
Shellshock exposes the internet's thin ice


The Shellshock bug that has left vast swaths of the internet vulnerable to cyber criminals for more than 20 years highlights how the basic foundations of the network are not fit for the 21st century web, security experts have warned.

Security experts warn that the "Shellshock bug" has exposed the vast openings that the internet has left for cyber criminals for more than 20 years, highlighting that the most basic network infrastructure is no longer fit for the needs of the 21st-century web.


The fundamental flaw that was discovered on Wednesday has been described as the worst bug exposed for about a decade, as it left the computer systems of governments, the military and companies open to manipulation from afar.

The fundamental flaw discovered on Wednesday has been called the most serious bug found in about a decade. Using it, the computer systems of governments, the military and companies can be manipulated remotely.

Tal Klein, vice-president of strategy and marketing at US-based cloud security company Adallom, warned there could be more bugs like this to be discovered because the whole internet was built on a “sheet of very thin ice”.

Tal Klein, vice-president at Adallom, warned that because the whole internet is built on "a sheet of very thin ice", more bugs like this may be discovered in future. Adallom is a cloud security company headquartered in the US.

“We continuously work on improving the security of the internet assuming the sheet of ice underneath it is secure,” he said. “[But] very few people actively spend time on the security of the underlying components. They are so old that people assume if no one has compromised them yet then it is fine.”

He said: "We keep working to improve the security of the internet while taking it for granted that the ice beneath it is secure. Very few people actively spend time checking the security of the underlying components. These components have been in use for so long that people assume that, since they are still in use, there is nothing wrong with them."

The threat of the Shellshock bug can be mitigated by updating, or patching, computer systems. But that will take time, as IT teams rush to work out which systems need updating, and Shellshock may be one of many vulnerabilities in the basic architecture of the internet.

The threat of the Shellshock bug can be removed by upgrading computer systems, or patching them. But this will take time, because IT teams must quickly work out which systems need updating, and Shellshock may be only one of many vulnerabilities in the internet's basic infrastructure.

Trey Ford, global security strategist for Rapid 7, said the problem was that innovations had been bolted on top of a structure that was not built for what it was used for today.

Trey Ford, global security strategist at Rapid 7, said the problem is that people have kept innovating on top of an infrastructure that was built for purposes different from those it serves today.

"The world wide web just had a birthday, turning 25. When Tim Berners-Lee created it I don't know if he envisaged magical pocket devices where you could take phone calls from Tokyo, surf the internet and move money around," he said. "We've come a long way in 25, 30 years." Mr Ford said companies such as Google and cyber security companies such as Rapid 7 were working to improve some fundamental aspects of the internet. But security needed to be more valued by consumers so that the companies creating products prioritised security.

He said: "The world wide web has just had its 25th birthday. When Sir Tim Berners-Lee invented it, I do not know whether he could have imagined today's magical pocket devices, with which people can place long-distance calls from Tokyo, browse the internet and move money around. In 25 or 30 years we have come a long way." Mr Ford said many companies are working to improve some fundamental aspects of the internet, including Google and cyber security companies such as Rapid 7. But only when consumers place more value on security will companies develop products that prioritise it.

“In the long run, security should not be a feature but something that is expected,” he said. “I fear it will take more events like this to prioritise those services and investment.”

He said: "In the long run, security should not be treated as a feature but as a necessary property. I fear people will have to go through more events like this before such services and investment are given priority."

Product designers had to choose between spending money on new features which were more marketable, or on security that no one would notice, he added.

He added that product designers must choose between spending money on new features that help sell the product and spending it on security improvements that no one will notice.

It is hard to prioritise security when the size of the problem remains unknown. Legislation requiring companies to report cyber attacks also varies widely depending on the industry or country, but most focus on the loss of consumer data rather than other attacks aimed at taking over computer systems or stealing intellectual property.

It is hard to put security first when the severity of the problem is unknown. Legislation requiring companies to report cyber attacks varies widely by country and industry, but most of it focuses on leaks of user data rather than other attacks aimed at taking control of computer systems or stealing intellectual property.

The effects of Shellshock so far are hard to measure. Even though the vulnerability has existed for more than two decades, it is not clear if it had already been discovered by cyber criminals. There is already some evidence posted on Github, an online forum for software engineers, that the Shellshock bug has been used in an attack, though it is not known where or when.

So far the effects of the Shellshock bug are hard to assess. Although the vulnerability has existed for more than 20 years, it is unclear whether cyber criminals had already discovered it. On Github, an online forum used mainly by software engineers, someone has already posted evidence that the Shellshock bug has been used in a cyber attack. However, when and where that attack happened is not yet known.

Sophisticated state-backed cyber criminals, known as advanced persistent threats, could use the bug for a “stealthy attack” where they penetrate deep inside a company or a government’s computer systems.

State-backed, sophisticated cyber criminals are regarded as an advanced persistent threat; they could use this bug to carry out a "stealthy attack", penetrating deep into the computer systems of companies or governments.

Other attackers could use the vulnerability to take hold of servers and home internet routers from across the world to create a giant network – known as a botnet – which would give them enough computing power to take down any website in a distributed denial of service attack.

Other attackers could use the bug to take control of servers and home internet routers around the world and build a huge "botnet". Such a network would give them enough computing power to take down any website with a "distributed denial of service attack" (DDoS).

Apple’s Mac computers rely on an operating system that was originally based on Unix, so they could be vulnerable especially if connected to public WiFi, and many so-called “internet of things” devices such as lightbulbs and fridges may be affected.

Apple's Mac computers use an operating system originally based on Unix, so they may also be affected by this bug, especially when connected to public WiFi. In addition, many "internet of things" devices such as lightbulbs and fridges may be affected.

Chris Wysopal, chief technology officer of cyber security company Veracode, said this moment between the announcement of a problem and people fixing it by rolling out a software update – or patch – is “the most dangerous time”.

Chris Wysopal, chief technology officer of cyber security company Veracode, said the period between a vulnerability being disclosed and technology companies releasing a software update (or patch) that fixes it is "the most dangerous".

“The thing that has people worried is that they don’t know the scope of how many devices are affected,” he said.

He said: "What worries people is that it is currently unclear how many devices are affected by this bug."