet users' registered accounts and codes.
Chinese Software Develop Net (CSDN), one of China's biggest online communities for IT programmers, admitted being hacked on Dec 21, leaving about 6 million users' information leaked.
The Tianya.cn, one of China's most popular online forums, was also reported to have been hacked, causing exposure of information related to as many as 40 million users.
Ning Caishen, a renowned screenwriter, complained on Sunday on his micro blog that his Tianya account had been hacked. Many other micro blog writers expressed similar concerns on the same day.
Tianya replied to China Daily through an e-mail on Wednesday, admitting that the website was hacked but could not give the figures related to the number of people affected.
"Hackers claimed to have grabbed information about 40 million users, but so far our check shows the actual number is smaller than that," said the e-mail.
The forum said it had reported the case to the police, and the motives, methods and scales of the hacking case were still under investigation.
Apart from Tianya and CSDN, the Sina weibo, the most popular micro-blogging service, was also reported by many of its users as having been hacked on Dec 23, which Sina did not confirm.
China Daily found lots of ads appearing on many verified Sina micro blogs in mid-December, and some of them later claimed to have been hacked. A China Daily reporter's micro blog was abnormally logged in at many different locations, including Henan and Fujian provinces, from Nov 30 to Dec 5, places where he had never been.
The Sina weibo on Wednesday reminded its users to check the logging time and place to judge whether their accounts were being accessed by hackers.
Sina refused to comment on the issue when reached by China Daily on Wednesday.
Dangdang.com, one of China's biggest e-commerce websites, issued a release on Thursday, admitting that some of the company's data was hacked. The company refuted rumors that more than 12 million users' information was leaked, saying that the hacked information in question was six months old, and those hacked users will not suffer a loss.
Alipay, an online payment tool that boasts of more than 550 million registered users, declared on its Sina micro blog on Thursday that all users should rest assured that none of them had been leaked.
No netizens have reported direct economic loss due to the information leakage as of late Thursday.
Leaked information goes on sale
Kang Lingyi, who used to be a senior hacker and was now the editor-in-chief of a military fan website, said that the leaked information was always found being sold on some hacker's website.
"Usually, the private information of several hundred thousand users will be sold as a package at the price of 500 to 800 yuan ($79 to 126)," Kang told China Daily.
The prices fluctuate depending on the contents of the package. "Detailed information with the ID number, the mobile phone number and the real name of netizens will be sold at a higher price, while unclear information with only accounts and codes would cost much less," he said.
The privacy trade on hackers' websites is usually carried out between acquaintances for safety concerns, according to Kang.
Buyers of the leaked information classify the accounts according to their "commercial value", Kang said. Some of the information could directly produce money such as the online game accounts involving virtual money.
Most of the "lower-level" information, comprising only the account, code and e-mail addresses, are purchased by certain public relations companies that would spread advertising information via the hacked micro blogs or send spams through hacked e-mail.
Gong Wei, a veteran hacker who identifies himself online as "Goodwill", said that each click toward addresses included in the junk e-mail will bring the hackers 0.1 yuan income from the advertising companies, according to a report on the IT channel of Tencent.com.
It posed more threats to netizens who used the same set of account and code on different websites. Breaking into one of these websites would give the hacker access to their accounts on other websites as well, according to an Internet security report released by the Qihoo 360 Technology.
Users' online safety ignored
Internet companies were unwilling to spend much on protecting the information on their websites, as they did not have much to gain monetarily from these efforts, Kang said.
While website companies should encrypt the private information of their members before saving them into the database, many of them neglected to do so because of the huge expenses entailed, thereby exposing themselves to the possibility of a massive leakage, Kang said.
Hackers took advantage of the fact that some website companies stored the users' information without encrypting, making it easy for hackers to break into, Kaspersky, an anti-virus company, told China Daily on Thursday through an e-mail.
Netizens should use different e-mail addresses and codes to register on different websites to avoid being hacked, suggested Kaspersky.
The mass leakage showed that many websites ignored having to protect the privacy of their users, said Chen Tao, a member of the Beijing Lawyers' Association.
"Existing laws and regulations fail to specify how Internet companies responsible for information leakage might be penalized," Chen said. "As a result, most of them get away by issuing an apology without being fined or punished by authorities."
The amendment to the Criminal Law rules that hackers could face a penalty of up to five years in jail.
"The Criminal Law should also impose the compulsory responsibilities of protecting information of their users on Internet companies," Chen said.
Stricter rules are needed to keep Internet companies from dereliction of duty, "especially when real-name registration was required by some websites such as the Sina weibo", Chen added.
To make things worse, some small Internet companies even sold the information of their members to public relations companies to make profits, Kang Lingyi, the former hacker, said.
"I always received text messages from unidentified people who said they wanted to pay for the information of our website's users, which I refused all the time," he said.
By Thursday, none of the Internet companies that were reported to have their users' information exposed received any punishment from authorities.
The Ministry of Industry and Information Technology issued a notice on Wednesday saying websites should remind their users as soon as possible to avoid using the same account and code in different websites, and that netizens should change their codes to avoid the possibility of being hacked.
"Internet security is a worldwide question for both the websites and the netizens," Kang said. "Under the current situation, the only way for netizens to protect themselves was to change their logging codes from time to time."
(China Daily 12/30/2011 page5)