The Shellshock bug that has left vast swaths of the internet vulnerable to cyber criminals for more than 20 years highlights how the basic foundations of the network are not fit for the 21st century web, security experts have warned.
The fundamental flaw that was discovered on Wednesday has been described as the worst bug exposed for about a decade, as it left the computer systems of governments, the military and companies open to manipulation from afar.
Tal Klein, vice-president of strategy and marketing at US-based cloud security company Adallom, warned there could be more bugs like this to be discovered because the whole internet was built on a “sheet of very thin ice”.
“We continuously work on improving the security of the internet assuming the sheet of ice underneath it is secure,” he said. “[But] very few people actively spend time on the security of the underlying components. They are so old that people assume if no one has compromised them yet then it is fine.”
The threat of the Shellshock bug can be mitigated by updating, or patching, computer systems. But that will take time, as IT teams rush to work out which systems need updating, and Shellshock may be one of many vulnerabilities in the basic architecture of the internet.
Trey Ford, global security strategist for Rapid 7, said the problem was that innovations had been bolted on top of a structure that was not built for what it was used for today.
“The world wide web just had a birthday, turning 25. When Tim Berners-Lee created it I don’t know if he envisaged magical pocket devices where you could take phone calls from Tokyo, surf the internet and move money around,” he said. “We’ve come a long way in 25, 30 years.” Mr Ford said companies such as Google and cyber security companies such as Rapid 7 were working to improve some fundamental aspects of the internet. But security needed to be more valued by consumers so that the companies creating products prioritised security.
“In the long run, security should not be a feature but something that is expected,” he said. “I fear it will take more events like this to prioritise those services and investment.”
Product designers had to choose between spending money on new features which were more marketable, or on security that no one would notice, he added.
It is hard to prioritise security when the size of the problem remains unknown. Legislation requiring companies to report cyber attacks also varies widely depending on the industry or country, but most focus on the loss of consumer data rather than other attacks aimed at taking over computer systems or stealing intellectual property.
The effects of Shellshock so far are hard to measure. Even though the vulnerability has existed for more than two decades, it is not clear if it had already been discovered by cyber criminals. There is already some evidence posted on Github, an online forum for software engineers, that the Shellshock bug has been used in an attack, though it is not known where or when.
Sophisticated state-backed cyber criminals, known as advanced persistent threats, could use the bug for a “stealthy attack” where they penetrate deep inside a company or a government’s computer systems.
Other attackers could use the vulnerability to take hold of servers and home internet routers from across the world to create a giant network – known as a botnet – which would give them enough computing power to take down any website in a distributed denial of service attack.
Apple’s Mac computers rely on an operating system that was originally based on Unix, so they could be vulnerable especially if connected to public WiFi, and many so-called “internet of things” devices such as lightbulbs and fridges may be affected.
Chris Wysopal, chief technology officer of cyber security company Veracode, said this moment between the announcement of a problem and people fixing it by rolling out a software update – or patch – is “the most dangerous time”.
“The thing that has people worried is that they don’t know the scope of how many devices are affected,” he said.