Thursday, 10 April 2014

Chaos in the online world

Posted at 8:19 AM by kenman man

"Could this cause chaos across the whole net?" After revising my question several times, I clicked "Send".
A moment later, a reply popped up in the chat window: "It's already chaos."
Then, a long silence.
Clearly the top-tier white hat on the other end (a hacker who uses their skills with good intent) no longer had time for me. On this sleepless night, they had far too much else to do.


8 April 2014 will go down in the history of the internet.

Two big things happened in the online world that day: first, Microsoft formally ended support for Windows XP; second, a serious vulnerability in OpenSSL was disclosed.
Most ordinary people cared more about the first, because it touched them directly.
In fact, the second was the real event.
How many websites the vulnerability affects is still being assessed, but looking around, the sites we use every day, Alipay, Taobao, WeChat public accounts, YY Voice, Momo, Yahoo Mail, online banking, the portals and many others, almost all had problems.
Abroad, the sites hit are too many to count; even NASA (the US National Aeronautics and Space Administration) has announced that a user database was leaked.

The hackers who disclosed the vulnerability named it "Heartbleed", a bleeding heart: the most lethal kind of internal injury.

It is a fitting description.
In technical terms, OpenSSL is not itself a protocol but an open-source library that implements the SSL/TLS protocols, which provide confidentiality and integrity for network communications; it is what gives countless applications their strong encryption.
In other words, OpenSSL is a general-purpose, cross-platform security toolkit, and because it is free, open source and portable, it is embedded in an enormous range of network software.
But now OpenSSL itself has a vulnerability, and a very severe one. By exploiting it, an attacker can read chunks of a server's memory, which can contain users' session cookies and even plaintext usernames and passwords.

What is it like? You are fighting with your back to the city wall and, suddenly, the wall collapses.

And so a frantic race began.
Websites issued emergency alerts and rushed to patch and upgrade; security companies and white hats were busy testing the vulnerability's reach and working out its implications; and a far larger crowd of black hats seized the moment to party:
those with skills dug into the vulnerability and used it as a weapon against sites they had long failed to break; the script kiddies, like stragglers at the edge of a battlefield, used it to loot wherever they could.

It was a sleepless night, except for the great mass of internet users who still had no idea.

Faced with the crisis, sites took different approaches: some urgently upgraded OpenSSL; some suspended service; some kept running but switched off SSL encryption; and some, of course, slept through it...
Let us hope they can keep that relaxed mood when they wake up.
As far as the vulnerability itself goes, what the attackers are fighting for now is time; once the major sites have patched, and replaced the private keys and certificates that may already have been read, this wave of the earthquake can be considered over and people will go back to normal, shopping and playing online as before.
It is worth noting, though, that because OpenSSL is so widely deployed, the risk does not end at the visible layer of websites: it is also embedded in all kinds of clients, VPNs, WAFs and other products, where the exposure is harder to see and will persist for some time. A vulnerable client can be bled just as a server can, by any malicious server it connects to.
For the internet industry as a whole, the larger significance of this event is that it forces everyone to stop and reflect:
when everything we assumed was secure suddenly turns out not to be, how do we keep this virtual world alive and stable?
If the event can change the climate, and give China's long-neglected, under-funded and chronically weak network security industry a new lease of life, then perhaps it is a blessing in disguise.


Internet users told to change ALL passwords in security alert over 'catastrophic' Heartbleed bug

  • The online security flaw is described as 'catastrophic'
  • The alert follows the discovery of the Heartbleed bug in OpenSSL
  • Heartbleed lets an attacker read a vulnerable server's memory, which can contain passwords and personal information

Internet users have been warned to change all their computer and phone passwords following what could be a ‘catastrophic’ security breach.

Major technology firms have urged the public to immediately update their online security.

The alert is the result of the discovery of an internet bug called ‘Heartbleed’, a flaw in widely used encryption software that lets attackers read data the software was supposed to protect.
LastPass Heartbleed Checker warns if a website may be at risk. It also reveals websites that aren't affected

HOW TO BEAT THE BUG

If a password is in any dictionary in any language then it will take just three minutes to crack, warned computer expert Tony McDowell.

The worst passwords are the likes of ‘password’, ‘123456’, ‘qwerty’, or your child’s name. Using the same password for every site can leave you even more vulnerable to hackers, he added.
His advice is to use a phrase rather than a word. For example, use ‘nameisabella’ rather than just ‘Isabella’ – and use a mixture of letters and numbers.

A password of ‘name!saBe1la’ would take a year to crack, said Mr McDowell, managing director of Encription Ltd.

‘Most hackers give up after 24 hours unless it is something they really want to gain access to,’ he added.

WHICH MAJOR SITES ARE AT RISK?

Potentially vulnerable sites:

Facebook, Twitter, Tumblr, Instagram, Google, Gmail, Lloyds TSB, Nationwide, Santander

Safe sites:

Bing, Yahoo, Flickr, LastPass, DuckDuckGo, Natwest, GitHub

The tool is a guide to affected services; it is not a definitive list.

Sites listed as vulnerable may run servers whose software version is not reported, so their status cannot be verified from outside.
Where a site was vulnerable, personal information such as passwords and credit card details could have been read from its servers.

Heartbleed, so called because it lives in the ‘heartbeat’ extension of the encryption protocol and ‘bleeds’ memory out of the server, is a flaw in OpenSSL, the software used by a large share of websites to keep data secure.

The programme works by encrypting data – such as emails, instant messages, bank details or passwords – so that anyone intercepting it sees only unreadable ciphertext.

When a connection is secure and information encrypted, the user sees a padlock in the browser. While such a connection is open, one computer may send a ‘heartbeat’ – a small packet of data – to check that the other end is still there; the receiver is meant to echo the packet’s payload back.

However, a flaw in the programming meant the receiving computer trusted the payload length stated inside the heartbeat instead of the amount of data it had actually received. An attacker could send a heartbeat claiming a payload of up to 64 kilobytes while sending almost nothing, and the server would reply with that many bytes of whatever happened to be in its memory: users’ passwords, session cookies and potentially the server’s own private key. With that key an attacker can impersonate the website, and decrypt recorded traffic if the connection did not use forward secrecy.
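The mechanism in the paragraph above, as an added example that is not code from this page or from OpenSSL: a small C model of a heartbeat handler before and after the fix. The flat `struct conn` arena, the 32-byte gap between the record and the secret, the zero padding and the secret string itself are all constructed for illustration; the two length checks in the patched handler mirror the ones the real fix added (the message must fit inside the record that was actually received).

```c
/* Added example (not OpenSSL's code): a model of the TLS heartbeat handler
 * with and without the bounds check. All structures, names and the
 * "secret" are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                 /* heartbeat messages end with >= 16 bytes of padding */
#define ARENA_SIZE   (3 + 0xFFFF)       /* large enough that any 16-bit length stays in the model */

/* One connection's memory as a flat arena: the received record at the start,
 * followed by whatever else the process happens to hold (here a constructed secret). */
struct conn {
    uint8_t arena[ARENA_SIZE];
    size_t  rrec_length;                /* bytes actually received in this record */
};

static struct conn g_conn;              /* static: 64 KiB is too large for a stack frame */
static uint8_t     g_resp[3 + 0xFFFF + HB_PADDING];   /* response message buffer */

/* Lay out a heartbeat request whose length field claims `claimed` bytes but whose
 * real payload is `payload`, and put `secret` 32 bytes past the end of the record,
 * standing in for adjacent heap data such as key material or another user's request. */
static void build_conn(struct conn *c, uint16_t claimed, const char *payload, const char *secret)
{
    size_t n = strlen(payload);
    memset(c->arena, 0, sizeof c->arena);
    c->arena[0] = HB_REQUEST;
    c->arena[1] = (uint8_t)(claimed >> 8);     /* 16-bit big-endian payload_length */
    c->arena[2] = (uint8_t)(claimed & 0xFF);
    memcpy(&c->arena[3], payload, n);
    c->rrec_length = 1 + 2 + n + HB_PADDING;   /* padding bytes are the zeros from memset */
    memcpy(&c->arena[c->rrec_length + 32], secret, strlen(secret) + 1);
}

/* Pre-fix behaviour: trust the peer's length field and copy that many bytes. */
static int heartbeat_vulnerable(const struct conn *c, uint8_t *out)
{
    const uint8_t *p = c->arena;
    uint16_t payload;
    if (p[0] != HB_REQUEST) return -1;
    payload = (uint16_t)((p[1] << 8) | p[2]);
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xFF);
    memcpy(&out[3], &p[3], payload);           /* reads past the record into neighbouring memory */
    memset(&out[3 + payload], 0, HB_PADDING);  /* OpenSSL uses random padding; zeros here */
    return 3 + payload + HB_PADDING;
}

/* Post-fix behaviour: the claimed length must fit inside what was actually received. */
static int heartbeat_patched(const struct conn *c, uint8_t *out)
{
    const uint8_t *p = c->arena;
    uint16_t payload;
    if (c->rrec_length < 1 + 2 + HB_PADDING) return -1;               /* too short for header + padding */
    if (p[0] != HB_REQUEST) return -1;
    payload = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > c->rrec_length) return -1;  /* silently discard */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xFF);
    memcpy(&out[3], &p[3], payload);
    memset(&out[3 + payload], 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the first n bytes of `hay` contain `needle`? (portable stand-in for memmem) */
static int contains(const uint8_t *hay, int n, const char *needle)
{
    size_t m = strlen(needle), i;
    if (n < 0 || (size_t)n < m) return 0;
    for (i = 0; i + m <= (size_t)n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

static const char SECRET[] = "constructed-private-key-bytes";   /* constructed, not a real key */

/* Scenario 1: claim 16 KiB, send 5 bytes; the old handler hands back the secret. */
int vulnerable_leaks_secret(void)
{
    build_conn(&g_conn, 0x4000, "hello", SECRET);
    int n = heartbeat_vulnerable(&g_conn, g_resp);
    return n == 3 + 0x4000 + HB_PADDING && contains(g_resp, n, SECRET);
}

/* Scenario 2: the same request is dropped by the patched handler. */
int patched_drops_oversized(void)
{
    build_conn(&g_conn, 0x4000, "hello", SECRET);
    return heartbeat_patched(&g_conn, g_resp) == -1;
}

/* Scenario 3: an honest request is echoed exactly, with nothing extra. */
int patched_echoes_honest(void)
{
    build_conn(&g_conn, 5, "hello", SECRET);
    int n = heartbeat_patched(&g_conn, g_resp);
    return n == 3 + 5 + HB_PADDING && memcmp(&g_resp[3], "hello", 5) == 0
        && !contains(g_resp, n, SECRET);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("patched drops oversized: %d\n", patched_drops_oversized());
    printf("patched echoes honest:   %d\n", patched_echoes_honest());
    return 0;
}
```

The model keeps everything inside one array so the over-read is well defined and can be inspected; in a real process the same `memcpy` walks into whatever the allocator placed after the record, which is why the content of a leak varies from request to request and why a single bleed can miss the key while a few thousand find it.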
The bug was found independently by Neel Mehta, a Google security researcher, and a small Finnish security firm named Codenomicon, and was disclosed on Monday 7 April 2014.

Many companies have installed a ‘patch’ to fix the flaw, but many are still vulnerable because each service provider must install the update itself. Because a server’s private key may already have been read, a patched site also needs a new key and certificate, and should expire the sessions that were open while it was exposed.

Furthermore, it is not known whether hackers used it before the bug came to light – it went undetected for two years – because exploiting it leaves no trace in a server’s normal logs.

WHAT IS OPENSSL?

OpenSSL is open-source software that is widely used to encrypt web communications.

It is used to protect websites, instant messaging, email servers and other communications.

It is also used to protect credit card details on select services.
Research by analytics firm Netcraft found almost 500,000 websites could be affected.
One of the worst affected sites was Yahoo!, which posted a warning on its blogging site Tumblr saying: ‘The little lock icon we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible.’

A spokesman for Codenomicon said: ‘If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested.

‘In that sense it’s a good idea to change the passwords on all the updated web portals.’

However, researcher Mark Schloesser said changing a password on websites that have not fixed the bug could reveal ‘both the old and new passwords’ to an attacker.
 
When contacted by the Mail last night, Britain’s major banks would not comment on whether passwords should be changed.

HSBC said they were ‘monitoring’ the situation and a Lloyds spokesman said they would not comment on security issues.

HOW DANGEROUS IS IT?


The 'Heartbleed' bug puts encrypted communications at risk

The Heartbleed bug lets anyone on the web read the memory of the systems protected by vulnerable versions of the OpenSSL software.

It compromises secret keys used to identify the service providers and to encrypt web traffic.

This includes the names and passwords of the users and the actual content, such as credit card numbers.

Attackers can 'eavesdrop' on communications, steal data directly from the servers, and use the information to impersonate services and users on other sites or platforms.

James Lyne, global head of research at security firm Sophos told MailOnline: 'This fault undermines the fundamental trust on the internet for anyone running the vulnerable software and it is widely integrated into the technology we all use every day.

'While the fault has now been fixed, providers must apply it manually, so many still are vulnerable.

'Worse still, the defect was in the code for over two years before being discovered by security researchers - attackers could have discovered this at any time during that period and retrieved large volumes of data without anyone knowing.

'At this point the best thing for consumers to do is to assume their passwords and the like have been leaked. They may not have been, but since it's very hard to actually tell retrospectively, it is better to be safe than sorry.

'As providers rush to patch [the flaw], consumers should apply typical IT security best practice: ensure you change passwords - once you know the issue has been fixed by your provider; update your computers; and don't use the same password across multiple sites or services.

'This is not the first defect of its kind and it certainly won't be the last, but it is one of the more serious faults we've seen in recent Internet history.'
