云麓园BBS

What do hackers do with your password?

Posted 2012-6-23 23:41:35
What do hackers do with your password?
The news on Wednesday sounded like the setup for a lame Silicon Valley joke. Russian hackers stole 6 million passwords from LinkedIn. Did they mistranslate “world’s largest professional network” as “professional network that people actually use”? Where will they strike next, Google+? What are they going to do now that they’ve hacked all of those accounts, sell a bunch of résumés on the black market? Use your contact list to spam you with even more LinkedIn email invitations than you already get?
Amid the yawns and derision, one small group of people took the LinkedIn breach very seriously: security experts.
The answers to the facetious questions above are, in all probability, no, no, yes, and yes. No, the Russian hackers aren’t stupid, and they don’t care whether you actually use LinkedIn or not. No, they did not strike next at Google—too secure—but at the massively popular dating site eHarmony. Yes, stealing résumés and other personal information is almost certainly part of the plan, and a potential gold mine at that. And yes, sending you bogus emails that appear to be from people you know is one of the main ways they’ll hook you. It’s a lot more effective than sending emails from someone posing as a Nigerian prince.
The full dimensions of the breach are not yet clear. LinkedIn and eHarmony have not been particularly forthcoming about when and how it happened, perhaps because even they don’t know all the details yet. But computer security types are becoming increasingly convinced that the attack was more complex and sinister than the companies initially made it seem.
The bottom line: If you have a LinkedIn or eHarmony account, you should be concerned. And if you use the same password for other sites—particularly sensitive ones such as PayPal or Facebook—you should be very concerned. If you fall into either of those categories, you should go change your passwords immediately. (Well, you should finish reading this article first. But then go change those passwords!)
The first reports about the breach indicated that some 6.5 million LinkedIn user passwords had been published online, but without the email addresses needed to tie them to individual accounts. That sounded reassuring but raised a bunch of questions: Why would hackers post people’s passwords on an Internet forum for all to see? How could those passwords be used once they became public? And if your password wasn’t among those “cracked and leaked,” did that mean you were safe?
Security experts have arrived at a surprising hypothesis: The hackers may have posted the passwords online because they needed the public’s help cracking some of them. If yours isn’t among those publicized, it may mean you’re not safe at all—it’s possible the hackers already figured out your password on their own. If that theory is true, that might also explain why no emails or other personal information was posted. Not because they don’t have it but because they’re keeping it to themselves, possibly with the intent of selling it to criminal hackers on the black market.
The majority of systematic security breaches, according to Symantec’s Marian Merritt, are orchestrated by criminal gangs with a profit motive. A smaller number are the work of “hacktivist” groups such as Anonymous or LulzSec whose main goal is to embarrass, expose, thwart, or intimidate their targets, often large corporations that run afoul of the hackers’ ideology. The LinkedIn breach bore a passing resemblance to past LulzSec hacks, including one that compromised the personal information of 1 million Sony users last summer. But no hacktivists have claimed responsibility, and the fact that the data were first posted on a Russian forum dedicated to password decryption suggests that publicity was a by-product of this attack, not its main intent.
So how exactly do cyber-crooks use these passwords once they have them? There are multiple potential uses, explains Chester Wisniewski, senior security adviser for data security firm Sophos. For hackers around the world, the huge trove of new leaked passwords is an opportunity to update their “rainbow tables”—vast databases that serve as a digital key for cracking encrypted passwords, called “hashes.” The most-secure websites use an extra layer of password encryption, called “salting,” so that two users with the same password—say, “123456”—will have different hashes. But LinkedIn didn’t do that, so the same key will unlock the accounts of every user who has that password, not only on LinkedIn but on any other site that uses the same hashing algorithm. (eHarmony apparently used an even weaker algorithm, also sans salt.)
If the hackers have people’s email addresses as well as their passwords—and most security analysts suspect they do—the information can also be used to target LinkedIn and eHarmony users directly. One of the first things crooks will do is run software that will try out the same email/password combinations on other sites, to see if they can get into people’s financial or social media accounts.
The personal information available on users’ LinkedIn accounts could also be ideal for a type of targeted attack known as “spear phishing.” The idea behind spear phishing is to lure someone into downloading malware or divulging sensitive information by sending them an email that looks legitimate, says Marcus Carey, a former security analyst for the National Security Agency who now works as a researcher for the cybersecurity firm Rapid7. Such a message might appear to be from a boss or colleague, or it might be designed to look like an email they have to respond to in the course of their work, like a request for a quote on a particular service. Because it doesn’t look like spam, the target’s guard is down.
Spear phishing requires care and individual attention on the cyber-criminal’s part, so it’s only worth trying on high-value targets—like the professionals and executives who make up the core of LinkedIn’s membership.
There’s one more type of phishing that almost always accompanies attacks like the LinkedIn and eHarmony breaches, and in some ways it’s the most devious. Internet mischief-makers know that lots of people will read articles like this and decide it’s time to change their passwords. The right way to do it is to go directly to the LinkedIn or eHarmony site. The wrong way is to click through a link in an official-looking email that sends you to an official-looking website with instructions on how to reset your account. If the hackers didn’t have your password before, they certainly will once you’ve dutifully entered a new one in the form they provide. Don’t be fooled. It’s bad enough to get your password hacked. It’s worse when you do it to yourself.
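Added here to illustrate the hashing point in the article above (example code written for this page, not from the article, the forum poster, or LinkedIn): two users with the same password get identical unsalted digests, so one precomputed lookup unlocks both, while a per-user salt plus a slow KDF defeats the same table. It assumes unsalted SHA-1 for the weak scheme, since the article names no algorithm, and uses a constructed four-password dictionary in place of a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a real cracking table. A true rainbow
# table stores hash/reduce chains; a plain dictionary shows the same effect here.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty"]

def unsalted_sha1(password: str) -> str:
    """Weak scheme (assumed here; the article names no algorithm): one digest per
    password, identical for every user who chose it, on every site using it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Stronger scheme: per-user random salt plus a slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()

def build_lookup_table(candidates) -> dict:
    """Precompute digest -> plaintext once: the 'digital key' the article describes."""
    return {unsalted_sha1(p): p for p in candidates}

def crack_with_table(digest: str, table: dict):
    """Return the plaintext if the digest was precomputed, else None."""
    return table.get(digest)

def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Login check on a salted site: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), stored)

def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    # Unsalted: alice and bob both picked "123456", so their digests collide and
    # one table lookup recovers both accounts at once.
    alice, bob = unsalted_sha1("123456"), unsalted_sha1("123456")
    # Salted: same password, but each user gets a fresh 16-byte salt, so the
    # digests differ and the precomputed table has nothing to match.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    sa, sb = salted_pbkdf2("123456", salt_a), salted_pbkdf2("123456", salt_b)
    return {
        "unsalted_collide": alice == bob,
        "unsalted_cracked": crack_with_table(alice, table),
        "salted_collide": sa == sb,
        "salted_cracked": crack_with_table(sa, table),
        "salted_login_ok": verify_salted("123456", salt_a, sa),
    }

if __name__ == "__main__":
    print(demo())
```

The same unsalted digest also matches on any other site using the same unsalted algorithm, which is why the article warns about password reuse.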
OP | Posted 2012-6-23 23:42:43
Wednesday's news sounded like a standard Silicon Valley joke. Russian hackers stole the passwords of 6 million LinkedIn accounts. Did they mistranslate "the world's largest professional network" as "the professional network everyone actually uses"? Which company will they hack next, Google+? After stealing these accounts, what are they going to do, sell résumés on the black market? Aren't the LinkedIn invitation emails already enough, so they will use your contact list to send spam?
Some were indifferent and some sneered, but one small group took the LinkedIn attack very seriously: security experts.
The most likely answers to the mock questions above are: no, no, yes, yes. First question: Russian hackers aren't stupid; they don't care whether you actually use LinkedIn. Second question: they did not go on to attack Google (Google is too hard to attack) but the very popular dating site eHarmony. Third question: stealing résumés and other personal information is almost certainly part of the hackers' plan; that is a potential gold mine. Fourth question: posing as an acquaintance to send email is the hackers' main way of luring you in. That is far more believable than an email claiming to be from a Nigerian prince.
The impact of this attack is still unclear. LinkedIn and eHarmony have not yet given an explanation, perhaps because they themselves have not yet figured out exactly where things went wrong. But computer security experts are increasingly certain that the incident itself is far more complex and sinister than the two companies have said.
Warning: users registered with LinkedIn or eHarmony should be careful. If you used the same username on other sites, especially high-risk sites like PayPal and Facebook, you need to be even more careful. If you registered on these two sites, go change your password right away. (Don't act rashly; finish reading this article first, then change it!)
The first reports of the attack showed that about 6.5 million LinkedIn user passwords had been posted online, but there were no email addresses that could be traced to specific accounts. That seemed like a relief, but it raised a string of questions: what were the hackers up to, putting everyone's passwords out for all to see? Once these passwords were made public, who would keep using them? And are the passwords of users who were not "cracked and leaked" safe?
Security experts have made a startling hypothesis: the hackers published these passwords so that the public would help them crack some of them. If a user's password is not on the published list, it may well mean the user's account is already unsafe; the hackers may already have quietly obtained the password. If the hypothesis holds, it also makes sense that the hackers did not publish email addresses and other personal information. It is not that the hackers did not get this personal information, but that they are "stashing" it, in order to sell it one day to criminal hacker groups on the black market.
Symantec expert Marian Merritt says that organized hacker attacks are mostly planned by criminal gangs, with money as the motive. Next come "hacktivist" groups such as Anonymous and LulzSec. These groups' main goal is to disgust, expose, thwart and intimidate their targets, mainly large companies at odds with the hackers' ideology. The attack on LinkedIn has similarities to LulzSec's methods, for example the theft of the personal information of 1 million Sony users last summer. However, no hacktivist has claimed responsibility, and the fact that the data were first published on a Russian forum devoted to password cracking shows that publishing the passwords was only a by-product of this attack, by no means its main goal.
What do these online crooks want to do with the passwords? Chester Wisniewski, senior security adviser at the data security firm Sophos, says there are many uses. For hackers around the world, the huge batch of leaked passwords can be used to update their so-called "rainbow tables", huge databases that serve as digital keys for cracking encrypted passwords, called "hashes". The most secure websites use another layer of password encryption, called "salting", so that even if two users both used the password "123456", their hashes are different. But LinkedIn did not do this, and the result is that the same key can unlock a large batch of users who use the same password string; this works not only on LinkedIn but also on sites that use the same hashing algorithm. (eHarmony's algorithm is even weaker, and likewise unsalted.)
If the hackers have both users' email addresses and passwords (most analysts suspect they will do this), that information can also be used directly against LinkedIn and eHarmony users. The first thing the crooks do after getting in is run software that uses the same email address and password combinations to log in to other sites, to see whether they can get hold of people's financial or social accounts.
The personal information on LinkedIn accounts is also an ideal target for a kind of attack called "spear phishing". Marcus Carey, a former National Security Agency security analyst, says the phisher's scheme is to lure people into downloading malware or, by sending seemingly normal email, to get the recipient to divulge sensitive information. Marcus is now a researcher at the cybersecurity firm Rapid7. These messages appear to come from a boss or a colleague, or are disguised as an email related to the user's business, for example a request for a quote or for a particular service. Because such email does not look like spam, the target often lets their guard down.
Because spear phishing requires the cyber-criminal's care and individual attention, it is only used against high-value targets, such as experts or corporate executives. These people happen to be LinkedIn's core members.
There is one more kind of phishing that almost always accompanies attacks like those on LinkedIn and eHarmony, and in some sense it is the most cunning. Those with ill intent online know that many people will read articles like this one and then change their passwords. The right way is to log in directly to the LinkedIn or eHarmony site to change it. The wrong way is to click a link in an email that appears to come from the official site, be taken by that link to a fake official website, and reset the password following the instructions there. If the hackers did not have the password before, as soon as the user obediently enters the password in the trap they have set, they have succeeded. Don't be fooled. Having your password stolen is bad enough. Delivering it yourself is even more miserable.
Posted 2012-6-24 10:28:53
Surprised that 小文wen would care about this.
OP | Posted 2012-6-24 12:00:06
ahcheqiu posted on 2012-6-24 10:28:
Surprised that 小文wen would care about this.
