Beware the Internet of Things security black hole: using device traffic to attack websites

Default passwords on devices from the digital video recorder in your living room to the security camera in your office threaten the stability of the internet, as hackers build vast networks of Internet of Things devices to bombard websites with traffic.

The attack on Dyn, a domain name service provider, that disrupted access to high-profile sites such as Twitter, Spotify and the New York Times on Friday, highlighted the risks posed by the billions of devices connected to the internet with little or no cyber security protections.

Unidentified hackers took over tens of millions of devices using malicious software called Mirai, making the attack much more powerful and harder to defend against than the average distributed denial of service attack.

In a rush of excitement about the prospect of controlling houses and office buildings from smartphones — changing the temperature or detecting burglars using cameras — many manufacturers with little experience of cyber security have connected devices to the internet.

Regulators have not yet created clear rules on how they should be protected, and even businesses are finding that well-meaning suppliers or facilities managers have accidentally created holes in their corporate networks by adding connected devices.

Michael Sutton, chief information security officer of Zscaler, a cloud security company, said Friday’s attack would be a wake-up call for the hardware industry.

“Security in the hardware industry is a decade behind where it is in the software industry,” he said.

“Mirai was successful because so many webcams, digital video recorders, etc., have been produced with default passwords that have never been changed.

“A simple internet scan identifies them and they can quickly be compromised.”

Cyber security experts have been warning about the risk of Internet of Things devices for years, staging high-profile hacks at their annual conference Def Con that show how everything from connected cars to insulin pumps could be hacked.

But often it has been hard to see why a cyber criminal would target an individual’s device, unless to expose the activity of a person in the public eye or cause harm to a political figure.

This attack showed that even if a connected device is not necessarily a huge threat to its owner, it can be used maliciously to attack others.

Gartner, the research firm, forecasts there will be over 20bn connected devices in the world by 2020 with consumers spending $1,500bn on the Internet of Things and businesses spending almost as much.

The research firm predicts that more than a quarter of attacks on companies will involve connected devices by 2020, but enterprises will only spend 10 per cent of their cyber security budgets on protecting against these types of attacks.

Jeremiah Grossman, chief of security strategy at SentinelOne, a Silicon Valley-based cyber security company, says more attention to the problem of insecure devices is long overdue.

Device makers should force users to change their default passwords as part of the set-up process and issue security updates, just as they do on PCs, he said.

Installing an agent that can monitor what the device is doing would have shown the very anomalous behaviour when it was recruited to a botnet, he added.

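Mr Grossman's "very anomalous behaviour" can be made concrete. What follows is an added example for this article, not code from Dyn, SentinelOne, Zscaler or the Mirai source: a small Python detector that reads per-device network flow records and flags the two behaviours a device recruited into a Mirai-style botnet exhibits, propagation scanning of Telnet (tcp/23 and tcp/2323, the two ports Mirai's scanner probes) across many hosts, and a packet flood concentrated on a single destination. The flow records, the device and target addresses, and the thresholds are constructed for the example and would need tuning per device class in practice.

```python
"""Flag Mirai-style behaviour in per-device network flow records.

Added example for this article, not code from Dyn, SentinelOne or Mirai.
Flow records, addresses and thresholds below are constructed/assumed.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int       # seconds since capture start
    src: str      # the IoT device being watched
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    packets: int


TELNET_PORTS = {23, 2323}     # Mirai's scanner probes both ports
WINDOW = 60                   # seconds per analysis window
SCAN_DISTINCT_DSTS = 50       # assumed: a camera has no reason to open telnet to 50 hosts a minute
FLOOD_PACKETS = 10_000        # assumed: >10k packets a minute to one dst:port is a flood for a DVR


def detect(flows):
    """Return {device_ip: [finding, ...]}.

    Findings are ("telnet_scan", distinct_targets) or ("flood", dst, dport, packets).
    Devices with no finding are absent from the result.
    """
    # Bucket flows per device and per time window so that a slow trickle
    # spread over hours does not trip the same thresholds as a burst.
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.ts // WINDOW)].append(f)

    findings = defaultdict(list)
    for (src, _win), fs in buckets.items():
        # Propagation signature: many distinct telnet targets in one window.
        telnet_targets = {f.dst for f in fs if f.proto == "tcp" and f.dport in TELNET_PORTS}
        if len(telnet_targets) > SCAN_DISTINCT_DSTS:
            findings[src].append(("telnet_scan", len(telnet_targets)))

        # Attack signature: a large packet count concentrated on one destination.
        per_target = defaultdict(int)
        for f in fs:
            per_target[(f.dst, f.dport)] += f.packets
        for (dst, dport), pkts in per_target.items():
            if pkts > FLOOD_PACKETS:
                findings[src].append(("flood", dst, dport, pkts))
    return dict(findings)


def sample_flows():
    """Constructed records: a DVR (10.0.0.12) that first scans telnet and then
    floods a resolver on udp/53, and a camera (10.0.0.7) that only talks to its
    cloud service over HTTPS."""
    flows = []
    for i in range(120):  # 120 distinct hosts, alternating ports 23 and 2323, all in window 0
        flows.append(Flow(i % 60, "10.0.0.12", f"198.51.100.{i}", 23 if i % 2 else 2323, "tcp", 3))
    for i in range(40):   # 40 flows x 500 packets = 20,000 packets to one dst:port in window 1
        flows.append(Flow(60 + i, "10.0.0.12", "203.0.113.5", 53, "udp", 500))
    for i in range(5):    # benign: a few hundred packets to a single HTTPS endpoint
        flows.append(Flow(i * 10, "10.0.0.7", "192.0.2.10", 443, "tcp", 200))
    return flows


if __name__ == "__main__":
    for device, items in detect(sample_flows()).items():
        for item in items:
            print(device, *item)
```

The two signatures are chosen because they separate a recruited device from its normal self without any knowledge of the malware's command-and-control: a thermostat or camera has a small, stable set of peers, so a window in which it opens Telnet to dozens of strangers, or pushes thousands of packets at one address, is the anomaly an on-device or network-side agent should raise. A production version would learn each device's peer set as a baseline and alert on departures from it rather than relying on fixed thresholds.
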
Regulating the industry is almost impossible, Mr Grossman added, because the companies connecting devices to the internet do not fit in any one category: stretching from makers of smart TVs to medical device manufacturers.

Some regulators have taken a look at the potential threat, with the US Food and Drug Administration, which oversees the manufacturers of pacemakers and other medical equipment, issuing draft guidelines earlier this year for how hospitals and manufacturers should monitor devices for vulnerabilities and deploy updates.

Shuman Ghosemajumder, chief technology officer at Shape Security, agreed it is tough for regulators to solve the problem as security challenges are constantly changing when hackers develop new techniques.

But he said they should be responsible for setting minimum expectations and norms.

“The industry as a whole needs to do a better job.

“There’s no question that the growth of the ‘Internet of Things’ has been fuelled by the excitement around the internet connection enabling new functionality, and security has taken a back seat,” he said.

However, he added that potential targets, such as Dyn, a domain name services provider which many major companies rely on to provide access to their sites, also need to improve their security and better protect themselves from these ever-expanding botnets.

Dyn said in a blog post on Saturday that it was watching out for any further attacks and working with law enforcement agencies and others to investigate who was behind the attack.

“The number and type of attacks, the duration and the scale, and the complexity of these attacks are all on the rise,” said Kyle York, chief strategy officer.

Mr York said that, because of the customers that relied on it, Dyn was often the first responder of the internet.

But as the internet grows larger, bringing in thermostats, lightbulbs and baby monitors, sending in the paramedics has just got even harder.
