XP's retirement could put ATM security at risk


David Z. Morris, April 3, 2014
Microsoft will end support for Windows XP on April 8. Because upgrading to Windows 7 is costly, many financial institutions are still hesitating, in particular the large number of independent ATM operators and small financial institutions. Meanwhile, hackers are rolling up their sleeves and getting ready to strike. Once support ends, these institutions could face a serious risk of attack.

(Fortune China; Chinese translation by 朴成奎)

    But Bogdan Botezatu, senior e-threat analyst for the anti-malware software company Bitdefender, couldn't disagree more. He talks about the issue with the barely suppressed terror of a father watching his teenage son drive solo for the first time. "They're not panicky," he says, "and actually that makes me panicky."

    Botezatu, who haunts underground hacking forums to keep an eye on looming security threats, claims that hackers are gearing up to raid suddenly insecure XP machines the minute Microsoft support ends. "When an operating system is announced as reaching its end of life, [hackers] are frantically looking for exploits, because then they can use it indefinitely," he says. "It's the holy grail of malware."

    To take fullest advantage of the situation, black-market vendors selling new XP exploits have been stockpiling them, waiting to release them until after Microsoft is no longer monitoring and repairing security flaws. Though third-party security firms will continue to update anti-malware programs for XP, users not running or updating such software could be permanently vulnerable to an ever-growing set of exploits. Mercury Payment Systems' John Berkeley confirms that "If a hacker discovers [a vulnerability] a month or two after the end of [XP support], they have more time to exploit that."

    These exploits could range from stealing credit card information from small vendors to even more dramatic forms of theft, many of them easily circumventing external security measures such as the semi-closed payments network. Botezatu says there have been reports of an ATM exploit delivered through a mobile phone connected to an ATM's card reader. He also cites a legendary stunt by the security expert Barnaby Jack at the Black Hat security conference in 2010, where he demonstrated a "Jackpotting" hack that easily emptied an XP-based ATM. According to Botezatu, Jack, who died in 2013, never revealed the nature of this exploit, meaning that it could remain an unpatched vulnerability in XP-based machines.

    Most troubling of all, Botezatu predicts that unsecured XP machines of all kinds will be compromised by hackers to form new botnets. Such a network, in which the processors of compromised machines are put to work on tasks their owners know nothing about, can be used for everything from massive denial-of-service attacks to mining cryptocurrency, and would add substantially to the insecurity of the Internet as a whole. "I see a lot of trouble," Botezatu warns.

    Whether April 9th brings a plague of cash-spewing ATMs, zombie PCs, and thieving credit-card readers remains to be seen. But Botezatu sounds exasperated that he even has to consider these scenarios. "It's an operating system that was released 13 years ago. Everyone should have started migrating two or three years ago" to avoid the mad rush and risks that come with the end of support. He hopes, at least, that this episode will motivate today's users to think about the future.

    "This is going to happen soon with other operating systems," Botezatu says. "You should start upgrading from Windows 7 now."
