
New hacking tool threatens Wi-Fi users' security


Below is "New hacking tool threatens Wi-Fi users' security", compiled by this site's editor for readers' reference.


You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents’ basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online.

You may once have thought that only government intelligence agents, or a young hacker hiding in his parents' basement, could snoop on your Internet activity. But some simple software lets anyone sitting next to you in a small coffee shop see the pages you browse and even obtain your login credentials.

“Like it or not, we are now living in a cyberpunk novel,” said Darren Kitchen, a systems administrator for an aerospace company in Richmond, Calif., and the host of Hak5, a video podcast about computer hacking and security. “When people find out how trivial and easy it is to see and even modify what you do online, they are shocked.”

Darren Kitchen is a systems administrator at an aerospace company in Richmond, California, and also the host of Hak5, a video podcast site about computer hacking and information security. He said: "Like it or not, we are now living in a cyberpunk novel. When people discover how easily their online activity can be hacked, they are dumbfounded."

Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.

Not long ago, monitoring what your laptop or smartphone did on the Internet through a Wi-Fi hotspot was something only a capable and determined hacker, spending a lot of time and using sophisticated tools, could manage. But a free program called Firesheep, released last October, made monitoring unencrypted Wi-Fi networks trivially easy: with it, people can watch other users' online activity and even log in to the site accounts those users visited.

Without issuing any warnings of the possible threat, Web site administrators have since been scrambling to provide added protections.

Without issuing any warning about the potential security threat, Web site administrators have since been scrambling to provide additional protections.

“I released Firesheep to show that a core and widespread issue in Web site security is being ignored,” said Eric Butler, a freelance software developer in Seattle who created the program. “It points out the lack of end-to-end encryption.”

Firesheep's author, Eric Butler, a freelance software developer in Seattle, said: "I released Firesheep to let everyone know that a widespread core problem in Web site security has long been ignored, namely end-to-end encryption."

What he means is that while the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie, a bit of code that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.

When you first enter your login password on sites such as Facebook, Twitter, Flickr, Amazon, eBay and The New York Times, the information is encrypted end to end. But when a cookie is used to log you in, it is often not encrypted. A cookie is the name for a piece of code that records your login information, your personal settings on the site and certain private information. Firesheep grabs these cookies, which lets any curious or ill-intentioned user simply become you and log in to your account on the site.
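As an added example, not from the article or from Firesheep, the following Python audit looks at the weakness just described from the site operator's side: it parses a server's Set-Cookie headers, reports session cookies that lack the Secure attribute (the browser will send those over plain http, where a listener on an open Wi-Fi network can read them), and checks for the Strict-Transport-Security header that keeps a browser on https for the whole session, the protection the article goes on to recommend. The sample headers and cookie names are constructed, and the name heuristic for spotting session cookies is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample response headers (not captured from any real site); the
# cookie names and values are made up for this example.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=8f3a9c1d; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=q1w2e3; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Content-Type", "text/html"),
]

# Heuristic for cookie names that usually carry the login session (an assumption).
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)

@dataclass
class CookieFinding:
    name: str
    secure: bool        # Secure attribute: the browser sends it over https only
    http_only: bool     # HttpOnly attribute: page scripts cannot read it
    looks_like_session: bool

    @property
    def exposed(self) -> bool:
        # Without Secure, the browser attaches the cookie to plain http:// requests
        # as well, where anyone listening on an open Wi-Fi network can read it; for
        # a session cookie that lets the listener act as the logged-in user.
        return self.looks_like_session and not self.secure

def parse_set_cookie(value: str) -> CookieFinding:
    """Split one Set-Cookie value into the cookie name and its attribute flags."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs,
                         bool(SESSION_NAME_HINT.search(name)))

def audit_headers(headers):
    """Return (cookie findings, HSTS present). Strict-Transport-Security tells the
    browser never to use plain http for the site again, which closes the window
    in which a cookie lacking Secure could still be sent in the clear."""
    findings = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    return findings, hsts

def exposed_session_cookies(headers):
    """Names of session cookies that would travel over plain http."""
    return [f.name for f in audit_headers(headers)[0] if f.exposed]
```

Run against the constructed headers, `exposed_session_cookies` flags only `sessionid`: `csrftoken` carries Secure and `theme` is not a session cookie, and the missing HSTS header shows the site still leaves the browser free to fall back to http.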

More than a million people have downloaded the program in the last three months (including this reporter, who is not exactly a computer genius). And it is easy to use.

More than a million people have downloaded the program in the past three months (including this reporter, who is not exactly a computer expert). It really is easy to use.

The only sites that are safe from snoopers are those that employ the cryptographic protocol Transport Layer Security or its predecessor, Secure Sockets Layer, throughout your session. PayPal and many banks do this, but a startling number of sites that people trust to safeguard their privacy do not. You know you are shielded from prying eyes if a little lock appears in the corner of your browser or the Web address starts with “https” rather than “http”.

The only safe sites are those that use the Transport Layer Security protocol, or its predecessor SSL, throughout the whole session. PayPal and many banks are set up this way, but a startling number of sites that people have always trusted to protect their private information are not. Only when a small lock icon appears in the corner of your browser, or the address you are visiting starts with “https” rather than “http”, are you out of reach of prying eyes.

“The usual reason Web sites give for not encrypting all communication is that it will slow down the site and would be a huge engineering expense,” said Chris Palmer, technology director at the Electronic Frontier Foundation, an electronic rights advocacy group based in San Francisco. “Yes, there are operational hurdles, but they are solvable.”

The Electronic Frontier Foundation is a digital rights advocacy group headquartered in San Francisco. Its technology director, Chris Palmer, said: "The usual reason Web sites give for not encrypting all communication is that it would slow the site down and be a huge engineering expense. There are indeed some operational hurdles to encrypting everything, but they are all solvable."

Indeed, Gmail made end-to-end encryption its default mode in January 2010. Facebook began to offer the same protection as an opt-in security feature last month, though it is so far available only to a small percentage of users and has limitations. For example, it doesn’t work with many third-party applications.

In fact, Gmail has made end-to-end encryption part of its default mode since January 2010. Last month Facebook also began offering the same protection to users as an opt-in security feature, but so far it is limited to a small share of users. For example, it does not work with many third-party applications.

“It’s worth noting that Facebook took this step, but it’s too early to congratulate them,” said Mr. Butler, who is frustrated that “https” is not the site’s default setting. “Most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.”

"It is worth noting that Facebook has taken this step, but it is too early to congratulate them. Most people will not know about this protection, or will not think it is important, or will not use it once they find that it disables most third-party applications," Mr. Butler said. He still regrets that "https" access is not the site's default setting.

Joe Sullivan, chief security officer at Facebook, said the company was engaged in a “deliberative rollout process,” to assess and address any unforeseen difficulties. “We hope to have it available for all users in the next several weeks,” he said, adding that the company was also working to address problems with third-party applications and to make “https” the default setting.

Joe Sullivan, Facebook's chief security officer, said the company was undertaking a "deliberative rollout process" to find and overcome any potential difficulties. "We hope to make this security measure available to all users within a few weeks," he said, adding that the company was also working to resolve the security problems with third-party applications and to push for "https" to become the default setting.

Many Web sites offer some support for encryption via “https,” but they make it difficult to use. To address these problems, the Electronic Frontier Foundation in collaboration with the Tor Project, another group concerned with Internet privacy, released in June an add-on to the browser Firefox, called Https Everywhere. The extension, which can be downloaded at , makes “https” the stubbornly unchangeable default on all sites that support it.

Many Web sites offer encryption via "https", but it is not convenient to use. To solve this problem, the Electronic Frontier Foundation, together with the Tor Project (another group concerned with Internet privacy), released last June a Firefox browser add-on called Https Everywhere. The add-on (which can be downloaded at ) forces "https" access on every site that supports it.

Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”

Since not all Web sites can support "https" access, Bill Pennington, chief strategy officer at WhiteHat Security (a Web risk management firm in Santa Clara, California), warns the public: "If you are going to do anything involving sensitive data, don't do it over Wi-Fi; do it when you get home."

But home wireless networks may not be all that safe either, because of free and widely available Wi-Fi cracking programs like Gerix WiFi Cracker, Aircrack-ng and Wifite. The programs work by faking legitimate user activity to collect a series of so-called weak keys or clues to the password. The process is wholly automated, said Mr. Kitchen at Hak5, allowing even techno-ignoramuses to recover a wireless router’s password in a matter of seconds. “I’ve yet to find a WEP-protected network not susceptible to this kind of attack,” Mr. Kitchen said.

But a home wireless network is not necessarily safe either, because free Wi-Fi cracking programs such as Gerix WiFi Cracker, Aircrack-ng and Wifite are in wide use. Such software imitates legitimate user activity to collect a series of so-called weak keys, or clues that may reveal the user's password. The process is entirely automated, Mr. Kitchen of Hak5 said, so that even a technical novice can obtain a wireless router's password within seconds. He added: "I have yet to find a WEP-protected network that is immune to this kind of attack."

A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.

A WEP (Wired Equivalent Privacy) password is not as strong as a WPA (Wi-Fi Protected Access) password, so using a WPA password is the better choice. Even so, hackers can still use the same software to obtain the password of a WPA-protected network. It just takes much longer (think weeks) and, of course, more computer expertise.

Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away. There are also some computerized cracking devices with built-in antennas on the market, like WifiRobin ($156). But experts said they were not as fast or effective as the latest free cracking programs, because the devices worked only on WEP-protected networks.

Using these programs together with high-powered Wi-Fi antennas costing less than $90, hackers can pick up home wireless network signals from two to three miles away. There are also cracking devices with built-in antennas on the market, such as WifiRobin, priced at $156. But experts say these devices are not as fast or effective as the latest free cracking programs, since they work only on WEP-protected networks.

To protect yourself, changing the Service Set Identifier or SSID of your wireless network from the default name of your router (like Linksys or Netgear) to something less predictable helps, as does choosing a lengthy and complicated alphanumeric password.

To protect yourself, it is best to change your wireless network's Service Set Identifier (SSID) from the router's default name (such as Linksys or Netgear) to something less predictable, just as you would choose a long, complex alphanumeric password.

Setting up a virtual private network, or V.P.N., which encrypts all communications you transmit wirelessly whether on your home network or at a hot spot, is even more secure. The data looks like gibberish to a snooper as it travels from your computer to a secure server before it is blasted onto the Internet.

Setting up a virtual private network encrypts all the information you send and receive, whether you are on your home wireless network or at a Wi-Fi hotspot, and is more secure still. Data leaving your computer first passes through a secure server before it travels onto the Internet, so to a sniffing program the encrypted data looks like gibberish.

Popular V.P.N. providers include Vyper, HotSpot and LogMeIn Hamachi. Some are free; others are as much as $18 a month, depending on how much data is encrypted. Free versions tend to encrypt only Web activity and not e-mail exchanges.

Popular providers include Vyper, HotSpot and LogMeIn Hamachi. Some are free; others charge according to how much data is encrypted (for example, $18 a month). The free versions usually encrypt only Web activity, not e-mail.

However, Mr. Palmer at the Electronic Frontier Foundation blames poorly designed Web sites, not vulnerable Wi-Fi connections, for security lapses. “Many popular sites were not designed for security from the beginning, and now we are suffering the consequences,” he said. “People need to demand ‘https’ so Web sites will do the painful integration work that needs to be done.”

But Mr. Palmer of the Electronic Frontier Foundation attributes the security lapses more to poorly designed Web sites than to the vulnerability of the Wi-Fi connection itself. He said: "Many popular sites gave too little thought to security when they were designed, and now they are reaping the consequences. People must demand 'https', so that Web sites are forced to do the painful work of fulfilling their obligations."