[b]本文为转贴，作者见http://blog.sina.com.cn/u/59191ea6010005j0[/b]　　[b]4.2 暗处的攻击者们更懂得致胜之道[/b]　　很显然，安全与破坏安全的入侵者们一直进行着卫“道”士与石地“魔”的较量。　　他们之间此消彼长，在进行一场没有终点的拉力赛。攻击者们善于挖掘并利用任何一个潜在的可能脆弱性并真正威胁到信息世界的完整性、可用性与保密性，而进一步超越合法用户获得控制权。微软曾经推出Windows Genuine Advantage 正版增值计划对其补丁下载并安装增加了验证机制，然而不到24 小时，该机制即被破解。SONY 耗资数百万美金开发了名key2audio 的数字版权管理技术以保护其音乐CD 不接受未经授权的复制或者音轨抓取行为。而在此类CD 摆上WalMart 超市柜台不超过12 小时，网络上就提供了相应破解服务，成本仅需要不到1 美金。更为常用的一些防护措施更是形同虚设，譬如Yahoo、PayPal 以及Hotmail 等服务在登陆帐户时都不同程度的要求输入页面上的随机生产的图形验证码以确保其登陆会话的唯一性。然而，来自SAM.zoy.org 的一个项目PWNTCHA 的成果使得攻击者可以使用该工具几乎可以百分之百正确识别出大量的图形验证码。 [img]http://s16.sinaimg.cn/orignal/59191ea65275216fcf02f[/img]　　图：百分百“识别”　　[b]4.3 人是罪恶的根源[/b]　　主啊！请以你的宝血洗涤我所犯下的种种罪恶吧！……然而人们对于触手可及的诱惑总是缺乏足够的抵制力。做为掌握一定计算机知识的爱好者们，尤其是那些远超常人的计算机天才更是有可能成为攻击者与破坏者阵营中的主力成员。随着技术的演化，入侵抑或是破坏已经不需要掌握高深的计算机技巧，最新计算机漏洞公告榜、病毒生成器、自动化、分布式、智能的攻击工具已经使得入侵者破坏者无所不在。　　俄罗斯黑客站点上以不到100 人民币的价格打包出售“Web 攻击工具套装”，从针对浏览器Web 页面的漏洞检测、入侵以及植入后门并清除日志痕迹等你只需要简单到指定目标URL并点击Start 按钮即可实现你的骇客梦想。一切安全措施似乎都形同虚设。统计表明，2006 年全球PC 数量在6.6-6.7 亿台之间，而预计到2010 年，会达到甚至超过10 亿台。随着互联网的进一步扩张，网络“破坏者“的数量与攻击的类型将日趋增加。　　[b]4.4 安全永不可达[/b]　　Gartner 集团安全分析师John Pescatore 在对AT&T 以及MCI 进行的一项调查中发现，诸如此类的电信运营商部署了大量的Anti-DDOS 设备以确保其业务的连续性不受影响，其开支高达每月平均12000 美金。现实情况是，绝大多数企业并没有足够的时间、精力以及预算支出用于确保并改善安全现状，他们只能听之任之，使安全处于一种放任自流的失控状态之中。消费者更是对此大多一无所知，他们更不懂得如何规避互联网中的各种安全风险，也许，他们只会问一个问题：　　我，上网安全么？　　一个令所有安全厂商、安全专家、安全工程师难于回答的一个问题，然后我们或许该问自己一个问题：　　我，尽力了么？　　[b]4.5 安全的敌人[/b]　　信息系统的复杂性、扩展性以及互连接特性等进一步使得我们虚拟世界中的信息系统变得不再成为一个个的“信息孤岛”，其提升了我们对于信息系统的管理效能但同时也为安全提出了更为严峻的挑战。 [img]http://s12.sinaimg.cn/orignal/59191ea61e0ce2bae602b[/img]　　图：信息系统复杂“云”图　　举例来说，我们的网络打印机大都支持数种协议与连接方式（如：SNMP、Telnet、SMTP、SNMP、蓝牙、1394、USB、COM 等），也许我们所面临到的最大威胁就是网络打印机因为一个远程溢出漏洞而成为威胁源，进而成为危及全网的根源。　　[b]5 我们该如何改善[/b]　　这是一个难于回答的问题，无论从技术角度、从管理角度我们都找不出彻底改善并逃脱困境的“银弹”。因此，我们只有再次低头的问自己：　　你，尽力了么？　　或许还应该加上一个问题：　　你，做对了么？　　[b]6 结语[/b]　　此为信息安全产业三部曲之敦科尔克大撤退，第二部正在筹划中，欢迎邮件批评指教。　　[b]7 参考资料[/b]1. http://searchoracle.techtarget.com/originalContent/0,289142,sid41_gci1157806,00.html2. http://www.sans.org/resources/ethics.php3. http://www.consumeraffairs.com/news04/2005/gartner.html4. http://www.eweek.com/article2/0,1895,1915486,00.asp215. http://www.consumeraffairs.com/news04/2005/gartner.html6. http://www.usatoday.com/tech/news/computersecurity/2005-12-28-computer-security_x.htm7. http://www.utimaco.us/encryption/fbi_csi_2005_p1.html8. http://news.zdnet.com/5208-1009-0.html?forumID=1&threadID=1925&messageID=428349. http://security.ittoolbox.com/news/display.asp?i=13824410. http://news.com.com/Credit+card+breach+exposes+40+million+accounts/2100-1029_3-5751886.html?tag=nl11. http://news.com.com/Bank+of+America+loses+a+million+customer+records/2100-1029_3-5590989.html?tag=st.rn12. http://www.military.com/NewsContent/0,13319,95760,00.html13. http://news.com.com/Online+attack+puts+1.4+million+records+at+risk/2100-1029_3-5420149.html?tag=st.rn14. http://www.spamdailynews.com/publish/Hacker_faces_extradition_over_biggest_military_computer_hack_of_all_time.asp15. http://news.com.com/Laptop+theft+puts+data+of+98,000+at+risk/2100-1029_3-5645362.html?tag=st.rn16. http://news.com.com/Medical+group+Data+on+185,000+people+was+stolen/2100-7349_3-5660514.html?tag=nl17. http://www.pcworld.com/news/article/0,aid,119953,00.asp18. http://news.com.com/ChoicePoint+data+theft+widens+to+145,000+people/2100-1029_3-5582144.html?tag=st.rn19. http://www2.csoonline.com/blog_view.html?CID=1986820. http://www.itworldcanada.com/a/News/e292f953-5fcc-4a1e-8fad-838344402d61.html21. http://www.techweb.com/wire/security/5420130622. http://en.wikipedia.org/wiki/Honeypot_(computing)23. http://www.incidents.org/24. http://www.sans.org/rr/whitepapers/windows/1298.php25. http://support.microsoft.com/default.aspx?scid=kb;ln;87536426. http://en.wikipedia.org/wiki/Spyware27. http://www.staysafeonline.info/pdf/safety_study_2005.pdf28. http://www.securityfocus.com/columnists/25029. http://www.eweek.com/article2/0,1759,1731474,00.asp30. http://www.eweek.com/article2/0,1895,1945808,00.asp31. http://www.honeynet.org/papers/phishing/32. http://www.antiphishing.org/33. http://blogs.techrepublic.com.com/Ou/?p=20134. http://www.utimaco.us/encryption/fbi_csi_2005_p1.html35. http://www.microsoft.com/security/malwareremove/default.mspx36. http://www.snpx.com/cgi-bin/news55.cgi?target=140055536?-1143437. http://www.eweek.com/article2/0,1895,1936666,00.asp38. http://www.caida.org/analysis/security/code-red/2239. http://richie.idc.ul.ie/eoin/SILICON%20DEFENSE%20-%20Flash%20Worm%20Analysis.htm40. http://www.icir.org/vern/papers/topspeed-worm04.pdf41. http://www.securityfocus.com/news/1122242. http://www.microsoft.com/43. http://www.itmanagement.earthweb.com/secu/article.php/330420144. http://www.postini.com/stats/45. http://www.eicar.org/46. http://pharos.cpsc.ucalgary.ca/Dienst/UI/2.0/Describe/ncstrl.ucalgary_cs/2006-808-0147. http://www.usatoday.com/tech/news/computersecurity/2004-08-30-cyber-crime_x.htm48. http://www.informationweek.com/story/showArticle.jhtml?articleID=17230326549. http://www.pandasoftware.com/50. http://www.zone-h.org/51. http://www.owasp.org/52. http://www.webappsec.org/projects/whid/list_id_2005-61.shtml53. http://www.webappsec.org/projects/whid/list_id_2006-24.shtml54. http://www.webappsec.org/projects/whid/list_id_2006-9.shtml55. http://www.webappsec.org/projects/whid/list_id_2006-26.shtml56. http://www.webappsec.org/projects/whid/list_id_2006-15.shtml57. http://www.webappsec.org/projects/whid/list_id_2006-18.shtml58. http://news.netcraft.com/59. http://news.bbc.co.uk/1/hi/technology/3549883.stm60. http://www.networkworld.com/news/2005/051605-ddos-extortion.html61. http://software.silicon.com/security/0,39024655,39124881,00.htm62. http://www.computerbytesman.com/63. http://blogs.washingtonpost.com/securityfix/2006/01/research_buggy_.html64. http://www.eweek.com/article2/0,1895,1958355,00.asp65. http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech0366. http://ophcrack.sourceforge.net/67. http://geeksaresexy.blogspot.com/2006/04/cracking-your-windows-sam-database-in.html68. http://www.schneier.com/blog/archives/2005/03/the_failure_of.html69. http://news.com.com/2100-7349_3-6041173.html70. http://www.oracle.com/oramag/oracle/02-mar/o22insight.html71. http://www.theregister.co.uk/2006/01/26/security_researcher_versus_oracle/72. http://www.nextgenss.com/73. http://www.scanit.be/74. http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx75. http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=10324276. http://www.theinquirer.net/?article=2859077. http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=3852378. http://www.siliconvalleysleuth.com/2006/02/wmf_nightmare_s.html79. http://www.issa.org/80. http://www.compliancepipeline.com/16050261281. http://www.securityfocus.com/infocus/181482. http://www.securityfocus.com/infocus/181483. http://www.bestbuy.com/site/olspage.jsp?skuId=4627121&type=product&id=105138447139184. http://www.csoonline.com/read/040106/caveat041206.html?source=csoupdate85. http://news.zdnet.com/2100-1009_22-5754773.html86. http://dw.com.com/redir?destUrl=http%3A//www.yankeegroup.com/public/news_releases/news_release_detail.jsp?ID=PressReleases/news_06202005_FearandLoathing_PR.htm&siteId=22&oId=2100-1009-5754773&ontId=1009&lop=nl.ex87. http://www.eeye.com/html/research/advisories/AD20040512D.html88. http://vil.nai.com/vil/content/v_101118.htm89. http://www.securityfocus.com/news/829190. http://www.iss.net/91. http://www.businessweek.com/technology/content/apr2006/tc20060413_027470.htm92. http://search.symantec.com/custom/us/query.html?col=us+kb&ht=0&qp=+language%3Aen&qs=-url%3A/sarc-intl.nsf/+-url%3A/navintl.nsf/+-link%3Aplatinum.css&qc=&pw=100%&ws=0&la=en&si=0&fs=&qt=symbos&ex=&rq=0&oq=&qm=0&ql=&st=11&nh=10&lk=1&rf=093. http://www.securityfocus.com/columnists/29494. http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html95. http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm96. http://www.theregister.co.uk/2005/11/10/sony_drm_trojan97. http://www.freedom-to-tinker.com/?p=92198. http://www.freedom-to-tinker.com/?p=92799. http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html100. http://www.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/101. http://www.cs.technion.ac.il/~biham/publications.html102. http://theory.csail.mit.edu/~yiqun/shanote.pdf103. http://www.schneier.com/essay-074.html104. http://isc.sans.org/infocon.php105. http://www.symantec.com/avcenter/threatcon/learnabout.html106. http://www.pandasoftware.com/virus_info/virusometer/detail.htm107. http://www.microsoft.com/genuine/downloads/WhyValidate.aspx?displaylang=en108. http://www.usatoday.com/money/tech/2002-05-20-copyproof-cd.htm109. http://sam.zoy.org/projects/pwntcha/110. http://www.boingboing.net/2004/01/27/solving_and_creating.html111. http://www.packetstormsecurity.org/112. http://www.securityfocus.com/vulnerabilities113. http://www.informationweek.com/news/showArticle.jhtml?articleID=186700539114. http://www.channelregister.co.uk/2005/03/22/ddos_for_hire_plot_arrests/24115. http://www.cioupdate.com/trends/article.php/3600126116. http://www.thinkgeek.com/gadgets/electronic/5a05/117. http://news.com.com/A+billion+PC+users+on+the+way/2100-1003_3-5290988.html?tag=nefd.lede118. http://www.networkworld.com/news/2005/051605-ddos-extortion.html?page=2119. http://www.securityfocus.com/bid/9972/discuss第一部分 http://blog.sina.com.cn/u/59191ea6010005j0第二部分 http://blog.sina.com.cn/u/59191ea6010005j1