Bank card left in the ATM: XP's retirement could endanger ATM security

Windows XP's retirement could put ATMs and more at risk

After April 8th, 2014, Microsoft (MSFT) will end support, including automatic security patches, for its 13-year-old Windows XP operating system. This may sound like an inconvenience primarily for government agencies and aging uncles, but another major set of Windows XP users are the automated teller machines and credit card sales systems that handle billions of dollars of transactions daily.

While major retailers and banks are likely to be well-prepared for the end of XP, financial systems based on the software are also in the hands of a far-reaching hodgepodge of independent ATM operators and small businesses. Despite ample warning, industry analysts and insiders agree that high cost and inconvenience will keep plenty of these smaller players running outdated software for many months to come -- with serious implications for the security of their systems.

Jerry Nevins, co-owner of the Kansas City cocktail bar Snow & Co., is close to the dilemma. Snow & Co. bought a point of sale system less than a year ago from the payments servicer Micros -- only to be told within a few months of the need for an upgrade to Windows 7, at a cost of $1,700 for the single-store system. Luckily, Snow & Co. was still under a service agreement, so its upgrade was free. But as Nevins puts it, "If you're a small business, an unexpected $1,700 might be like, eh, I'll go ahead and take my chances." Moreover, Nevins describes a "huge line" of Micros customers waiting for an upgrade. He's crossing his fingers that Snow & Co. will be upgraded before the April 8 deadline.

Costs to retail credit card processors will vary widely, says John Berkeley of Mercury Payment Systems. "If you have the right hardware you can just upgrade the OS, but for some merchants upgrading from XP to Windows 7 can mean all new hardware," likely costing much more than that $1,700.

The challenges of upgrading become even bigger in the case of ATMs. ATM manufacturers are offering software upgrades for machines still based on XP -- though some of those have been available for less than a month. But the cost to upgrade can be staggering.

According to Jay Weber, vice president in charge of North American debit and ATM systems for FIS Global, "An ATM machine purchased in the last five years ... would only need a software upgrade of $4,000 to 5,000 per machine." That software cost is so high in part because much specialized software written for Windows XP can't be easily ported to a new operating system. But ATMs 10 years old or more would need to be completely replaced, and Weber says that new high-end ATMs can cost at least $50,000 to $60,000 per device.

ATM operators and business owners are largely being left to decide on their own whether to upgrade or not, says Weber. "Organizations are trying to look at the investment of the upgrade and weigh it against their perceived risk" -- and many seem to be ready to take their chances. "[April 9th] is going to come and go, and there are going to be some merchants who haven't done it yet," says Berkeley. Weber speculates that "it's going to be a trickle approach, a slower ramp-up," with many systems going without an upgrade -- and remaining officially insecure -- through the end of 2014.

This hesitancy may be worsened because operators are getting mixed messages about their risk. The Payment Card Industry Security Standards Council has issued public warnings about the need for retailers to upgrade their point of sale systems, but its current set of standards, which is used to determine eligibility to operate on credit card networks, does not require it. And Weber himself seems sanguine: "The risk is hard to quantify. There's a lot of technology in place in the marketplace to help mitigate the risk," such as the "fairly closed telecom environment" that most payment systems operate on.

But Bogdan Botezatu, senior e-threat analyst for the anti-malware software company Bitdefender, couldn't disagree more. He talks about the issue with the barely suppressed terror of a father watching his teenage son drive solo for the first time. "They're not panicky," he says, "and actually that makes me panicky."

Botezatu, who haunts underground hacking forums to keep an eye on looming security threats, claims that hackers are gearing up to raid suddenly insecure XP machines the minute Microsoft support ends. "When an operating system is announced as reaching its end of life, [hackers] are frantically looking for exploits, because then they can use it indefinitely," he says. "It's the holy grail of malware."

To take fullest advantage of the situation, black-market vendors selling new XP exploits have been stockpiling them, waiting to release them until after Microsoft is no longer monitoring and repairing security flaws. Though third-party security firms will continue to update anti-malware programs for XP, users not running or updating such software could be permanently vulnerable to an ever-growing set of exploits. Mercury Payment Systems' John Berkeley confirms that "If a hacker discovers [a vulnerability] a month or two after the end of [XP support], they have more time to exploit that."

These exploits could range from stealing credit card information from small vendors to even more dramatic forms of theft, many of them easily circumventing external security measures such as the semi-closed payments network. Botezatu says there have been reports of an ATM exploit through a mobile phone connected through an ATM's card reader. He also cites a legendary stunt by the security expert Barnaby Jack at the Black Hat security conference in 2010, where he demonstrated a "Jackpotting" hack that easily emptied an XP-based ATM machine. According to Botezatu, Jack, who died in 2013, never revealed the nature of this exploit, meaning that it could remain an unpatched vulnerability in XP-based machines.

Most troubling of all, Botezatu predicts that unsecured XP machines of all kinds will be compromised by hackers to form new botnets. This kind of system, in which hacked systems' processors are put to new tasks unbeknownst to their owners, can be used for everything from massive Denial of Service attacks to mining cryptocurrency, and would add substantially to the insecurity of the Internet as a whole. "I see a lot of trouble," Botezatu warns.

Whether April 9th brings a plague of cash-spewing ATMs, zombie PCs, and thieving credit-card readers remains to be seen. But Botezatu sounds exasperated that he even has to consider these scenarios. "It's an operating system that was released 13 years ago. Everyone should have started migrating two or three years ago" to avoid the mad rush and risks that come with the end of support. He hopes, at least, that this episode will motivate today's users to think about the future.

"This is going to happen soon with other operating systems," Botezatu says. "You should start upgrading from Windows 7 now."
