A leak of hotel check-in records has formed a cloud that caught well-known hotel chains such as Home Inns, Huazhu and Jinjiang Inn unawares; they were busy writing statements last weekend.
A few days ago, the domestic security vulnerability monitoring platform Cloud Network reported that a large number of check-in records from hotels such as Home Inns and Hanting had been leaked because of third-party storage and system vulnerabilities. Yesterday, Home Inns, Huazhu, Hong Kong Travel, Jinjiang Inn and others issued statements saying that they were not involved in any disclosure of information.
Legal professionals said that Cloud Network's methods sit in a "gray area" and may amount to infringement. Hotel customer data security management is indeed a problem at present, they said, but it should not be dealt with by going public.
Check-in record disclosure followed the process
Cloud Network reported that Home Inns, Xianyang International Trade Hotel, Hangzhou Grand Metropark Hotel, Yi Jia 365 Express Hotel and others use, in whole or in part, the hotel WiFi management and authentication management system of Zhejiang Huida Station Network Limited (hereinafter referred to as "Zhejiang Huida"). Zhejiang Huida stores these hotels' customer records on its servers in real time, including customer name, ID number, check-in date, room number and other private information. Because of loopholes in the Zhejiang Huida system, this information is at risk of being leaked.
Cloud Network, which went online in May 2010, is a network vulnerability reporting platform: users upload vulnerability information there and wait for vendors to verify and repair it. It became well known in 2011 after exposing security vulnerabilities in CSDN, Tianya, Dangdang, Jingdong Mall and other sites.
An industry insider who goes by "Don't drink cola Man" told First Financial Daily that it is well known in the circle that Cloud Network is where "hackers" gather. However, they are all "white hats". White hats work this way: they dig out a site's security vulnerabilities and, before "black hats" can use them, submit them to the platform or report them to the vendor, in the hope that the vendor repairs them promptly.
In the "hacker" world, there are three types. The first is white hats, also known as ethical "hackers": they can identify security vulnerabilities in computer systems or networks but do not exploit them maliciously; instead they disclose the vulnerabilities so that the loophole can be fixed before others use it. The second is gray hats: they are good at attack techniques but do not readily cause damage; they are proficient in both attack and defense and keep the overall information security picture in mind. The third is black hats: they study attack techniques with the sole purpose of causing trouble.
"We are not an organization, just a platform that brings together people who love security technology. Many white hats come here to share loopholes, and only after a loophole has been verified and precautions have been taken to solve the problem is it made public." Yesterday, a person associated with Cloud Network confirmed to the reporter that this loophole had been discovered as early as August 21; after the vendor was informed, it was made public on October 5 according to the process, and the news spread to the mass internet on October 10.
"Although Zhejiang Huida says the system has been upgraded to fix the loophole, the check-in records were still at risk of being compromised in the period before the loophole was discovered," the source said. "The announcement actually reveals a concern: since they were able to get the hotels' accommodation information, you can't rule out that someone else stole the information earlier. We're actually protecting the vendors' users, but many vendors try to avoid these problems for PR reasons, so we want to use this platform to do this better."
Cloud Network's legal adviser, lawyer Zhao Zhanling, also said that the leak incident was in fact only a routine release made according to the process.
The head of Cloud Network said that all or some of the hotels have used the hotel WiFi management and authentication management system developed by Zhejiang Huida. Put simply, this is what happened: because the hotels use this system, the company stores these hotels' customer records on its servers in real time, and because the authentication username and password used in the customer data synchronization are transmitted in clear text (this is what makes the leak possible), it is easy for professionals to obtain the customer information that the hotels upload to its data servers.
Security risks and suspected infringement
At present, hotel chains manage their wireless IT systems in one of two ways: developing them in-house or using a third-party system. The former requires a lot of R&D funding and manpower but offers relatively high control over security; the latter requires little R&D investment but carries security risks.
The key party in the leak is Zhejiang Huida, whose system is alleged to contain the loophole.
Zhejiang Huida said that, after verification, its wireless portal system did have a low level of information security encryption and a risk of information leakage. Zhejiang Huida's technical team has completed a comprehensive upgrade of the existing wireless portal authentication system, and the company thanked Cloud Network for helping it improve product security. The security of the wireless portal system is the responsibility of Zhejiang Huida and has nothing to do with any hotel customer. Zhejiang Huida also stated that it has no partnership in the wireless portal business with Hanting Hotels, Xianyang International Trade Hotel, Hangzhou Grand Metropark Hotel, Yi Jia 365 Express Hotel or Dongguan Humen Oriental Hotel.
Yesterday, Home Inns told reporters that the wireless IT service provider it works with is indeed Zhejiang Huida, that the hotel attaches great importance to the matter, and that it is cooperating with Zhejiang Huida to check and repair the loopholes. Home Inns also said it will learn the lesson and establish a long-term mechanism so that in future it will "ensure customer safety."
Huazhu and Jinjiang Inn both said that they have not cooperated with Zhejiang Huida on wireless projects. Huazhu also said that it reserves the right to pursue Cloud Network further.
Mr. Han, Zhejiang Huida's marketing director, said in an interview that the problem was purely at the technical level and did not directly result in any leak of customer information. At present, he said, its security level meets the National Emergency Center's testing standards, and the repair of the vulnerability has been confirmed.
Mr. Han reiterated that the cooperation with Hanting and other hotels did not involve the WiFi portal authentication system, but other products.
Yesterday the reporter visited the Zhejiang Huida website and clicked on its partners column; it showed "System is in maintenance" and could not be accessed.
In addition, in response to Cloud Network's report on the Zhejiang Huida wireless portal authentication loophole, the Operation Management Department of the National Internet Emergency Center (CNCERT) carried out a targeted inspection of the repair measures implemented by Zhejiang Huida and confirmed that the vulnerability has been repaired.
"According to what the industry reports, not many hotels cooperate with Zhejiang Huida on wireless, but with thousands of hotels in the country there are always some that have used Zhejiang Huida's computer rental, and using its computers also carries risk, so the security risks need attention," one budget hotel operator pointed out.
"From a legal point of view, Cloud Network is considered by the industry to find loopholes through a number of 'hacker' means. According to this argument, Cloud Network itself is suspected of infringement, because it obtains data through improper means in order to find loopholes. If Cloud Network is a 'well-meaning hacker' whose goal is only to help companies fix vulnerabilities, it should be able to communicate with businesses privately rather than publicly. Hotel registration involves personal privacy and information; once the information is leaked, there is suspected infringement not only against the enterprise but also against the individual. If guests therefore sue the hotel, and the hotel in turn brings a tort lawsuit against Cloud Network, then Cloud Network will be in a lot of trouble," analyzed lawyer Chen of Shanghai Shang law firm.