April 8: According to a ZDNet report, researchers have found that several resume leak incidents at Chinese companies in the first 3 months of this year involved 590 million resumes.
Most of the resumes leaked because MongoDB and ElasticSearch servers were inadequately secured, so their contents could be viewed online without a password, or because of firewall errors.
Over the past few months, ZDNet has received information about some of the leaking servers, which belong to Chinese HR companies. Sanyam Jain, the security researcher who discovered the leaks, said that in the past month he found and reported 7 leak incidents, 4 of which have been fixed.
On March 10, Jain discovered an insecure ElasticSearch server holding the resumes of 33 million Chinese users. He then reported the problem to China's national computer emergency response team (CNCERT), and the database was fixed 4 days later.
On March 13, Jain discovered another insecure ElasticSearch server, this one holding 84.8 million resumes. With CNCERT's help, the problem was resolved.
On March 15, Jain found another problematic ElasticSearch server, holding 93 million resumes. It was reported to CNCERT, but there has been no response.
The 4th server stored resume data from Chinese companies and held 9 million resumes. It was likewise an ElasticSearch server.
The 5th leak was an ElasticSearch server cluster that held even more: 129 million resumes. Jain could not determine the owner, and the database is still open.
The other two leaks were smaller. One ElasticSearch server held 180 thousand resumes and the other held 17,000 resumes.
In addition, two weeks ago another security researcher, Devin Stokes, discovered an ElasticSearch server containing the resumes of 19 million Chinese users, all of them for administrative positions.
Besides resumes, this server also held the complete profile of every user, including their current job, recent conversations between recruiters and executives, and training courses.
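The root cause described above (MongoDB and ElasticSearch servers whose data can be read online without a password) can be checked in the servers' configuration files. The Python script below is an added example, not part of the ZDNet report. Its sample configs are constructed, and treating a missing `xpack.security.enabled` as disabled is an assumption, because defaults differ between Elasticsearch versions.

```python
# Added example: static audit of database configs for "reachable without a password".
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def flatten(text):
    """Flatten simple YAML mappings (nested or dotted keys) to {"a.b": "value"}."""
    out, stack = {}, []  # stack: (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the previous nested mapping
        if value.strip():
            path = [k for _, k in stack] + [key.strip()]
            out[".".join(path)] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return out

def hosts(value):
    """Split a bind setting ("a,b" or "[a, b]") into a set of addresses."""
    return {h.strip() for h in value.strip("[]").split(",") if h.strip()}

def audit(kind, text):
    """Return CRITICAL (remote, no auth), WARN (local only, no auth) or OK."""
    cfg = flatten(text)
    if kind == "elasticsearch":
        bound = hosts(cfg.get("http.host", cfg.get("network.host", "_local_")))
        # Assumption: a missing setting counts as disabled (defaults vary by version).
        auth = cfg.get("xpack.security.enabled", "false").lower() == "true"
    elif kind == "mongodb":
        bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
        bound = {"0.0.0.0"} if bind_all else hosts(cfg.get("net.bindIp", "127.0.0.1"))
        auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    else:
        raise ValueError(f"unsupported kind: {kind}")
    if auth:
        return "OK"
    return "CRITICAL" if bound - LOOPBACK else "WARN"

# Constructed sample configs (not taken from any server in the report).
ES_OPEN = "cluster.name: resumes\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
ES_FIXED = "network.host: [_local_, 10.0.0.5]\nxpack.security.enabled: true\n"
MONGO_OPEN = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
MONGO_LOCAL = "net:\n  bindIp: 127.0.0.1  # protected by bind address only\n"
MONGO_FIXED = "net:\n  bindIp: 127.0.0.1,10.0.0.6\nsecurity:\n  authorization: enabled\n"
```

A `WARN` result marks a server that is protected only by its bind address, so a single firewall or binding mistake of the kind the report mentions would leave it readable without a password.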
Today, more and more users want to browse the Internet anytime and anywhere from computers, PDAs and smartphones, which has also led to more and more data leaks.
For a website, using the HTTPS protocol means installing an SSL certificate. SSL certificates currently come in many categories. By validation level they are divided into domain name certificates (DV SSL), enterprise certificates (OV SSL) and enhanced certificates (EV SSL), and the appropriate certificate can be chosen according to the type of website.
By encrypting information and providing authentication, SSL certificate technology not only shows the authenticity of the website but also encrypts the passwords and user names that users enter on the website, so that they are not intercepted by hackers. Even if the data is intercepted, it is ciphertext, and the real user name and password cannot be seen. The network attacks we often encounter, such as data hijacking and phishing attacks, occur where there is no SSL certificate protection. Such attacks make it very likely that user information will leak and can even cause severe financial loss. SSL certificate validation can effectively prevent this, because only authorized users can access the data.