[经验] [WSJ独家]阿里巴巴高管因警方数据泄露事件被中国当局约谈

moe

2年前

本帖最后由 spotlight 于 2022-7-15 10:24 编辑

今日国际头条新闻

WSJ中文版：https://cn.wsj.com/articles/%E9%98%BF%E9%87%8C%E5%B7%B4%E5%B7%B4%E9%AB%98%E7%AE%A1%E5%9B%A0%E8%AD%A6%E6%96%B9%E6%95%B0%E6%8D%AE%E6%B3%84%E9%9C%B2%E4%BA%8B%E4%BB%B6%E8%A2%AB%E4%B8%AD%E5%9B%BD%E5%BD%93%E5%B1%80%E7%BA%A6%E8%B0%88-11657841106

路透社头条转载 https://www.reuters.com/technology/alibaba-execs-summoned-by-shanghai-authorities-over-data-theft-probe-wsj-2022-07-14/?utm_source=newsletter&utm_medium=email&utm_campaign=technology-roundup&utm_term=Technology%20Roundup%20-%202021%20-%20Master%20List

WSJ英文版全文：https://www.wsj.com/articles/alibaba-executives-called-in-by-china-authorities-as-it-investigates-historic-data-heist-11657812800?mod=latest_headlines

"该云所使用的技术已经过时数年，且缺乏基本的安全功能，他们在该公司托管的其他十多个数据库中也发现这一情况。"

请问各位MJJ，你们托管在阿里云上的数据还安全吗？

edit: 中文版不全，很多人问为什么阿里有责任，我把英文版的部分放上来

As the investigation continued, Alibaba Cloud ordered staff to review details such as the database architecture and configurations in contracts with key clients, especially those with dedicated private cloud resources such as ** agencies and financial institutions, according to employees familiar with the matter and a cloud customer.

Neither Alibaba nor the Shanghai police have commented on the discovery by cybersecurity researchers last week that the dashboard for the stolen police database had been left without a password.

According to researchers at LeakIX and SecurityDiscovery, two cybersecurity companies that scan the web for unsecured databases, the dashboard lacked a password, and there wasn’t a way to add one.

Both the database that Alibaba provided for storing the data and the dashboard for accessing and managing it were using versions of the products that were several years outdated, the researchers said. Those versions didn’t include any security features, such as password protection, without a separate add-on that was never installed, they said.

The missing add-on didn’t matter for the database, which was kept on a secure private server, but the dashboard was set up on the public internet, acting like an open door to the data vault and allowing the information inside to be exported unencumbered.

The database was also missing an up-to-date security certificate, a unique digital identifier used to encrypt web traffic that has become standard practice. Alibaba last deployed a new certificate in September 2017, which expired a year later and was never renewed, according to the researchers.

The reliance on an expired certificate didn’t increase the vulnerability of the database but indicates that upkeep had been neglected, said Gregory Boddin, LeakIX’s chief technology officer. “There was no maintenance whatsoever on it,” he said, for at least the past four years.

LeakIX and SecurityDiscovery both said they found 13 other Alibaba-hosted databases that used the same outdated version of the database and dashboard products, and that had been set up identically with the database on a private server and the dashboard on the public internet. All 13 also shared the same certificate that then expired, which bucks best practices for security, Mr. Boddin said.

Nearly all had been left open upward of a year, according to LeakIX’s records. Two contained even more data than the 23 terabytes stolen from the Shanghai police: One had over 60 terabytes, while the other had over 92 terabytes.

“Even one day is enough for a database of such size to be grabbed and collected by malicious actors,” said Bob Diachenko, owner of SecurityDiscovery.

In early July, shortly after the leak began gaining widespread attention on social media, Alibaba cut public access to all 14 databases, Messrs. Boddin and Diachenko said.

Alibaba founder Jack Ma was an early evangelist of the use of data in policing and social control. In 2016, he delivered a speech to 1.5 million political and legal officials in which he said analysis of vast quantities of data would help the public security agencies track down thieves and predict terrorist attacks before they happened.

Alibaba Cloud is the biggest public cloud-service provider in China, but it lags far behind competitors like Huawei Technologies Co. in catering to clients who demand their own private cloud systems, according to **-backed think tank CCW Research. Alibaba’s cloud business turned a profit in the quarter ended March, making it the first Chinese cloud-service provider to make money from the cash-burning sector.

Alibaba previously has faced scrutiny over its data-security practices. In December, the Chinese ministry in charge of technology suspended a cybersecurity partnership with Alibaba’s cloud-computing unit for six months after Beijing alleged the company failed to report a global software vulnerability to it in a timely manner.

Last year, under pressure from a local telecom regulator, the company disclosed a 2019 incident in which an employee had leaked client contact information to a distributor.

Earlier this week, the Shanghai authorities announced a cybersecurity review of key websites and platforms belonging to ** agencies, state-owned companies, big tech firms and other entities, with a particular focus on any that contained personal data on more than one million people.

据知情人士和一位云客户透露，随着调查的继续，阿里云命令员工审查与关键客户签订合同中的数据库架构和配置等细节，特别是那些拥有政府机构和金融机构等专用私有云资源的客户。

阿里巴巴和上海警方上周都没有对网络安全研究人员发现被盗警察数据库的仪表板没有密码发表评论。

根据LeakIX和SecurityDiscovery的研究人员的说法，两家网络安全公司扫描网络上的不安全数据库，仪表板缺少密码，并且没有办法添加密码。

研究人员表示，阿里巴巴提供的用于存储数据的数据库以及用于访问和管理数据的仪表板都使用了已经过时数年的产品版本。他们说，这些版本不包括任何安全功能，例如密码保护，而没有从未安装过的单独附加组件。

缺少的附加组件对于数据库来说并不重要，数据库保存在一个安全的私有服务器上，但仪表板是在公共互联网上设置的，就像一扇通往数据保险库的敞开大门，并允许内部信息不受阻碍地导出。该数据库还缺少最新的安全证书，这是一种用于加密Web流量的唯一数字标识符，已成为标准做法。

研究人员表示，阿里巴巴上一次部署新证书是在2017年9月，该证书在一年后过期，从未续签。对过期证书的依赖并没有增加数据库的脆弱性，但表明维护工作被忽视了，LeakIX首席技术官Gregory Boddin说。“至少在过去四年里，它没有任何维护，”他说。

LeakIX和SecurityDiscovery都表示，他们发现了其他13个阿里巴巴托管的数据库，这些数据库使用了相同过时版本的数据库和仪表板产品，并且与私人服务器上的数据库和公共互联网上的仪表板设置相同。博丁说，这13家公司还共享了一张当时已经过期的证书，这违背了安全方面的最佳实践。

根据LeakIX的记录，几乎所有的开放都持续了一年以上。其中两个包含的数据甚至比从上海警方窃取的23TB数据还要多：一个超过60TB，而另一个超过92TB。

即使有一天也足以让恶意行为者抓住和收集如此规模的数据库，“SecurityDiscovery公司的所有者Bob Diachenko说

7月初在泄密事件开始在社交媒体上引起广泛关注后不久，阿里巴巴切断了公众对所有14个数据库的访问，博丁和迪亚琴科说。

阿里巴巴创始人马云是数据在警务和社会控制中使用的早期传播者。2016年，他在向150万政治和法律官员发表讲话时表示，分析大量数据将有助于公安机关追踪小偷，并在恐怖袭击发生之前预测。

阿里云是中国最大的公共云服务提供商，但根据政府支持的智库CCW Research的数据，它在迎合需要自己的私有云系统的客户方面远远落后于华为技术公司等竞争对手。阿里巴巴的云业务在截至3月的季度实现了盈利，使其成为第一家从现金燃烧领域赚钱的中国云服务提供商。

阿里巴巴此前曾面临对其数据安全实践的审查。去年12月，中国负责技术的部门暂停了与阿里巴巴云计算部门的网络安全合作伙伴关系六个月，此前北京方面指控该公司未能及时向其报告全球软件漏洞。

去年，在当地电信监管机构的压力下，该公司披露了2019年的一起事件，其中一名员工将客户联系信息泄露给分销商。

本周早些时候，上海当局宣布对属于政府机构、国有企业、大型科技公司和其他实体的关键网站和平台进行网络安全审查，特别关注任何包含超过一百万人的个人数据的网站和平台。

阿里巴巴：自己把密码贴到csdn，关我屁事！

这个不是管理的漏洞吗？怪阿里巴巴吗？

神秘北极圈发表于 2022-7-15 10:09
这个不是管理的漏洞吗？怪阿里巴巴吗？

数据存在你阿里云，泄露了你就要负责，不需要解释。

这个好象是公安的问题吧

约谈而已。。。又不是什么问题。气氛都烘托到这了。不处理又不行。。交点罚款。罚酒三杯吧

我想看国内媒体版，最好是胡叼盘版。

本帖最后由 logic90 于 2022-7-15 10:43 编辑

88232128 发表于 2022-7-15 10:16
阿里巴巴：自己把密码贴到csdn，关我屁事！

那个是谣言。。。wsj说，是软件问题造成的泄露，数据库和面板根本就没有密码，也不支持密码功能。。。所以不存在泄露密码

果然铁拳打起来是毫不讲理的。银行卡被盗是不是可以捶银行。

larry 发表于 2022-7-15 10:15
数据存在你阿里云，泄露了你就要负责，不需要解释。

你自己把密钥放csdn，数据被别人偷了，还怪阿里吗

办事不行，甩锅最在行

哪里都不安全听天由命吧

安全是相对的，没有绝对的安全。。。。

套路云狗都摇头