On March 12, the Ministry of Industry and Information Technology launched an information-sharing platform on cyber-security threats and loopholes OpenClawTHE “SIX-NO-SIX” RECOMMENDATION FOR OPEN-SOURCE SMART BODY SAFETY RISKS (“CRAWFISH”). IN RESPONSE TO SECURITY RISKS IN THE TYPICAL APPLICATION OF LOBSTER, THE MINISTRY OF INDUSTRY AND INFORMATION TECHNOLOGY'S WEB SECURITY THREATS AND GAP INFORMATION SHARING PLATFORM (NVDB) ORGANIZES SMART BODY PROVIDERS, GAP-COLLECTION PLATFORM OPERATORS, NETWORK SECURITY ENTERPRISES, ETC., THE STUDY MAKES A “SIX NOT”。
1AI attached the specifics below:
I. Typical application scenario security risks
(i) Smart office scenes are mainly at high risk of supply chain attacks and intra-enterprise penetration
1. Scene description:Through the deployment of “crawfish” within the enterprise, a management system is in place for the docking enterprise to enable intelligent data analysis, document processing, administration, financial support and knowledge management。
2. Security risks:The introduction of abnormal plugs, “skill packages” and so forth triggers supply chain attacks; the horizontal spread of cybersecurity risks within the Intranet, leading to the leakage or loss of sensitive information, such as interfaced system platforms, databases; and compliance risks in the absence of audit and traceability mechanisms。
3. Responses:The stand-alone network is deployed, operating in isolation from key production environments, prohibiting the use of unauthorized “crawfish” smart-body terminals in the internal network; conducting full security testing prior to deployment, with minimal delegation of authority when deployed, prohibiting non-essential cross-grid, cross-equipment and cross-system access; and maintaining complete operations and operating logs to ensure compliance with compliance requirements such as audit。
(ii) The development of a transport environment is dominated by the heightened risk of system-equipment-sensitive leaking and hijacking control
1. Scene description:Through the deployment of “crawfish” by enterprises or individuals, the natural language is converted into an enforceable command, supported by code writing, code running, equipment inspection, configuration backup, system monitoring, management processes, etc。
2. Security risks:UNAUTHORIZED ENFORCEMENT OF SYSTEM ORDERS, HIJACKING OF EQUIPMENT BY A CYBER ATTACK; EXPOSURE OF SYSTEM ACCOUNT NUMBERS AND PORT INFORMATION, EXPOSURE TO EXTERNAL ATTACKS OR PASSWORDS; DISCLOSURE OF SENSITIVE INFORMATION SUCH AS NETWORK POPPING, ACCOUNT PASSWORDS, API INTERFACES, ETC。
3. Responses:To avoid direct deployment in the production environment, priority is given to operating in virtual machines or sandboxes; adequate security tests are conducted prior to deployment, with minimal delegation of authority for deployment and no delegation of authority to managers is allowed; and high-risk blacklists are established and manual clearance mechanisms are activated for critical operations。
(iii) High-profile risk of theft of personal information and disclosure of sensitive information to the personal assistant scene
1. Scene description:Remote access to locally deployed lobsters, such as personal instant communication software, provides personal information management, day-to-day transaction processing, digital asset preparation, etc., and can serve as knowledge learning and life entertainment assistants。
2. Security risks:Excessive authority leads to malicious reading and writing and the deletion of arbitrary documents; cyber-attacks in the case of Internet access; the wrongful execution of a dangerous order by means of a hint, or even the taking over of a smart body; and explicit storage of a key leading to the disclosure or theft of personal information。
3. Responses:ENHANCE THE MANAGEMENT OF PRIVILEGES BY ALLOWING ACCESS ONLY TO THE NECESSARY DIRECTORIES, PROHIBITING ACCESS TO SENSITIVE DIRECTORIES, ACCORDING PRIORITY TO ACCESS THROUGH ENCRYPTED CHANNELS, PROHIBITING NON-NECESSARY INTERNET ACCESS, PROHIBITING HIGH-RISK OPERATIONAL INSTRUCTIONS OR ADDING SECOND CONFIRMATIONS; AND STORING STRICTLY ENCRYPTED API KEYS, CONFIGURATION FILES, VITAL PERSONAL INFORMATION, ETC。
(iv) The financial transaction scene is characterized by a significant risk of causing erroneous transactions or even the taking over of accounts
1. Scene description:Through the deployment of “crawfish” by enterprises or individuals, the deployment of financial-related applications interfaces, automated transactions and risk control, improved efficiency in quantitative transactions, intelligent research and portfolio management, and the realization of market data capture, strategic analysis, and implementation of trade directives。
2. Security risks:Memory poisoning leads to erroneous transactions, identification bypasses lead to the illegal taking over of accounts; the introduction of plugs containing malicious codes leads to the theft of documents for transactions; and, in extreme cases, the absence of a melting or emergency mechanism leads to risks such as the loss of control of intelligence and frequent filings。
3. Responses:Implementation of network isolation and minimum access, closure of non-essential Internet ports; establishment of a manual review and smelting emergency response mechanism, with additional secondary validation of critical operations; enhanced supply chain audit, use of official components and regular repair of loopholes; implementation of full-chain audit and security monitoring to detect and address security risks in a timely manner。
Recommendations for safe use
(i) Use of the official latest version。The latest stable version is to be downloaded from official channels and automatically updated alarms are to be activated; backup data is to be provided before upgrades are made, service restart is to be upgraded and the patch is to be validated. Do not use third-party mirror or historical versions。
(ii) Strict control of Internet exposure。PERIODIC SELF-CENSORSHIP OF EXPOSURE TO THE INTERNET IS CARRIED OUT AND, AS SOON AS IT IS DISCOVERED, IS DONE. DO NOT EXPOSE THE CASE OF A LOBSTER SMART BODY TO THE INTERNET, DO NEED ACCESS TO THE INTERNET USING ENCRYPTION CHANNELS SUCH AS SSH, AND LIMIT ACCESS TO SOURCE ADDRESSES AND AUTHENTICATION BY MEANS OF STRONG PASSWORDS OR CERTIFICATES, HARDWARE KEYS, ETC。
(iii) To uphold the principle of minimum competence。Reconfirmation or manual approval of critical processes such as the deletion of documents, the dispatch of data, the modification of the system configuration, etc., is required to be granted the minimum authority necessary to complete the task, in accordance with operational needs. Priority is given to the separation of the operation in a container or virtual machine, which forms an independent area of competence. Do not use administrator rights account numbers for deployment。
(iv) Careful use of the skills market。ClawHub “Skill Package” should be carefully downloaded and the skill pack code reviewed prior to installation. Do not use skill packs that require " Download ZIP " , " Execute shell scripts " or " Enter passwords " 。
(v) Protection against social engineering attacks and browser hijackings。Use browser sandboxes, web filters, etc. to block suspicious scripts, enable log auditing, and break the gateway and reset the password immediately in case of suspicious behaviour. Do not browse from an unknown website, click on an unknown web link, and read untrustworthy documents。
(vi) Establishing long-lasting protection mechanisms。There is a need to regularly check and close loopholes and to provide timely warning of risks from loopholes such as the OpenClaw Official Security Bulletin, the Ministry of Industry and Information Technology ' s Web Security Threat and Gap Information Sharing Platform. Party agencies, business enterprises and individual users can provide real-time protection in conjunction with cyber-security protection tools, mainstream drug-killing software, and address possible security risks in a timely manner. Do not disable the detailed log audit function。