深圳市一博科技有限公司 is hiring a senior IT engineer, salary 8k-10k


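Requirements: (urgent hire!)
1. Degree in computer management or a related field, junior college or above, with some experience managing in-house software development.
2. Experience developing and maintaining Onlinebox, Lotus and SAP B1 is required; the work is mainly Onlinebox development and application.
3. Candidates who also have experience developing web pages or e-commerce platform software are preferred.
4. Positive attitude, proactive service mindset, strong sense of responsibility, well organized with strong execution.
5. Good at thinking, spotting problems and proposing effective solutions; strong teamwork, interpersonal communication and learning ability.

Work address:
Room 12H, Konka R&D Building, Science and Technology Park, Nanshan District, Shenzhen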


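A company should keep its production systems effectively isolated from development and test systems, to ensure that production systems run securely and stably.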


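To guard against intentional and unintentional insider leaks, we drew up security and confidentiality rules in line with the classified protection policy, deployed a data loss prevention system, and strengthened training in information security awareness and confidentiality awareness for employees.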


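深圳市智创动力科技有限公司 is hiring a mid-level Java development engineer, salary 10k-15k

Responsibilities:
1. Take part in system design and write technical documentation.
2. Independently develop system functional modules.
3. Be responsible for developing J2EE projects.
Requirements:
1. Solid grounding in Java fundamentals.
2. Familiar with mainstream open-source frameworks such as spring mvc.
3. Familiar with web service frameworks; experience developing service interfaces is preferred.
4. Familiar with the ORACLE database, SQL and PL/SQL.
5. Familiar with Linux; ability to write shell scripts is preferred.
6. Familiar with mainstream JS frameworks and front-end technologies (html, css, javascript, easyui).
7. Familiar with eclipse and version control tools.
8. Experience developing open-source ERP systems is preferred.
9. Proficient in object-oriented analysis, design and development.
10. Meticulous at work, a team player, with good communication skills.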


Work address:
Room 1905, VIA Technologies Building, High-Tech Industrial Park, Nanshan District


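深圳开普特企业管理顾问有限公司 is hiring a headhunting partner (finance and Internet), salary 10k-15k

Partner (Internet and finance industries)
[Responsibilities]
1. Responsible for project management, project operations and client relations for the company's finance and Internet teams.
2. Responsible for team management of the team's staff, including training, development and performance.
[Requirements]
1. Bachelor's degree or above, with more than 3 years of relevant experience in recruitment, sales, marketing or technical management in the Internet industry, or more than 2 years of headhunting experience in Internet or finance;
2. Enjoys challenging work and intends to build a long-term career in headhunting;
3. Good communication and presentation skills, team spirit, and a positive, upbeat attitude.
Clients: large financial groups (Shenzhen, Shanghai, Beijing and elsewhere), large listed Internet companies (Shenzhen, Hangzhou, Shanghai, Beijing and elsewhere), Internet finance institutions, start-up Internet platforms and others.
Candidate annual salary: positions paying 500,000 to 2,000,000 and above make up more than 80% of all projects.
[What the company offers]
* A challenging and competitive salary and benefits package and a partnership scheme;
* Work-life balance, and the challenge and passion that the profession brings;
* Smart and friendly colleagues, and the joy of professional growth;
* Systematic training and learning opportunities that rapidly improve your professional skills;
* Conversations with top talent from many well-known companies, which improve your communication skills and let you see first-hand the life paths and wisdom of successful people.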


易拓集团公司 (深圳市易拓迈克科技有限公司) is hiring a high-end Bluetooth speaker electronics development engineer, salary 4k-5k


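1. Any gender, aged 24-30, university degree in electronics, communications, consumer applied electronics or a related field;
2. More than 3 years of hardware development experience with Bluetooth speakers, WIFI speakers and similar products; more than two years of experience with CSR or ISSC chips is preferred;
3. Proficient with layout software such as PADS, PROTEL and power PCB; skilled at laying out two-layer boards, with experience in four-layer and multilayer boards;
4. Familiar with the test standards and certification standards for Bluetooth speaker products, with a deep understanding of the Bluetooth speaker development process;
5. Experienced in acoustic tuning, and able to use acoustics to make sound recommendations on product structure and speaker drivers;
6. Familiar with hardware development principles and processes, able to complete new product development tasks on time, with good communication and teamwork skills;
7. Able to read technical documentation in English.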


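Hacker Techniques: Algorithms

Reposted from: 五色花
I once read a book called “从零开始学破解” (Learning Cracking from Scratch), which uses a CrackMe program. I found that the program's registration algorithm is very simple and well suited as practice for beginners in cracking, so I wrote this article to share with everyone, and I hope everyone makes a technical breakthrough in the new term.
First, run the program and try entering a user name and registration code; the error message “u fuckin noob!” pops up. Checking for a packer with PEID shows that the program was written in “Borland Delphi 4.0-5.0” and is not packed.
Load it directly into OD (OllyDbg) and search the referenced strings to find the error message “u fuckin noob!”. Double-clicking it takes us to 00447F65, and looking upward from there we can see the success message. Further up is the start of this routine, “00447EB0 |.55 PUSH EBP”. Press F2 to set a breakpoint there, then press F9 to run the program; after an arbitrary user name and registration code are entered, the program breaks. Let's look at this code:
This section processes the user name we entered. It is a loop: it first reads the user name and writes it to another location. If the length of the written value is less than 6, it goes back, reads the user name again and appends it to the value already written, then checks again whether the length of the written value is less than 6. If it is still shorter, it jumps back and continues until the length is no less than 6. For example, if I enter the user name ab, the program turns it into ababab. Now let's look at the following code: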
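This section computes the registration code. From it we can see that whatever the length of the user name, the registration code is always 6 characters long. The program adds 5 to the ASCII value of each of the first 6 characters of the user name in turn, and the result is the registration code we want. Continue stepping to see what happens next: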
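As can be seen, the program compares against the code in plaintext. This is a very classic registration check that many programs use, and it lets us trace out the registration code directly. The check can be patched at 00447F36: the JNZ can be changed to JZ or NOPed out, so that a fake registration code still produces the registration-success message.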


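Finally, let me summarize. The program computes the registration code from the user name entered. If the user name is shorter than 6 characters, the program repeats it until it is no shorter than 6 characters: ab becomes ababab, and abc becomes abcabc. If the result is longer than 6 characters, only the first 6 count; for example, abc12 becomes abc12abc12 and only the first 6 characters are used. Each of the first 6 characters is then converted to its ASCII code, the addition is applied, and the resulting values are converted back to characters. The registration code is therefore always 6 characters long, and each user name corresponds to one registration code; of course, user names that share the same first 6 characters also share the same registration code. For example, abc123 and abc1234 both correspond to the registration code fgh678. We can use a cracking helper calculator to work out the real registration code. Enter the registration name ab123 and the registration code 123456; the calculation converts each of the 6 characters to its ASCII value, adds 5 to each, and converts the results back to characters, which gives the registration code.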


So the registration code is fg678f. Now let's write the keygen. I used Borland Delphi, and the keygen code is as follows:


As I have not studied this subject much, the article inevitably has many shortcomings, and I hope readers will point them out.

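Managing the data security of information systems is not complicated in itself, and the business processes involved are clear and simple. But constraining how an enterprise's business staff handle information cannot be achieved without explicit rules.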


Management and adjustment of information security environment

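With the rapid development of China's economy, corporate office work and daily life can no longer do without the Internet. However, some employees have weak awareness of the enterprise's network information security environment and go online, chat and work inside the enterprise however they please. After former CIA employee Edward Snowden disclosed the “PRISM” surveillance program in 2013, awareness of the network information security environment in China rose to a new level at the national, enterprise and individual levels alike, and all actively strengthened their own information security environment to withstand illegal external eavesdropping and attacks.
The information system security of China Resources Power Jiangsu Branch (华润电力江苏分公司, hereafter “Jiangsu Company”) takes classified protection (等级保护) as its core idea in building a sound information security assurance system. Through the classified protection build-out, the company comprehensively identified the deficiencies and gaps of its business systems at both the technical and the management level of information security, drew fully on domestic information security practice and mature theoretical models, designed reasonable security management measures and technical measures, and through implementation established an information security assurance system that meets internal needs and external regulation. In accordance with national classified protection policy and technical standards, Jiangsu Company carried out the architecture design, governance and adjustment of its information security environment and achieved good results.
Current enterprise information security architecture and its shortcomings
Analysis of the existing architecture
Jiangsu Company's network uses a two-tier architecture of core layer and access layer. The Cisco6509 is the core device of the whole network, with 16 service switches connected beneath it; all inter-switch links are gigabit links except those of the Cisco2960-s-18 device.
Four cisco 2960 (14-15) devices are deployed on the 25th floor for the departments on that floor; the remaining devices are deployed in the machine room on the 33rd floor for the other departments. The cisco 3560 mainly connects the server systems (portal e-commerce system, OA system, human resources system, materials system, joint reserve (联储) system, finance system, project management system, fuel system and so on), and the 2960 beneath the 3560 connects servers (DNS server, examination system server). The details are shown in the figure below:
Analysis of security problems
As the figure above shows, the company has VPN equipment and technology, which provides integrity protection and confidentiality protection for data transmitted over the communication network. However, the company lacks communication network security auditing; that is, there is no audit logging of the operating status of network security devices, network traffic, user behaviour and so on.
The company has some malicious code protection and intrusion prevention capability, but it lacks a complete network structure and access control capability, and it also lacks security auditing of its boundary security devices.
The company lacks identity authentication for host and application security, and it lacks labelling of subjects and objects and the definition and enforcement of mandatory access control rules. Full auditing of users across the network, hosts and applications is needed to ensure the integrity and confidentiality protection of system data and the protection of trusted program execution.
In its management structure, the company lacks a clearly defined information security management organization and has not defined the specific responsibilities of information security posts. In its management rules, it has not established clear information security principles, guidelines or an overall strategy, and it lacks a security management framework. In terms of information security personnel, it has not clearly established the three designated information security officer roles and has not defined information security related management of staff assessment, onboarding and departure. The company's existing rules cover a small part of information security management for system construction and system operation and maintenance; they still need to be supplemented within an overall framework and refined further at the operational level.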
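Governance and adjustment of the information security architecture
Following the analysis above, the company's information security environment is designed around the division into security domains. On that basis, domains are securely isolated from one another, and each domain is also hardened internally, so that illegal attacks from neither inside nor outside the domain can break the domain's security design. In addition, security policy achieves information system security at the logical and abstract level, and is another major means alongside hardware-based measures.
The network is divided into four security domains: the core access domain, the security management domain, the terminal access domain and the application management domain. This makes boundaries and security management clear, plain and structured.
Firewalls are placed at the boundary of each domain to implement zoning, security management and control at the hardware level.
A large number of security control, inspection and defence devices are added: intrusion detection devices, firewalls, antivirus gateways, web layer-7 firewalls, Internet behaviour management devices, threat discovery devices, comprehensive audit devices and bastion hosts.
This makes it easy for the network security management domain to manage the whole network and detect network faults promptly. Network management software, a security management platform, a Barracuda anti-spam gateway, log audit software and terminal management software are installed on the security management servers to handle network and information security control.
So that the information security system can be traced effectively after a fault or an attack, accurate and consistent time becomes very important; all after-the-fact tracking and analysis depends on accurate time.
Secure data transmission is an important part of the information system security environment. VPN-based encrypted transmission effectively guarantees source authentication, confidentiality and integrity of data. Important internal enterprise data is encrypted and decrypted in transit with the VPN's keys, so man-in-the-middle attacks and data theft are not feasible. The use of VPN therefore effectively solves the security of internal enterprise data transmission, and VPN is more cost-effective than a leased line. Under the architecture, access, data transmission and data backup between the branch company and each project company all go through VPN; data exchange with the Shenzhen holding company headquarters also goes through a dedicated VPN.
For wireless networks, the security of wireless access and of the wireless AP devices themselves has always been a focus of the wireless information security environment. The company builds its wireless LAN using an AC (access controller) with centralized control, centralized monitoring and centralized policy distribution. The advantage of this model is that when an AP device is stolen and leaves this wireless environment, the configuration on the AP is automatically deleted within a certain time, which ensures that others cannot brute-force the wireless AP.
Building the enterprise information security environment
Information system security guarantees the service quality of the information system. The network and host security system should be integrated into the information network service system; its construction and maintenance should be consistent with the construction and maintenance of the information network's host systems and follow a systematic security process. A network security process is a set of standardized rules and a series of process assurance measures that apply systems engineering to building and maintaining the network security system.
Information security systems engineering should be closely tied to the characteristics of the system being built, with the engineering stages kept in step with the system life cycle; the life cycle of the security system is much the same. The typical basic stages of security systems engineering include information system security requirements analysis, security system design, security system construction, security system certification, secure operation and maintenance of the system, and security system upgrade.
Secure Internet access: employees work online, look up information, send and receive e-mail and contact outside parties for business, all through the Internet, and this exchange of information happens continuously, at any time and in any place. For the enterprise, the security of the point where the internal LAN connects to the external Internet is therefore very important. Securing this node through firewall policy control and NAT policy mapping is a strong guarantee for the information security environment.
Intrusion prevention system: system security is provided by an IPS. The enterprise deploys an intrusion prevention system at the egress where Internet traffic converges. It monitors security events on the internal network in real time so that administrators can respond promptly, it records internal users' access to the Internet so that managers can audit whether the Internet access platform is being abused, and it can also withstand common intrusion attacks.
Antivirus system: the enterprise's antivirus system consists of the antivirus gateway at the network egress and the antivirus software on each internal server and terminal, which together form a solid defensive wall against malicious code and similar threats.
Web layer-7 application defence system: the enterprise must deploy a web layer-7 firewall at the egress. This device can defend against and warn of the great majority of common web attacks on the network, such as http, https and embedded attacks. Administrators should update the WAF's virus database promptly.
Internet behaviour monitoring and control system: the enterprise deploys Internet behaviour audit devices in the Internet zone to supervise and control how internal staff use the Internet at work. Employee access to websites that the enterprise defines as illegal or non-business is blocked; administrators can also impose overall limits on certain download software in order to protect video conferencing and shared network speed.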


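VPN encryption system: the enterprise can set up a virtual private network (VPN), mainly so that mobile employees can reach the OA system on the internal network over the Internet, and so that internal users have an encrypted VPN connection when accessing the internal business systems of the head office and branch companies.
Regular security hardening: administrators should regularly use vulnerability scanning devices and application monitoring devices to run penetration tests against network devices and hosts, so that vulnerabilities inside the information system are found and remedied promptly. On hosts and applications, unneeded protocols and ports should be closed, and accounts that have not been used for a long time and shared accounts should be deleted.
After-the-fact audit and tracing: the enterprise deploys audit devices and log collection devices and links them with a time synchronization device, forming an environment in which information security events can be traced. Attacks and intrusions that have already occurred, as well as unauthorized operations by personnel, can then be tracked effectively.
Personnel information security management rules: the enterprise needs to draw up information security management rules that govern how personnel use the Internet, operate systems, and install and uninstall software. It should also establish an effective emergency response procedure to deal with the impact of unexpected incidents on the enterprise.
System backup: the enterprise should define a backup strategy and back up important data regularly.
From a practical standpoint, it is imperative to take stock of the existing information security environment, learn from current leading information security technology, and, under the guidance of national laws, regulations and policies, establish a network architecture and personnel management rules for an information security environment suited to Jiangsu Company.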

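Tragedies of leaks on Weibo will keep happening. Most people who leak information do not mean to harm their organization's interests; they simply lack security awareness and do not know where to draw the line. So we need to strengthen employees' confidentiality awareness through security awareness training that is easy to understand.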


Criminal protection of citizens’ personal information security in the era of big data

Based on Article 17 of Amendment (IX) to the Criminal Law
Chen Jianhua: researcher at the Collaborative Innovation Center for Rule-of-Law Hunan Construction and Regional Social Governance; doctoral candidate at the School of Law, Xiangtan University; deputy director of the Research Office of the Chenzhou Intermediate People's Court, Hunan Province; judge.
[Abstract] In the era of big data, the security of citizens' personal information is receiving ever wider public attention. However, Amendment (IX) to the Criminal Law shows both legislative progress and loopholes, and the security of citizens' personal information is not well protected by criminal law. An examination of judicial practice finds that the concept of “citizens' personal information” is hard to define, and that judicial determinations of the “object of the crime” and of “serious circumstances” in the crime of infringing citizens' personal information are inconsistent. These problems urgently need to be remedied by defining the concept of “citizens' personal information” and by clarifying the “object of the crime” and the “serious circumstances” of the crime of infringing citizens' personal information.
[Keywords] era of big data; Amendment (IX) to the Criminal Law; security of citizens' personal information
Introduction
“In the era of big data, information spreads so fast, so widely and in so many ways.” [Yao Hui and Zhang Xuan, “Constructing a diversified legal system for personal information protection: an analysis against the background of the big data era”, 判解研究, 2015, No. 3, p. 1.] In today's era of big data, personal information security has become a focus of wide public attention in China. Illegal disclosure and use of citizens' personal information occurs from time to time, which challenges and seriously threatens citizens' personal safety, property security and privacy. Pursuing criminal liability for such conduct where the circumstances are serious has become an important task of criminal law today. It answers the need to protect citizens' personal information security in the era of big data, and it shows criminal law's orientation toward people's livelihood and the actual needs of society. To this end, Article 17 of Amendment (IX) to the Criminal Law, which formally took effect on November 1, 2015, further improved the relevant provisions on the basis of Article 7 of Amendment (VII) to the Criminal Law, so that personal information is better protected by criminal law. However, because some problems remain in the provision, citizens' personal information security still does not receive truly effective and comprehensive criminal law protection in judicial practice, which calls for discussion and reflection.
I. The focus of public concern: in the era of big data, personal information security faces multiple crises
(1) Crisis one: the channels through which personal information leaks are impossible to guard against
In the era of big data, data is valuable wealth with economic benefit and can be traded. However, some lawbreakers use big data trading as a cover and, through various channels, cause citizens' personal information to leak. Scholars who studied the crime of illegally stealing citizens' personal information found that it has five main channels: first, buying and trading citizens' personal information online; second, publishing false advertisements to trick job seekers out of their personal information; third, using one's position to copy the company's customer records without authorization; fourth, units or individuals holding citizens' personal information reselling it without authorization; fifth, obtaining citizens' personal information by other illegal means. In March 2016, 30 consumer rights organizations across the country jointly released the Survey Report on the State of Personal Information Protection in the Era of Big Data. [To understand consumers' views and opinions on the collection of personal information and the use of big data, and consumers' expectations for personal information protection, in 2016 the consumer associations (consumer councils, consumer protection committees) of 29 provinces and cities, namely Liaoning, Beijing, Tianjin, Shanghai, Chongqing, Hebei, Jilin, Anhui, Jiangxi, Shandong, Henan, Hubei, Guangdong, Guangxi, Harbin, Changchun, Shenyang, Jinan, Nanjing, Hangzhou, Guangzhou, Wuhan, Chengdu, Xi'an, Dalian, Qingdao, Ningbo, Xiamen and Shenzhen, together with 中国消费者报社 (China Consumer News), 30 consumer rights organizations in total, carried out the online survey and released the Survey Report on the State of Personal Information Protection in the Era of Big Data. The survey data was collected online by 中国消费网 (http://www.ccn.com.cn) and 安全联盟 (http://www.anquan.org/).] The report shows that, in the survey of channels through which personal information leaks, websites, including e-commerce platforms, search engines and portals, were considered the most likely to leak personal information, at 14%. Next were apps on personal information terminals such as mobile phones, PADs, smart watches and fitness bands, at 13%. Third were the automotive industry, such as 4S dealerships, and telecommunications service providers, both reaching 12%. Fourth were communication software such as e-mail, WeChat and QQ and the real estate industry, including property developers and rental agencies, at 11%. Fifth were courier companies, at 9%. Sixth was banking and insurance, at 8%. Seventh were public services such as health care, education and electricity, water and gas supply, at about 5%. Other industries were named by 3%, and the fewest named airlines, including air ticket agents and train ticket agents, and administrative organs, at about 1% each (see Figure 1).
(2) Crisis two: personal information security is frequently infringed
“With the arrival of the era of big data, the risk of user data leaking will increase further. If network service providers do not put technical safeguards in place and fail to fulfil their duty to warn, so that users have no awareness of the need for precaution before a data leak and do not know about it afterwards, users will suffer major losses.” In recent years, with the arrival of the era of big data, illegal disclosure and use of citizens' personal information has occurred from time to time, seriously threatening citizens' personal safety, property security and privacy. According to relevant statistics, in the second half of 2013 about 438 million Internet users experienced personal information security problems, 75.0% of all Internet users. According to reports, on December 25, 2014, the 12306 user data leak broke out, and sensitive personal information of as many as 130,000 users, including accounts, plaintext passwords, ID card numbers and mobile phone numbers, spread online. On April 22, 2015, news media reported that the social security systems, household registration query systems and other systems of more than 30 provinces and cities had numerous vulnerabilities. The Survey Report on the Protection of Chinese Internet Users' Rights and Interests (2015), released by the Internet Society of China, shows that over the past year Chinese Internet users lost a total of about 80.5 billion yuan to information leaks, fraudulent messages and the like.
(3) Crisis three: crimes committed using other people's information keep occurring
Against the background of the era of big data, “a very important reason why the sale and illegal acquisition of citizens' personal information has become increasingly rampant is that there is a huge market demand. Some companies and individuals, for profit and other purposes, collect citizens' personal information on a large scale by theft, bribery and other means, which has fuelled the leakage of citizens' personal information and is seriously harmful to society.” In modern society, with the continuous development of information technology and especially the arrival of the era of big data, personal information is increasingly valued as an important social resource. Because personal information has certain attributes of property, cases of collecting and using other people's information by various illegal means for profit are everywhere. Such conduct not only harms the rights of the information subject but also seriously threatens social order and the public interest. According to the results of the Ministry of Public Security's 2012 special campaign against crimes infringing personal information, the campaign broke up nearly 1,000 gangs, arrested more than 4,000 suspects, seized as many as 5 billion items of citizens' personal information, and uncovered more than ten thousand downstream crimes. According to scholars' statistics, in 2015 the courts of City B concluded 138 first-instance cases of the crime of illegally obtaining citizens' personal information, nearly 200 people were sentenced, and more than ten million items of personal information were leaked.
II. The current state of criminal law protection: a legislative review of Criminal Law Amendment (IX)
The main provisions of Article 17 of Criminal Law Amendment (IX) on protecting the security of citizens' personal information are as follows. First, Article 253-1 of the Criminal Law is amended to read: "Whoever, in violation of relevant state provisions, sells or provides citizens' personal information to others, where the circumstances are serious, shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and shall also, or shall only, be fined; where the circumstances are especially serious, the offender shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years and shall also be fined." Second: "Whoever, in violation of relevant state provisions, sells or provides to others citizens' personal information obtained in the course of performing duties or providing services shall be given a heavier punishment in accordance with the provisions of the preceding paragraph." "Whoever steals or otherwise illegally obtains citizens' personal information shall be punished in accordance with the provisions of the first paragraph." "Where a unit commits a crime under the preceding three paragraphs, the unit shall be fined, and the persons directly in charge and other directly responsible persons shall be punished in accordance with the provisions of the respective paragraphs."
(1) The side that shows progress: Criminal Law Amendment (IX), on which the public placed high hopes
1. It expands the scope of the object of the crime. With regard to the object of the crime, Criminal Law Amendment (IX) deletes the limitation in Criminal Law Amendment (VII) to the fields of "state organs or finance, telecommunications, transportation, education, medical care, etc." and no longer requires it. At the same time, for the act of illegally obtaining citizens' personal information, the wording of Criminal Law Amendment (VII), which referred to citizens' personal information obtained by the aforementioned types of units in the course of performing duties or providing services, has been changed to "citizens' personal information".
2. It expands the scope of the subject of the crime. With regard to the subject of the crime, Criminal Law Amendment (IX) deletes the subject named in Criminal Law Amendment (VII), "state organs or units in finance, telecommunications, transportation, education, medical care, etc.", and no longer restricts it. It also provides that anyone who goes on to sell or provide to others citizens' personal information obtained in the course of performing duties or providing services shall be given a heavier punishment. As one scholar puts it, "By expanding the subject of the crime of infringing citizens' personal information from a special subject to a general subject, Criminal Law Amendment (IX) has taken a major step forward in the criminal law protection of citizens' personal information."
3. It lowers the threshold for criminalization. Criminal Law Amendment (IX) changes "in violation of state provisions" in Criminal Law Amendment (VII) to "in violation of relevant state provisions".
4. It increases the severity of punishment. As to custodial penalties, Criminal Law Amendment (IX) adjusts "fixed-term imprisonment of not more than three years or criminal detention" in Criminal Law Amendment (VII) to "fixed-term imprisonment of not less than three years but not more than seven years". As to property penalties, it adjusts "and shall also, or shall only, be fined" in Criminal Law Amendment (VII) to "and shall also be fined". "While retaining the original sentencing range, Criminal Law Amendment (IX) adds a sentencing range of three to seven years, and it makes clear that special subjects who sell or provide citizens' personal information to others are to be punished more heavily. It no longer follows the original provision, which imposed the same statutory penalty on special and general subjects who infringe citizens' personal information, so the statutory penalties for the crime of infringing citizens' personal information are better differentiated and more reasonable."
(2) The other side, where gaps remain: an analysis of the problems in Criminal Law Amendment (IX)
1. A definition of citizens' personal information is still missing. Defining citizens' personal information is very necessary. As Professor Pi Yong has said, "This definition is of great significance. It not only directly affects whether the offence is reasonably framed but also has a major impact on the country's informatization, and it should be studied in depth." Yet Criminal Law Amendment (IX) still lacks one.
2. "Serious circumstances" remains vaguely worded. Criminal Law Amendment (IX) continues to use the term "serious circumstances" but does not specify which situations amount to "serious circumstances".
3. The provision is improperly placed within the Criminal Code. The maximum penalty that Criminal Law Amendment (IX) prescribes for crimes infringing citizens' personal information is "fixed-term imprisonment of not less than three years but not more than seven years, and a fine." Compared with the other offences in Chapter IV of the Criminal Law, crimes infringing citizens' personal rights and democratic rights, however, this creates an imbalance of penalties, because the maximum term of seven years' fixed-term imprisonment exceeds the three-year maximum for the crimes of illegal detention, insult, defamation, illegal search, illegal intrusion into a residence, extorting confessions by torture, and infringing freedom of correspondence.
III. The predicament in judicial practice: the main problems in applying Criminal Law Amendment (IX)


The author searched China Judgments Online for judgments in cases of illegally obtaining citizens' personal information and analyzed them statistically, and found the following three main problems in how courts convict and sentence for this offence:
(1) Problem one: the concept of "citizens' personal information" has not yet been settled
The noted legal philosopher Edgar Bodenheimer wrote: "Concepts are necessary and indispensable tools for solving legal problems. Without strictly defined technical concepts, we cannot think clearly and rationally about legal questions." A major difficulty that has long troubled judicial practitioners is that the concept of "citizens' personal information" has not been settled. This difficulty seriously constrains the judicial application of Criminal Law Amendment (IX). How, then, do practitioners understand the concept of citizens' personal information? To gauge this correctly, the author interviewed judges who hear criminal cases in City C, Province H, in central China, discussing with them the question of "the concept of citizens' personal information", and has summarized and organized their views:


Table 1 shows that judges understand and express the concept of "citizens' personal information" differently. This in fact stems from debate among theorists. At present there are four theories in criminal law scholarship on how to define "citizens' personal information": the first is the privacy theory, the second the identification theory, the third the compromise theory, and the fourth the tranquility-of-private-life theory. The first view either draws on the wording of US privacy law, or equates the concept of personal information with personal privacy, holding that safeguarding the right to privacy is the main purpose and logical premise of protecting citizens' personal information, so that anything a citizen is unwilling to disclose, that is unrelated to the public interest and that relates to the individual is citizens' personal information; [Zhou Hanhua (ed.), Personal Information Protection Law of the People's Republic of China (Expert Proposal Draft) and Legislative Research Report, Law Press, 2006, p. 48.] or it treats privacy as the core of citizens' personal information, holding that any information reflecting to some degree a citizen's identity, privacy or property status is citizens' personal information, whereas information that does not reflect a citizen's privacy should not be treated as an object of the crime. [Fu Qiang, "Determining the crime of illegally obtaining citizens' personal information", Journal of National Prosecutors College, 2014, No. 2.]
The second view draws on the EU's identification model, holding that the essential attribute of citizens' personal information is identifiability, and further proposes that any information relating to a natural person that, alone or in combination with other information, can identify a specific individual is citizens' personal information. [Fang Yu and Zhang Yanlong, "A study of the object of the crime of illegally obtaining citizens' personal information: also on the application of Article 7 of Criminal Law Amendment (VII)", in Wan Exiang (ed.), Research on Building a Fair and Just Society and the Application of Criminal Law: Award-Winning Papers of the 24th National Courts Academic Symposium, People's Court Press, 2012, p. 1345.] The third view is a compromise between the two above: it enumerates citizens' personal information in an attempt to exhaust all its content, covering a natural person's name, sex, date of birth, home address, identity card number, contact details, marital status, occupation, educational background, fingerprints, medical records, asset status and other items that, alone or combined with other data, can identify the person. [Jing Huibao and Chang Xiujiao, "Defining the concept of personal information", Application of Law, 2011, No. 3, pp. 35-36.] The fourth view holds that citizens' personal information means all information that concerns the sphere of private life and whose leakage could threaten the tranquility of private life, such as a citizen's name, age, valid identity document number, marital status, employer, educational background, résumé, home address and telephone number. [Hu Sheng, "The object of the crime of infringing citizens' personal information", People's Judicature (Application), 2015, No. 7, p. 41.]
(2) Problem two: inconsistent judicial determination of the object of the crime, "citizens' personal information"
For any crime, identifying the object of the crime is the first problem that must be solved. [Wu Sheng, "Criminal law protection of citizens' personal information should be more comprehensive", Procuratorial Daily, 15 September 2008, p. 3.] Likewise, identifying the object of crimes against the security of citizens' personal information is a precondition for combating them. The author searched China Judgments Online and statistically analyzed 91 cases of illegally obtaining citizens' personal information concluded after 1 November 2015 by courts at all four levels nationwide, and found that the people's courts are inconsistent in determining the object of this offence, as shown in Table 2:
As Table 2 shows, what the courts treat as citizens' personal information varies widely. By type, the infringed information is mainly residence information, consumption information, communications information, vehicle owner information and so on. By combination of content, the simple cases combine name, telephone number and home address, and the complex ones combine name, telephone number, home address, consumption records, sex and so on. It follows that, at the legislative level, we cannot tell whether the citizens' personal information recognized by these courts is an object of this offence, or which personal information is, and the courts have no uniform yardstick in applying the law. In these circumstances, how to determine the "object of the crime" accurately engages the principle that crimes and punishments must be prescribed by law. As Professor Zhao Bingzhi argues, "Vagueness in the description of an offence not only leaves judicial organs at a loss when exercising discretion in specific cases, but may also lead to unchecked judicial discretion, and thus ultimately runs counter to the purpose of the principle of legality, which is to limit power and safeguard human rights." [Zhao Bingzhi, Monograph on Issues in the General Part of Criminal Law, Law Press, 2004, p. 125.] The judicial determination of the "object of the crime" therefore needs to be unified.
(3) Problem three: inconsistent judicial determination of "serious circumstances"
"Serious circumstances" is an objective constitutive element of crimes infringing citizens' personal information and one of the important criteria for distinguishing crime from non-crime. However, because Criminal Law Amendment (IX) still adopts the legislative model of a circumstance-based offence and does not state the element clearly, it flexibly avoided debate at the legislative stage but has made the standard for "serious circumstances" hard to apply reasonably in judicial practice. The author searched China Judgments Online and statistically analyzed cases of "the crime of illegally obtaining citizens' personal information" concluded after 1 November 2015 by courts at all four levels nationwide, and found that the people's courts are inconsistent in determining serious circumstances for this offence. Three cases illustrate the point:
Case one: Jiang, an employee of a technology company, discovered in the course of his duties that his company's test system had a mobile phone location function. He used the system to provide Peng with other people's mobile phone location information and illegally profited by RMB 169,300. The people's court held that Jiang had committed the crime of selling citizens' personal information. [See Criminal Judgment (2015) Hang Bin Xing Chu Zi No. 169 of the People's Court of Binjiang District, Hangzhou, Zhejiang Province.]
Case two: From June 2013 to January 2015, the defendant Li, seeking illegal profit, ran a "private detective" business. The defendant successively accepted commissions from Wang, Wu, Chen, Yuan and others to investigate other people's extramarital affairs, personal whereabouts and similar information, and illegally obtained more than 100 items of other people's information by illegal means such as installing tracking devices and sending people to follow them, illegally profiting by more than RMB 200,000. The people's court held that Jiang had committed the crime of selling citizens' personal information. [See Criminal Judgment (2016) Su 0505 Xing Chu Zi of the People's Court of Huqiu District, Suzhou, Jiangsu Province.]
Case three: From February 2014, the defendant Xiang illegally obtained through QQ a large quantity of citizens' personal information relating to silver trading, gift trading and the like, and stored it on a computer for the defendant's own personal use, more than 170,000 items in total. The people's court held that Jiang had committed the crime of selling citizens' personal information. [See Criminal Judgment (2016) Hu 0114 Xing Chu Zi No. 185 of the People's Court of Jiading District, Shanghai.]
As these three cases show, the courts apply different standards in determining "serious circumstances" for "the crime of illegally obtaining citizens' personal information". Overall, in cases involving crimes that infringe citizens' personal information, the people's courts use two main criteria to find "serious circumstances": one is the "quantity of information" and the other is the "amount of profit". However, the author's survey of 268 criminal judgments for "the crime of illegally obtaining citizens' personal information" found that different courts rely on different quantities. By the quantity-of-information criterion, the quantity of illegally obtained information found to constitute "serious circumstances" ranges from 12 items of personal information to more than 10 million items. By the amount-of-profit criterion, the amount found to constitute "serious circumstances" ranges from RMB 1,000 to RMB 500,000. Both the "quantity of information" and the "amount of profit" thus vary enormously. As one scholar puts it, "With differences this great, how far the two indicators, 'quantity of illegally obtained information' and 'amount of illegal profit', can serve to establish 'serious circumstances' is undoubtedly a question that cannot be ignored." [Liao Yuyi, "A study of determining 'serious circumstances' in crimes infringing citizens' personal information", Application of Law, 2016, No. 2, p. 112.] Courts also differ in their understanding of how the other constituent elements of these crimes (selling, illegally providing, stealing, purchasing and so on) affect the finding of "serious circumstances". In addition, as to how the attributes of the information affect the finding of "serious circumstances", courts in different regions apply different specific standards; for example, courts hold differing views on infringement of citizens' personal information held by state organs.
IV. Thinking our way out of the predicament: improving criminal law protection of personal information security in China
How to better protect the security of citizens' personal information calls for urgent thought about ways out of this predicament. To that end, the author proposes the following three countermeasures, for reference only.
(1) Countermeasure one: define the concept of "citizens' personal information"


In criminal law protection, "citizens' personal information" is a crucial concept, and defining it is especially important. In the author's view, the fourth theory above, the tranquility-of-private-life theory, is the more scientific and reasonable. This is because the citizens' personal information it covers includes personal privacy but is not limited to it. It also includes some information that can identify an individual and some that cannot. Under the tranquility-of-private-life theory, citizens' personal information means all information that concerns the sphere of private life and whose leakage could threaten the tranquility of private life, such as a citizen's name, age, valid identity document number, marital status, employer, educational background, résumé, home address and telephone number. [Hu Sheng, "The object of the crime of infringing citizens' personal information", People's Judicature (Application), 2015, No. 7, p. 41.] This theory has also been accepted by scholars among practitioners. On how to define "citizens' personal information", Judge Guo Jie holds that "it is best to adopt an open-ended provision, that is, a definition plus enumeration, which ensures that criminal law renews itself as social reality evolves without encompassing all public or semi-public information, and which, in line with the original meaning of the legislation or the original purpose of protecting legal interests, excludes objects that do not have value and significance for criminal law protection." [Guo Jie, "On criminal law protection of personal information security in China: also on Article 7 of Criminal Law Amendment (VII)", in He Rong (ed.), Proceedings of the National Academic Symposium on Legal Interests, People's Court Press, 2015, p. 268.]
Moreover, the "personal information" at issue in crimes infringing citizens' personal information differs from "personal information" in the ordinary sense and should have two characteristics: first, subjectively, the citizen does not want outsiders to know it; second, objectively, it has a certain value worth legal protection, such that its leakage could lead to harm. For example, personal information such as an official's property holdings, vehicles and family members' employment does not fall within the "citizens' personal information" meant by this offence.
(2) Countermeasure two: delimit the main content of the object of the crime, "citizens' personal information"
The scope of personal information is very broad. In the author's view, delimiting commonly used personal information, that is, accurately delimiting "the object of the crime: citizens' personal information", is an important link in current judicial practice. As practitioner experts put it, "How to accurately determine citizens' personal information in judicial practice is our ultimate goal." [Fang Yu and Zhang Yanlong, "A study of the object of the crime of illegally obtaining citizens' personal information: also on the application of Article 7 of Criminal Law Amendment (VII)", in He Rong (ed.), Proceedings of the 27th National Courts Academic Symposium, People's Court Press, 2015, p. 289.] It is therefore very necessary to delimit the "object of the crime" accurately. In 2013 the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security, in their Notice on Punishing Criminal Activities Infringing Citizens' Personal Information in Accordance with the Law, made an exploratory attempt to delimit the "object of the crime". The Notice states that citizens' personal information includes information and data that can identify a citizen or that involve a citizen's personal privacy, such as name, age, valid identity document number, marital status, employer, educational background, résumé, home address and telephone number. [See the text of the Notice on Punishing Criminal Activities Infringing Citizens' Personal Information in Accordance with the Law issued by the Supreme People's Court, the Supreme People's Procuratorate and the Ministry of Public Security.] Some scholars question this wording, holding that "the Notice does not clarify the definition of citizens' personal information." [Hu Sheng, "The object of the crime of infringing citizens' personal information", People's Judicature (Application), 2015, No. 7, p. 40.]
Moreover, after three years of criminal justice practice, this delimitation has not won the acceptance of China's criminal judges because its content is not detailed and is hard to apply, so it is still not scientific enough. Since it is currently difficult to state the "object of the crime" very precisely, the author believes the "object of the crime" can be sorted into categories, which also helps application and operation in judicial practice. In the author's view, the commonly encountered "object of the crime", citizens' personal information, can be divided into six categories. The first is personal identity information, including name, home address, identity card number, employer and so on. The second is personal consumption information, including online shopping records, offline shopping records, web browsing records and so on. The third is personal communications information, including mobile phone number, email address, and chat records from SMS, QQ, WeChat and the like. The fourth is personal financial information, including bank card numbers, personal financial status, online accounts and passwords and so on. The fifth is personal background information, including medical records, physical examination records, educational background, work experience and so on. The sixth is personal social relationship information, including family members, marital status and so on.
(3) Countermeasure three: define the standard for "serious circumstances"
Bodenheimer once pointed out: "One of the basic functions of law is to bring a reasonable degree of order to the numerous, varied and differing acts and relationships of human beings, and to promulgate rules or standards of conduct applicable to certain actions or behavior that should be restricted." [E. Bodenheimer, Jurisprudence: The Philosophy and Method of the Law, trans. Deng Zhenglai, China University of Political Science and Law Press, 1984, p. 484.] In judicial practice, "serious circumstances" can be judged against the following six criteria, and the Supreme People's Court should issue a judicial interpretation to that effect to facilitate application in practice. The six criteria are as follows. The first is criminal motive. The offender's motive reveals the degree of subjective culpability, from which one can determine whether the circumstances are serious. For example, illegally obtaining information for profit is plainly more culpable than illegally obtaining it out of the needs of daily life and work. The second is the quantity of information illegally obtained. Quantity can be objectively measured and is therefore easy to establish. Illegally obtaining 200 or more items of citizens' personal information also constitutes "serious circumstances". The third is the amount of illegal profit and illegal sales. Drawing on the approach to the serious-circumstances standard for the crime of illegal business operations, serious circumstances can be found on the basis of the amounts of illegal profit and illegal sales. For example, for crimes infringing citizens' personal information, illegal profit of RMB 1,000 or more by an individual, or RMB 5,000 or more by a unit, constitutes "serious circumstances".
The fourth is the number of offences, taking as the standard that the offender committed a certain number of criminal acts within a certain period. Drawing on the relevant provisions of the Supreme People's Court's judicial interpretations, "multiple times" generally means three or more times; illegally obtaining citizens' personal information three or more times within one year therefore constitutes "serious circumstances". The fifth is the nature of the conduct. Specifically, using illegal means such as bribery, deception, theft or purchase should be found to be "conduct of an egregious nature". The sixth is the harmful result, that is, the result of the conduct in terms of harm to society, generally analyzed in terms of adverse effects on citizens' personal safety, property and daily life, including harassing phone calls, spam text messages or extortion. Causing a citizen substantial economic loss, seriously affecting a citizen's daily life or even causing mental harm constitutes "serious circumstances". Likewise, where the offender illegally obtains citizens' personal information for use in illegal activities, or the personal information obtained is used in illegal activities, this constitutes "serious circumstances". Of course, whether the circumstances are serious should be determined by considering the circumstances of the crime as a whole. The six aspects above should be weighted, the case should be considered as a whole, and a comprehensive-circumstances standard should be applied to determine whether "serious circumstances" are made out.
Conclusion
"In the era of big data, whether personal information receives the protection it deserves, and how strong that protection is, reflects both the law's respect for and protection of citizens' rights and, to a certain extent, the overall level of civilization of a society." [Yao Hui and Zhang Xuan, "Building a Pluralistic Legal System for the Protection of Personal Information: An Analysis Set Against the Era of Big Data", Panjie Yanjiu (判解研究), 2015, No. 3, p. 1.] That Amendment (IX) to the Criminal Law continues to improve the criminal-law protection of personal information security on the basis of Amendment (VII) is a welcome legislative advance. In the judicial application of Amendment (IX), however, the criminal-law protection of personal information security faces many difficulties that urgently need to be overcome. We must also recognize that criminal legislation on crimes of infringing citizens' personal information cannot be completed in a single step. It requires repeated exchange, absorption and integration between criminal-law scholars and practitioners before the security of Chinese citizens' personal information can be protected more fully.

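Many companies are lax about network security and are attacked because they did not install updates in time; even some Internet security companies sometimes fail to realize that their own networks have been compromised.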


US$2 Million: The Total ZDI Paid in Vulnerability Bounties in 2016

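With cloud computing, the endpoint needs only a browser and is limited to a single process, which is of course somewhat more secure; but it will be a long time before web applications and bandwidth can replace the large body of traditional desktop software.
Zerodium's 2016 zero-day price list
Trend Micro's ZDI (Zero Day Initiative) has published an annual report covering 674 vulnerabilities. According to the report, titled "2016 in Review", ZDI paid nearly US$2 million in bounties to vulnerability reporters over the year.
ZDI uses bounties to encourage vulnerability disclosure. The company does not sell or distribute the vulnerabilities it holds; instead it uses the information to protect TippingPoint customers from potential attacks, and that protection can arrive even before a patch.
In the report, 54 vulnerabilities had not been patched at the time of disclosure; the rest were resolved through proper cooperation between ZDI and the affected vendors. Researchers submitted many vulnerabilities to ZDI over the past year, but about 43% of them were not accepted by ZDI.
The most interesting vulnerabilities ZDI collected in 2016 include ones affecting Internet Explorer (CVE-2016-3382), the Edge engine (CVE-2016-0158), Windows (CVE-2016-7272), OS X (CVE-2016-1806), Flash Player (CVE-2016-7857) and Google Chrome (CVE-2016-5161). Of these, CVE-2016-1806, which affects OS X, was disclosed at the Pwn2Own contest.
Several researchers stood out last year, including kdot (30 reports), bee13oy (18 reports), rgod (15 reports) and Steven Seeley (20 advisories). Other reports from these experts will be published as soon as possible after the vendors fix the vulnerabilities. Of the published vulnerability reports, 12% were the work of Zero Day Initiative staff.
Of the 674 vulnerability reports published last year, 149 involved Adobe products, 22% of the total. Notably, all nine vulnerabilities fixed by the Adobe Flash Player security patch pushed on the November Patch Tuesday were reported to the software giant by ZDI.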


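Surprisingly, the second most affected vendor in the report (112 related vulnerabilities) is Advantech, a provider of industrial automation solutions. Microsoft, Apple, Foxit Reader, Oracle, SolarWinds, Trend Micro, Hewlett Packard Enterprise (HPE) and Google also made the top ten.
ZDI's Dustin Childs said: "Interestingly, Apple-related vulnerabilities increased sharply last year. In 2014 or 2015, vulnerabilities in Apple products accounted for only 4% of the total, but that figure rose to 9% in 2016, or 61 vulnerability reports. We are very interested to see how this trend develops in 2017."
At present, ZDI has 379 vulnerability reports awaiting disclosure over the next four months, which indicates that the number of reports it publishes in 2017 will at least match last year's.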


---

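How should the security risks of the BYOD era be handled? Never before has it been as easy as it is today to bypass the IT department and consume cloud services on a company's network, and it happens often that a CEO goes to the IT department asking for some cloud service the business needs.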


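CNVD Vulnerability Weekly Report, 2017 Issue 3 (January 9, 2017 to January 15, 2017)

Assessment of this week's vulnerability situation

The overall threat level of information security vulnerabilities this week is rated medium.
The China National Vulnerability Database (CNVD) collected and compiled 211 information security vulnerabilities this week: 92 high-risk, 113 medium-risk and 6 low-risk. The average vulnerability score was 6.68. Of the vulnerabilities recorded this week, 71 (34%) are 0day vulnerabilities. Among them, zero-day attack code has appeared on the Internet for the "Internet Download Accelerator buffer overflow vulnerability" and the "Joomla! component com_remository file upload vulnerability"; users of the affected products should strengthen their defenses. In addition, CNVD received a total of 549 incident-type vulnerabilities involving Party and government bodies, enterprises and public institutions this week, an increase of 7% over last week (511).
Figure 1: Average score of vulnerabilities recorded by CNVD over the last 10 weeks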

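Handling of vulnerability incidents this week

This week, CNVD notified basic telecom operators of 10 vulnerability incidents; notified organizations in key sectors such as banking, securities, insurance and energy of 20 incidents; coordinated CNCERT's branch centers in verifying and handling 203 incidents involving important local departments; coordinated the education sector's emergency response organization in verifying and handling 124 incidents in the systems of universities and research institutes; and reported 9 incidents involving ministry portals, sub-sites or the information systems of directly affiliated units to the national superior information security coordination body.
In addition, through established contact mechanisms or the public contact channels of the organizations concerned, CNVD notified the following organizations of vulnerabilities in their information systems or in their software and hardware products:
Fujian Foxit Software Development Joint Stock Co., Ltd., Dameng Database Co., Ltd., Haihong Enterprise (Holding) Co., Ltd., Zibo Shanling Network Technology Co., Ltd., Beijing Kaspersky Network Security Technology Co., Ltd., Taiyuan Xunyi Technology Co., Ltd., Yxcms Inc., and the producers of software products including the DM enterprise website-building system, kalcaddle and Catfish CMS.
This week, CNVD published the "Security Bulletin on Multiple High-Risk Denial-of-Service Vulnerabilities in ISC BIND". See the bulletin on the CNVD website for details.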
http://www.cnvd.org.cn/webinfo/show/4032

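Vulnerability reporting statistics this week

This week, 12 member organizations, partners, enterprise users and individual users reported all 211 vulnerabilities recorded this week. The breakdown is shown in Table 1. Antiy Labs, Venustech, Topsec and Huawei Technologies Co., Ltd. reported relatively large numbers. 360 Wangshen (360网神), Vulbox, Guangxi Xinhan Technology Co., Ltd., the Jiangsu Information Security Evaluation Center, Xinjiang Tianshan Zhihui Information Technology Co., Ltd., the Military Industry Secrecy Qualification Review and Certification Center, Guangzhou Shenyue Information Security Technology Co., Ltd., Beijing Anma Technology Co., Ltd. and other individual white hats submitted 549 original vulnerabilities, mostly incident-type, to CNVD.

| Reporting organization or individual | Vulnerabilities reported | Original vulnerabilities |
|---|---|---|
| 360 Wangshen (360网神) | 430 | 430 |
| Antiy Labs | 125 | 0 |
| Venustech | 118 | 10 |
| Topsec | 104 | 0 |
| Huawei Technologies Co., Ltd. | 90 | 0 |
| H3C | 88 | 0 |
| Neusoft | 76 | 0 |
| NSFOCUS | 54 | 0 |
| Bluedon Information Security Technologies Co., Ltd. | 54 | 0 |
| Eversec (恒安嘉新) | 24 | 0 |
| China Telecom System Integration Co., Ltd. | 21 | 0 |
| Beijing Shuziguanxing Technology Co., Ltd. (北京数字观星科技有限公司) | 10 | 0 |
| Vulbox | 60 | 60 |
| Guangxi Xinhan Technology Co., Ltd. | 11 | 11 |
| Jiangsu Information Security Evaluation Center | 2 | 2 |
| Xinjiang Tianshan Zhihui Information Technology Co., Ltd. | 1 | 1 |
| Military Industry Secrecy Qualification Review and Certification Center | 1 | 1 |
| Guangzhou Shenyue Information Security Technology Co., Ltd. | 1 | 1 |
| Beijing Anma Technology Co., Ltd. | 1 | 1 |
| CNCERT Hunan Branch Center | 4 | 4 |
| CNCERT Ningxia Branch Center | 3 | 3 |
| CNCERT Jiangxi Branch Center | 2 | 2 |
| CNCERT Guangdong Branch Center | 1 | 1 |
| CNCERT Hainan Branch Center | 1 | 1 |
| Individuals | 21 | 21 |
| Total reported | 1303 | 549 |
| Total recorded | 211 (deduplicated) | 549 |

Table 1: Vulnerability reporting statistics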

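Vulnerabilities this week by type and vendor

This week, CNVD recorded 101 vulnerabilities: 112 application vulnerabilities, 60 web application vulnerabilities, 27 operating system vulnerabilities, 10 network device vulnerabilities and 2 security product vulnerabilities.

| Type of affected object | Number of vulnerabilities |
|---|---|
| Application vulnerabilities | 112 |
| Web application vulnerabilities | 60 |
| Operating system vulnerabilities | 27 |
| Network device vulnerabilities | 10 |
| Security product vulnerabilities | 2 |

Table 2: Vulnerabilities by type of affected object
Figure 2: Distribution of this week's vulnerabilities by type of affected object
The vulnerabilities compiled and published by CNVD involve products from WordPress, Adobe, Google and many other vendors. Table 3 shows the vulnerability counts for some of these vendors.

| No. | Vendor (product) | Number of vulnerabilities | Share |
|---|---|---|---|
| 1 | WordPress | 47 | 23% |
| 2 | Adobe | 41 | 19% |
| 3 | Google | 29 | 14% |
| 4 | IBM | 15 | 7% |
| 5 | ImageMagick | 7 | 3% |
| 6 | Irssi | 4 | 2% |
| 7 | ISC | 4 | 2% |
| 8 | EMC | 3 | 1% |
| 9 | Microsoft | 3 | 1% |
| 10 | Others | 58 | 28% |

Table 3: Distribution of vulnerabilities by product vendor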

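Industry vulnerabilities recorded this week

This week, CNVD recorded 1 telecom industry vulnerability, 29 mobile Internet industry vulnerabilities and 3 industrial control system industry vulnerabilities (see the figures below). Of these, the following are rated "high-risk" overall: the Google Android Framesequence Library remote code execution vulnerability (CNVD-2017-00329); the Google Android Synaptics privilege escalation vulnerability; the Google Android Synaptics Touchscreen Driver elevation of privilege vulnerability; the Google Android One Qualcomm Radio Driver privilege escalation vulnerability; the multiple Google Device privilege escalation vulnerability; the Google Nexus Qualcomm Wi-Fi Driver elevation of privilege vulnerability; the multiple Google Devices privilege escalation vulnerability; the multiple Google Devices Qualcomm Sound Driver privilege escalation vulnerability; the Google Android remote code execution vulnerability; the Google Android NVIDIA GPU Driver elevation of privilege vulnerability; and the Google Nexus Qualcomm Wi-Fi Driver privilege escalation vulnerability. The vendors have released patches for these vulnerabilities; see the links to CNVD's industry vulnerability databases.
Telecom industry vulnerabilities: http://telecom.cnvd.org.cn/
Mobile Internet industry vulnerabilities: http://mi.cnvd.org.cn/
Industrial control system industry vulnerabilities: http://ics.cnvd.org.cn/
Figure 3: Telecom industry vulnerability statistics
Figure 4: Mobile Internet industry vulnerability statistics
Figure 5: Industrial control system industry vulnerability statistics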

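Important vulnerability alerts this week
This week, CNVD compiled and published the following important vulnerability information.
1. Microsoft product vulnerabilities
On January 10, Microsoft released its regular monthly security bulletin for January 2017, containing 4 updates that fix 4 security vulnerabilities in Microsoft Windows, Edge, Office, Office Services, Web Apps and Adobe Flash Player. One update, relating to remote code execution, carries the highest overall rating, "Critical". By exploiting these vulnerabilities, an attacker can escalate privileges and remotely execute arbitrary code.
The related vulnerabilities recorded by CNVD include: the Microsoft Edge remote privilege escalation vulnerability, the Microsoft Office memory corruption vulnerability (CNVD-2017-00428) and the Microsoft Windows LSASS denial-of-service vulnerability. Except for the "Microsoft Edge remote privilege escalation vulnerability", these are rated "high-risk" overall. The vendor has released patches for these vulnerabilities. CNVD reminds users to download and apply the patches promptly to avoid security incidents arising from them.
Reference link: http://www.cnvd.org.cn/webinfo/show/4031
2. ISC product vulnerabilities
BIND is open-source software that implements the DNS protocol. This week the product was disclosed to contain denial-of-service vulnerabilities. Attackers can exploit them to launch denial-of-service attacks, which puts at risk the secure operation of the many name servers on the Internet that run BIND resolution software.
The related vulnerabilities recorded by CNVD include: the ISC BIND 9 db.c assertion failure denial-of-service vulnerability, the ISC BIND 9 DNSSEC assertion failure denial-of-service vulnerability, the ISC BIND 9 DS response assertion failure denial-of-service vulnerability and the ISC BIND 9 RTYPE ANY assertion failure denial-of-service vulnerability. These vulnerabilities are rated "high-risk" overall. The vendor has released patches for them. CNVD reminds users to download and apply the patches promptly to avoid security incidents arising from them.
Reference links: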
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00382
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00383
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00384
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00385
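3. Adobe product vulnerabilities
Adobe Acrobat and Reader are editing software developed by the US company Adobe that can publish any document in Portable Document Format. This week these products were disclosed to contain memory corruption vulnerabilities that attackers can exploit to execute arbitrary code.
The related vulnerabilities recorded by CNVD include: Adobe Acrobat and Reader memory corruption vulnerabilities (CNVD-2017-00399, CNVD-2017-00412, CNVD-2017-00415, CNVD-2017-00416, CNVD-2017-00417, CNVD-2017-00418, CNVD-2017-00419, CNVD-2017-00420) and others. These vulnerabilities are rated "high-risk" overall. The vendor has released patches for them. CNVD reminds users to download and apply the patches promptly to avoid security incidents arising from them.
Reference links: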
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00399
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00412
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00415
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00416
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00417
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00418
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00419
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00420
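4. Google product vulnerabilities
Google Pixel C and others are smart devices from the US company Google. Android on Nexus 5X and others is a Linux-based open-source operating system running on the Nexus 5X and other devices. Google Android One is a smartphone. Google Nexus is a line of high-end phones running stock Android. This week these products were disclosed to contain privilege escalation vulnerabilities that attackers can exploit to execute arbitrary code.
The related vulnerabilities recorded by CNVD include: the Google Pixel Binder privilege escalation vulnerability, the Google Android Synaptics privilege escalation vulnerability, the Google Android One Qualcomm Radio Driver privilege escalation vulnerability, the multiple Google Device privilege escalation vulnerability, the Google Nexus Qualcomm Wi-Fi Driver elevation of privilege vulnerability, the multiple Google Devices privilege escalation vulnerability, the multiple Google Devices Qualcomm Sound Driver privilege escalation vulnerability, the Google Nexus Qualcomm Wi-Fi Driver privilege escalation vulnerability and others. These vulnerabilities are rated "high-risk" overall. The vendor has released patches for them. CNVD reminds users to download and apply the patches promptly to avoid security incidents arising from them.
Reference links: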
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00342
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00341
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00332
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00334
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00335
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00337
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00339
http://www.cnvd.org.cn/flaw/show/CNVD-2017-00185
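5. Joomla! component com_remository file upload vulnerability
Joomla! is an open-source content management system (CMS). This week Joomla! was disclosed to contain a file upload vulnerability. An attacker can exploit it to upload malicious files to the server and thereby gain server privileges. The vendor has not yet released a patch for this vulnerability. CNVD reminds users to watch the vendor's home page for the latest version.
Reference link: http://www.cnvd.org.cn/flaw/show/CNVD-2017-00253
More high-risk vulnerabilities are listed in Table 4; details can be looked up on the CNVD website by CNVD number.
Reference link: http://www.cnvd.org.cn/flaw/list.htm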
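
| CNVD number | Vulnerability name | Overall rating | Remediation |
|---|---|---|---|
| CNVD-2017-00187 | Nagios incomplete fix local privilege escalation vulnerability | | The vendor has released a fix; watch for the update: http://seclists.org/oss-sec/2016/q4/783 |
| CNVD-2017-00314 | Irssi memory corruption vulnerability | | The vendor has released a fix; watch for the update: http://seclists.org/oss-sec/2016/q1/610 |
| CNVD-2017-00313 | Irssi memory corruption vulnerability (CNVD-2017-00313) | | The vendor has released a fix; watch for the update: http://seclists.org/oss-sec/2016/q1/610 |
| CNVD-2017-00312 | Irssi memory corruption vulnerability (CNVD-2017-00312) | | The vendor has released a fix; watch for the update: http://seclists.org/oss-sec/2016/q1/610 |
| CNVD-2017-00311 | Irssi memory corruption vulnerability (CNVD-2017-00311) | | The vendor has released a fix; watch for the update: http://seclists.org/oss-sec/2016/q1/610 |
| CNVD-2017-00323 | IBM UrbanCode Deploy security bypass vulnerability | | The vendor has released a fix; watch for the update: http://www-01.ibm.com/support/docview.wss?uid=swg2C1000238 |
| CNVD-2017-00344 | IBM BigFix Platform remote code execution vulnerability | | Users can obtain patch information from the following vendor security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21996375 |
| CNVD-2017-00402 | Game Music Emulators memory corruption vulnerability | | The vendor has released a fix; watch for the update: https://bitbucket.org/mpyne/game-music-emu/wiki/Home |
| CNVD-2017-00403 | Game Music Emulators memory corruption vulnerability (CNVD-2017-00403) | | The vendor has released a fix; watch for the update: https://bitbucket.org/mpyne/game-music-emu/wiki/Home |
| CNVD-2017-00404 | Game Music Emulators memory corruption vulnerability (CNVD-2017-00404) | | The vendor has released a fix; watch for the update: https://bitbucket.org/mpyne/game-music-emu/wiki/Home |

Table 4: Selected important high-risk vulnerabilities

Fang Xiaodun, founder of the WooYun security platform, on architects and Internet security: the state of Internet security in China still lags far behind that abroad, and the key is that user awareness has not kept up.
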
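Summary: On January 10, Microsoft released its regular monthly security bulletin for January 2017, containing 4 updates that fix 4 security vulnerabilities in Microsoft Windows, Edge, Office, Office Services, Web Apps and Adobe Flash Player. An attacker can escalate privileges and remotely execute arbitrary code. In addition, multiple products from ISC, Adobe, Google and others were disclosed to contain privilege escalation and denial-of-service vulnerabilities, which attackers can exploit to execute arbitrary code or launch denial-of-service attacks. Joomla! was also disclosed to contain a file upload vulnerability; an attacker can exploit it to upload malicious files to the server and thereby gain server privileges. Affected users are advised to watch the home pages of these vendors and obtain patches or solutions promptly.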

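We take the protection of confidential business data very seriously, because that data is closely tied to our success. If it were stolen by competitors or unlawfully exposed, our business would suffer serious losses. So while we keep exploring customer needs and developing new products, we take care to keep this confidential data secure.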
