Published by cocotang on 2015-07-31

In July 2013, a hacker calling himself “Peace” uploaded a malicious string of code into computers at the US Department of Energy, the agency that oversees the American nuclear weapons programme, its power production and other vital national interests.  

Peace hit the jackpot, gaining access to a trove of confidential personal data — including the names of employees, their social security numbers and their bank account details. 


“YASSSS,” he typed in an online chatroom. “I AM INVINCIBLE!!! Finally shelled mis.doe.gov after over 24h.” 


Prosecutors allege “Peace” is Lauri Love, a 30-year-old resident of Suffolk, England. With relative ease, he and his unnamed co-conspirators gained “unlimited access” to the system and ran more than 600 queries on the DoE’s computers. The alleged hackers accessed personal information of over 104,000 current and former DoE employees by breaking in through a known — but unpatched — vulnerability in an Adobe software programme called ColdFusion. 

Mr Love allegedly used the same tactic to infiltrate the Federal Reserve, Nasa, the Environmental Protection Agency, the US Army and the US Missile Defense Agency, according to three separate criminal charges. The DoE breach was one of the biggest violations of government employee data at the time — and the department’s watchdog says it could have been prevented. 

“The vulnerability exploited by the attacker was specifically identified by [US software company Adobe] in January 2013,” Gregory Friedman, the DoE’s inspector-general, concluded after investigating the hack. 

While serious, the breach at the DoE can hardly be called rare. Even as the US technology sector leads the world, the US government’s computer systems — including those of agencies that handle information crucial to national security — are woefully unprepared for the frequency and sophistication of today’s cyber attackers. 


US agencies’ vulnerabilities have been hiding in plain sight. Last week the Obama administration admitted that hackers stole the private information of about 25m individuals through two hacks at the Office of Personnel Management, the government’s human resources arm. The second breach was the largest ever cyber attack on a US government agency. The OPM’s chief resigned last Friday. 

Lawmakers see the skyrocketing number of hacks as evidence of a new cold war — one which the US is losing. Whether the attacker is a nation — China is thought to have been behind the OPM hack — or a small group like Mr Love and his associates, the enemy is often more sophisticated and more nimble than the US government. Mr Love, who has been charged by prosecutors in New York, New Jersey and Virginia but who has not yet been sought for extradition, could not be reached for comment. 


China and Russia have become more aggressive in their cyber attacks, prompting US defence and intelligence officials to admit grudging admiration. 


“You have to kind of salute the Chinese for what they did,” said James Clapper, director of national intelligence, referring to the OPM breaches. 

An analysis by the Financial Times of dozens of reports by agency inspectors general, the Government Accountability Office and the Office of Management and Budget reveals that for years more than half of the 24 agencies required to report their cyber defences failed to take the most basic security steps. Such measures include patching software holes, using strong authentication technology and continuously monitoring systems, to help secure the data collected on employees, retired military officials and government programmes. 

A review of thousands of documents and interviews with current and former government officials reveal the deep challenges facing government agencies. Most agency officials did not return repeated calls to discuss the reports’ findings or declined to comment. 


“One of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats,” Tony Scott, the government’s new chief information officer, told Congress this year. 

The number of successful hacks into highly sensitive information held by government agencies has been skyrocketing. This year, hackers accessed 100,000 tax accounts after breaking into systems at the Internal Revenue Service. A hack of the US Postal Service last year exposed the sensitive information belonging to 800,000 employees. The State Department and White House said last year that their unclassified systems were breached, officials believe, by the Russian government. 

“We have to raise our level of cyber security in both the private sector and the public sector,” Michael Daniel, the White House cyber security co-ordinator, said last week. 

Under siege 


Since 2006 the number of “incidents” at federal agencies, including phishing attempts, malware attachments and unauthorised access by employees, rose 1,100 per cent to 67,168 in 2014, according to OMB. Some of that increase, officials say, reflects the better job agencies have done in detecting attacks. 


“The entire nation is now making up for 20 years of under-investment in our nation’s cyber security, in both the public and private sectors,” Andy Ozment, assistant secretary of the Department of Homeland Security, told Congress.

The Obama administration has incrementally increased IT spending for the federal government from $78.6bn in 2013 to a suggested budget of $86.3bn for 2016. For 2015, the administration initially suggested cutting the budget by about 3 per cent before it was increased. Budget wrangling with Congress and a focus on cost-cutting add to the woes.


Although more money would help, officials also note problems such as bureaucratic hurdles in hiring, a challenging procurement process and bad budgeting — tens of millions of dollars have been wasted on software upgrades that went awry. 


Tom Carper, a Democratic senator from Delaware, told the FT that two laws passed last year to give agency chief information officers more authority over their IT budgets will help make “significant strides” toward modernising cyber security. 

“But Congress cannot rest on our laurels when it comes to cyber security — we have more work to do. Congress should promptly authorise and fund the latest generation in cyber defence technology to make future intrusions across our government less likely,” he said. 


The outdated equipment often used by US agencies means that modern cyber defence techniques such as having a “zero trust” approach in which all users, applications and devices must be verified — now a common feature in software offered by companies such as VMware, Palo Alto Networks and Cisco — do not work. Encryption is also not possible on older IT infrastructure, such as the legacy networks at OPM. Its cyber security was viewed as so poor that in the week before the latest breach, its inspector-general recommended shutting down its networks and essentially rebooting. OPM declined. 

‘An intelligence bonanza’


Strong authentication is defined as requiring more than a username and password, such as a two-factor test using a login and security code or a personal identity verification card. This is now a basic procedure at many companies and is frequently used in free online services such as Gmail. Some agencies, including the State Department, Labor Department and OPM, did not implement a two-factor test, while 15 out of 24 agencies failed to have at least half of their users in compliance, the OMB said in February.
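The “login and security code” form of strong authentication described above is, in practice, usually a time-based one-time password (TOTP, RFC 6238) checked as a second factor after the password. The following Python is an added illustration, not code from the article or from any agency mentioned in it: the user store, the username `analyst`, the password and the salt are constructed for the demo, and the shared secret is the public RFC 6238 test-vector key, so the codes it produces can be checked against the RFC. It shows why a leaked password alone does not unlock the account, and why the server compares codes in constant time and tolerates a small clock drift.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the ASCII key from the RFC 6238 / RFC 4226 test
# vectors. A real enrolment issues a random per-user secret instead.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 variant): the security code for one time window."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter (RFC 4226)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    (client clock skew). compare_digest keeps the comparison constant-time."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for delta in range(-window, window + 1):
        candidate = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Hypothetical user store (constructed for the example). The password is kept
# only as a salted PBKDF2 hash; the TOTP secret is the second factor.
PBKDF2_ROUNDS = 200_000
USERS = {
    "analyst": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", b"constructed-salt", PBKDF2_ROUNDS
        ),
        "totp_secret": DEMO_SECRET,
    }
}


def check_password(username: str, password: str) -> bool:
    """First factor: something the user knows."""
    rec = USERS.get(username)
    if rec is None:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(derived, rec["pw_hash"])


def login(username: str, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Two-factor login: both the password and a fresh TOTP code must be valid.
    A stolen password by itself (the OPM-style failure) is not enough."""
    if unix_time is None:
        unix_time = int(time.time())
    rec = USERS.get(username)
    if rec is None or not check_password(username, password):
        return False
    return verify_code(rec["totp_secret"], code, unix_time)


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector gives 94287082; six digits -> 287082.
    print(totp(DEMO_SECRET, 59))
    print(login("analyst", "correct horse battery staple", totp(DEMO_SECRET, 59), unix_time=59))
    print(login("analyst", "correct horse battery staple", "000000", unix_time=59))
```

The `window` parameter is the usual trade-off: one step of tolerance either side keeps logins working when a phone’s clock drifts by a few seconds, while anything wider lengthens the period during which an intercepted code stays valid.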

“This statistic is significant due to the fact that major cyber incidents can often be tied to a lack of strong authentication implementation,” OMB wrote in its annual report to Congress. 


The layers of old technologies, far-flung operations and need for 24/7 connectivity present a host of security challenges, current and former officials say. “We’re trying to put a Band-aid on a carotid artery that’s been severed,” said an inspector-general auditor who identified flaws at the agency he audits. 


Many federal agencies do not even have a handle on the basics of their IT — as was illustrated by the DoE breach, where an employee deleted a data file rather than investigate the traffic produced by Mr Love’s hack. Government reviews found that many departments did not have a grasp of how many IT systems they operated. 


Even the Department of Homeland Security was found to have spotty cyber defences in some areas, especially at the Federal Emergency Management Agency, according to a December 2014 report by its inspector-general. Among other responsibilities, DHS has oversight of immigration and background checks on foreign visitors; it is also the federal agency that is supposed to help other agencies better manage their cyber risks.


US officials say China gained access to the background records of 21.5m people, their contacts overseas, their friends, their financial information and their work history in the second hack into the OPM. 


“It’s an intelligence bonanza for the Chinese. Why there isn’t more outrage tells me how far we are from fixing this problem,” says Mike Rogers, a former senator who, as chairman of the intelligence committee, was an advocate for improving cyber defences. “It would take a serious effort in each [agency] to get this right, to revamp the technology, and it takes money.” 

The US government, he says, has to be held accountable. “If you expose all of these people who have voluntarily filled out these forms and put their lives out there you have some responsibility [to protect the data],” says Mr Rogers, who was among those whose information was exposed. 


A decade behind 


Six months before Peace’s alleged hack, a unit within the DoE identified weaknesses in the compromised software. But the agency put off spending $4,200 to buy the new version, the inspector-general found. The IG calculated the breach cost at least $3.7m in credit monitoring and lost productivity. 


Some agencies do not have clear lines on who is responsible for their IT, often meaning no one takes charge. And if improving cyber security interferes with the main job of an agency, those fixes often get put on the backburner.


The risks and frustration with the lack of response to repeated warnings about security flaws led Steven Linick, inspector-general for the State Department, which in addition to diplomatic relations has reams of data on visas and passports, to ask Congress for a proprietary network. “I would like to be completely separate from the department to ensure the integrity of our system,” Mr Linick said this year. 

Robert Brese, who was in charge of DoE’s IT system at the time of the “Peace” hacks, bemoans the fact that the US government’s technology lags behind that of the private sector. 

“The government in many places is still several years to a decade behind the best and brightest in the private sector on legacy modernisation and the building of secure, resilient systems,” says Mr Brese, who left the agency in 2014. “I don’t mean the Googles and Amazons, but longstanding companies like Ford.” 

