The Shellshock bug that has left vast swaths of the internet vulnerable to cyber criminals for more than 20 years highlights how the basic foundations of the network are not fit for the 21st century web, security experts have warned.安全性专家警告说道,“Shellshock漏洞”曝露了互联网在多达20年的时间里为网络犯罪分子留给的大量可乘之机,这凸显最基本的网络基础设施早已不适应环境21世纪网络的必须。The fundamental flaw that was discovered on Wednesday has been described as the worst bug exposed for about a decade, as it left the computer systems of governments, the military and companies open to manipulation from afar.周三找到的这一基础性漏洞被称作近十年内找到的最相当严重漏洞。
利用该漏洞,可以远程操控政府机关、军方及企业的计算机系统。Tal Klein, vice-president of strategy and marketing at US-based cloud security company Adallom, warned there could be more bugs like this to be discovered because the whole internet was built on a “sheet of very thin ice”.Adallom副总裁塔尔克莱因(Tal Klein)警告说道,由于整个互联网都看起来辟在“一块极薄的冰层之上”,今后可能会找到更加多这样的漏洞。Adallom是一家总部在美国的云安全公司。“We continuously work on improving the security of the internet assuming the sheet of ice underneath it is secure,” he said. “[But] very few people actively spend time on the security of the underlying components. They are so old that people assume if no one has compromised them yet then it is fine.”他说道:“我们仍然在希望提高互联网的安全性,却想当然地指出互联网之下的冰层是安全性的。
很少有人主动花上时间检验基础组件的安全性。这些组件用于的时间太久,人们理所当然地指出,既然人们还在用,就解释它们没什么问题。
”The threat of the Shellshock bug can be mitigated by updating, or patching, computer systems. But that will take time, as IT teams rush to work out which systems need updating, and Shellshock may be one of many vulnerabilities in the basic architecture of the internet.通过升级电脑系统——或者为系统打上补丁——可以避免Shellshock漏洞的威胁。不过这么做到必须花上上一段时间,因为IT团队必需急忙分析出有哪些系统必须改版,而且Shellshock漏洞有可能只是互联网基础设施的诸多漏洞之一。Trey Ford, global security strategist for Rapid 7, said the problem was that innovations had been bolted on top of a structure that was not built for what it was used for today.Rapid 7全球安全性策略师特雷福特(Trey Ford)回应,问题在于人们仍然在一种基础架构之上展开创意,而当初创建这种基础架构的目的却与今天用于它的目的不完全一致。
“The world wide web just had a birthday, turning 25. When Tim Berners Lee created it I don’t know if he envisaged magical pocket devices where you could take phone calls from Tokyo, surf the internet and more money around,” he said. “We’ve come a long way in 25, 30 years.” Mr Ford said companies such as Google and cyber security companies such as Rapid 7 were working to improve some fundamental aspects of the internet. But security needed to be more valued by consumers so that the companies creating products prioritised security.他说道:“万维网刚童年了25岁生日。当蒂姆伯纳斯-李爵士(Sir Tim Berners-Lee)发明者万维网时,我不告诉他能否想象到今天各种魔术般的口袋设备。
通过这些设备,人们可以从东京拨款长途电话、可以网页互联网、还可以四处调动资金。在25或30年的时间里,我们已回头得很近。”福特回应,许多企业正在著手提高互联网的某些基础性能,还包括谷歌(Google),以及Rapid 7等网络安全公司。
然而,只有当消费者更为推崇安全性问题时,企业才不会研发出有侧重安全性的产品。“In the long run, security should not be a feature but something that is expected,” he said. “I fear it will take more events like this to prioritise those services and investment.”他说道:“长年来说,安全性不该被视作一种特性,而应当是一种适当属性。我担忧人们要经历更加多此类事件,才不会把这类服务和投资放到最重要方位上。
”Product designers had to choose between spending money on new features which were more marketable, or on security that no one would notice, he added.他补足说道,产品设计人员必需作出自由选择:是把资金花上在设计更加不利于产品销售的新功能上,还是花上在提高没人会留意的安全性上。It is hard to prioritise security when the size of the problem remains unknown. Legislation requiring companies to report cyber attacks also varies widely depending on the industry or country, but most focus on the loss of consumer data rather than other attacks aimed at taking over computer systems or stealing intellectual property.在对问题相当严重程度一无所知的情况下,人们很难把安全性问题摆在首位。拒绝企业报告网络攻击的法律,因国家或行业的有所不同而不存在很大差异,但大多都侧重用户数据的泄漏,而不是其他目的掌控电脑系统或盗取知识产权的反击。The effects of Shellshock so far are hard to measure. Even though the vulnerability has existed for more than two decades, it is not clear if it had already been discovered by cyber criminals. There is already some evidence posted on Github, an online forum for software engineers, that the Shellshock bug has been used in an attack, though it is not known where or when.到目前为止,Shellshock漏洞导致的影响还很难评估。
尽管该漏洞已不存在了逾20年,但不确切网络犯罪分子否已找到了这个漏洞。在用户主要为软件工程师的在线论坛Github上,有数人公布证据,表明Shellshock漏洞已被用在一次网络攻击中。不过,这次反击再次发生的时间和地点还不确切。
Sophisticated state-backed cyber criminals, known as advanced persistent threats, could use the bug for a “stealthy attack” where they penetrate deep inside a company or a government’s computer systems.政府反对的尖端网络罪犯被视作一种高级别持续性威胁,他们可能会利用这一漏洞实行“不为人知的反击”,深度渗入进企业或政府的计算机系统。Other attackers could use the vulnerability to take hold of servers and home internet routers from across the world to create a giant network – known as a botnet – which would give them enough computing power to take down any website in a distributed denial of service attack.其他攻击者可能会利用该漏洞掌控世界各地的服务器和家用互联网路由器,从而创建一个可观的“僵尸网络”(botnet)。这种网络不会让他们取得充足的计算能力,可以用“分布式拒绝服务反击”(DDoS)毁坏任何网站。Apple’s Mac computers rely on an operating system that was originally based on Unix, so they could be vulnerable especially if connected to public WiFi, and many so-called “internet of things” devices such as lightbulbs and fridges may be affected.苹果公司(Apple)的Mac电脑使用一种原本基于Unix的操作系统,因此也有可能受到这一漏洞的影响,特别是在相连到公共WiFi的时候。
此外,许多“物联网”设备如灯泡、冰箱等有可能也不会受到影响。Chris Wysopal, chief technology officer of cyber security company Veracode, said this moment between the announcement of a problem and people fixing it by rolling out a software update – or patch – is “the most dangerous time”.网络安全公司Veracode首席技术官克里斯马里夫卡帕尔(Chris Wysopal)回应,从漏洞发布到科技企业公布修缮漏洞的软件改版(或补丁)这段时间是“最危险性的”。“The thing that has people worried is that they don’t know the scope of how many devices are affected,” he said.他说道:“人们担忧的问题在于,目前不确切有多少设备受到了这一漏洞的影响。
本文来源:aoa网页版-www.mahungchi.com