Users’ Stark Reminder: As Web Grows, It Grows Less Secure
April 11, 2014
"Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” said Edward Felten of Princeton.
Eva Russo/Momenta Creative
It was the computer programming equivalent of misspelling Mississippi — an error at once careless, inevitable and hard for most human eyes to spot.
The bug known as Heartbleed, a flaw widely replicated in the main system for encrypting consumers’ online data, is a stark reminder that the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today’s digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.
“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” said Edward Felten, a computer security expert at Princeton University.
In some ways, the tech world today resembles the chaotic, unruly days of other essential industries, including the meatpacking industry depicted in Upton Sinclair’s “The Jungle” and the automobile business portrayed in Ralph Nader’s “Unsafe at Any Speed.” While those industries were made safe by a combination of regulation and industrywide cooperation, progress took time, and it came through trial and error.
But it’s not clear that the same solutions will work with technology. We have decided, as a society, to rush headlong into a world ruled by digital devices, continually weighing convenience versus safety. We’re constantly storing more of our important information on more new kinds of hardware run by more complicated software. All of it is increasingly interdependent, which makes the whole ecosystem more vulnerable.
Even though security is an increasing area of concern for large technology companies, it is often considered an afterthought rather than an essential part of building all the goodies we use. Experts say that while instituting a more secure tech culture is possible, it will require a long-term investment in educating software engineers and improving core technologies.
“There’s a level of care in designing systems and sweating the details of their operations that’s missing in the culture of software development,” Mr. Felten said. “We don’t have the kind of safety culture that is common in fields such as aviation.”
That’s because enhanced safety will surely cost consumers in speed, novelty and convenience.
Matthew Green, a professor at Johns Hopkins, said strict standards would require programmers to spend significantly more time testing their work.
Cara Walen
“We have standards for coding in mission-critical systems like the airline industry, but I’m not sure we would want those standards applied everywhere,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University. Such strict standards require programmers to spend significantly more time testing their work — and neither technology companies nor consumers can stomach such delays. “I don’t think we want to wait 20 years for the next Google and Facebook,” Mr. Green said.
Like other similar bugs found recently — including one in Apple’s mobile and desktopdevices — the Heartbleed flaw had gone unnoticed for years. As far as researchers can tell, the problem was introduced by a programmer making a routine coding change onNew Year’s Eve in 2011. OpenSSL, the system in which the error was found, is an open-source program, which means that its code resides online and can be amended by anyone. In theory, such code is supposed to be more secure from bugs than a closed system; with enough programmers checking the code, the flaw should have been quickly detected.
But apparently that did not happen. “There just weren’t enough eyeballs on this — and that’s very bad,” Mr. Green said.
One problem might be basic economics. Many huge Internet companies depend on free technologies like OpenSSL to run their systems, but they don’t always return resources to the small teams that create the code. “If we could get $500,000 kicked back to OpenSSL and teams like it, maybe this kind of thing won’t happen again,” Mr. Green said.
Unlike other potentially dangerous corners of modern life, like aviation or health care, the tech industry is unusually volatile. The companies that run the show today will inevitably be usurped by newer ones that offer supposedly better ways of doing things. Such constant upheaval makes industrywide coordination on security more difficult.
“I’m not sure there’s any other industry that handles as much change and as much usage in such a short amount of time,” said Kurt Baumgartner, a researcher at Kaspersky Lab, a digital security firm. Still, Mr. Baumgartner contends that the field is getting better. Compared with the slow, haphazard way that companies once responded to security threats, the industry’s response to Heartbleed was “pretty responsibly coordinated,” he said. Many large companies fixed their services before the problem was disclosed. “On the whole, things have been improving.”
Stuart Goldenberg
But is it improving enough to keep up with an increasingly determined set of attackers? According to a recent study by Risk Based Security, a threat research firm, there were more than 2,000 data security breaches in 2013. The good news is that the number of intrusions was down from 2012, when more than 3,000 episodes were reported. The bad news is that the smaller number of attacks in 2013 resulted in more damage — about 814 million data records were exposed during the year (including the credit card you used at Target), about twice as many as in any other previous year on record.
The numbers point to another factor that adds to the difficulty in addressing digital threats: Attackers are intelligent, so, frequently, advances in security are matched by advances in attacks. This makes online security a more complicated problem than, say, improving the safety of automobiles.
If you fix one Internet security bug, you can be sure that attackers will just find another, potentially more dangerous one. “Over all, attackers have the competitive advantage,” said Jen Weedon, who works on the threat intelligence team at the security company Mandiant. “Defenders need to defend everything. All attackers need to find is one vulnerability.”
If you aren’t worried enough yet, there’s one more reason to expect digital technology to remain prone to errors. “There’s an underlying process here, which says that as devices get more memory or power, people add more complexity to a product — until it becomes so complicated that it’s too difficult to understand,” Mr. Felten said. That “smart” watch you’re wearing today might not be very complex, but in a few years’ time, smartwatches might run processors that are as powerful as those in today’s laptops.
Companies will create hundreds of apps to take advantage of that power, and you’ll probably install them, because they’ll make your life more convenient or more fun. You’ll pour all your most precious data into your watch. Suddenly, without your noticing it, your watch will have become a target. And among one of those apps will be some threat that no one had anticipated. “As our engineering methods get better, our products get more complicated, so we’re always out at the edge of complexity that our engineering processes can handle,” Mr. Felten said.
Does this mean we’re doomed? Not necessarily; researchers are gratified that large hacks and vulnerabilities are receiving more attention, which might push the industry and consumers to take security more seriously. “Within the past year or so, it’s interesting to see how high-profile these threats have become,” Ms. Weedon said. “Now average people are talking about how to patch their systems. And that’s the best we can hope for, for now.”
互聯網還年輕,安全隱患防不勝防
科技 2014年04月11日
“'心臟出血'進一步證明,我們在網絡安全方面做得很糟糕,”普林斯頓大學的計算機安全專家愛德華·費爾滕說。
Eva Russo/Momenta Creative
這個電腦編程問題相當於拼錯了“Mississippi”這個英文單詞——由粗心所導致,無法避免,而且大多數人都難以察覺。
這個漏洞名為“心臟出血”(Heartbleed),在一些用來加密消費者在線數據的主流系統裡廣泛存在。這一事件明確地提醒我們:互聯網仍處於青年期,並且容易遭遇各種看不見的危險,其中也包括簡單的人為失誤。如今的數字系統非常複雜,而且滲透到了我們生活中的每一個角落。完全控制它們是不可能的。
“'心臟出血'進一步證明,我們在網絡安全方面做得很糟糕,”普林斯頓大學(Princeton University)計算機安全專家愛德華·費爾滕(Edward Felten)說。
從某些方面來說,眼下的高科技世界跟其他一些關鍵產業昔日混亂、無序的局面不無相似,比如厄普頓·辛克萊(Upton Sinclair)在《屠場》(The Jungle)中描述的肉類加工業,以及拉爾夫·納德(Ralph Nader)在《任何車速都不安全》(Unsafe at Any Speed)中描繪的汽車業。雖然監管和整個行業的協作已經讓這些行業變得安全,但改善不僅需要時間,而且也需要不斷嘗試。
但目前還不清楚同樣的解決方案是否適用於科技業。我們作為一個社會,已經決定一頭扎進被數字設備統治的世界,不斷在便利性與安全性之間做權衡。我們一直在往更多的新型硬件上存儲更多的重要信息,而這些硬件上正運行著更加複雜的軟件。所有這一切的相互依存性正在日益加重,使得整個生態系統變得更加脆弱。
雖然大型科技公司對安全領域越來越重視,但它通常被作為事後的補救措施,而不是構建產品和服務過程中的一個關鍵組成部分。專家指出,雖然培養一種更加註重安全的科技文化是可能的,但這需要做出長期的投入,教育軟件工程師並提升核心技術。
“在軟件開發的文化中,人們對設計系統和精心打造產品細節,在一定程度上不夠關心,”費爾滕說。“航空等領域常見的那種安全文化我們並不具備。”
這是因為更高的安全性,肯定會讓消費者享受到的速度、新奇性和便利性打些折扣。
約翰·霍普金斯大學教授馬修·格林說,嚴格的標準需要程序員花費遠遠更多的時間來測試自己的程序。
Cara Walen
“對於航空等行業中的關鍵任務系統,我們對編程是有標準的,但我不知道把這些標準套用到所有地方是否合適,”密碼學家馬修·格林(Matthew Green)說,他也是約翰·霍普金斯大學(Johns Hopkins University)的研究教授。那種嚴格的標準要求程序員花費遠遠更多的時間來測試自己的程序,無論是科技企業還是消費者都無法忍受這樣的等待。格林說,“我覺得,我們不會希望等到20年後才出現下一個谷歌和Facebook。”
和最近發現的其他類似漏洞(其中包括蘋果移動設備和桌面設備的一個漏洞)一樣,“心臟出血”多年來也沒有被人察覺。就研究人員所知,這個問題是一名程序員在2011年最後一天進行例行的代碼修改時造成的。發現這個漏洞的系統OpenSSL是開源程序,這意味著它的代碼放在網上,任何人都可以修改。從理論上講,相對於封閉的系統,開源代碼被認為更加安全;有足夠多的程序員檢查開源代碼,漏洞可以很快就被檢測出來。
但情況顯然不是這樣。“沒有足夠多的人關注這些代碼——這真是非常糟糕,”格林說。
一個問題可能是基本經濟層面上的。很多大型互聯網公司依靠OpenSSL這樣的免費技術來運行系統,但它們往往不會回饋資源給編寫這些代碼的小團隊。“如果能提供50萬美元(約合310萬元人民幣)給OpenSSL以及類似的團隊,這種事情也許就不會再發生了,”格林說。
現代生活中也有其他可能存在危險的行業,比如航空或醫療,但不同於它們的是,高科技行業的變化日新月異。眼前如日中天的公司必然會被更新的、人們認為能提供更好產品的公司所顛覆。這種不斷更迭的狀況,讓整個行業的安全協調變得越發困難。
“我想沒有哪個產業會在這麼短的時間裡,應對這麼多的變化,這麼大的使用量,”數字安全公司卡巴斯基實驗室(Kaspersky Lab)的研究員庫爾特·鮑姆加特納(Kurt Baumgartner)說。不過,鮑姆加特納也表示,這個領域正在日益改善。科技企業回應安全威脅的方式曾經相當緩慢、沒有章法,但他說,相比之下,整個行業應對“心臟出血”時“相當負責任地進行了協調”。很多大公司在該問題曝光之前就已經對自己的服務採取了措施。“總體來說,事情已經在好轉。”
Stuart Goldenberg
但改進的速度足夠快,能抵禦越來越頑固的攻擊者嗎?網絡威脅研究機構Risk Based Security近期的一項研究顯示,2013年發生了2000多起數據安全受到破壞的攻擊事件。好消息是這一數字與2012年的3000多起相比有所下降。但壞消息是,雖然2013年攻擊次數有所減少,但攻擊結果卻更具破壞性——大約8.14億條數據記錄在這一年裡被暴露(包括你在Target超市使用的信用卡信息),大約是有記錄以來過去任何一年的兩倍。
這一數字表明了應對數據威脅的另一個困難因素:攻擊者都很聰明,所以頻繁發生的情況是,隨著安全性的提升,攻擊的水平也會提高。這使得網絡安全變成一個更複雜的問題,比提升汽車安全要難得多。
如果你修復了一個網絡安全漏洞,可以肯定的是攻擊者一定會找到另一個漏洞,而且有可能更危險。“總的來說,攻擊者擁有競爭優勢,”網絡安全公司Mandiant威脅信息情報小組的珍·威登(Jen Weedon)說。“防守方需要防守所有可能的威脅,而攻擊者只需要找到一個弱點。”
如果這還不夠讓你擔心,數字技術還有另外一個總會出問題的原因。“有這樣一個深層的過程,隨著設備擁有更多的存儲量、變得更強大,人們也會讓產品變得愈發複雜——直到復雜得讓人難以理解,”費爾滕說。你今天所戴的“智能”手錶也許還不是很複雜,但在未來幾年中,智能手錶裡運行的處理器,或許就會像如今的筆記本電腦一樣強大。
各家公司將會創作成百上千的應用程序來運用這種計算能力,而你很有可能會安裝這些應用,因為它們會讓你的生活更便利、更有樂趣。你會向手錶裡傾注大量有關於你的珍貴數據。突然間,在你還沒有意識到的時候,你的手錶就已經成了攻擊目標。在那些應用當中,會存在誰都始料未及的威脅。費爾滕說,“隨著我們的工程方法越來越好,我們的產品變得越來越複雜,所以我們一直在追求工程流程可以處理的複雜度的極限。”
這意味著我們遲早會遭殃嗎?並不見得。大規模黑客襲擊和網絡漏洞正在受到越來越多的關注,研究人員對於這一點頗為欣慰,這可能會促使整個行業和用戶更加重視安全問題。“在過去一年左右的時間裡,我們看到這些襲擊事件廣為人知,這一點相當有趣,”威登說。“現在連普通人都在談論該如何修補他們的系統。這是我們現在可以期望的最好情況了。”
沒有留言:
張貼留言