My privacy sells for only a penny, because it has leaked too many times

News 2024-06-22 Reads: 55 Comments: 0

An American on the other side of the ocean is arrested, and you are not unconnected to it.

 

On March 15, 2023, Conor Brian Fitzpatrick was arrested by the FBI in New York. At just 21 years old, he ran the world's largest hacker forum, BreachForums.

 

Hackers gather there to sell data of varied provenance. In July 2022, a hacker calling himself ChinaDan claimed on BreachForums to have obtained personal records on nearly 1 billion people and offered them for 10 bitcoin (about 1.4 million RMB at the time).

 

The data contained key personal information on nearly 1 billion citizens: names, addresses, places of birth, ID card numbers, mobile phone numbers and more.

 

People under various aliases replied below the post, discussing how fresh the data was and whether it included facial images; some asked the poster for samples to verify that the data was genuine.

 

Could your data be in there?

 

How do hackers sell information?

 

Usually, the first step after hackers successfully steal your information (how they steal it is covered later) is to take inventory of the valuable data, including names, phone numbers, addresses, ID numbers and financial information, and load it into a database.

 

They first trade this data privately. When private deals hit a bottleneck, they post it on hacker forums to find more buyers.

 

Through a search engine you can easily reach a public hacker forum like BreachForums. Yes, it sits out in the open for anyone to enter (though BreachForums has since been shut down). There are also more hidden entrances, such as the so-called dark web, which requires an anonymity tool like the Tor (Onion) Browser.

 

There is far more of the Internet than you know about | Wikimedia Commons

 

To keep trades fair, Fitzpatrick set out a full set of trading rules: for example, databases that are already public may not be sold; the seller must state whether the data was bought or stolen by the seller personally; and at least ten plaintext samples must be provided. Even in the underground trade of a hacker forum, the principle of a fair deal, goods delivered for money paid, still holds.

 

In any country, stealing citizens' information at scale and reselling it is illegal. That is why most transactions on the forum are settled in bitcoin: although every bitcoin transaction is recorded transparently, you can only see the activity of a given address, not who is behind it. And one person can hold many addresses.

 

How is the data priced?

 

Overall, the more complete the personal information, the higher the price; after all, it makes subsequent fraud by the buyer that much easier.

 

For example, the hacker ChinaDan later sold the data again. This time it was split into separate databases, such as citizen data and transaction records. The price for all of the databases was US$90,000, with the citizen database alone priced at US$75,000.

 

The database was later updated with personal phone numbers, and the bundle price rose to US$140,000.

 

 

Illegal data sales even run promotions | web screenshot

 

Illegal data pricing also follows supply and demand. In 2015, because so much personal information in the United States had been stolen, the price of a citizen's record fell from US$4 to US$1. Once a database has been sold enough times, its price approaches zero, because it can be found with a search engine.

 

 

2005-2020, U.S. data breach and exposed-record statistics | PBS

 

Buying and selling also follows a "prefer the rich" principle. From location, online shopping history, bank accounts and similar data, a rough user profile can be drawn, and the wealthier the user, the more can be extracted from them. According to the security firm Armor's 2019 black market report, records for the United States sold for US$30-40 per person, Italy for US$20-25 per person, and Mexico for only US$15-20 per person.

 

 

Data from Asia is cheap too | Armor 2019

 

What do buyers do with this data?

 

Where there are sellers, there are buyers. In the data black market, buyers typically use the information for telecom and online fraud, such as "shopping refund" scams, impersonating the police, prosecutors or courts, or "traffic violation notices". Because the buyer already holds a lot of your basic information, such scams can seem quite credible.

 

Some registered, legitimate companies are also buyers of leaked information. Since acquiring customers through legitimate advertising is relatively expensive, black market data can cut costs effectively. According to a 2021 report in Securities Times, customer acquisition through Baidu's paid search ranking cost about 60-80 RMB per person, while buying user data on the underground market could cut that cost by a tenth.

 

Many buyers also carry out so-called "credential stuffing" attacks: taking the username and password from site A and trying to log in with them on site B. Many users like to use the same username and password across platforms, so a leak from one site often exposes the user's entire online presence.

 

There is also a wide-net approach. The classic example is the Nigerian prince scam message. The scammer claims to be a prince of Dubai, Nigeria or some other country whose huge bank account has been frozen because of a coup or some other reason. If you wire him a few hundred dollars to unfreeze the account, he will give you a sizeable share of the enormous balance in return.

 

 

Reply to the email and win a fortune | Wikipedia

 

The scam looks crude, but that is exactly what helps the scammer filter for targets who cannot even tell whether such a message is real. And these emails are usually sent in bulk: with a large enough base, someone will always fall for it.

 

How do hackers steal this information?

 

Before preparing countermeasures, you first need to know how your information leaks.

 

One common technique is brute force. If a password has only four digits, the hacker needs at most 9,999 attempts to find the right one. That sounds like a very inefficient way to break in, but given how little attention netizens pay to their passwords, hackers may well be laughing up their sleeves.

 

According to the list published by the password manager NordPass, the most common password on the Internet in 2022 was still "password", with "123456" and "123456789" in second and third place. A hacker can crack these in under a second. Of the 20 most common passwords worldwide, 18 can be cracked within one second.

 

 

The 10 most used passwords of 2022 | HelpNetSecurity

 

If it is only individual users choosing such passwords, that is one thing; if even an administrator's password is this careless, the consequences are unthinkable. For example, port 22 is commonly used for the SSH remote login service on Linux systems, through which a hacker can connect to the server. If the administrator's password is simple, a hacker can easily crack the administrator account, log in to the server remotely, and gain the same privileges as the administrator.
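Both patterns described above, credential stuffing (one attempt per stolen account across many usernames) and password brute force against an administrator account over SSH, leave a signature in authentication logs. The following Python is an added example, not code from the article: it parses a handful of constructed OpenSSH-style auth.log lines (hypothetical host name, documentation-range IP addresses) and labels each source address by the ratio of distinct usernames to failed attempts. The thresholds are assumptions chosen for the demo.

```python
"""Label SSH login failures as brute force or credential stuffing (added example)."""
import re
from collections import defaultdict

# Constructed sample log in OpenSSH auth.log format; hosts and IPs are placeholders.
SAMPLE_LOG = """\
Jun 22 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 50001 ssh2
Jun 22 10:00:02 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 50002 ssh2
Jun 22 10:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 50003 ssh2
Jun 22 10:00:04 web1 sshd[1204]: Failed password for admin from 203.0.113.7 port 50004 ssh2
Jun 22 10:00:05 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 50005 ssh2
Jun 22 10:00:06 web1 sshd[1206]: Failed password for invalid user alice from 198.51.100.9 port 40001 ssh2
Jun 22 10:00:07 web1 sshd[1207]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
Jun 22 10:00:08 web1 sshd[1208]: Failed password for carol from 198.51.100.9 port 40003 ssh2
Jun 22 10:00:09 web1 sshd[1209]: Failed password for invalid user dave from 198.51.100.9 port 40004 ssh2
Jun 22 10:00:10 web1 sshd[1210]: Failed password for erin from 198.51.100.9 port 40005 ssh2
Jun 22 10:00:11 web1 sshd[1211]: Failed password for deploy from 192.0.2.5 port 33001 ssh2
Jun 22 10:00:12 web1 sshd[1212]: Accepted password for deploy from 192.0.2.5 port 33002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user alice from ..." as sshd writes them.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text):
    """Return a list of (source_ip, username) tuples, one per failed password line."""
    failures = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            failures.append((match.group("ip"), match.group("user")))
    return failures


def classify_sources(failures, min_attempts=5, stuffing_ratio=0.8):
    """Group failures by source IP and label the pattern.

    brute_force:          many attempts concentrated on one or a few accounts
    credential_stuffing:  many attempts where almost every one targets a different account
    Sources below min_attempts are ignored (ordinary typos). Thresholds are demo assumptions.
    """
    per_ip = defaultdict(list)
    for ip, user in failures:
        per_ip[ip].append(user)

    verdicts = {}
    for ip, users in per_ip.items():
        if len(users) < min_attempts:
            continue
        distinct_ratio = len(set(users)) / len(users)
        verdicts[ip] = "credential_stuffing" if distinct_ratio >= stuffing_ratio else "brute_force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {verdict}")
```

A real deployment would read the log incrementally and feed verdicts into a blocklist or alert; the distinct-username ratio is the key signal because a password guesser hammers one account while a stuffing tool tries each leaked pair exactly once.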

 

In fact, leaks through API endpoints have been the most serious source of data breaches in recent years. Normally a web page or app retrieves data through the corresponding API. But because these endpoints are often exposed to the public Internet (WAN), if the administrator does not restrict what data an API request may return, requests can pull data beyond their intended scope. For example, A asks the server for a user's phone number, but the server returns not only the phone number but also sensitive information such as the ID card number and home address.

 

Because such requests contain no attack payload, they are very hard to detect.
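The over-exposure just described is a handler that serialises a whole stored record when the endpoint only needed one field, with no check on who is asking. The following Python is an added example, not code from the article or from any real service: an in-memory user table with placeholder values, the leaky handler beside a hardened one that adds an ownership check and a field allowlist, and a small response audit that flags extra fields, since the request itself looks benign and only the response reveals the problem.

```python
"""Over-permissive API response beside a hardened handler (added example)."""
from typing import Any, Dict, Iterable, List

# Constructed in-memory user table; every value is a placeholder, not real data.
USERS: Dict[int, Dict[str, Any]] = {
    1001: {"id": 1001, "name": "User A", "phone": "13800000001",
           "id_number": "ID-PLACEHOLDER-1001", "address": "Address placeholder 1"},
    1002: {"id": 1002, "name": "User B", "phone": "13800000002",
           "id_number": "ID-PLACEHOLDER-1002", "address": "Address placeholder 2"},
}

# The only fields the hypothetical /users/<id>/phone endpoint is meant to return.
PHONE_ENDPOINT_FIELDS = ("id", "phone")


class Forbidden(Exception):
    """Raised when a caller asks for a record that is not their own."""


def get_phone_vulnerable(user_id: int) -> Dict[str, Any]:
    """The pattern the article describes: the whole stored record is returned,
    so a request for a phone number also carries the ID number and address,
    and nothing checks who is asking."""
    return dict(USERS[user_id])


def get_phone_hardened(caller_id: int, user_id: int) -> Dict[str, Any]:
    """Hardened handler: object-level authorization plus an explicit field allowlist."""
    # 1) only the owner of the record may read it
    if caller_id != user_id:
        raise Forbidden("caller may only read their own record")
    # 2) build the response from an allowlist; fields not listed can never leak
    record = USERS[user_id]
    return {field: record[field] for field in PHONE_ENDPOINT_FIELDS if field in record}


def overexposed_fields(response: Dict[str, Any], allowed: Iterable[str]) -> List[str]:
    """Response audit: keys that went out although the endpoint should not return them.
    Suitable for a unit test or a logging hook on outgoing responses."""
    return sorted(set(response) - set(allowed))


if __name__ == "__main__":
    leaky = get_phone_vulnerable(1001)
    print("vulnerable response leaks:", overexposed_fields(leaky, PHONE_ENDPOINT_FIELDS))
    print("hardened response:", get_phone_hardened(1001, 1001))
```

The allowlist is the important half: a denylist of "sensitive" fields silently fails the first time someone adds a new column to the table, whereas an allowlist has to be extended deliberately.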

 

Tencent Security classifies ports that appear frequently in hacking incidents as high-risk ports. According to 2018 data, among more than 3,000 sampled web servers, open high-risk ports still accounted for 36%.

 

Another common attack is the low-tech social engineering scam; the typical example is impersonating an acquaintance to trick you into visiting a specified page to download malware or to enter your account password. Some people are also in the habit of sticking their bitcoin key on a note behind the keyboard. In that case no hacker is needed; an ordinary thief can leave you in tears.

 

If you suspect your information has already been leaked, you can check at haveibeenpwned.com.
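Besides the account lookup the article points to, haveibeenpwned.com also runs a Pwned Passwords service whose range API is built on k-anonymity: the client sends only the first five hex characters of the SHA-1 of the password to https://api.pwnedpasswords.com/range/<prefix> and receives every hash suffix in that bucket with a breach count, so the full hash never leaves the machine. The following Python is an added example, not code from the article or from Have I Been Pwned: it implements the client-side half of that exchange against a constructed bucket response (the count shown is made up), with an optional network fetch for real use.

```python
"""k-anonymity leaked-password check in the style of the HIBP range API (added example)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> Tuple[str, str]:
    """Only the 5-character prefix is ever sent; the 35-character suffix stays local."""
    return hash_hex[:5], hash_hex[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed bucket for prefix 5BAA6 (SHA-1 of "password" starts with it).
# The count is invented for the demo; the second line is filler.
CONSTRUCTED_BUCKET_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:2
"""


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the range endpoint: only one bucket is populated."""
    return CONSTRUCTED_BUCKET_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_http(prefix: str) -> str:
    """Network version for real use: GET the bucket from the public range API."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "guhxig-mugca4-tydDon"):
        print(candidate, "->", pwned_count(candidate, constructed_fetch), "breach occurrences")
```

To check a password against the live service, pass `fetch_range_http` instead of `constructed_fetch`; the privacy property is the same either way, because the lookup key is a 5-character prefix shared by hundreds of unrelated hashes.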

 

My 500px and JD.com accounts had leaked.

 

 

Some dangers | web screenshot

 

Protect yourself

 

Data can in fact be traded legally; it is called a factor of production of the digital age, and used properly it can create enormous value. China has already set up big data exchanges in Guizhou, Beijing, Shanghai and other cities.

 

In legitimate trades, all data is de-identified and cannot be traced back to an individual.

 

Against illegal intrusions that are hard to guard against, the first thing that protects you is still setting a "good" password.

 

 

And of course, remember the password | giphy

 

To avoid the risk of weak passwords, security experts usually recommend complex passwords containing upper- and lower-case letters, digits and special characters, and the longer the better.

 

As password length grows, the number of possible character combinations grows exponentially. For example, a computer capable of 350 billion guesses per second needs only 4.08 seconds to crack a 6-character password; 6.47 minutes for 7 characters; 10.24 hours for 8; 40.53 days for 9; and 10.55 years for 10.

 

The password manager built into macOS generates 20-character strong passwords by default, such as "guhxig-mugca4-tydDon". Brute-forcing such a password could take longer than the recorded history of human civilization.

 

If you use the Chrome browser's password manager, it will also warn you which of your passwords have been leaked.

 

 

My leaked passwords | provided by the author

 

In any case, it never hurts to remember the three principles of password security:

 

1. Use complex passwords containing letters, numbers and symbols

2. Avoid using the same password for multiple accounts

3. Change passwords regularly
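The exponential keyspace growth described earlier (and the four-digit case in the brute force section) and the three principles above can be made concrete in code. The following Python is an added example, not code from the article: it derives the alphabet actually used by a password from its character classes, computes the worst-case guessing time at the article's 350 billion guesses per second, and reports violations of the three principles. It assumes a 95-character printable ASCII alphabet for "full" passwords, a 12-character minimum and a 90-day maximum age, which are assumptions of the demo and will not reproduce the article's exact timing figures, since the article does not state its alphabet.

```python
"""Keyspace, worst-case crack time and the three password principles (added example)."""
import string
from typing import Dict, Iterable, List, Optional, Set

# Guess rate the article quotes: 350 billion attempts per second.
RATE_PER_SECOND = 350_000_000_000

# Standard character classes; their sizes sum to the 95 printable ASCII characters
# minus the space (26 + 26 + 10 + 32 = 94).
CLASSES: Dict[str, Set[str]] = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password: str) -> Set[str]:
    """Names of the classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers the classes used.
    A digits-only password is drawn from 10 symbols; a mixed one from up to 94."""
    return sum(len(CLASSES[name]) for name in character_classes(password))


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords: alphabet ** length (exponential in length)."""
    return alphabet ** length


def worst_case_seconds(alphabet: int, length: int, rate: int = RATE_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return keyspace(alphabet, length) / rate


def crack_time_table(alphabet: int = 95, lengths: Iterable[int] = range(6, 11)) -> Dict[int, float]:
    """Worst-case seconds per length, to show the growth the article describes."""
    return {n: worst_case_seconds(alphabet, n) for n in lengths}


def check_password(password: str, other_passwords: Iterable[str] = (),
                   age_days: Optional[int] = None, max_age_days: int = 90,
                   min_length: int = 12) -> List[str]:
    """Report violations of the three principles; an empty list means all pass.
    The third principle needs the password's age, which cannot be read off the string,
    so it is supplied by the caller. Thresholds are assumptions of this demo."""
    issues = []
    classes = character_classes(password)
    if len(classes) < 3:
        issues.append(f"principle 1: use letters, digits and symbols (only {len(classes)} class(es) used)")
    if len(password) < min_length:
        issues.append(f"principle 1: shorter than {min_length} characters")
    if password in set(other_passwords):
        issues.append("principle 2: the same password is used on another account")
    if age_days is not None and age_days > max_age_days:
        issues.append(f"principle 3: password is {age_days} days old, older than {max_age_days}")
    return issues


if __name__ == "__main__":
    print("4-digit PIN keyspace:", keyspace(10, 4))
    for n, secs in crack_time_table().items():
        print(f"{n} chars from a 95-symbol alphabet: {secs:,.2f} s worst case")
    print(check_password("123456", other_passwords=["123456"], age_days=400))
    print(check_password("guhxig-mugca4-tydDon", age_days=10))
```

Each extra character multiplies the work by the alphabet size, which is why a 20-character generated password is out of reach even at this guess rate, while a 6-digit PIN is a few microseconds.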

 

Alright, I need to hurry and change the password on my leaked account.

 

References

 

[1] https://www.pbs.org/newshour/science/heres-how-much-your-personal-information-is-worth-to-cybercriminals-and-what-they-do-with-it

 

[2] https://cdn.armor.com/app/uploads/2018/10/2019-Q3-Report-BlackMarket-SinglePages-1.pdf

 

[3] https://data.hackinn.com/ppt/2019第五届互联网安全领袖峰会/信息泄露:2018企业信息安全头号威胁报告.pdf


 

[4] https://news.stcn.com/sd/202103/t20210324_2944755.html

 

Author: ttt

 

Editor: 睿悦 (Rui Yue)

 

Header image source: 图虫创意 (Tuchong Creative)

 

 
