Beware the Internet of Things security black hole: using traffic to attack websites

Summary: Default passwords on devices from the digital video recorder in your living room to the security camera in your office threaten the stability of the internet, as hackers build vast networks of Internet of Things devices to bombard websites with traffic.


Default passwords on devices from the digital video recorder in your living room to the security camera in your office threaten the stability of the internet, as hackers build vast networks of Internet of Things devices to bombard websites with traffic. The attack on Dyn, a domain name service provider, that disrupted access to high-profile sites such as Twitter, Spotify and the New York Times on Friday highlighted the risks posed by the billions of devices connected to the internet with little or no cyber security protection.

Unidentified hackers took over tens of millions of devices using malicious software called Mirai, making the attack far more powerful and harder to defend against than the average distributed denial of service attack. In a rush of excitement about the prospect of controlling houses and office buildings from smartphones, changing the temperature or detecting burglars using cameras, many manufacturers with little experience of cyber security have connected their devices to the internet.

Regulators have not yet created clear rules on how these devices should be protected, and even businesses are finding that well-meaning suppliers or facilities managers have accidentally opened holes in corporate networks by adding connected devices. Michael Sutton, chief information security officer of Zscaler, a cloud security company, said Friday's attack would be a wake-up call for the hardware industry.

"Security in the hardware industry is a decade behind where it is in the software industry," he said. "Mirai was successful because so many webcams, digital video recorders, etc have been produced with default passwords that have never been changed. A simple internet scan identifies them and they can quickly be compromised."
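An added illustration of the two sides of this point, not code from the article or from Zscaler: a check that audits a device inventory for factory-default credentials, and a detector that reads a device's telnet authentication log for the scan-and-guess pattern described above (a burst of failed logins for default account names from several internet sources, then a login that succeeds). The log format, the default-credential list and the sample entries are constructed for the example.

```python
"""Default-credential exposure checks for IoT devices.

Added example, not code from the article or from any company it names.
audit_inventory() flags devices whose current login is still a factory
default; detect_credential_sweep() reads telnet auth log lines and flags the
Mirai-style pattern: a burst of failed logins for default account names from
several internet sources, plus any login that then succeeds from one of them.
"""
import re
from datetime import datetime, timedelta

# Constructed list of widely cited factory defaults (assumption). A real
# deployment would load the vendor's own defaults plus a maintained public list.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("root", "12345"),
    ("root", "xc3511"), ("root", "vizxv"), ("support", "support"),
    ("user", "user"), ("guest", "guest"), ("ubnt", "ubnt"),
}
DEFAULT_USERNAMES = {user for user, _ in KNOWN_DEFAULTS}


def is_known_default(username, password):
    return (username, password) in KNOWN_DEFAULTS


def audit_inventory(devices):
    """Return ids of devices still configured with a known default credential."""
    return [d["id"] for d in devices if is_known_default(d["user"], d["password"])]


# Hypothetical syslog format for a device's telnet daemon (constructed).
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) telnetd: login "
    r"(?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>[0-9.]+)$"
)


def parse_auth_line(line):
    match = AUTH_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_credential_sweep(lines, window=timedelta(minutes=5),
                            min_failures=4, min_sources=3):
    """Return an alert dict for the first default-credential sweep found, else None.

    One failed login is noise. Several failures for default account names,
    from several distinct sources, inside a short window is the signature of
    an internet-wide scanner. A source that fails and then logs in within the
    same window is reported as a probable compromise.
    """
    events = sorted((e for e in map(parse_auth_line, lines) if e), key=lambda e: e["ts"])
    failures = [e for e in events
                if e["result"] == "failed" and e["user"] in DEFAULT_USERNAMES]
    for i, first in enumerate(failures):
        end = first["ts"] + window
        burst = [e for e in failures[i:] if e["ts"] <= end]
        sources = {e["src"] for e in burst}
        if len(burst) >= min_failures and len(sources) >= min_sources:
            compromised = sorted({e["src"] for e in events
                                  if e["result"] == "ok" and e["src"] in sources
                                  and first["ts"] <= e["ts"] <= end})
            return {"start": first["ts"], "failures": len(burst),
                    "sources": sorted(sources), "compromised_from": compromised}
    return None


# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_DEVICES = [
    {"id": "dvr-01", "user": "root", "password": "xc3511"},
    {"id": "cam-02", "user": "admin", "password": "Kq7!vBn2pLx"},
    {"id": "cam-03", "user": "admin", "password": "admin"},
]
SAMPLE_LOG = """\
2023-03-10T11:10:02 telnetd: login failed user=root src=203.0.113.7
2023-03-10T11:10:03 telnetd: login failed user=root src=203.0.113.7
2023-03-10T11:10:04 telnetd: login failed user=admin src=198.51.100.22
2023-03-10T11:10:09 telnetd: login failed user=support src=192.0.2.45
2023-03-10T11:10:11 telnetd: login failed user=root src=192.0.2.45
2023-03-10T11:10:12 telnetd: login ok user=root src=192.0.2.45
2023-03-10T11:12:30 telnetd: login ok user=operator src=10.0.0.5
""".splitlines()

if __name__ == "__main__":
    print("still on factory defaults:", audit_inventory(SAMPLE_DEVICES))
    print("sweep:", detect_credential_sweep(SAMPLE_LOG))
```

The same `is_known_default` check is what a set-up wizard would run to refuse a password that matches the factory default, which closes the gap before a scanner ever reaches the device. The sweep detector deliberately keys on distinct sources as well as attempt count: a single administrator fat-fingering a password several times from one address does not trip it, while a handful of scanners probing the standard account names does.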

Cyber security experts have been warning about the risk of Internet of Things devices for years, staging high-profile hacks at their annual conference Def Con to show how everything from connected cars to insulin pumps could be compromised. But it has often been hard to see why a cyber criminal would target an individual's device, unless to expose the activity of a person in the public eye or to harm a political figure. This attack showed that even if a connected device is not a huge threat to its owner, it can be used maliciously to attack others.

Gartner, the research firm, forecasts there will be over 20bn connected devices in the world by 2020, with consumers spending $1,500bn on the Internet of Things and businesses spending almost as much. It predicts that more than a quarter of attacks on companies will involve connected devices by 2020, but that enterprises will spend only 10 per cent of their cyber security budgets on protecting against these types of attack. Jeremiah Grossman, chief of security strategy at SentinelOne, a Silicon Valley-based cyber security company, says more attention to the problem of insecure devices is long overdue.

Device makers should force users to change their default passwords as part of the set-up process and should issue security updates, just as they do on PCs, he said. Installing an agent that can monitor what the device is doing would have shown the very anomalous behaviour when it was recruited into a botnet, he added.
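As an added example of the monitoring agent Mr Grossman describes (not code from the article, from SentinelOne or from any vendor): learn a baseline of a device's normal outbound traffic during a clean period, then check later windows for the two behaviours a recruited bot shows, scanning many new hosts on telnet ports and flooding a single target. The flow records, the ports treated as scan ports and the alert thresholds are assumptions constructed for the example.

```python
"""Behavioural monitor for an IoT device's outbound traffic.

Added example, not the article's or any vendor's code. A minimal version of
the agent described above: learn what a device normally talks to, then flag a
window in which it starts behaving like a bot, either scanning (many new
destinations, outbound telnet) or flooding one target. Flow records are
constructed here; a real agent would take them from conntrack, NetFlow/IPFIX
or a packet capture on the device or its gateway.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {23, 2323}        # assumption: a DVR or camera never needs outbound telnet
WINDOW = timedelta(minutes=1)
EPOCH = datetime(2000, 1, 1)   # fixed reference so windows align without timezone math


def window_start(ts, window=WINDOW):
    return EPOCH + ((ts - EPOCH) // window) * window


def window_stats(flows, window=WINDOW):
    """Summarise (ts, dst_ip, dst_port, packets) flows per fixed window."""
    buckets = defaultdict(list)
    for flow in flows:
        buckets[window_start(flow[0], window)].append(flow)
    stats = {}
    for start, group in sorted(buckets.items()):
        per_dst = Counter()
        for _, dst, _, pkts in group:
            per_dst[dst] += pkts
        stats[start] = {
            "unique_dsts": len(per_dst),
            "top_dst_packets": max(per_dst.values()),
            "scan_targets": len({dst for _, dst, port, _ in group if port in SCAN_PORTS}),
        }
    return stats


def learn_baseline(flows):
    """Record the busiest normal window; anything far above it is suspicious."""
    stats = window_stats(flows)
    return {key: max(s[key] for s in stats.values())
            for key in ("unique_dsts", "top_dst_packets")}


def detect_anomalies(flows, baseline, factor=5):
    """Return one alert per window whose behaviour departs from the baseline."""
    alerts = []
    for start, s in window_stats(flows).items():
        reasons = []
        if s["unique_dsts"] > factor * baseline["unique_dsts"]:
            reasons.append(f"{s['unique_dsts']} destinations, baseline max {baseline['unique_dsts']}")
        if s["top_dst_packets"] > factor * baseline["top_dst_packets"]:
            reasons.append(f"{s['top_dst_packets']} packets to one host, baseline max {baseline['top_dst_packets']}")
        if s["scan_targets"] > 0:
            reasons.append(f"outbound telnet to {s['scan_targets']} hosts")
        if reasons:
            alerts.append({"window": start, "reasons": reasons})
    return alerts


def make_sample():
    """Constructed flows: a DVR that only talks to NTP and its cloud relay, then gets recruited."""
    t0 = datetime(2023, 3, 10, 10, 0)

    def normal(minute):
        ts = t0 + timedelta(minutes=minute)
        return [(ts + timedelta(seconds=5), "192.0.2.10", 123, 2),      # NTP
                (ts + timedelta(seconds=30), "198.51.100.5", 443, 40)]  # cloud relay

    baseline = [f for m in range(10) for f in normal(m)]
    observed = normal(10)                                   # still normal
    scan_minute = t0 + timedelta(minutes=11)                # one SYN each to 60 hosts on tcp/23
    observed += normal(11) + [(scan_minute + timedelta(seconds=i - 1), f"203.0.113.{i}", 23, 1)
                              for i in range(1, 61)]
    flood_minute = t0 + timedelta(minutes=12)               # then a flood at a single target
    observed += normal(12) + [(flood_minute + timedelta(seconds=10), "198.51.100.200", 53, 5000)]
    return baseline, observed


if __name__ == "__main__":
    base, obs = make_sample()
    for alert in detect_anomalies(obs, learn_baseline(base)):
        print(alert["window"].time(), "; ".join(alert["reasons"]))
```

The baseline must be learned while the device is known to be clean; a device that is already a bot would teach the monitor that scanning is normal. The outbound-telnet rule needs no baseline at all, since a camera or recorder has no legitimate reason to open telnet sessions to the internet, which is why it is the cheapest high-value signal an agent like this can emit.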

Regulating the industry is almost impossible, Mr Grossman added, because the companies connecting devices to the internet do not fit in any one category, stretching from makers of smart TVs to medical device manufacturers. Some regulators have taken a look at the potential threat: the US Food and Drug Administration, which oversees the manufacturers of pacemakers and other medical equipment, issued draft guidelines earlier this year on how hospitals and manufacturers should monitor devices for vulnerabilities and deploy updates. Shuman Ghosemajumder, chief technology officer at Shape Security, agreed that it is tough for regulators to solve the problem, as the security challenges keep changing when hackers develop new techniques. But he said regulators should be responsible for setting minimum expectations and norms.


"The industry as a whole needs to do a better job. There's no question that the growth of the ‘Internet of Things’ has been fuelled by the excitement around the internet connection enabling new functionality, and security has taken a back seat," he said. However, he added that potential targets such as Dyn, a domain name services provider that many major companies rely on to provide access to their sites, also need to improve their security and better protect themselves from these ever-expanding botnets.

Dyn said in a blog post on Saturday that it was watching out for further attacks and working with law enforcement agencies and others to investigate who was behind the attack. "The number and type of attacks, the duration and the scale, and the complexity of these attacks are all on the rise," said Kyle York, chief strategy officer. Mr York said that, because of the customers that relied on it, Dyn was often the first responder of the internet.

But as the internet grows larger, bringing in thermostats, lightbulbs and baby monitors, sending in the paramedics has just become even harder.