Magazine issue 90: “Berkeley’s New Generation of Ethical Hackers Learns to Wage ...

[复制链接]
  • TA的每日心情
    开心
    2016-4-30 15:04
  • 签到天数: 1 天

    连续签到: 1 天

    [LV.1]初来乍到

Posted 2019-11-26 15:12:06

    登录以后才能看到帖子详情哦!

    您需要 登录 才可以下载或查看,没有帐号?立即注册

    x
This post was last edited by 小山林卡 on 2019-11-26 15:12.
At Berkeley, a New Generation of “Ethical Hackers” Learns to Wage Cyberwar


By identifying Web-site vulnerabilities, computer-science students aim to help improve cybersecurity.



By Anna Wiener
November 24, 2017
Photograph by Gary John Norman / Getty


“Whenever I teach a security class, it happens that there is something going on in the news cycle that ties into it,” Doug Tygar, a computer-science professor at the University of California, Berkeley, told me recently. Pedagogically speaking, this has been an especially fruitful year. So far in 2017, the Identity Theft Resource Center, an American nonprofit, has tallied more than eleven hundred data breaches, the highest number since 2005. The organization’s running list of victims includes health-care providers, fast-food franchises, multinational banks, public high schools and private colleges, a family-run chocolatier, an e-cigarette distributor, and the U.S. Air Force. In all, at least a hundred and seventy-one million records have been compromised. Nearly eighty-five per cent of those can be traced to a single catastrophic breach at the credit-reporting agency Equifax. That hack was reported in early September—just as Tygar and his students were settling into the third week of a new course called “Cyberwar.”

The purpose of the course, according to Tygar’s faculty Web page, is to teach Berkeley’s budding computer scientists to “forensically examine real cyberwar attacks” with an eye toward preventing them. Occasionally, this might mean mounting attacks of their own. Penal codes around the U.S. are not especially lenient when it comes to cybercrime; in some states, certain computer crimes are considered Class C felonies, on par with arson and kidnapping. So, for the hands-on portion of their studies, Tygar’s students rely on HackerOne, a sort of marketplace-cum-social-network devoted to “ethical hacking.” Companies, organizations, and government agencies use the site to solicit help identifying vulnerabilities in their products––or, as Tygar put it, “subject themselves to the indignity of having undergraduate students try to hack them.” In exchange for information about what they’re doing wrong, many of these clients offer monetary rewards, known as bug bounties. Since 2012, when HackerOne was launched, its hundred thousand or so testers have earned a total of twenty-two million dollars, a figure that the platform’s Dutch-born founders, Jobert Abma and Michiel Prins, hope to quintuple by 2020. For Tygar’s students, there is an added incentive: every bug they catch through HackerOne also gets them points toward their final grades.

Late last month, about fifty “Cyberwar” students, shouldering overstuffed backpacks and dressed in various forms of U.C.-stamped apparel, gathered in a nineteenth-century building on campus for a “hack night.” HackerOne swag was sprinkled across the desks—T-shirts, laptop-camera covers, branded fidget spinners. Tygar darted around the room in a sweaty teal polo shirt and Birkenstocks, enlisting volunteers to set up stacks of boxed pizza and distribute cans of soda. Once fortified, the students set about looking for bugs. HackerOne had sent a cadre of cybersecurity professionals––most skinny young men, most wearing sweatshirts––to provide counsel. One of them, Tanner Emek, an engineer at the personal-finance company NerdWallet, had recently received a fourteen-thousand-dollar bounty at Def Con, an annual hacker convention in Las Vegas, for discovering a flaw in Salesforce, a platform for customer-relationship management. (“It’s definitely fixed,” Emek assured me.)

Tygar’s students were after more modest prizes. “There are certain companies that are considered low-hanging fruit for hackers,” Vy-An Phan, a junior, explained. “For me, state Web sites and local-government Web sites, are, like, the fruit that’s already fallen onto the ground.” Although HackerOne’s government clients tend not to offer cash bounties, Phan had decided to focus on various secretary-of-state Web sites around the country, which house tools central to the electoral process—voter registration, ballot measures, candidate information, Election Day guidelines. So far, she had found eight bugs spread across four sites. One was a clickjacking vulnerability, in which a user might be unwittingly manipulated into clicking something undesirable. Several others were cross-site-scripting (XSS) vulnerabilities, an especially flexible and malicious type of attack, in which hackers inject their own code into a domain or Web application. “I could trick someone into registering for the wrong party, or not registering at all,” Phan said. “It all really depends on what I want to do.”

Across the room, two exchange students from China’s Wuhan University were testing the U.S. Department of Defense’s Web site. “We’re just finding bugs,” Angus Zhu, a junior, said cheerfully. He and his classmate, Farlui Li, had discovered that part of the site was susceptible to XSS attacks, making it relatively easy for a malicious actor to steal data from other visitors’ browsers and impersonate them. Zhu and Li were also testing social networks such as Facebook, Twitter, and Quora for vulnerability to homograph attacks, in which hackers use similar-looking characters from different writing systems to confuse their targets. The technique is particularly popular in e-mail phishing scams. If, for instance, a hacker wanted to fool people into handing over their credit-card information, he might send them a link to a fake version of Paypal.com, replacing the Latin letters in the URL with Cyrillic look-alikes—the English “p” for the Slavic “Р” which actually sounds like “r”; the English “y” for the Slavic “У” which sounds like “u”; and so on.
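One defensive check for the homograph lure described above, as an added example that is not part of the article: a mixed-script detector for hostnames, plus the punycode (xn--) form a resolver actually sends, which is how browsers and mail filters expose look-alike domains. The sample hostnames are constructed for the example.

```python
"""Flag hostnames whose labels mix writing systems (e.g. Latin + Cyrillic),
the pattern a confusable-domain lure relies on. Added example; the sample
hostnames below are constructed, not taken from the article."""
import unicodedata


def script_of(ch: str) -> str:
    """Coarse script of one character, derived from its Unicode name."""
    if ch in "-.0123456789":
        return "COMMON"          # allowed in any label, never decisive
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script + " "):
            return script
    return "OTHER"


def scripts_in_label(label: str) -> set:
    """Set of non-common scripts used in one DNS label (NFKC-normalised first,
    so compatibility look-alikes fold to their base letters)."""
    return {script_of(c) for c in unicodedata.normalize("NFKC", label)} - {"COMMON"}


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes two or more scripts. A genuine single-script
    non-Latin domain (e.g. an all-Cyrillic name) is deliberately not flagged."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))


def to_ascii(hostname: str) -> str:
    """IDNA/punycode form, which is what DNS sees and what browsers show when
    they distrust a name: plain ASCII stays as is, look-alikes become xn--."""
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: the real name, and a lure with Cyrillic 'р' (U+0440)
    # for 'p' and 'у' (U+0443) for 'y', as the article describes.
    for host in ("paypal.com", "\u0440a\u0443\u0440al.com", "пример.рф"):
        verdict = "MIXED SCRIPT" if is_mixed_script(host) else "single script"
        print(f"{host!r:28} -> {to_ascii(host):28} {verdict}")
```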

Christian Ng, a freshman, was sifting through the source code of a venture-backed cryptocurrency platform. He seemed unimpressed. “They were using Flash, which is notoriously insecure,” he said. “If I can inject code into the Flash object, I can create an XSS vulnerability.” Attackers could theoretically use such a vulnerability to steal transaction or bank-account data––and Ng could receive a bounty of as much as seventy-five hundred dollars for finding it. A few tables away, Jobel Kyle Vecino, a junior, was working with a partner to hack into a children’s entertainment site. “Our line of thinking is that the parts of the Web site that are primarily for the children are probably not very well tested,” he said. (In July, after a number of Internet-connected smart dolls and stuffed animals were found to harbor security flaws, the F.B.I. released a public-service announcement warning about “opportunities for child identity fraud.”)

Abma, the HackerOne co-founder, had been pairing up with students throughout the evening. Now, sitting at the back of the classroom, he told me that some of them had the potential to become “really successful” hackers. But he also expressed some skepticism. “Persistence and creativity and the drive to keep going are things that are really hard to teach someone,” he told me. He likened hacking to a Rubik’s Cube: “You don’t know how to do it, necessarily, but you know there’s a solution.” For Tygar, the solutions themselves are less important than the experience and perspective that “Cyberwar” will provide his students. “We’ve all read the news with these reports that Russian hackers broke into infrastructure that’s helping to support the integrity of elections,” he said. “It puts a whole other twist on it when you think that undergraduate students in college can also break in.”

Anna Wiener lives in San Francisco and works in technology.



Article link:
https://www.newyorker.com/tech/elements/at-berkeley-a-new-generation-of-ethical-hackers-learns-to-wage-cyberwar

Translation by Lynette
Proofreading by 旺仔
Final proofreading by Gabriellaz
树屋字幕组 (Treehouse subtitle group), text translation team
This translation is for study and exchange only; commercial use is strictly prohibited.

