Published: 2016/8/25 16:26:55

Behind a female college student's death after telecom fraud: reselling of school data is rampant - fraud, telecom fraud - IT news

Behind the Linyi girl's encounter with telecom fraud lie huge holes in the education sector's information security.

On August 19, Xu Yuyu, a girl from Linyi, Shandong, who had just been admitted to Nanjing University of Posts and Telecommunications, fell victim to telecom fraud and was cheated out of 9,900 yuan in tuition. The direct cause was the leak of her contact details and of the information that she was receiving an education grant.

According to the Yimeng Evening News, on August 18, the day before she was defrauded, Xu Yuyu received a phone notification about the grant from the genuine education department. The fraud suspect used "collecting the grant" as a pretext, easily won Xu Yuyu's trust, and defrauded her of the 9,900 yuan in tuition that the family had scrimped and saved over more than half a year.

On the evening of the 19th, Xu Yuyu and her family went to the police station to report the case. On the way home she suddenly fainted; despite two days of all-out emergency treatment in hospital, her life could not be saved. She was 18. The incident has drawn wide attention. So far, about 4,400 articles discussing it have appeared on the WeChat public platform, and related posts on the People's Daily Online Weibo client have drawn more than 20,000 comments.

On the evening of the 23rd, Linyi police published a warning on Weibo, "With the school term about to start, beware of scams in the name of student grants"; at the same time, Linyi police set up a task force to investigate the case.

What calls for vigilance is that, according to information published by the Ministry of Education, national grants cover 20% of undergraduate and junior-college students nationwide. According to the National Bureau of Statistics, in 2015 regular undergraduate and junior-college programs enrolled 7.378 million new students and had 26.253 million students in school. At that ratio, about 1.5 million freshmen who have just enrolled this year receive grants, and about 5 million students currently in school receive grants. All of them may face fraud risk from leaked grant information.

At present, the cause of the grant information leak is not clear. Nanjing University of Posts and Telecommunications has contacted the police and said it "had not made contact about issuing a grant." A person familiar with the matter said, "There are multiple steps from grant application to disbursement, and information can leak at every step." As required, grant application information comprises 26 items, including name, ID card information, contact details and home address.

Reselling of student data is rampant

Because students generally have no economic means and little money, they are not the group hardest hit by telecom fraud. But that does not mean students are well protected. In fact, among the many groups this reporter has dealt with, student information can be called the category with "the least security protection."

Recently, this reporter came into contact with several insiders who resell user data; three of them told the reporter: "Any school you have heard of, whether university, middle school or primary school, (its data) is available."

One of them showed the reporter data from a well-known Shanghai university, containing detailed information such as students' names, student numbers, sex, age, height, weight, contact details and major. This person also claimed to be able to obtain the "National Primary and Secondary School Student Status Information Management System", including student registration number, school, mode of admission, home address, family members and so on. The person said: "I have the data for half of the schools in the country. Even for those I don't have on hand, just tell me the name and I can get it."

The National Primary and Secondary School Student Status Information Management System is a system the Ministry of Education began rolling out in 2012. It aims to bring student registration, student information maintenance, graduation and grade promotion, and changes in student status nationwide under computerized management; information on more than 140 million primary and secondary school students is stored in it.

According to quotes from several people, first-hand student data that is "fresh" and "never sold before" sells for about 1-2 yuan per record, with discounts for large purchases. Second-hand data is generally under 1 mao (0.1 yuan) per record; in bulk, 10,000 second-hand records cost about 300-500 yuan. Across the black-market data industry, student data is priced on the low side. By comparison, first-hand data leaked from e-commerce platforms such as Taobao, JD.com and Vipshop sells for 3-5 yuan or more, and at the peak reached 20-30 yuan per record. Beyond that, e-commerce, banking, stock market, vehicle transaction and other data are all available on the data black market. In the view of the insiders quoted above, "People who buy data all use it to defraud people. You basically can't con money out of students, so the data doesn't fetch a price; data from township-level schools and the like can't be sold at all."

Ten years ago, student data was worth more than it is now. A teacher at a Beijing school told the reporter: "The loophole of reselling prospective-student data has existed for a long time. Many private universities run illegal adult-education and online-education programs under the name of legitimate majors in order to recruit students. After each year's college entrance examination, they buy candidate data from each province; at the time, one province's candidate data sold for several hundred thousand yuan. Lists of more than 100,000 were sold every year."

For schools offering adult-education and online-education programs, "data on high-scoring students is worthless and is given away for free; it is the low scorers who are valuable. After getting the data, the school has a call team start phoning, and within a few days it can recruit 50-60 people." The teacher told the reporter: "Some schools make upwards of 100 million yuan a year in profit this way. Around 2006, a rough estimate is that more than 200,000 people made their living from this."

"Schools, teachers, education bureaus, admissions offices: too many departments can get hold of student data, and many people could be the source of a leak. It is not only student data that is sold; school teachers' data has been sold as well, and teachers get many sales calls every day," the person recalled. "After 2008, the authorities issued a document making clear that reselling prospective-student data is illegal, but it still was not brought under control. Later, because the pool of prospective students shrank, public programs could not fill their places and private ones could not recruit students, and only then did this business fade."

School vulnerabilities breached in a few minutes

As the market inside the education industry declined, the telecom fraud and telemarketing markets outside it began to rise, and large volumes of student data flowed into the black-market industry.

"There are three ways data flows into the black market," a security expert at the database security company Anhua Jinhe told the reporter. "One is staff with access to the data leaking it; one is hackers intruding into the target to obtain the data; and another is third-party IT system service companies obtaining the data while providing services and then leaking it."

A veteran of education informatization told the reporter: "Student data is stored in many places: schools, admissions offices, educational institutions and so on. At present the Ministry of Education provides a unified platform for primary and secondary school data, but university data is stored in each university's own hands." The variety of storage locations increases the number of people who come into contact with the data, and also enormously magnifies the risk of leaks by insiders.

On the other hand, several authoritative figures from the information security field told the 21st Century Business Herald reporter: "The information security capability of the education sector is generally extremely low." On the Butian vulnerability platform run by 360, more than 1,100 vulnerabilities in education-related institutions were submitted in the past two years. "In reality there are far more than that. Mainly, educational institutions have so many vulnerabilities that white hats can't be bothered to test them, because there is no sense of achievement. Any entry-level hacker can get into the vast majority of school systems in almost no time, sometimes just by hitting Enter a few times."

An information security veteran tested a university directly under a ministry and found a vulnerability in it within just a few minutes; the university has since fixed it. It should be noted that, according to the Butian vulnerability platform, the vulnerabilities submitted on the platform in the past two years for Tsinghua University and for Peking University also number about 50 each. In addition, in recent years, because of incidents such as "borrowed-number diplomas" and "fake academic credentials", CHSI (Xuexin), the only website designated by the Ministry of Education for verifying academic credentials, has been questioned repeatedly; however, the Ministry of Education has stressed in multiple responses that "CHSI is secure" and "there are no vulnerabilities."

In 2014 and 2015, the Ministry of Education and the Ministry of Public Security jointly issued, in succession, the "Guide to Classified Security Protection Grading of Education Sector Information Systems (Trial)" and the "Notice of the Ministry of Education and the Ministry of Public Security on Comprehensively Advancing Classified Information Security Protection in the Education Sector", launching nationwide grading and filing of information system security levels. In the two documents, information management systems for student status, degrees and the like are mostly placed at Level 3 classified protection. The highest security protection level in the education sector is Level 3.

According to the relevant requirements, the security protection of information systems at the private, top-secret and confidential classification levels must be no lower than Level 3, Level 4 and Level 5 respectively. According to documents issued by the People's Bank of China, the highest protection level for some bank systems is Level 4.

The education informatization insider quoted above told the reporter: "Judging from the results of the past two years' analysis, information security is a problem the whole of society ignores. All enterprises and institutions need to take it more seriously; relying on citizens to raise their security awareness is simply useless."






