第247期：遏制网络病毒，到底该怎么做？

想成为我们的主播，欢迎加微信 xdfbook 投稿。 一段美文，一首英文歌，或是一点生活感想，全由你做主。 《遏制网络病毒，到底该怎么做？》 Malicious Cyber Capability Is Spreading. How Do We Stop It? A global outbreak of ransomware1) is rapidly infecting machines in critical and not-so-critical infrastructure across the globe, including the National Health Service in the United Kingdom, a Spanish internet service provider, the German rail system, and mall billboards in Singapore. This digital pandemic illustrates a challenge that the cybersecurity community has been wrestling with2) for nearly a decade: How to counter the spread of malicious cyber capability. To help inform this conversation, let’s first step back and review what we know about WannaCry, the ransomware sprinting across globe. As has been widely reported, the malware leverages an exploit3) developed by the U.S. National Security Agency. The exploit, which was called EternalBlue, “works reliably against computers running Microsoft Windows XP,” as Ars Technica4) put it. The developers of WannaCry combined this Windows exploit with code that allowed the ransomware to spread without so much as a keystroke5) or click from either the operator or the victim, locking machines and demanding ransom. How, you might ask, did this exploit reach the authors of WannaCry? In simple terms: The Shadow Brokers6), the group that has spent the last few months leaking NSA tools, essentially made it open-source. Because of difficulties associated with pushing patches7) designed to block an exploit out to the public—it takes a long time for everyone to click on those annoying little security updates, and some portion of the population never will—open-sourcing exploits like this is often a bad idea. It simultaneously notifies the software manufacturers and potential attackers of the bug. The Shadow Brokers/WannaCry case is just one demonstration of the growing challenge of countering the spread of malicious cyber capability. The code for Carberp8) (a “botnet9) creation kit”) was posted online and precipitated10) the outbreak of the Carbanak11) malware used to steal cash from ATMs. Rumors persist that versions of the BlackEnergy trojan—twice leveraged to shut off portions of the Ukrainian power grid—have been floating around in malware forums. In 2013 and in response to the publicity of Stuxnet12), the campaign that sabotaged the Iranian nuclear enrichment13) program, Gen. Michael Hayden14) noted that the time we live in “has the whiff15) of August 1945. Someone, probably a nation-state, just used a cyber weapon in a time of peace … to destroy what another nation could only describe as their critical infrastructure.” To Hayden, it was abundantly clear that cyber-insecurity could threaten global stability, yet the international community was ill-equipped to handle the problem. Today, when policymakers around the world contemplate the intersection of cybersecurity and global stability, they focus their time, money, and effort into developing concepts around norms for responsible state behavior—in other words, what states and other international actors should and should not do in cyberspace. They have not paid enough attention to the other side of the same stability-regime coin: limiting what groups can and cannot do. This means a combination of hardening our own systems against attacks and, likely, somehow countering the proliferation of capability—the possibility of which requires a great deal more exploration from researchers. This research will be important because there are several problems when it comes to countering the spread of malicious software. Chief among the challenges here is the notion that malware, the “weapon of cyberconflict,” is only a portion of the problem. The tool itself isn’t the only thing bad actors need—they must have the knowledge of how to leverage it as well. In any case the capability—the code and how to use it—is not physical. It’s knowledge or information. And it’s easier to lock down a physical object than it is to stop the spread of information. Second, somewhat counterintuitively, there are people who argue that the open spread of malicious capability is actually beneficial to those trying to defend against cyberattacks. If the exchange of tools and practices happens in the open, defenders have a better sense of what and who they are trying to protect against. Third, the cybersecurity community cannot afford to institute blanket16) restrictions on the exchange of malware. When actively defending against an attack or remediating an incident, defenders and responders share artifacts with colleagues to gain insight on how to counter the attack. More often than not, these artifacts could only be described as malware. So what can we do? For starters, the policy community needs to understand that not all malicious cyber capability is made equal. We know that the capability behind the Stuxnet campaign that sabotaged the Iranian nuclear facility at Natanz17) is different from Zeus18), which enabled financial and other cybercrime around the world, which is different from the Mirai19) botnet, which caused the Dyn20) internet outage in October 2016. And all of these tools are constructed and operate differently from WannaCry. Just as cybertools are vastly different in construction and effect, we likely need a variety of policy tools to address them. Wrapping our heads around21) what these capabilities are, how they differ, and how they spread is a massive first step. If we can do that, we can then look to other fields, like biosecurity, pathogen22) and disease control, counternarcotic23), and counter-money-laundering and small arms trade, which could shed light and provide frameworks for addressing diffusion24) problems. This type of framework might be leveraged to help the defensive cybersecurity community address transnational threats like the Mirai botnet and clean up the mess left by widespread ransomware. Similarly, the cybersecurity community can likely draw lessons about where and how to break up illicit markets from the experiences of the counternarcotic community to help address the spread of malware between criminal groups. Western policymakers are not the only ones who see WannaCry as a catalyst26) to renew discussion. Chinese academic Shen Yi’ writes, “all countries that are willing to take responsibility, including the United States, should advocate as soon as possible to promote a global cyber non-proliferation mechanism.” In a polarized world, there may be space for some form of transnational cooperation on this issue. But first, we need to fill the knowledge gap. 一款勒索软件在全球爆发，迅速感染了包括英国国民医疗服务体系、西班牙一家互联网服务提供商、德国铁路系统和新加坡商场广告板在内的全球关键和非关键基础设施的电脑。数字病毒的流行凸显出网络安全领域近十年来一直试图解决的一个问题：如何应对恶意网络力量的传播。 为了使对话双方知晓相关背景，我们先退一步，看一下我们对WannaCry这款光速横扫全球的勒索软件有多少了解。大量报道显示，该恶意软件利用了美国国家安全局开发的一款漏洞利用程序。据美国科技博客Ars Technica称，这款名为“永恒之蓝”的漏洞利用程序可以“有效攻击装有微软Windows XP系统的电脑”。WannaCry的开发人员将这一Windows漏洞利用程序与某种代码结合，使这种勒索软件无需操控者或受害者敲击键盘、点击鼠标便能传播开来，锁定电脑、然后勒索赎金。你可能会问：这个漏洞利用程序是如何落到WannaCry的开发者们手中的？简单来说，一个名为“影子经纪人”的组织近几个月来一直在泄露美国国安局的各种工具，“永恒之蓝”实际上也因此成了开源软件。 由于向公众普及漏洞补丁存在困难——想让每个人都点击那些讨厌的安全升级小程序需要很长时间，有些人甚至从来不升级——故而将“永恒之蓝”这一类漏洞利用程序开源化往往是非常可怕的。这种做法同时提醒着软件开发商和潜在的攻击者，告诉他们有漏洞存在。恶意网络力量传播带来的挑战日益显著，影子经纪人/WannaCry事件只是冰山一角。银行盗号软件Carberp (一种僵尸网络创建工具)的代码曾被挂在网上，造成盗取ATM机现金的Carbanak恶意软件突然爆发。还有传言坚称，曾两度用于关闭乌克兰部分地区电网的“黑暗力量”木马的变种如今仍出没在各大恶意软件论坛上。 2013年，导致伊朗核浓缩计划搁浅的蠕虫病毒Stuxnet被公之于众。针对这件事，美国的迈克尔·海登将军称，我们生活的时代“弥漫着1945年8月的气息。一些人，或许是哪个民族国家，在和平时期使用网络武器……来摧毁对另一个国家来说至关重要的基础设施”。在海登看来，显而易见，网络空间的危险会威胁到全球的稳定，但国际社会却没有足够的能力来处理该问题。 如今，在思考网络安全和全球稳定之间的关系时，全世界的决策者们常把他们的时间、财力、精力投在研究“负责的国家行为准则”这样的概念上。换言之，就是国家和其他国际行为体在网络空间内该做什么，不该做什么。然而，这些决策者并没有把足够的注意力放在这个网络稳定架构硬币的另一面，即对一些组织能做什么、不能做什么加以限定。这意味着在强化我们自身系统防范网络攻击能力的同时，可能的话遏制恶意网络能力的扩散。而后者能否实现，需要研究人员进行大量的探索。 该研究很重要，原因在于要遏制恶意软件的传播，存在几个问题。其中首要的问题是，有人认为恶意软件这一“网络冲突的武器”并非问题的全部。软件工具本身并非恶意行为体唯一需要的东西，他们还必须具备关于如何利用这种工具的知识。无论如何，恶意网络力量——代码及其使用方法——并非是物质的。这种力量是知识或信息。而锁定实体对象远比阻止信息传播要容易得多。 其次，和我们第一反应不同的是，有人认为，对于那些试图抵御网络攻击的人来说，恶意网络力量的公开传播实际是有用的。如果公开交流工具和攻击做法，防御者就能更好地了解他们要抵御的是什么样的对手和武器。 其三，网络安全领域无法对恶意软件交流进行完全的限制，其后果是难以承受的。在对网络攻击进行积极防御或采取补救措施时，防御者和响应者会和同事共享一些工具，以深入了解如何应对攻击。而在大多数情况下，这些工具只能被描述为是恶意软件。 ………… 文章摘自：《新东方英语》杂志2017年8月号