Another hack, another late disclosure

Dan Mitchell 2011-06-13
Citigroup has just reported a hacking incident that happened more than a month ago. It is time for big companies to be open about their system security problems.

First 4 digits of a credit card

Image from Wikipedia


    Given the number of recent, high-profile network security breaches, it might be tempting to call 2011 the Year of the Hack. The danger is that there's a good chance 2012 might be even worse.

    The underlying reason for this is the "lax security posture of many large-scale global companies," the malware expert Tim Armstrong told Security News Daily. It has, he added, "now become almost trivial for a motivated group or individual to find a way in."

    The latest known hack, which occurred more than a month ago, was announced this morning: Citigroup (C) said information for about 210,000 customers, or 1% of its credit-card holders in North America, was stolen. The information included card numbers and contact information including email addresses. The bank said other data, such as Social Security numbers, birth date, expiration dates and card verification numbers were not compromised.

    In what is becoming a disturbingly familiar pattern, Citi decided not to issue any warnings about the breach when it occurred, or for several weeks following. In fact, it might still be mum if the Financial Times had not broken the story late last night, prompting Citi to confirm it. The company issued a statement to the media, but as of Thursday afternoon, there is no obvious mention on Citigroup's website of the attack, including on its press-release page.

    Likewise, Sony (SNY) decided to wait a week to inform its customers in April when its PlayStation Network was breached, reportedly by the "hacktivist" group Anonymous. Earlier this week, RSA Security, a division of EMC (EMC), offered to replace millions of customer SecurID tokens after it became known that a hack into its system back in March exposed its customer, Lockheed Martin (LMT), to a security breach.

    Lawmakers are becoming frustrated. U.S. Sen. Patrick Leahy (D-Vt.) this week introduced the Personal Data Privacy and Security Act, which would make it a crime for companies to conceal data breaches, and would create a national standard for reporting hacks, replacing the many disparate state laws now in place.

    It's hard to cite any particular reason why there have been so many high-profile hacks recently. Partly, it could be that in the endless cat-and-mouse game between hackers and security teams, the hackers have jumped ahead.

    But it's also no doubt partly trendmongering. The Citi hackers are apparently pure criminals, motivated by financial gain. Many of the other recent hacks are so-called "grey-hat" attacks. That is, they're done for publicity, for thrills, just to show off, or to reveal how bad an organization's computer security is. Often they're ostensibly done in support of a cause, as when LulzSec claimed it hacked PBS's Web servers to protest Frontline's coverage of the Bradley Manning/Wikileaks case. That group is apparently responsible for several other recent hacks as well, including on Fox News and Sony.

    LulzSec has claimed credit for several hacks on Sony's systems in the wake of the PlayStation breach. The latest came just this morning, when the group reportedly claimed to have lifted 54 megabytes of source code from the Sony Developer Network, along with maps of Sony BMG's internal network. The data was posted to Pirate Bay, the Bittorrent tracker site.

    The PlayStation hack likely motivated the subsequent attacks – the company's systems clearly are woefully insecure, making them a tempting target.

    Whatever the motivations, though, it seems clear that organizations, private companies and governments alike, are going to have to invest more in security, and they are going to have to start being more forthcoming when their systems are breached.
