Analysis and Lessons from the Data Leak at a Special Department in Shanghai

Original link: http://afoo.me/posts/2022-07-05-GA-data-leak-incident.html


Wang Fuqiang

2022-07-05



For the criminal underground, the key fields in this leak (2022-07-03) had most likely already been circulating, in particular the usual "three elements" (name, ID number, phone number), so this batch probably only adds supplementary attributes to what they had. Still, the volume leaked (23.88 TB) and the department it came from make it a significant event. So Mr. Fuqiang wants to try to reconstruct and analyse how it happened, and contribute some experience that was already useful seven or eight years ago. See if it helps ;0)

1 The beginning and end of the event

The sample data looks like an ElasticSearch backup, with the backup stored in a cloud provider's OSS (Object Storage Service). The likely story: the junior developer responsible for the project, whether to show off their "brilliant" technique or for some other unknown reason, posted the code that accesses the OSS service on a personal blog on CSDN, and the accessKey hard-coded into that code went up with it, where someone with bad intentions picked it up. The backup data was eventually put up for sale somewhere for 10 bitcoins. To convince buyers, the seller also released three sample files of about 75K for potential buyers to check.

This reconstruction of the incident may not be the truth, but it is plausible, right?! Put bluntly: if you leave your keys lying around and your things go missing, who do you blame?!

2 Attempting a post-mortem

If the incident has to be graded, it is without question a P0-level security incident.

If accountability is assigned, the R&D team certainly cannot escape it; normally responsibility is assigned from the top down.

If the security department does not sit under the technology or R&D organisation, then the security team also has to answer for it, because traffic monitoring of key services and data, and routine security inspections, were not done well.

As for those saying operations is also responsible, that is a bit of a joke. In practice the blame usually does get pushed onto operations, but in a "regular army" organisation, operations only has to guarantee the supply and smooth running of the infrastructure. Mr. Fuqiang feels that, in principle, this incident has nothing to do with operations.

3 Countermeasures

Organisations have people coming and going and skill levels are uneven, so this kind of thing is genuinely hard to eliminate completely.

But if you actually do the work, you can greatly reduce the probability of similar incidents.

First, R&D process management needs to be strengthened, starting with the basics, above all code review. Going a step further, can you get code scanning (including scanning for hard-coded credentials) integrated into your CI/CD pipeline?

In addition, the technical management system and engineering culture must be strengthened. Posting an accessKey on an external blog shows no security awareness whatsoever; an experienced engineer would never do that~

Second, the security team's routine work must be done properly: abnormal traffic monitoring, code scanning, and daily inspections. Further measures, such as data classification and grading with protection to match, can push everyone to raise their game, right?
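What "abnormal traffic monitoring" on a backup bucket can look like in practice, as an added example that is not code from the original post: two rules over object-storage access logs, one for any use of an access key from outside the trusted network, one for a sliding-window spike in bytes read per key, which is how bulk download of snapshot files would show up even from a trusted address. The log line format, the trusted range, the thresholds and the sample log lines are all constructed assumptions; real OSS or S3 access logs carry more fields in a different layout and would need their own parser.

```python
"""Anomaly detection over access logs of a backup bucket. Added example, not
code from the original post. The log format, trusted network, thresholds
and sample lines are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Access(NamedTuple):
    ts: datetime
    client_ip: str
    key_id: str
    op: str
    obj: str
    nbytes: int


# Assumption: the backup job is the only legitimate client and runs from 10/8.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
# Assumption: nobody legitimately reads more than 1 GiB of snapshots per hour.
READ_BYTES_LIMIT = 1 << 30
WINDOW = timedelta(hours=1)
READ_OPS = {"GetObject"}


def parse_line(line: str) -> Access:
    """Parse "<iso-ts> <client-ip> <access-key-id> <op> <bucket/object> <bytes>" (constructed format)."""
    ts, ip, key_id, op, obj, nbytes = line.split()
    return Access(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, key_id, op, obj, int(nbytes))


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, access_key_id, detail) alerts for untrusted sources and bulk reads."""
    alerts: List[Tuple[str, str, str]] = []
    seen_untrusted = set()
    reads: Dict[str, List[Access]] = defaultdict(list)

    for raw in lines:
        if not raw.strip():
            continue
        a = parse_line(raw)
        # Rule 1: any use of a key from outside the trusted range is an alert,
        # whatever the operation; a leaked key gets used from the attacker's host.
        if not any(ip_address(a.client_ip) in net for net in TRUSTED_NETS):
            if (a.key_id, a.client_ip) not in seen_untrusted:
                seen_untrusted.add((a.key_id, a.client_ip))
                alerts.append(("untrusted_source", a.key_id, f"request from {a.client_ip} ({a.op} {a.obj})"))
        if a.op in READ_OPS:
            reads[a.key_id].append(a)

    # Rule 2: sliding one-hour window of bytes read per key. Bulk exfiltration
    # of snapshot files is a volume spike even when the address looks trusted.
    for key_id, accs in reads.items():
        accs.sort(key=lambda x: x.ts)
        start, total = 0, 0
        for end, a in enumerate(accs):
            total += a.nbytes
            while a.ts - accs[start].ts > WINDOW:
                total -= accs[start].nbytes
                start += 1
            if total > READ_BYTES_LIMIT:
                objs = {x.obj for x in accs[start:end + 1]}
                alerts.append(("bulk_read", key_id, f"{total} bytes over {len(objs)} objects within {WINDOW}"))
                break
    return alerts


# Constructed sample: two routine backup uploads from the internal job, then a
# leaked key listing and pulling snapshots from an external address.
SAMPLE_LOG = """\
2022-06-30T02:00:00Z 10.8.1.20 LTAIbackupjob0000001 PutObject es-backup/snap-0412.dat 734003200
2022-06-30T02:05:00Z 10.8.1.20 LTAIbackupjob0000001 PutObject es-backup/snap-0413.dat 734003200
2022-07-01T14:10:03Z 203.0.113.7 LTAI5tExampleKeyId0123 ListObjects es-backup/ 0
2022-07-01T14:10:09Z 203.0.113.7 LTAI5tExampleKeyId0123 GetObject es-backup/snap-0412.dat 734003200
2022-07-01T14:12:41Z 203.0.113.7 LTAI5tExampleKeyId0123 GetObject es-backup/snap-0413.dat 734003200
2022-07-01T14:15:02Z 203.0.113.7 LTAI5tExampleKeyId0123 GetObject es-backup/snap-0414.dat 734003200
"""

if __name__ == "__main__":
    for rule, key_id, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: key {key_id}: {detail}")
```

On the sample log the external key trips both rules, while the internal backup job, which only writes, trips neither. The two rules are deliberately independent: an attacker who tunnels through an internal host defeats the source check but not the volume check, and a slow drip of reads defeats the volume check but not the source check; a real deployment should also baseline per-key behaviour over time rather than rely on a fixed byte limit.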

Finally, Mr. Fuqiang wants to say that security is a continuous process. If it is not planned and implemented systematically, it usually degenerates into whack-a-mole (press down the gourd and the ladle floats up). Once an enterprise enters its growth or prosperous stage, it should appoint someone responsible for security. Those doing information security have a hard job, and the boss knows it 😉



©Wang Fuqiang Personal Copyright, All Rights Reserved.
