The "Chinese Deming Institute" is a learning community for Deming's philosophy, dedicated to the study, promotion and application of the System of Profound Knowledge. The purpose of this blog is to advance the ideas and ideals of W. Edwards Deming.

Sunday, September 28, 2014

Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant

Shellshock Shows the Internet Is "Walking on Thin Ice"

Security experts warn that the Shellshock vulnerability exposes the wealth of opportunities the internet has left open to cybercriminals for more than 20 years, underscoring that the most basic network infrastructure no longer meets the needs of the 21st-century internet.
The fundamental flaw, discovered on Wednesday, has been called the most serious vulnerability found in nearly a decade. By exploiting it, attackers can remotely manipulate the computer systems of government agencies, the military and businesses.
Tal Klein, vice president at Adallom, a US-based cloud security company, warned that because the whole internet is built on "a very thin layer of ice", more vulnerabilities of this kind are likely to be discovered in future.
"We have been working hard to improve the security of the internet while taking for granted that the ice beneath it is safe," he said. "Very few people proactively take the time to test the security of the foundational components. They have been in use for so long that people assume that, since they are still being used, there must be nothing wrong with them."
The threat from Shellshock can be removed by upgrading, or patching, computer systems. But that will take time, because IT teams must first work out which systems need updating, and Shellshock may be only one of many vulnerabilities in the internet's infrastructure.
Trey Ford, global security strategist at Rapid7, said the problem is that people have kept innovating on top of an infrastructure that was built for purposes different from those it serves today.
"The world wide web has just turned 25," he said. "When Sir Tim Berners-Lee invented it, I do not know whether he could have imagined the magical pocket devices of today, through which people can place a long-distance call from Tokyo, browse the internet and move money around. In 25 or 30 years we have come a very long way." Mr Ford said many companies, including Google and cybersecurity firms such as Rapid7, are working to improve some of the internet's foundations. But companies will only build security-focused products when consumers care more about security.
"In the long run, security should not be seen as a feature but as a necessary property," he said. "I worry that people will have to go through more incidents like this before they put such services and investment high on the agenda."
He added that product designers must choose between spending money on new features that make a product sell better and spending it on security improvements that nobody will notice.
Without any knowledge of how serious the problem is, it is hard for people to put security first. Legislation requiring companies to report cyber attacks varies widely by country and industry, but most of it focuses on leaks of user data rather than on other attacks aimed at taking control of computer systems or stealing intellectual property.
So far, the impact of Shellshock is hard to assess. Although the flaw has existed for more than 20 years, it is unclear whether cybercriminals had already found it. On GitHub, an online forum used mainly by software engineers, someone has posted evidence that Shellshock has already been used in a cyber attack, though when and where that attack took place is unclear.
Sophisticated state-backed cybercriminals, regarded as advanced persistent threats, could use the flaw to carry out "stealthy attacks" that penetrate deep into corporate or government computer systems.
Other attackers could use the flaw to take control of servers and home internet routers around the world and build a huge "botnet", giving them enough computing power to knock any website offline with a distributed denial-of-service (DDoS) attack.
Apple's Mac computers, which run an operating system originally based on Unix, may also be affected, especially when connected to public WiFi. Many "Internet of Things" devices, such as light bulbs and refrigerators, may be affected as well.
Chris Wysopal, chief technology officer at cybersecurity company Veracode, said the period between a vulnerability being disclosed and technology companies releasing the software updates, or patches, that fix it is "the most dangerous".
"The concern is that it is currently unclear how many devices are affected by this vulnerability," he said.
Translator: Jian Yi



Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant

Long before the commercial success of the Internet, Brian J. Fox invented one of its most widely used tools.
In 1987, Mr. Fox, then a young programmer, wrote Bash, short for Bourne-Again Shell, a free piece of software that is now built into more than 70 percent of the machines that connect to the Internet. That includes servers, computers, routers, some mobile phones and even everyday items like refrigerators and cameras.
Photo: An employee working on fixing viruses at the cybersecurity company Kaspersky Lab in Moscow. (Sergei Karpukhin/Reuters)
On Thursday, security experts warned that Bash contained a particularly alarming software bug that could be used to take control of hundreds of millions of machines around the world, potentially including Macintosh computers and smartphones that use the Android operating system.
The bug, named “Shellshock,” drew comparisons to the Heartbleed bug that was discovered in a crucial piece of software last spring.
But Shellshock could be a bigger threat. While Heartbleed could be used to do things like steal passwords from a server, Shellshock can be used to take over the entire machine. And Heartbleed went unnoticed for two years and affected an estimated 500,000 machines, but Shellshock was not discovered for 22 years.
That a flawed piece of code could go unnoticed for more than two decades could be surprising to many. But not to programmers.
Many of the commercial tools that individual users and large corporations depend upon are built on top of programs that are written and maintained by a few unpaid volunteers in what is called the open-source community. That community, along with big companies like Google, adjusts and builds new things on top of older work. The Macintosh operating system, for example, is routinely updated, but it is built on top of older programs like Unix.
Sometimes there are flaws in that code. And over the years, the flaw becomes part of all sorts of products.
Mr. Fox maintained Bash — which serves as a sort of software interpreter for different commands from a user — for five years before handing over the reins to Chet Ramey, a 49-year-old programmer who, for the last 22 years, has maintained the software as an unpaid hobby. That is, when he is not working at his day job as a senior technology architect at Case Western Reserve University in Ohio.
Mr. Ramey said in an interview on Thursday that he believed he inadvertently introduced Shellshock in a new Bash feature in 1992, though he could not be sure because back then he was not keeping comprehensive logs. Through the years, he maintained Bash by himself and occasionally bug reports would arrive in his email inbox.
On Sept. 12, he was contacted by Stephane Chazelas, another open-source enthusiast, about a potentially dangerous bug.
Mr. Chazelas discovered the flaw after finding a similar issue in another system a few months back. He tested the bug — which he called “Bashdoor”— against his own servers and looked for ways to detect and fix it.
Working with Mr. Ramey and people who work on open-source security, Mr. Chazelas had a patch within hours. Then they contacted major software makers while trying to avoid tipping off hackers.
An official alert from the National Institute of Standards and Technology warned that the vulnerability was a 10 out of 10, in terms of its severity, impact and exploitability, but low in terms of its complexity, meaning that it could be easily used by hackers.
Security researchers say that as soon as the bug was reported they detected widespread Internet scanning by so-called white hat hackers — most likely security researchers — as well as people thought to be cybercriminals. The worry is that it is only a matter of time before somebody writes a program that will use Shellshock to take them over.
Researchers noted that it would be much easier for this to happen with Internet-connected servers than with a personal Macintosh laptop, because individuals would have to connect their laptops to a public network that hackers knew they were connected to in order to exploit the vulnerability.
Apple did not return a call seeking comment.
The Department of Homeland Security’s Computer Emergency Readiness Team, US-CERT, advised users and technology administrators to refer to their Linux or Unix-based operating systems suppliers for an appropriate patch. For users at home, security experts advised them to stay abreast of software updates and check manufacturer websites, particularly for hardware like routers.
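A local check in the spirit of the US-CERT advice above, written here as an added example (it is not from either article, nor from the bash project): it tests whether the installed bash still executes a command appended to a function definition that it imports from the environment, which is the defect Shellshock exploits and which the vendor patches remove. It assumes bash is on PATH; the function reports its result as an exit status so it can be used from an inventory script.

```shell
#!/bin/sh
# Added example, not from the articles above. Checks whether the local bash
# still runs code placed after a function definition imported from the
# environment (the Shellshock defect). Assumes bash is on PATH.
#
# Exit status of shellshock_check: 0 = patched, 1 = still vulnerable, 2 = no bash.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # The environment value is a harmless function definition followed by an
    # extra command. A patched bash imports (or ignores) the function and never
    # runs the trailing "echo vulnerable"; an unpatched bash prints that word.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Human-readable wrapper for running the script directly.
report() {
    rc=0
    shellshock_check || rc=$?
    case "$rc" in
        0) echo "bash: patched (trailing command was not executed)" ;;
        1) echo "bash: VULNERABLE, install your vendor's bash update" ;;
        2) echo "bash: not installed, nothing to check" ;;
    esac
    return "$rc"
}

report
```

The same function can be run over a fleet with ssh to build the inventory of systems that still need the update.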
Even as some question the open-source community, its biggest advocates say the bug’s discovery — even after 22 years — at least proves that programmers never stop trying to get things right.
In an interview Thursday, Mr. Fox, the Bash inventor, joked that his first reaction to the Shellshock discovery was, “Aha, my plan worked.”
After the Heartbleed bug was discovered last spring, the nonprofit Linux Foundation worked with major technology companies like Amazon, Apple and Google on the Core Infrastructure Initiative, an effort to identify and fund core pieces of open-source infrastructure. Contacted Thursday, Jim Zemlin, the executive director of the Linux Foundation, said the initiative was contacting Mr. Ramey to see how it could help.
“I don’t think this is an open-source problem,” Mr. Zemlin said. “Software is eating the world. The bad news is software is hard and complex.”
The mantra of open source was perhaps best articulated by Eric J. Raymond, one of the elders of the open-source movement, who wrote in 1997 that “given enough eyeballs, all bugs are shallow.” But, in this case, Steven M. Bellovin, a computer science professor at Columbia University, said, those eyeballs are more consumed with new features than quality. “Quality takes work, design, review and testing and those are not nearly as much fun as coding,” Mr. Bellovin said. “If the open-source community does not develop those skills, it’s going to fall further behind in the quality race.”

