Hackers exploit remote-login software to steal credit card data

SAN FRANCISCO — The same tools that help millions of Americans work from home are being exploited by cybercriminals to break into the computer networks of retailers like Target and Neiman Marcus.


The Homeland Security Department, in a new report, warns that hackers are scanning corporate systems for remote access software — made by companies like Apple, Google and Microsoft — that allows outside contractors and employees to tap into computer networks over an Internet connection.



When the hackers discover such software, they run automated brute-force tools that guess login credentials at high speed until one works, giving them an entry point that looks like an ordinary remote login and is therefore hard to detect.


The report, which Homeland Security produced with the Secret Service, the National Cybersecurity and Communications Integration Center, Trustwave SpiderLabs, an online security firm based in Chicago, and other industry partners, is expected to be released on Thursday. It provides insight into what retailers are up against as hackers find ways into computer networks without tripping security systems.


It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.


“As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust,” said Vincent Berq of FlowTraq, a network security firm.


While the report does not identify the victims of these attacks, citing a policy of not commenting on current investigations, two people with knowledge of these investigations say that more than a dozen retailers have been hit. They include Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and as recently as this month, Goodwill Industries International, the nonprofit agency that operates thrift stores around the country.


Once inside the network, the hackers deploy malicious software called Backoff that is devised to steal payment card data off the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.


In each case, criminals used computer connections that would normally be trusted to gain their initial foothold. In the Target breach, for example, hackers zeroed in on the remote access granted through the retailer’s computerized heating and cooling software, the two people with knowledge of the inquiry said.


In an interview, Brad Maiorino, recently hired as Target’s chief information security officer, said a top priority was what he called “attack surface reduction.”


“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Mr. Maiorino said. “You have to simplify and consolidate those as much as possible.”


The Secret Service first discovered the Backoff malware (named for a word in its code) in October 2013. In the last few weeks, the agency said that it had come across the malware in three separate investigations. Most troubling, the agency said that even fully updated antivirus systems were failing to catch it.


Low detection rates meant that “fully updated antivirus engines on fully patched computers could not identify the malware as malicious,” the report concluded.


Backoff and its variants all perform four functions. First, they scrape the memory of in-store payment systems for credit and debit card “track” data, the contents of the card’s magnetic stripe: the account number, expiration date and cardholder name. PINs are not stored on the stripe, so the malware cannot read them from track data; it captures them separately, through the keystroke logging described next.


The malware logs keystrokes, as when a customer manually enters her PIN, and communicates back to the attackers’ computers so they can retrieve the captured payment data, update the malware or delete it to escape detection.


The hackers also install a so-called backdoor into in-store payment machines, ensuring a foothold even if the machines crash or are reset. And they continue to tweak the malware to add functions and make it less detectable to security researchers.


Security experts say antivirus software alone will not prevent these attacks. They recommend companies take what is called a “defense in depth” approach, layering different technologies and empowering security professionals to monitor systems for unusual behavior.


Among the report’s recommendations: Companies should limit the number of people with access to their systems; require long, complex passwords that cannot be easily cracked; and lock accounts after repeated failed login attempts.

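The credential-guessing attack described earlier and the lockout recommendation above are two sides of the same control, and both are easy to reason about with a handful of log lines. The Python below is an added example for this page, not code from the report or any vendor; it uses a hypothetical one-line-per-event remote-access log format and constructed sample events. `detect_bruteforce` raises one alert per account/source pair that accumulates a threshold of failures inside a sliding window, and `enforce_lockout` simulates the recommended policy, refusing an account for a lockout period once the threshold is crossed, so that the attacker’s eventual correct guess is rejected too. The threshold, window and lockout values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of remote-access authentication events (hypothetical format,
# not any vendor's real log): timestamp, result, account, source address.
SAMPLE_AUTH_LOG = """\
2014-07-31T02:14:01 FAIL user=hvac-vendor src=203.0.113.7
2014-07-31T02:14:02 FAIL user=hvac-vendor src=203.0.113.7
2014-07-31T02:14:03 FAIL user=hvac-vendor src=203.0.113.7
2014-07-31T02:14:04 FAIL user=hvac-vendor src=203.0.113.7
2014-07-31T02:14:05 FAIL user=hvac-vendor src=203.0.113.7
2014-07-31T02:14:06 OK   user=hvac-vendor src=203.0.113.7
2014-07-31T02:20:00 FAIL user=jdoe src=198.51.100.12
2014-07-31T03:05:00 OK   user=jdoe src=198.51.100.12
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse_auth_log(text):
    """Return (timestamp, success, user, src) tuples in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per (user, src) pair that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still in the window
    fired = set()
    alerts = []
    for ts, ok, user, src in events:
        if ok:
            continue
        key = (user, src)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"ts": ts, "user": user, "src": src, "failures": len(q)})
    return alerts


def enforce_lockout(events, max_failures=5, lockout=timedelta(minutes=15)):
    """Simulate the lockout policy: after `max_failures` the account is refused for
    `lockout`, even when the next attempt carries the right password."""
    failures = defaultdict(list)   # user -> recent failure timestamps
    locked_until = {}
    decisions = []
    for ts, ok, user, src in events:
        until = locked_until.get(user)
        if until is not None and ts < until:
            decisions.append((ts, user, src, "locked"))
            continue
        if ok:
            failures[user].clear()
            decisions.append((ts, user, src, "allow"))
            continue
        failures[user] = [t for t in failures[user] if ts - t <= lockout] + [ts]
        decisions.append((ts, user, src, "deny"))
        if len(failures[user]) >= max_failures:
            locked_until[user] = ts + lockout
            failures[user].clear()
    return decisions


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for alert in detect_bruteforce(evs):
        print("ALERT brute force:", alert)
    for decision in enforce_lockout(evs):
        print(*decision)
```

In the sample the vendor account’s sixth attempt succeeds against the password but is still refused, which is the point of the control. Lockout keyed on the account alone also lets an attacker lock legitimate users out on purpose, so in practice it is paired with rate limiting per source address and with the two-factor authentication the report recommends, which makes a guessed password alone insufficient.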

The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two factor authentication”— a process by which employees must enter a second, one-time password in addition to their usual credentials — the status quo.


The report also recommends encrypting customers’ payment data from the moment their cards are swiped at the store, logging all network activity and deploying security systems that can alert staff to unusual behavior, like a server communicating with a strange computer in Russia.

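The segmentation advice and the “server communicating with a strange computer in Russia” alert above reduce to one rule: a host on the payment segment should only ever talk to a short, known list of destinations, and anything else is worth a page. The Python below is an added example for this page, not the report’s or any product’s code. It parses constructed flow records in a hypothetical format, treats one assumed VLAN as the in-store payment segment with two assumed permitted external services, and flags flows that leave the segment for anything else, distinguishing a hop into the corporate network (a segmentation failure) from an unexpected external destination, which it labels with a country from a constructed stand-in for a GeoIP table.

```python
import ipaddress
import re

# Assumed network layout for this example: the in-store payment VLAN and the only
# external services it is meant to reach.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EGRESS = {
    ipaddress.ip_network("198.51.100.0/24"): "payment-processor",
    ipaddress.ip_network("203.0.113.10/32"): "patch-server",
}
# Constructed stand-in for a GeoIP database (documentation ranges, not real allocations).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}

# Constructed flow records in a hypothetical one-line-per-flow format.
SAMPLE_FLOWS = """\
2014-07-31T02:30:00 src=10.20.5.11 dst=198.51.100.20 dport=443 bytes=5120
2014-07-31T02:31:00 src=10.20.5.11 dst=203.0.113.10 dport=443 bytes=2048
2014-07-31T02:32:00 src=10.20.5.11 dst=192.0.2.44 dport=80 bytes=30720
2014-07-31T02:33:00 src=10.20.5.11 dst=10.30.1.5 dport=445 bytes=4096
2014-07-31T02:34:00 src=10.30.1.5 dst=192.0.2.44 dport=80 bytes=1024
"""

FLOW_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+bytes=(\d+)$")


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow: {line!r}")
        flows.append({"ts": m.group(1),
                      "src": ipaddress.ip_address(m.group(2)),
                      "dst": ipaddress.ip_address(m.group(3)),
                      "dport": int(m.group(4)), "bytes": int(m.group(5))})
    return flows


def country_of(ip):
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


def classify_flow(flow):
    """Return a reason string if the flow violates the payment segment's egress policy."""
    src, dst = flow["src"], flow["dst"]
    if src not in POS_SEGMENT or dst in POS_SEGMENT:
        return None                     # only police traffic leaving the payment segment
    if any(dst in net for net in EXPECTED_EGRESS):
        return None                     # processor and patch server are expected
    if any(dst in net for net in INTERNAL_RANGES):
        return "payment host reached a non-payment internal network"
    return f"payment host reached an unexpected external host in {country_of(dst)}"


def detect_egress_anomalies(flows):
    alerts = []
    for f in flows:
        reason = classify_flow(f)
        if reason:
            alerts.append({"ts": f["ts"], "src": str(f["src"]), "dst": str(f["dst"]),
                           "dport": f["dport"], "bytes": f["bytes"],
                           "country": country_of(f["dst"]), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dport']} ({a['bytes']} bytes): {a['reason']}")
```

The two flagged flows are the exfiltration-shaped one (a register pushing 30 KB to an unknown host abroad) and the lateral one (a register opening SMB to a corporate workstation). The corporate workstation’s own trip abroad is not flagged here because the allowlist is only enforced for the payment segment; that is the trade-off segmentation buys, a small, tightly policed zone rather than a rule for every host.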

At Target, Mr. Maiorino said he planned to build a security program as tough as what was expected from military contractors.


“All of the same tools and techniques that nation states are using for attacks have been commoditized and are available for sale in the black market,” Mr. Maiorino said. “And for the right amount of money you can go out and create a cybercrime ring at a relatively low cost.”
