Plugging an Information Leak
2012-10-14
China’s Web security comes under fire after a massive security breach
By Liu Xinlian
Wang Lianjun, manager of a real estate website based in Suzhou, Jiangsu Province, stared at his computer screen in disbelief. Neatly listed on a download manager website was his personal information—usernames, passwords, e-mail addresses and other aspects of his online and offline life posted for the world’s billions of Internet users to see.
Early on December 21, 2011, the Chinese Software Developer Net (CSDN), the country’s largest online community for computer programmers, was hacked and the information of 6 million users leaked. Wang was a registered user of CSDN.
The CSDN breach was the first in a wave of Internet information leaks to sweep the country, caused by irresponsible websites and a lack of laws to protect users and hold the negligent parties accountable.
Within days, information leaks escalated, with millions of subscribers to several popular social networking and gaming websites seeing their information posted online.
A glitch in the official website of the Division of Exit and Entry Administration of Public Security of Guangdong Province was reported on December 29 by Wooyun.org, an online software loophole reporting platform. The personal information of some 4 million users, including their names, telephone numbers and dates of birth, was available to anyone visiting the administration’s website, according to the Shenzhen Evening News.
“The main reason for the leak is insufficient protection the websites have provided,” said Jiang Qiping, Secretary General of the Information Research Center under the Chinese Academy of Social Sciences.
In the first half of 2011, 217 million Chinese Internet users, or 44.7 percent of the country’s total online population, were attacked by malware, including viruses or Trojan horses, and 121 million had their accounts or passwords stolen, according to the China Internet Networks Information Center.
China has the world’s largest online population: roughly 500 million users. It is also one of the biggest victims of Internet attacks in the world and has faced serious network security problems in recent years, said Du Yuejin, Director of the National Network Information Institute for Security Technology.
“While the country’s Internet industry soars, its security has fallen to the wayside,” Du said. “If we don’t enhance security, we’re going to see a lot more leaks in the future.”
Security neglected
One factor in the severity of the data leaks is that much of the user information in the companies’ databases was stored as unencrypted plain text.
Plain text is the contents of an ordinary sequential file readable as unformatted text. It can be opened, read and edited with almost any text editor.
Jiang Tao, President of CSDN, admitted that old passwords in a backup file were saved in plain text until 2009, when they started to encrypt all users’ information.
A similar incident happened at Tianya.net, one of the country’s largest Internet forums. The information of more than 40 million forum users became available for downloading on the Internet, according to Wooyun.org.
“Tianya.cn used plain text passwords in the early days,” Tianya.cn said on its micro-blog page. “The stolen data were the back-up data before 2009. We adopted an encryption algorithm to tackle the security issues in 2010.”
Plain text is the least secure way to save data. Once the website was hacked, users’ information was easily accessed, said Wang Huabin, an independent Internet analyst in Guangzhou, Guangdong Province.
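As an added example (not code from the article or from any site it names), the contrast the passage draws in Python: a user record saved the pre-2009 way, with the password itself in the row, beside one saved with a salted one-way hash (PBKDF2-HMAC-SHA256), which is what password “encryption” means in practice since the site never needs the password back. The username and password are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for illustration only.
USERNAME = "demo_user"
PASSWORD = "correct horse battery staple"
ITERATIONS = 200_000  # slows down offline guessing of a leaked hash


def store_plaintext(username: str, password: str) -> dict:
    """The pattern the article describes: the password is saved as typed."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated one-way hash; the record never contains the password."""
    salt = salt or os.urandom(16)  # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash of a login attempt and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iters"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def password_visible_in_leak(record: dict, password: str) -> bool:
    """What a leaked dump of this record would show an attacker: is the password readable?"""
    return password in record.values()


if __name__ == "__main__":
    plain = store_plaintext(USERNAME, PASSWORD)
    hashed = store_hashed(USERNAME, PASSWORD)
    print("plaintext record leaks password:", password_visible_in_leak(plain, PASSWORD))
    print("hashed record leaks password:   ", password_visible_in_leak(hashed, PASSWORD))
    print("login with correct password:    ", verify(hashed, PASSWORD))
    print("login with wrong password:      ", verify(hashed, "guess"))
```

Two users with the same password get different hashes because each record carries its own random salt, so a dump cannot even reveal who shares a password.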
According to Wang, recent years have seen a dramatic increase in the hacking of enterprises’ core data.
“User data can be sold to advertisers. And since hackers have improved their skills on getting this information, websites need to be more prepared to protect their users’ information,” Wang said.
The information of 10 million users could be worth 10 million yuan ($1.57 million) in China, so the hackers spared no effort to steal it, said Wang.
Aside from encrypting information, websites should also require users to change their passwords every few months, said Zhou Yonglin, Director of Operating Department of the National Computer Network Emergency Response Technical Team/Coordination Center of China.
“Users should enhance the protection of their personal information by not providing too much real information in online registrations and creating difficult passwords that will be hard for hackers to crack,” Zhou said.
Insufficient measures
Even though the information leak only happened on a few popular websites, the fact is that Chinese websites are grossly ineffective at protecting their users’ information.
Shi Xiaohong, Vice President of Qihoo 360 Technology, a security software maker, said that 83 percent of Chinese websites had security loopholes and about one third were vulnerable to attacks.
“The industry as a whole doesn’t grasp the importance of securing data,” Jiang said.
Jiang admitted that CSDN only had three people responsible for the maintenance of 100 servers that stored information of 20 million registered users.
“The situation in China is that most of the websites don’t have professional technicians responsible for data security. Even those who have professional security technicians do not invest enough in security issues,” Wang said.
The users’ information leak last December was the largest in China’s history, but it wasn’t the first.
At the end of 2007, personal information of more than 40,000 pregnant women in Shenzhen, Guangdong was leaked after hackers breached the municipal health bureau’s network. In March 2011, personal information of 14 million cellphone users was leaked in Shaanxi Province.
“The government should focus on new security issues arising from the application of various new technologies and intensify its crackdown on illegal industry chains of selling personal information,” Zhou said.
“Internet operators should also strengthen their management, self-discipline, security guarantees and emergency response capabilities,” he added.
While websites are targeted by outside hackers, most cases are inside jobs. The official investigation showed that the leak at YY.com, a Guangzhou-based provider of online and mobile gaming services, was carried out by its own staff.
Legal issues
Official investigation results of the information leak were released on January 10, 2012 by the National Internet Information Office, the country’s Internet watchdog. Four people were placed in criminal detention and eight others received administrative penalties.
While the country hailed the timely investigation and imprisonment of the hackers involved, the victims did not know where they could turn to claim compensation.
Legal experts said that the massive leak also revealed shortcomings in Chinese Internet security laws and online ID protection.
Individual users’ privacy rights have been violated, but it is hard for them to defend their rights, said Li Yuxiao, a professor at the School of Economics and Management of the Beijing University of Posts and Telecommunications.
“Both websites and hackers are responsible for the loss of information, but it is very hard to hold them accountable because there is no law that states what kind of legal responsibilities websites have in terms of protecting users’ data,” Li said.
Zhang Qihuai, Director of the Beijing Lanpeng Law Firm, said there are currently “many holes” in the laws that should protect Internet users.
“It’s impractical to use the law to protect users because legislators have yet to clarify how exactly the rules should be applied,” Zhang said.
Li said that individual users may pursue civil compensation in court, but that it would be difficult for them to prove that hackers were to blame for their financial losses online.
“We are also in dire need of information security legislation to perfect the Web security system and strictly carry out the responsibility system,” said Shi.