

Updated: 2014-8-1 11:41:59 Source: 纽约时报中文网 (The New York Times Chinese edition) Author: anonymous

Checking In From Home Leaves Entry for Hackers

SAN FRANCISCO — The same tools that help millions of Americans work from home are being exploited by cybercriminals to break into the computer networks of retailers like Target and Neiman Marcus.

SAN FRANCISCO: The same tools that help millions of Americans work from home are being exploited by cybercriminals and have become the means of breaking into the computer networks of retailers such as Target and Neiman Marcus.

The Homeland Security Department, in a new report, warns that hackers are scanning corporate systems for remote access software — made by companies like Apple, Google and Microsoft — that allows outside contractors and employees to tap into computer networks over an Internet connection.


When the hackers discover such software, they deploy high-speed programs that guess login credentials until they hit the right one, offering a hard-to-detect entry point into computer systems.


The report, which Homeland Security produced with the Secret Service, the National Cybersecurity and Communications Integration Center, Trustwave SpiderLabs, an online security firm based in Chicago, and other industry partners, is expected to be released on Thursday. It provides insight into what retailers are up against as hackers find ways into computer networks without tripping security systems.

The report was produced by the Department of Homeland Security together with other bodies, including the Secret Service, the National Cybersecurity and Communications Integration Center, the Chicago-based online security firm Trustwave SpiderLabs and other industry partners, and is expected to be released on Thursday. It offers insight into the challenge retailers face as hackers look for ways into computer networks that do not trigger security-system alerts.

It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.


“As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust,” said Vincent Berq of FlowTraq, a network security firm.

“As we begin to make software and systems more secure, the weakest link in the information chain is the people sitting at the user end: they type in weak passwords and they click on emails sent by contacts they trust,” said Vincent Berq of the network security firm FlowTraq.

While the report does not identify the victims of these attacks, citing a policy of not commenting on current investigations, two people with knowledge of these investigations say that more than a dozen retailers have been hit. They include Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and as recently as this month, Goodwill Industries International, the nonprofit agency that operates thrift stores around the country.

Although the report, citing a policy of not commenting on current investigations, does not name the victims of the attacks, two people familiar with the investigations said that more than a dozen retailers had been hit, including Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply and, as recently as this month, Goodwill Industries International, a nonprofit that operates thrift stores across the United States.

Once inside the network, the hackers deploy malicious software called Backoff that is devised to steal payment card data off the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.


In each case, criminals used computer connections that would normally be trusted to gain their initial foothold. In the Target breach, for example, hackers zeroed in on the remote access granted through the retailer’s computerized heating and cooling software, the two people with knowledge of the inquiry said.


In an interview, Brad Maiorino, recently hired as Target’s chief information security officer, said a top priority was what he called “attack surface reduction.”

In an interview, Brad Maiorino, recently hired as Target’s chief information security officer, said the top priority was what he called “attack surface reduction.”

“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Mr. Maiorino said. “You have to simplify and consolidate those as much as possible.”


The Secret Service first discovered the Backoff malware (named for a word in its code) in October 2013. In the last few weeks, the agency said that it had come across the malware in three separate investigations. Most troubling, the agency said that even fully updated antivirus systems were failing to catch it.


Low detection rates meant that “fully updated antivirus engines on fully patched computers could not identify the malware as malicious,” the report concluded.


Backoff and its variants all perform four functions. First, they scrape the memory of in-store payment systems for credit and debit card “track” data, which can include an account number, expiration dates and personal identification numbers, or PINs.


The malware logs keystrokes, as when a customer manually enters her PIN, and communicates back to the attackers’ computers so they can remove payment data, update the malware or delete it to escape detection.


The hackers also install a so-called backdoor into in-store payment machines, ensuring a foothold even if the machines crash or are reset. And they continue to tweak the malware to add functions and make it less detectable to security researchers.


Security experts say antivirus software alone will not prevent these attacks. They recommend companies take what is called a “defense in depth” approach, layering different technologies and empowering security professionals to monitor systems for unusual behavior.


Among the report’s recommendations: Companies should limit the number of people with access to their systems; require long, complex passwords that cannot be easily cracked; and lock accounts after repeated login requests.
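As an added example that is not code from the report or the article, the lockout recommendation above applied to the credential-guessing pattern described earlier: a small Python detector replays remote-access authentication log lines, locks an account once it accumulates five failures within five minutes, and flags the source address doing the guessing. The log format, thresholds, account names and addresses are constructed assumptions.

```python
"""Account lockout and brute-force flagging over remote-access auth logs.
Added example; log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample: a guessing run whose 6th try is right, then a normal login.
SAMPLE_LOG = """\
2014-07-30T02:00:01 FAIL user=hvac_vendor src=203.0.113.7
2014-07-30T02:00:02 FAIL user=hvac_vendor src=203.0.113.7
2014-07-30T02:00:03 FAIL user=hvac_vendor src=203.0.113.7
2014-07-30T02:00:04 FAIL user=hvac_vendor src=203.0.113.7
2014-07-30T02:00:05 FAIL user=hvac_vendor src=203.0.113.7
2014-07-30T02:00:06 OK user=hvac_vendor src=203.0.113.7
2014-07-30T08:15:00 FAIL user=alice src=198.51.100.20
2014-07-30T08:15:20 OK user=alice src=198.51.100.20
"""

def detect_bruteforce(lines, max_failures=5, window=timedelta(minutes=5)):
    """Replay auth events; return (locked, noisy_sources, blocked_events).
    An account that reaches max_failures inside `window` is locked, and every
    later attempt on it, right password or not, lands in blocked_events."""
    fails_by_user = defaultdict(deque)  # user -> recent failure timestamps
    fails_by_src = defaultdict(deque)   # src  -> recent failure timestamps
    locked, noisy, blocked = {}, set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # skip lines in another format
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        if user in locked:
            blocked.append((ts, user, src, result))
            continue
        if result == "OK":
            fails_by_user[user].clear() # a genuine login resets the count
            continue
        for key, table in ((user, fails_by_user), (src, fails_by_src)):
            q = table[key]
            q.append(ts)
            while ts - q[0] > window:   # drop failures outside the window
                q.popleft()
        if len(fails_by_user[user]) >= max_failures:
            locked[user] = ts
        if len(fails_by_src[src]) >= max_failures:
            noisy.add(src)              # one source, many failed guesses
    return locked, noisy, blocked
```

With the sample, the account is locked on the fifth failure, so the sixth attempt is refused even though it carries the right password; the ordinary user with a single typo is never locked.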


The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two-factor authentication” — a process by which employees must enter a second, one-time password in addition to their usual credentials — the status quo.