Revealing the Secrets: Behind the Cyber Cafe Hack Case

by itadmin on 2007-10-28 15:26:12

As reported on October 27, a young man named Li Xiaoqiang was criminally detained by the Beigou Police Station of the Huancui Public Security Bureau for allegedly using "hacker technology" to break into the management system of an internet cafe in the urban area.

Over the course of a year, the suspect used remote control software to secretly recharge membership cards with thousands of hours (the cafe's membership rate is 1 yuan per hour), causing the internet cafe a loss of more than ten thousand yuan.

According to one of the investigating police officers, this was also the first case involving computer systems handled by the Huancui Beigou police in recent years.

Normally, only the internet cafe administrators sitting at the management host have the authority to recharge memberships for cash.

Once that "authority" is stolen by someone with ill intentions, however, the consequences are self-evident.

Recently, our reporter conducted an interview regarding this matter.

Event: The Recharge Management System Was "Intruded"

On the afternoon of October 23, I went to the Beigou Police Station of Huancui Public Security Bureau and interviewed the relevant personnel involved in handling this case.

"The occurrence of such cases is rare in our city," said the investigating police officer. According to the officer's account, the suspect, Li Xiaoqiang, had been a network administrator at this internet cafe but resigned after working there for a little more than a month.

As network administrator he managed and maintained the cafe's entire computer system, so he knew exactly which vulnerabilities existed in it and where new ones might appear.

These vulnerabilities later became a hidden channel he could exploit, all the more so because his former boss knew little about computers.

Some time after leaving the internet cafe, Li Xiaoqiang returned as an ordinary customer, and during these visits he used his technical knowledge to plant a "backdoor" in the system.

Through this "backdoor" he could launch remote control software and operate the cafe's management host covertly. He could browse the data stored on the host and tamper with it without being discovered.

Subsequently, Li Xiaoqiang began using remote control tools to recharge the membership cards of some of his friends, allowing them to enjoy "free internet access." The largest amount exceeded two thousand yuan, while the smallest was nearly a hundred yuan.

This went on for almost a year, and he gradually gave in to the "pleasure" of effortless gains. Meanwhile the cafe's managers, although they occasionally noticed an unexplained drop in revenue, had too little computer knowledge to realise what was quietly happening on their own machines.

It was not until mid-October this year that an informant reported his actions. After investigation and a planned operation, the Huancui Beigou police captured Li Xiaoqiang.

After interrogation, Li Xiaoqiang confessed to his criminal acts.

Revelation: Hacker Tools Originate from the Internet

According to the officer, the tools the suspect used to "intrude" into the internet cafe were downloaded from the internet. With only basic computer skills, and because the downloaded tools came bundled with "tutorials," he could complete the intrusion simply by following the steps.

During the interview we learned that such intrusion and cracking tools are mostly written or modified by computer enthusiasts passionate about "hacker technology," which is no secret in networking circles. They upload these repackaged "works" to the internet under the banner of "technical sharing," so that anyone visiting the site can download and use them.

Through several search engines I found that many cracking tools come from websites labelled as "hacker" sites, in all sorts of varieties. Software for cracking internet cafe systems is just one type among them.

One can imagine the consequences if these tools fall into the hands of people with malicious intent.

An insider in the Weihai networking community told our reporter that the operating systems on today's internet cafe hosts are mostly server systems such as Win2000/2003, which themselves provide many management methods, such as IPC$ and Remote Desktop. These are secure in themselves, but if the administrator account has no password, or security patches are never installed... then a certain security risk exists.

Because internet cafe managers have weak security awareness, some machines do not even have the necessary administrator passwords, and some rarely or never install security patches, leaving the system "full of holes." These security vulnerabilities give people with ill intentions the opening to secretly download and run Trojan programs for remote control, theft or other purposes.

According to a local network technology enthusiast, there are currently many popular methods for breaking into internet cafe hosts. Take "IPC$" as an example. IPC$ is itself a management channel that the system provides for remote administration; an intruder need only obtain the administrator's account name and password through illegal technical means, and through this channel can directly gain "authority" for whatever undisclosed purpose. So if your host has no administrator password set, it is indeed very dangerous.

He also believes that people who use tools written by others to commit illegal acts should not be called hackers. In the industry, the term "black hacker" is used for those who act recklessly. In its true historical sense, a hacker is a computer enthusiast who specialises in researching and discovering vulnerabilities in networks and computers. Hackers exist because computer network technology is imperfect.

Regardless of how professional hackers' ethics may be, the proliferation of software tools used for vulnerability scanning, penetration testing, encryption cracking, and secret remote control on the internet is now an undeniable fact.

Undercover Investigation: Vulnerabilities Exist in the System

Starting on October 24, I visited several internet cafes in the urban area for undercover investigations. The purpose was simple: to run a basic "test" of whether the machines carried viruses.

On the morning of October 24, at an internet cafe near Wenhua Central Road in the urban area, capable of accommodating dozens of people surfing the web simultaneously, I swiped my card at the cashier and randomly chose a machine to open.

The machine ran Windows XP, and the internet connection was quite fast. However, neither among the desktop icons nor on the system partitions did I find any security software capable of scanning for and removing Trojans and viruses.

A few minutes later I downloaded a well-known free antivirus program from a legitimate domestic website. After installing it and enabling real-time protection, the software window reported: "Your computer has never been scanned for Trojans." I then ran a scan of the partitions.

Within a short time the antivirus software had detected several Trojans and viruses. Looking up the detected Trojan types online, I found that one was a Trojan program used to steal accounts for a popular online game. According to the available descriptions, this Trojan starts with Windows, lies dormant on the computer, injects itself into processes, harvests account names and passwords by reading memory, and then sends them to an address designated by whoever planted the Trojan.

There are also Trojan programs whose names alone allow direct judgment, such as Chinese-named Trojans like "XXQQ Thief," which internet users who frequently use QQ communication tools know are used to steal QQ accounts and passwords.

After removing these risks with the antivirus software, I checked the system for vulnerabilities using a security tool. This machine had obviously not had its patches updated for a long time.

Even a simple detection tool could reveal numerous unpatched system vulnerabilities on the machine, which others could exploit to execute remote code and thus attack it. I then switched to another machine and repeated the process, and again detected Trojans and viruses of various kinds.

It is understood that these potential Trojan viruses are embedded into computers when netizens browse malicious web pages unknowingly, infected when remotely receiving virus-laden files, or even "locally downloaded" by malicious internet users planting them in the system.

On the afternoon of October 25, I went to a large internet cafe in the urban area. Security experts say that no single antivirus product can find and remove every virus, so I downloaded two antivirus programs and ran simple detections with each. The results showed different types of Trojans, such as a Trojan packer and the account-stealing program Trojan-psw.win32.lmir.bcl.

During the interview, I learned that most netizens don't care whether the machine has installed any virus defense software when surfing the internet. They either chat online or play games. Therefore, in individual machines in internet cafes, it's rare to install antivirus or anti-Trojan detection tools.

According to insiders, internet cafes currently use hardware "restore cards" or "restore software." Whichever is used, the system saves a fixed system image at a chosen point in time, and whenever the computer restarts it automatically reverts to that state. Even if a virus program is downloaded, it is wiped on the next restart, so antivirus software on individual machines is usually considered unnecessary; otherwise management would be cumbersome.

Asked why viruses were found on some cafe machines right after booting, and were still present after a restart, he explained that restore cards generally protect the whole disk. If viruses survive a restart, the machine was probably already infected with Trojans before the system image was taken.

Internet cafe machines generally do not install patches because it is commonly believed that an infected machine will simply be "restored" on restart, so the security risk exists but is not high. The cafe host, however, stores a great deal of critical data and cannot be placed under restore protection. It is understandable that the other machines go unpatched, but if the host is not patched promptly it becomes fragile and easy to attack.

Analysis: System Vulnerabilities Ultimately Stem from Human Vulnerabilities

A famous hacker in China's security industry, Lan Xuanxingkun, once told me: "In today's increasingly prominent security defects, the confrontation between attack and defense has become unprecedentedly intense. System security primarily requires safety awareness, but unfortunately, this awareness is often overlooked by many managers. Therefore, the weakest link in network security is not system vulnerabilities but human vulnerabilities."

System vulnerabilities, ultimately, stem from human vulnerabilities.

A network administrator, as the name implies, should first of all possess the corresponding network management knowledge.

Regrettably, I found during the interviews that some internet cafe "network administrators" are little more than cashiers: they know how to turn the machines on and off, recharge cards and collect fees, but are unclear about or unaware of other technical matters...

At noon on October 25, at an internet cafe in the urban area, when I settled my bill after logging off, I casually chatted about computer topics with the young and pretty female network administrator sitting behind the counter, who looked confused.

Some internet cafe managers seem to suffer from "software dependency syndrome," believing that installing a protective program makes everything fine and so neglecting to fix the system's many vulnerabilities.

But can hardware protection alone ensure that "authority" always stays in your hands?

Take a simple example: even if a machine is fitted with a common restore-protection product, someone with ill intentions can uninstall it, or crack the product's default management password, and then download a Trojan... Such methods are also "open secrets" on today's information-rich internet. According to staff of the Weihai Municipal Public Security Bureau's Network Supervision Brigade, national computer management regulations make cracking network management software an illegal act.

During the interviews I found that some large internet cafes in the urban area pay relatively close attention to security management. One cafe on a busy road had hung a red warning sign above the counter reminding customers to surf safely, to discourage them from exiting the network management software at will or downloading and running unknown files.

According to industry insiders, a competent and qualified network administrator must not only keep good order on the cafe's internal network but also have a "think-ahead" security awareness. Network technology develops rapidly and changes quickly today. Hardware and software may lag because of cost, but if security awareness does not improve, the losses will be regrettable.

From a purely technical perspective, passwords should be set for the internet cafe router, complex passwords should be set for the internet cafe host, all security patches should be applied, firewalls and antivirus software should be installed and updated regularly, and regular vulnerability checks should be performed on the host.

And these simple little fixes are easy for experienced network administrators to handle well.
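As an added example (it is not from the article or from anyone it quotes), the following PowerShell script audits a Windows cafe host against the checklist above and against the enthusiast's warning about IPC$ logons with no administrator password: it lists enabled local accounts that require no password, checks whether the LimitBlankPasswordUse policy refuses network logons with blank passwords, reports disabled firewall profiles, the age of the newest hotfix, and the Defender signature age. It assumes a modern Windows host with PowerShell 5.1 or later; the Win2000/2003 hosts of the article predate these cmdlets, and the 60-day and 7-day thresholds are constructed values to adjust to local policy.

```powershell
# Added audit script (not from the article). Run in an elevated PowerShell
# session on the cafe's management host; prints one line per finding.
$findings = @()

# 1. Enabled local accounts that do not require a password: the exact condition
#    the article warns about, since IPC$ / admin-share logons then need no secret.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object { $findings += "Enabled account '$($_.Name)' requires no password" }

# 2. LimitBlankPasswordUse = 1 refuses network logons (IPC$, RDP) for accounts
#    with blank passwords; 0 allows them. A missing value means the default (1).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.LimitBlankPasswordUse -eq 0) {
    $findings += "LimitBlankPasswordUse is 0: blank passwords are accepted over the network"
}

# 3. Firewall profiles that are switched off.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $findings += "Firewall profile '$($_.Name)' is disabled" }

# 4. Patch age: flag the host if the newest installed hotfix is older than
#    60 days (constructed threshold).
$newest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $newest -or $newest.InstalledOn -lt (Get-Date).AddDays(-60)) {
    $findings += "No hotfix installed in the last 60 days (newest: $($newest.InstalledOn))"
}

# 5. Antivirus state via Microsoft Defender (skipped if the module is absent).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
    if ($mp.AntivirusSignatureAge -gt 7) { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old" }
}

if ($findings.Count -eq 0) { "No findings: host meets the basic checklist" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps directly to one item of the checklist above, so an administrator can work through them in order and re-run the script to confirm the host is clean.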

Quoting hacker Lan Xuanxingkun's understanding of network security management: "As long as you make a 1% effort, you can leave 99% of intruders helpless." (The characters in the article are pseudonyms.)