Hackers Exploit Remote Access Software to Steal Credit Card Data

SAN FRANCISCO — The same tools that help millions of Americans work from home are being exploited by cybercriminals to break into the computer networks of retailers like Target and Neiman Marcus.

The Homeland Security Department, in a new report, warns that hackers are scanning corporate systems for remote access software — made by companies like Apple, Google and Microsoft — that allows outside contractors and employees to tap into computer networks over an Internet connection.

When the hackers discover such software, they deploy high-speed programs that guess login credentials until they hit the right one, offering a hard-to-detect entry point into computer systems.

The report, which Homeland Security produced with the Secret Service, the National Cybersecurity and Communications Integration Center, Trustwave SpiderLabs, an online security firm based in Chicago, and other industry partners, is expected to be released on Thursday. It provides insight into what retailers are up against as hackers find ways into computer networks without tripping security systems.

It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.

“As we start to make more secure software and systems, the weakest link in the information chain is the human that sits on the end — the weak password they type in, the click on the email from the contact they trust,” said Vincent Berq of FlowTraq, a network security firm.

While the report does not identify the victims of these attacks, citing a policy of not commenting on current investigations, two people with knowledge of these investigations say that more than a dozen retailers have been hit. They include Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and as recently as this month, Goodwill Industries International, the nonprofit agency that operates thrift stores around the country.

Once inside the network, the hackers deploy malicious software called Backoff that is devised to steal payment card data off the memory of in-store cash register systems, the report says. After that information is captured, the hackers send it back to their computers and eventually sell it on the black market, where a single credit card number can go for $100.

In each case, criminals used computer connections that would normally be trusted to gain their initial foothold. In the Target breach, for example, hackers zeroed in on the remote access granted through the retailer’s computerized heating and cooling software, the two people with knowledge of the inquiry said.

In an interview, Brad Maiorino, recently hired as Target’s chief information security officer, said a top priority was what he called “attack surface reduction.”

“You don’t need military-grade defense capabilities to figure out that you have too many connections,” Mr. Maiorino said. “You have to simplify and consolidate those as much as possible.”

The Secret Service first discovered the Backoff malware (named for a word in its code) in October 2013. In the last few weeks, the agency said that it had come across the malware in three separate investigations. Most troubling, the agency said that even fully updated antivirus systems were failing to catch it.

Low detection rates meant that “fully updated antivirus engines on fully patched computers could not identify the malware as malicious,” the report concluded.

Backoff and its variants all perform four functions. First, they scrape the memory of in-store payment systems for credit and debit card “track” data, which can include an account number, expiration dates and personal identification numbers, or PINs.

The malware logs keystrokes, as when a customer manually enters her PIN, and communicates back to the attackers’ computers so they can remove payment data, update the malware or delete it to escape detection.

The hackers also install a so-called backdoor into in-store payment machines, ensuring a foothold even if the machines crash or are reset. And they continue to tweak the malware to add functions and make it less detectable to security researchers.

Security experts say antivirus software alone will not prevent these attacks. They recommend companies take what is called a “defense in depth” approach, layering different technologies and empowering security professionals to monitor systems for unusual behavior.

Among the report’s recommendations: Companies should limit the number of people with access to their systems; require long, complex passwords that cannot be easily cracked; and lock accounts after repeated login requests.
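An added example, not from the report or the article, of the lockout rule in that last recommendation applied to the credential-guessing described earlier: it replays constructed remote-access login log lines (the log format, user names and addresses are assumed) and locks an account after five failures within ten minutes, flagging any later attempt on that account, including a correct guess, instead of trusting it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the report): one remote-access
# login result per line, "<timestamp> <result> user=<name> src=<ip>".
SAMPLE_LOG = """\
2014-07-31T02:14:01 FAIL user=vendor01 src=203.0.113.7
2014-07-31T02:14:02 FAIL user=vendor01 src=203.0.113.7
2014-07-31T02:14:03 FAIL user=vendor01 src=203.0.113.7
2014-07-31T02:14:04 FAIL user=vendor01 src=203.0.113.7
2014-07-31T02:14:05 FAIL user=vendor01 src=203.0.113.7
2014-07-31T02:14:06 OK   user=vendor01 src=203.0.113.7
2014-07-31T09:00:00 FAIL user=alice src=198.51.100.4
2014-07-31T09:20:00 FAIL user=alice src=198.51.100.4
2014-07-31T09:40:00 OK   user=alice src=198.51.100.4
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_bruteforce(log_text, threshold=5, window_minutes=10):
    """Return ({user: lockout_time}, [alerts]). An account is locked once
    `threshold` failed logins fall inside a sliding window; after that every
    attempt on it is reported, so a guessing program that finally hits the
    right password is alerted on rather than let in. A normal user who
    mistypes twice over twenty minutes never reaches the threshold."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked, alerts = {}, []
    window = timedelta(minutes=window_minutes)
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if user in locked:
            alerts.append(f"{ts} attempt on locked account {user} from {src} ({result})")
            continue
        if result == "OK":
            failures[user].clear()      # a real success resets the counter
            continue
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            locked[user] = ts
            alerts.append(f"{ts} locking {user}: {threshold} failures from {src} within {window_minutes} min")
    return locked, alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG)[1]:
        print(alert)
```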

The report also suggests segregating crucial systems like in-store payment systems from the corporate network and making “two factor authentication” — a process by which employees must enter a second, one-time password in addition to their usual credentials — the status quo.

The report also recommends encrypting customers’ payment data from the moment their cards are swiped at the store, logging all network activity and deploying security systems that can alert staff to unusual behavior, like a server communicating with a strange computer in Russia.

At Target, Mr. Maiorino said he planned to build a security program as tough as what was expected from military contractors.

“All of the same tools and techniques that nation states are using for attacks have been commoditized and are available for sale in the black market,” Mr. Maiorino said. “And for the right amount of money you can go out and create a cybercrime ring at a relatively low cost.”
