HONG KONG — For Apple in China, trouble seems to be the new normal.
Cybersecurity monitoring groups and security experts said on Monday that people trying to use Apple’s online data storage service, known as iCloud, were the target of a new attack that sought to steal users’ passwords and then spy on their activities.

Starting over the weekend, when many users across China tried to sign into their iCloud accounts, they may have been giving away login information to a third party, in what is called a man-in-the-middle attack.
“You think you are getting information directly from Apple, but in fact the authorities are passing information between you and Apple, and snooping on it the whole way,” said a spokesman for an independent censorship-monitoring website, GreatFire, who declined to be named because of fear of reprisal.
News of the vulnerability came just as the new iPhone 6 arrived in Chinese stores after a monthlong regulatory delay tied, in part, to concerns about the phone’s security.
Activists and security experts say they believe the attacks are backed by the Chinese government because they are hosted from servers to which only the government and state-run telecommunications companies have access, according to GreatFire. They are also similar to recent attacks on Google, Yahoo and Microsoft aimed at monitoring what information users were retrieving on the sites.
“All signs point to the Chinese government’s involvement,” said Michael Sutton, vice president for threat research at Zscaler, a San Jose, Calif., security company. “Evidence suggests this attack originated in the core backbone of the Chinese Internet and would be hard to pull off if it was not done by a central authority like the Chinese government.”
The targeting of Yahoo, Google and Apple also potentially reveals a new Chinese government effort to adapt to initiatives by Internet companies — most notably new encryption techniques — to protect user data from government spying.
“The Chinese government could no longer sniff traffic, so they intercepted that traffic between the browser and the iCloud server,” Mr. Sutton said.
Many web browsers, like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox, flashed a warning to users that a so-called encryption certificate that is supposed to identify who is on the other end of a web session should not be trusted. That indicated that users were inadvertently communicating with the attackers, rather than iCloud. In effect, the hackers stepped into the middle of the online conversation.
Mr. Sutton noted that Qihoo, a browser offered by the Qihoo 360 Technology Company that is popular with Chinese Internet users, did not flash a warning to users.
“As more sites move to encryption by default — which prevents the censorship authorities from selectively blocking access to content — the Chinese authorities will grow increasingly frustrated with their ability to censor that content,” said the GreatFire spokesman.
“In some ways their hands are being forced. They can attempt these man-in-the-middle attacks or choose to outright block access to these sites. The more sites they block, the more they cut off the Chinese populace from the global Internet,” he added.
The timing of the attack, aligned with the release of the new iPhone in China, is a potential indicator that the government is trying to harvest sign-in data from a large number of users who are switching over to the iPhone 6. The new phone comes with better encryption to protect against government snooping.
In September, Apple, based in Cupertino, Calif., said its latest operating system, iOS 8, included protections that made it impossible for the company to comply with government warrants asking for customer information like photos, emails and call history.
The change prompted the Federal Bureau of Investigation director, James B. Comey, to say in a recent speech that new encryption by Apple and others “will have very serious consequences for law enforcement and national security agencies at all levels.”
“Sophisticated criminals will come to count on these means of evading detection,” Mr. Comey said.
In August, Apple began storing data for iCloud on servers in China in a move it said was intended to enhance performance of the service there. The company said the state-owned service provider China Telecom, which owns the servers where the data is stored, did not have access to the content.
But security experts say it appears that Beijing has found a workaround, by coordinating man-in-the-middle attacks on a mass scale.
Apple on Tuesday acknowledged a network attack, but clarified that its iCloud servers were not breached. On a security webpage, it implied that man-in-the-middle attacks were being used to direct people to fake connections to iCloud.com, making their user names and passwords vulnerable to theft.
On the webpage, Apple explained how people could distinguish an authentic iCloud.com website from a fake one. Basically, users will receive warnings when the web browser detects a fake certificate or an untrusted connection. Apple advised people to heed those warnings when they appear and avoid signing in.
“Apple is deeply committed to protecting our customers’ privacy and security,” said Trudy Muller, an Apple spokeswoman. “We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously.”
Ms. Muller declined to comment on whether Apple had identified the Chinese government as the source of the attacks.
Security experts said users should not visit websites if they receive a browser warning. Mr. Sutton also advised users to turn on two-factor authentication whenever possible, a procedure in which a user is prompted to enter a second one-time password that has been texted to the user’s phone. That way, he said, even if an attacker intercepts a password, they cannot use it to log into a site without the second password.
“Users should treat this seriously,” Mr. Sutton said.