Even Away From the Internet, It Is Hard to Escape Hackers

It took the hackers less than two hours to take over Patsy Walsh’s life.

On a recent Friday, Mrs. Walsh, a grandmother of six, volunteered to allow two hackers to take a crack at hacking her home. How bad could it be?

Mrs. Walsh did not consider herself a digital person. As far as she knew, her home was not equipped with any “smart devices,” physical objects like refrigerators and thermometers that transmit information to the Internet. Sure, she has a Facebook account, which she uses to keep up on friends’ lives, but rarely does she post about her own.

“I don’t post things about myself and don’t really understand why other people do,” Mrs. Walsh said. “The fact you can go from one friend’s profile to their friends’ profiles is creepy. I guess you could find out a lot of information about somebody if you really wanted to.”

Indeed. Days before hackers even set foot in Mrs. Walsh’s home overlooking Mount Tamalpais in Marin County, Calif., they found her Facebook account and — though it was comparatively locked down — uncovered just enough to begin to take over her digital life. The New York Times was invited to witness the hacking, on the condition that Mrs. Walsh’s town not be named.

The twist was that once the hackers found their way in, they discovered someone else had already been there.

The hackers could see that Mrs. Walsh had liked a page organized by . That was all they needed to construct some convincing click bait. Within 10 minutes, they composed a fake email from asking her to sign a fake petition about land use in Marin County.

When that link led her to a page that asked her to enter her email address and password, she complied. To spare Mrs. Walsh any actual harm, the hackers used a service called Phish5, which does not actually store passwords and is often used by employers to test employees’ ability to spot malicious phishing cons.

Had the two been actual attackers, they would have had all the information they needed to “pwn” Mrs. Walsh — hacker speak for taking over someone’s digital life — from afar, particularly because, Mrs. Walsh confessed, she was guilty of using the same password across many accounts.

All this before they had even set foot in Mrs. Walsh’s home.

The hackers, Reed Loden, the 27-year-old director of security of HackerOne, a San Francisco security start-up, and Michiel Prins, the 25-year-old co-founder of HackerOne, were greeted warmly when they arrived at her home.

“Welcome Hackers” was scrawled on a heart-shaped chalkboard on the front door, and deviled eggs, tuna sandwiches and fresh iced tea were waiting. Mrs. Walsh said she expected the hackers would wear black, but Mr. Loden and Mr. Prins did not fit that stereotype. Mr. Loden, who hails from Mississippi, ended his sentences with a warm “thank you, ma’am” — his manners intact even while explaining that he had just hacked Mrs. Walsh’s power of attorney form.

“They’re very polite,” Mrs. Walsh noted. (Later, she invited both to Thanksgiving dinner.)

Over an hour and a half, they discovered a way to open the Walshes’ garage door. It was simply a matter of using a “brute force attack” against an older door opener. The process entailed testing thousands of code combinations until hitting the correct one. Earlier this year, the hacker Samy Kamkar demonstrated how to do this in less than 10 seconds using a Mattel toy.

Mr. Loden and Mr. Prins also found a way to intercept Mrs. Walsh’s television. A service worker had not installed her DirecTV securely, with a password, which meant anyone with knowledge of the device’s I.P. address could control the television remotely.

In this case, the hackers used their access to purchase a three-hour pass to an array of adult channels — the names of which would not be suitable for print here.

Still, Mrs. Walsh was not impressed. “What’s so wrong about getting into my TV?” When Mr. Loden pointed out that someone could blast pornography in her living room in the middle of a dinner party, Mrs. Walsh conceded, “I can see how that would be a little shocking to guests.”

From there, the hackers made their way to the back of Mrs. Walsh’s house, where her PC was waiting. With her passwords posted on the nearby router, their task was easy. Within minutes, they had not only broken into Mrs. Walsh’s email account, but also that of her daughter — who at some point had allowed the computer’s browser to auto-fill her password. (As a courtesy, the hackers made sure to send Mrs. Walsh’s daughter an email from her own account with the subject line: “Reminder: Change my password.”)

They searched Mrs. Walsh’s email for the term “SSN” and within seconds had access to her Social Security number, her PayPal account, her air miles account and her insurance information. They had even gotten their hands on her power of attorney form.

What’s worse, they weren’t the only ones with access to all of the above. Mr. Loden and Mr. Prins ran a scan for malicious programs running on Mrs. Walsh’s machine and found roughly 20, including InstallBrain, an installer that can download malicious programs on demand, like one that helps attackers mine for Bitcoin, and others, like DefaultTab, FunWebProducts, SearchProtect, SlimCleaner and Supreme Savings, that can change a victim’s home page, spy on search and browsing histories, or replace ads on websites like Facebook and Google with intrusive programs.

After they were through “pwning” Mrs. Walsh, the two hackers sat down with their victim for a debriefing. Critical points were that Mrs. Walsh needed a new garage door opener, a password for her television and a password manager to help her set unique and far more complicated passwords for each of her accounts.

The hackers advised her to turn on two-step authentication, a service that sends a second, one-time password to users’ phones when they try to log in from an unrecognized machine. They also gave her a quick lesson in phishing attacks and a lecture on the importance of installing software updates.

Best to switch on automatic updates, they said, for core services like Apple’s iOS operating system, Google’s Chrome browser and Windows. And, they said, her PC needed to be completely wiped. The good news was they promised to return to do this for her, possibly when they visit for Thanksgiving dinner.
