Sunday, March 3, 2019

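After the facial recognition database, a Chinese social media surveillance database covering 364 million users has leaked, including QQ, WeChat, YY, Apple's Guizhou-Cloud (云上贵州) servers, Taobao Wangwang, and QQ groups; these accounts were also linked to users' real identities.

Following the facial recognition database, security researcher Victor Gevers has reported a leaked social media surveillance database containing the profiles and chat logs of 364 million users, with the accounts also linked to the users' real identities. This is not surprising: China's social networks have fully implemented back-end real-name registration, usually by linking a mobile phone number, and real-name registration for mobile phone numbers has already been rolled out. The platforms monitored by this database include Tencent's QQ and WeChat, both of which have hundreds of millions of users in China.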

https://twitter.com/0xDUDE/status/1101909112131080192

Can anyone (from China) identify these Messaging services?

qg <-- QQ_group

qqmesg <-- https://www.imqq.com/

wwmsg <-- Wangwang Alibaba~Taobao

imsg – iMessage

qqmesg – Tencent QQ

wxmsg – Weixin, aka WeChat

yymsg – YY (China’s twitch)

In China, they have a surveillance program on social networks which looks like a jerry-rigged PRISM clone of the NSA.

So this social media surveillance program is retrieving (private) messages per province from 6 social platforms and extracts names, ID numbers, ID photos, GPS locations, network information, and all the conversations and file transfers get imported into a large online database.

Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name.

With these "operator databases" the local law enforcement investigate 2600 to 2900 messages and profiles. They name a new table per day to keep track of the progress. So they manually review the social media communication (public/private messages).

And the most remarkable part is that this network syncs all this data to open MongoDBs in 18 locations.

"r_Capture_Time" : "2019-03-03 02:58:08.0",
"r_QQMsg" : "2019-03-03 02:58:08 \"ζ°? 、XXX丶ζ说:!收【【【46--48道士号】】】卖的微信XXXXXXXXXXXぁ"

https://pbs.twimg.com/media/D0woGfKWsAEEDbM.jpg

Victor, in China ISP use this software

https://pbs.twimg.com/media/D0ve-qPV4AA0Tl-.jpg

Massive Database Leak Gives Us a Window into China’s Digital Surveillance State

https://www.eff.org/deeplinks/2019/03/massive-database-leak-gives-us-window-chinas-digital-surveillance-state

Earlier this month, security researcher Victor Gevers found and disclosed an exposed database live-tracking the locations of about 2.6 million residents of Xinjiang, China, offering a window into what a digital surveillance state looks like in the 21st century.

Xinjiang is China’s largest province, and home to China’s Uighurs, a Turkic minority group. Here, the Chinese government has implemented a testbed police state where an estimated 1 million individuals from these minority groups have been arbitrarily detained. Among the detainees are academics, writers, engineers, and relatives of Uighurs in exile. Many Uighurs abroad worry for their missing family members, who they haven’t heard from for several months and, in some cases, over a year.

Although relatively little news gets out of Xinjiang to the rest of the world, we’ve known for over a year that China has been testing facial-recognition tracking and alert systems across Xinjiang and mandating the collection of biometric data—including DNA samples, voice samples, fingerprints, and iris scans—from all residents between the ages of 12 and 65. Reports from the province in 2016 indicated that Xinjiang residents can be questioned over the use of mobile and Internet tools; just having WhatsApp or Skype installed on your phone is classified as “subversive behavior.” Since 2017, the authorities have instructed all Xinjiang mobile phone users to install a spyware app in order to “prevent [them] from accessing terrorist information.”

The prevailing evidence of mass detention centers and newly-erected surveillance systems shows that China has been pouring billions of dollars into physical and digital means of pervasive surveillance in Xinjiang and other regions. But it’s often unclear to what extent these projects operate as real, functional high-tech surveillance, and how much they are primarily intended as a sort of “security theater”: a public display of oppression and control to intimidate and silence dissent.

Now, this security leak shows just how extensively China is tracking its Xinjiang residents: how parts of that system work, and what parts don’t. It demonstrates that the surveillance is real, even as it raises questions about the competence of its operators. 

A Brief Window into China’s Digital Police State

Earlier this month, Gevers discovered an insecure MongoDB database filled with records tracking the location and personal information of 2.6 million people located in the Xinjiang Uyghur Autonomous Region. The records include individuals’ national ID number, ethnicity, nationality, phone number, date of birth, home address, employer, and photos.

Over a period of 24 hours, 6.7 million individual GPS coordinates were streamed to and collected by the database, linking individuals to various public camera streams and identification checkpoints associated with location tags such as “hotel,” “mosque,” and “police station.” The GPS coordinates were all located within Xinjiang.

This database is owned by the company SenseNets, a private AI company advertising facial recognition and crowd analysis technologies.

A couple of days later, Gevers reported a second open database tracking the movement of millions of cars and pedestrians. Violations like jaywalking, speeding, and going through a red-light are detected, trigger the camera to take a photo, and ping a WeChat API, presumably to try and tie the event to an identity.

Database Exposed to Anyone with an Internet Connection for Half a Year

China may have a working surveillance program in Xinjiang, but it’s a shockingly insecure security state. Anyone with an Internet connection had access to this massive honeypot of information.

Gevers also found evidence that these servers were previously accessed by other known global entities such as a Bitcoin ransomware actor, who had left behind entries in the database. To top it off, this server was also vulnerable to several known exploits.

In addition to this particular surveillance database, a Chinese cybersecurity firm revealed that at least 468 MongoDB servers had been exposed to the public Internet after Gevers and other security researchers started reporting them. Among these instances: databases containing detailed information about remote access consoles owned by China General Nuclear Power Group, and GPS coordinates of bike rentals.

A Model Surveillance State for China

China, like many other state actors, may simply be willing to tolerate sloppy engineering if its private contractors can reasonably claim to be delivering the goods. Last year, the government spent an extra $3 billion on security-related construction in Xinjiang, and the New York Times reported that China’s police planned to spend an additional $30 billion on surveillance in the future. Even poorly-executed surveillance is massively expensive, and Beijing is no doubt telling the people of Xinjiang that these investments are being made in the name of their own security. But the truth, revealed only through security failures and careful security research, tells a different story: China’s leaders seem to care little for the privacy, or the freedom, of millions of its citizens.

