How Hacker Tools Threaten Wi-Fi Users' Security
In information security, a "hacker" is someone who studies how to outwit computer security systems. Those who use public communication networks, such as the Internet and the telephone system, to get into other people's systems without permission are called black-hat hackers. Below, the editor has compiled "How Hacker Tools Threaten Wi-Fi Users' Security"; I hope you find it helpful!
You may think the only people capable of snooping on your Internet activity are government intelligence agents or possibly a talented teenage hacker holed up in his parents’ basement. But some simple software lets just about anyone sitting next to you at your local coffee shop watch you browse the Web and even assume your identity online.
“Like it or not, we are now living in a cyberpunk novel,” said Darren Kitchen, a systems administrator for an aerospace company in Richmond, Calif., and the host of Hak5, a video podcast about computer hacking and security. “When people find out how trivial and easy it is to see and even modify what you do online, they are shocked.”
Until recently, only determined and knowledgeable hackers with fancy tools and lots of time on their hands could spy while you used your laptop or smartphone at Wi-Fi hot spots. But a free program called Firesheep, released in October, has made it simple to see what other users of an unsecured Wi-Fi network are doing and then log on as them at the sites they visited.
Without issuing any warnings of the possible threat, Web site administrators have since been scrambling to provide added protections.
“I released Firesheep to show that a core and widespread issue in Web site security is being ignored,” said Eric Butler, a freelance software developer in Seattle who created the program. “It points out the lack of end-to-end encryption.”
What he means is that while the password you initially enter on Web sites like Facebook, Twitter, Flickr, Amazon, eBay and The New York Times is encrypted, the Web browser’s cookie, a bit of code that identifies your computer, your settings on the site or other private information, is often not encrypted. Firesheep grabs that cookie, allowing nosy or malicious users to, in essence, be you on the site and have full access to your account.
More than a million people have downloaded the program in the last three months (including this reporter, who is not exactly a computer genius). And it is easy to use.
The only sites that are safe from snoopers are those that employ the cryptographic protocol Transport Layer Security or its predecessor, Secure Sockets Layer, throughout your session. PayPal and many banks do this, but a startling number of sites that people trust to safeguard their privacy do not. You know you are shielded from prying eyes if a little lock appears in the corner of your browser or the Web address starts with “https” rather than “http.”
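The weakness described above is a session cookie set without the Secure attribute, which the browser will also attach to plain-http requests, where anyone on the same unsecured Wi-Fi can read it and reuse it. The server-side fix is to mark session cookies Secure (and HttpOnly), to redirect every http request to https, and to send a Strict-Transport-Security header so the browser will not fall back to http later. The following Python is an editorial example added here, not code from the article or from Firesheep; it audits constructed HTTP responses for those three points, and the host example.test, the cookie name and the header values are all made up.

```python
"""Audit HTTP response headers for the weakness the article describes:
a session cookie that the browser will also send over plain http,
and a site that does not keep the whole session on https.

Added editorial example; the URL, cookie name and headers below are
constructed, not taken from any real site."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


def _header_values(headers, name):
    """All values of one header (HTTP allows repeats, e.g. several Set-Cookie)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit_response(url, status, headers):
    """Return a list of findings for one response.

    url:     the URL that was requested (its scheme decides which checks apply)
    status:  HTTP status code
    headers: list of (name, value) pairs as sent by the server
    """
    findings = []
    scheme = urlsplit(url).scheme

    if scheme == "http":
        # A plain-http page should do nothing but send the browser to https.
        location = _header_values(headers, "Location")
        redirected = (status in REDIRECT_CODES and location
                      and location[0].startswith("https://"))
        if not redirected:
            findings.append("plain-http response served content instead of redirecting to https")
    elif not _header_values(headers, "Strict-Transport-Security"):
        # Without HSTS the browser will follow an http:// link next time;
        # this is the fallback HTTPS Everywhere tries to prevent client-side.
        findings.append("https response lacks Strict-Transport-Security")

    for raw in _header_values(headers, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                # The Firesheep condition: the cookie rides along on http requests.
                findings.append(f"cookie {name!r} lacks Secure; it will be sent over plain http")
            if not morsel["httponly"]:
                findings.append(f"cookie {name!r} lacks HttpOnly; page scripts can read it")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "http://example.test/home",
    200,
    [("Content-Type", "text/html"),
     ("Set-Cookie", "sessionid=c0ffee; Path=/")],
)
HARDENED_RESPONSE = (
    "https://example.test/home",
    200,
    [("Content-Type", "text/html"),
     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
     ("Set-Cookie", "sessionid=c0ffee; Path=/; Secure; HttpOnly")],
)
HTTP_REDIRECT = (
    "http://example.test/home",
    301,
    [("Location", "https://example.test/home")],
)

if __name__ == "__main__":
    for label, resp in [("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE),
                        ("redirect", HTTP_REDIRECT)]:
        print(label, audit_response(*resp) or ["ok"])
```

The weak response produces three findings (content served over http, cookie without Secure, cookie without HttpOnly); the hardened response and the http-to-https redirect produce none. Run against a real site, the same checks can be fed from the headers returned by any HTTP client.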
“The usual reason Web sites give for not encrypting all communication is that it will slow down the site and would be a huge engineering expense,” said Chris Palmer, technology director at the Electronic Frontier Foundation, an electronic rights advocacy group based in San Francisco. “Yes, there are operational hurdles, but they are solvable.”
Indeed, Gmail made end-to-end encryption its default mode in January 2010. Facebook began to offer the same protection as an opt-in security feature last month, though it is so far available only to a small percentage of users and has limitations. For example, it doesn’t work with many third-party applications.
“It’s worth noting that Facebook took this step, but it’s too early to congratulate them,” said Mr. Butler, who is frustrated that “https” is not the site’s default setting. “Most people aren’t going to know about it or won’t think it’s important or won’t want to use it when they find out that it disables major applications.”
Joe Sullivan, chief security officer at Facebook, said the company was engaged in a “deliberative rollout process,” to assess and address any unforeseen difficulties. “We hope to have it available for all users in the next several weeks,” he said, adding that the company was also working to address problems with third-party applications and to make “https” the default setting.
Many Web sites offer some support for encryption via “https,” but they make it difficult to use. To address these problems, the Electronic Frontier Foundation in collaboration with the Tor Project, another group concerned with Internet privacy, released in June an add-on to the browser Firefox, called Https Everywhere. The extension, which can be downloaded at eff.org/https-everywhere, makes “https” the stubbornly unchangeable default on all sites that support it.
Since not all Web sites have “https” capability, Bill Pennington, chief strategy officer with the Web site risk management firm WhiteHat Security in Santa Clara, Calif., said: “I tell people that if you’re doing things with sensitive data, don’t do it at a Wi-Fi hot spot. Do it at home.”
But home wireless networks may not be all that safe either, because of free and widely available Wi-Fi cracking programs like Gerix WiFi Cracker, Aircrack-ng and Wifite. The programs work by faking legitimate user activity to collect a series of so-called weak keys or clues to the password. The process is wholly automated, said Mr. Kitchen at Hak5, allowing even techno-ignoramuses to recover a wireless router’s password in a matter of seconds. “I’ve yet to find a WEP-protected network not susceptible to this kind of attack,” Mr. Kitchen said.
A WEP-encrypted password (for wired equivalent privacy) is not as strong as a WPA (or Wi-Fi protected access) password, so it’s best to use a WPA password instead. Even so, hackers can use the same free software programs to get on WPA password-protected networks as well. It just takes much longer (think weeks) and more computer expertise.
Using such programs along with high-powered Wi-Fi antennas that cost less than $90, hackers can pull in signals from home networks two to three miles away. There are also some computerized cracking devices with built-in antennas on the market, like WifiRobin ($156). But experts said they were not as fast or effective as the latest free cracking programs, because the devices worked only on WEP-protected networks.
To protect yourself, changing the Service Set Identifier or SSID of your wireless network from the default name of your router (like Linksys or Netgear) to something less predictable helps, as does choosing a lengthy and complicated alphanumeric password.
Setting up a virtual private network, or V.P.N., which encrypts all communications you transmit wirelessly whether on your home network or at a hot spot, is even more secure. The data looks like gibberish to a snooper as it travels from your computer to a secure server before it is blasted onto the Internet.
Popular V.P.N. providers include Vyper, HotSpot and LogMeIn Hamachi. Some are free; others are as much as $18 a month, depending on how much data is encrypted. Free versions tend to encrypt only Web activity and not e-mail exchanges.
However, Mr. Palmer at the Electronic Frontier Foundation blames poorly designed Web sites, not vulnerable Wi-Fi connections, for security lapses. “Many popular sites were not designed for security from the beginning, and now we are suffering the consequences,” he said. “People need to demand ‘https’ so Web sites will do the painful integration work that needs to be done.”