
The Economist: Online business and security: A digital heart attack

Editor: mike

Online business and security

A digital heart attack
A flaw in popular internet-security software could have serious consequences for all sorts of business

THE Heartbleed bug sounds like a nasty coronary condition. But it is in fact a software flaw that has left up to two-thirds of the world's websites vulnerable to attack by hackers. “This is potentially the most dangerous bug that we have seen for a long, long time,” says James Beeson, the chief information security officer of GE Capital Americas, an arm of GE. Since its existence was revealed on April 7th by researchers at Codenomicon, a security outfit, and Google, countless companies around the world that rely on the internet for part or all of their business have been scrambling to fix the flaw.

Ironically, the bug was discovered in OpenSSL, encryption software that was designed to make the internet more secure. Available free, this open-source code is popular with businesses and governments, which use it to help secure everything from online credit-card transactions to public services. On April 9th, for instance, Canada's tax authority shut off public access to its online services while it checked the security of its systems in the light of news about the bug.
The flaw makes it possible for hackers to trick a server into spewing out data held in its memory. OpenSSL has a feature known as a “heartbeat” that allows a computer at one end of an encrypted link to send occasional signals to the computer at the other end of it, to check that it is still online. The researchers discovered that a hacker with knowledge of the bug could replicate this signal and use it to steal all manner of data from a remote computer.
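The kind of missing check behind this behaviour, as an added illustration (not OpenSSL's code and not from the article): a heartbeat request in the RFC 6520 layout carries its own payload-length field, and a handler that echoes that many bytes without comparing the claim to what actually arrived copies whatever sits next to the message in memory. The function names, the flat `mem` buffer and the marker string are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_MIN_PAD  16   /* RFC 6520: at least 16 bytes of padding */

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap);

/* Flawed form: echoes as many bytes as the sender claims to have sent. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return 0;      /* only bounds the demo's output */
    memcpy(out, rec + 3, claimed);        /* never compared with rec_len */
    return claimed;
}

/* Hardened form: drop the message unless type + length + payload + padding
 * fit inside the bytes that actually arrived. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_MIN_PAD > rec_len) return 0;  /* discard */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed test: a 5-byte record claiming 40 payload bytes is placed in a
 * flat buffer directly before unrelated data. Returns 1 if that data is
 * echoed back, 0 if not. */
int reply_discloses_neighbour(hb_handler handle)
{
    static const char marker[] = "CONSTRUCTED-SECRET";   /* sample value */
    uint8_t mem[64] = {0}, out[64] = {0};
    const uint8_t rec[5] = {HB_REQUEST, 0x00, 0x28, 'h', 'i'};
    memcpy(mem, rec, sizeof rec);
    memcpy(mem + sizeof rec, marker, sizeof marker);
    size_t n = handle(mem, sizeof rec, out, sizeof out);
    return n >= 2 + sizeof marker && memcmp(out + 2, marker, sizeof marker) == 0;
}
```

The checked handler still answers a well-formed request (payload plus 16 bytes of padding); it only discards messages whose claimed length exceeds what was received.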
Those data could include encryption keys that let hackers decipher traffic. To make matters worse, the researchers found that the bug, which is present in some versions of OpenSSL that have been available since March 2012, allows attacks to be mounted without leaving a trace in targeted computers' “server logs”, so victims are unaware their systems have been compromised. That means it is impossible to tell for sure what damage has been done.
The bug has forced companies to find out fast how many of their systems employ the vulnerable versions of OpenSSL. “Everyone knows they have to patch their customer-facing internet websites, but that is only the tip of the iceberg,” says Jonathan Sander of STEALTHbits Technologies, a security firm that is helping one of America's biggest banks work out where it has deployed the buggy software. Web-connected systems that handle things such as accounting and personnel data will also need to be checked for the bug.
Mr Sander likens the discovery of the Heartbleed bug to finding a faulty part in nearly every make and model of car. The problem is that the internet cannot be recalled. Big web companies such as Google and Yahoo have moved fast to deal with the bug. But millions of smaller e-commerce sites and other businesses face the worrying prospect of being attacked by hackers alerted to the bug's existence as the firms race to fix the problem.
The cure includes applying a software “patch” and then choosing new encryption keys to replace those that may have been compromised. Once this has been done, customers will often need to change their passwords too. Tumblr, a blogging service owned by Yahoo, has urged its users to change the passwords they use for all of the secure online services that hold sensitive data about them. Some companies even chose to suspend services while they were working on a fix. Bitstamp, a Bitcoin e-currency exchange, temporarily suspended new account registrations and logins to its existing accounts.
Another Y2K?
Perhaps the risk posed by the Heartbleed bug will turn out to be overblown. But if it emerges that companies' systems have indeed been hacked because of it, this could open a legal can of worms. Firms could argue that they ought not to be punished for using widely trusted security software. But aggrieved customers—and their lawyers—may see things differently.
Quite how the bug got into the OpenSSL software in the first place is a mystery. Bruce Schneier, an internet-security expert, argues in a blog post that “the probability is close to one” that intelligence agencies have exploited the glitch to nab the encryption keys needed to decipher information about their targets. His guess is that the glitch is the result of a coding error rather than the handiwork of spies, though he says he cannot be sure.
No matter who is to blame, this episode is another reminder of the security challenges companies face as ever more economic activity shifts online. According to eMarketer, a research outfit, worldwide business-to-consumer e-commerce sales are likely to grow by just over a fifth this year, to $1.5 trillion. That is a huge commercial opportunity, but it will also encourage cyber-crooks to target businesses even more vigorously. Expect more computer-security heartburn in boardrooms.