Even Staying Away From the Internet Is No Escape From Hackers
It took the hackers less than two hours to take over Patsy Walsh’s life.
On a recent Friday, Mrs. Walsh, a grandmother of six, volunteered to allow two hackers to take a crack at hacking her home. How bad could it be?
Mrs. Walsh did not consider herself a digital person. As far as she knew, her home was not equipped with any “smart devices,” physical objects like refrigerators and thermometers that transmit information to the Internet. Sure, she has a Facebook account, which she uses to keep up on friends’ lives, but rarely does she post about her own.
“I don’t post things about myself and don’t really understand why other people do,” Mrs. Walsh said. “The fact you can go from one friend’s profile to their friends’ profiles is creepy. I guess you could find out a lot of information about somebody if you really wanted to.”
Indeed. Days before hackers even set foot in Mrs. Walsh’s home overlooking Mount Tamalpais in Marin County, Calif., they found her Facebook account and — though it was comparatively locked down — uncovered just enough to begin to take over her digital life. The New York Times was invited to witness the hacking, on the condition that Mrs. Walsh’s town not be named.
The twist was that once the hackers found their way in, they discovered someone else had already been there.
The hackers could see that Mrs. Walsh had liked a page organized by Change.org. That was all they needed to construct some convincing click bait. Within 10 minutes, they composed a fake email from Change.org asking her to sign a fake petition about land use in Marin County.
When that link led her to a page that asked her to enter her email address and password, she complied. To spare Mrs. Walsh any actual harm, the hackers used a service called Phish5, which does not actually store passwords and is often used by employers to test employees’ ability to spot malicious phishing cons.
Had the two been actual attackers, they would have had all the information they needed to “pwn” Mrs. Walsh — hacker speak for taking over someone’s digital life — from afar, particularly because, Mrs. Walsh confessed, she was guilty of using the same password across many accounts.
All this before they had even set foot in Mrs. Walsh’s home.
The hackers, Reed Loden, the 27-year-old director of security of HackerOne, a San Francisco security start-up, and Michiel Prins, the 25-year-old co-founder of HackerOne, were greeted warmly when they arrived at her home.
“Welcome Hackers” was scrawled on a heart-shaped chalkboard on the front door, and deviled eggs, tuna sandwiches and fresh iced tea were waiting. Mrs. Walsh said she expected the hackers would wear black, but Mr. Loden and Mr. Prins did not fit that stereotype. Mr. Loden, who hails from Mississippi, ended his sentences with a warm “thank you, ma’am” — his manners intact even while explaining that he had just hacked Mrs. Walsh’s power of attorney form.
“They’re very polite,” Mrs. Walsh noted. (Later, she invited both to Thanksgiving dinner.)
Over an hour and a half, they discovered a way to open the Walshes’ garage door. It was simply a matter of using a “brute force” attack against an older door opener. The process entailed testing thousands of code combinations until hitting the correct one. Earlier this year, the hacker Samy Kamkar demonstrated how to do this in less than 10 seconds using a Mattel toy.
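Why "thousands of combinations" can still mean under ten seconds, as an added example that is not code from the article, from the HackerOne engineers or from Kamkar's tool. Two things are assumed that the article does not state: a 12-bit fixed code (4,096 possibilities), and a receiver that simply compares the last 12 bits it heard against its programmed code without resetting between tries. Under that model, sending every code in full costs up to 12 × 4,096 = 49,152 bits, while a De Bruijn sequence (the trick Kamkar's public write-up credits for the speed-up) contains every 12-bit string exactly once as a sliding window and needs only 4,096 + 11 = 4,107 bits, about a twelfth of the transmission time.

```python
"""Fixed-code opener brute force: naive enumeration versus a De Bruijn sequence (added example)."""

N_BITS = 12  # assumption: 12-bit fixed code, as on many older openers


def de_bruijn(k: int, n: int) -> list:
    """Cyclic sequence over {0..k-1} containing every length-n string exactly
    once (length k**n). Standard Lyndon-word construction."""
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def code_to_bits(code: int, n: int = N_BITS) -> list:
    """Most-significant bit first."""
    return [(code >> (n - 1 - i)) & 1 for i in range(n)]


def naive_stream(n: int = N_BITS):
    """Every code in order, each sent in full: up to n * 2**n bits."""
    for code in range(1 << n):
        yield from code_to_bits(code, n)


def de_bruijn_stream(n: int = N_BITS):
    """One De Bruijn sequence plus n-1 bits of wrap-around, so every n-bit
    code appears once as a sliding window: 2**n + n - 1 bits in total."""
    seq = de_bruijn(2, n)
    yield from seq
    yield from seq[:n - 1]


class ShiftRegisterReceiver:
    """Assumed receiver: keeps the last n bits heard and opens as soon as they
    equal the programmed code. Not resetting between attempts is what lets
    overlapping windows count as separate guesses."""

    def __init__(self, code: int, n: int = N_BITS):
        self.code, self.n = code, n
        self.register, self.filled = 0, 0

    def feed(self, bit: int) -> bool:
        self.register = ((self.register << 1) | bit) & ((1 << self.n) - 1)
        self.filled = min(self.filled + 1, self.n)
        return self.filled == self.n and self.register == self.code


def bits_to_open(stream, code: int, n: int = N_BITS):
    """Number of transmitted bits until the receiver opens, or None."""
    rx = ShiftRegisterReceiver(code, n)
    for count, bit in enumerate(stream, start=1):
        if rx.feed(bit):
            return count
    return None


def worst_case_naive_bits(n: int = N_BITS) -> int:
    return n * (1 << n)


def worst_case_de_bruijn_bits(n: int = N_BITS) -> int:
    return (1 << n) + n - 1


def all_windows_distinct(seq: list, n: int) -> bool:
    """Sanity check: every n-bit window of the cyclic sequence is unique."""
    padded = seq + seq[:n - 1]
    return len({tuple(padded[i:i + n]) for i in range(len(seq))}) == len(seq)


if __name__ == "__main__":
    code = 0xA5A  # arbitrary programmed code for the demonstration
    print("naive worst case:", worst_case_naive_bits(), "bits")
    print("De Bruijn worst case:", worst_case_de_bruijn_bits(), "bits")
    print("bits until open, naive:", bits_to_open(naive_stream(), code))
    print("bits until open, De Bruijn:", bits_to_open(de_bruijn_stream(), code))
```

The bit count, not the number of codes, is what sets the wall-clock time, which is why shortening the transmission matters more than any cleverness about which code to try first. Rolling-code openers, which change the expected code on every press, do not fall to this enumeration; that is the substance of the debrief's advice to replace the opener rather than reprogram it.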
Mr. Loden and Mr. Prins also found a way to intercept Mrs. Walsh’s television. A service worker had not installed her DirecTV securely, with a password, which meant anyone with knowledge of the device’s I.P. address could control the television remotely.
In this case, the hackers used their access to purchase a three-hour pass to an array of adult channels — the names of which would not be suitable for print here.
Still, Mrs. Walsh was not impressed. “What’s so wrong about getting into my TV?” When Mr. Loden pointed out that someone could blast pornography in her living room in the middle of a dinner party, Mrs. Walsh conceded, “I can see how that would be a little shocking to guests.”
From there, the hackers made their way to the back of Mrs. Walsh’s house, where her PC was waiting. With her passwords posted on the nearby router, their task was easy. Within minutes, they had not only broken into Mrs. Walsh’s email account, but also that of her daughter — who at some point had allowed the computer’s browser to auto-fill her password. (As a courtesy, the hackers made sure to send Mrs. Walsh’s daughter an email from her own account with the subject line: “Reminder: Change my password.”)
They searched Mrs. Walsh’s email for the term “SSN” and within seconds had access to her Social Security number, her PayPal account, her air miles account and her insurance information. They had even gotten their hands on her power of attorney form.
What’s worse, they weren’t the only ones with access to all of the above. Mr. Loden and Mr. Prins ran a scan for malicious programs running on Mrs. Walsh’s machine and found roughly 20, including InstallBrain, an installer that can download malicious programs on demand, like one that helps attackers mine for Bitcoin. And others like DefaultTab, FunWebProducts, SearchProtect, SlimCleaner and Supreme Savings that can change a victim’s home page, spy on search and browsing histories, or replace ads on websites like Facebook and Google with intrusive programs.
After they were through “pwning” Mrs. Walsh, the two hackers sat down with their victim for a debriefing. Critical points were that Mrs. Walsh needed a new garage door opener, a password for her television and a password manager to help her set unique and far more complicated passwords for each of her accounts.
The hackers advised her to turn on two-step authentication, a service that sends a second, one-time password to users’ phones when they try to log in from an unrecognized machine. They also gave her a quick lesson in phishing attacks and a lecture on the importance of installing software updates.
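What that second, one-time password actually is, as an added example that is not the article's or any provider's code. The article describes a code delivered to the phone; an authenticator app computes the same kind of code locally, and either way the server checks it with the algorithms below: HOTP (RFC 4226) truncates an HMAC over a counter to six digits, and TOTP (RFC 6238) derives the counter from the clock in 30-second steps. The shared secret is the RFC test secret, so the codes can be checked against the published vectors. The replay guard, refusing any counter at or below the last one accepted, is the RFC 6238 recommendation; how a real server stores that state is an assumption made here for the example.

```python
"""HOTP/TOTP generation and server-side verification with replay protection (added example)."""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # shared secret from the RFC 4226/6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Dynamic truncation of HMAC(secret, counter) to a fixed-width decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The counter is the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class SecondFactor:
    """Server-side verifier. Accepts the current step and drift_steps either
    side, compares in constant time, and never accepts a counter at or below
    the last one used, so a code captured on a phishing page cannot be
    replayed even within its own 30-second window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift_steps
        self.last_counter = -1  # assumption: persisted per user in a real deployment

    def check(self, submitted: str, unix_time: int) -> bool:
        now_counter = int(unix_time) // self.step
        for k in range(-self.drift, self.drift + 1):
            counter = now_counter + k
            if counter <= self.last_counter:
                continue  # already consumed: replay refused
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False


def login(password_ok: bool, second_factor: SecondFactor, code: str, unix_time: int) -> bool:
    """Both factors must pass; a reused or phished password alone is not enough."""
    return password_ok and second_factor.check(code, unix_time)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET, now))
```

The point for Mrs. Walsh's case is in `login`: the password she reused across accounts and typed into the fake petition page clears only the first factor, and a code captured along with it is useless once its step has passed or it has been used once.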
Best to switch on automatic updates, they said, for core services like Apple’s iOS operating system, Google’s Chrome browser and Windows. And, they said, her PC needed to be completely wiped. The good news was they promised to return to do this for her, possibly when they visit for Thanksgiving dinner.