10 common security mistakes that should never be made

Author: Chad Perrin

Translation: endurer, 2008-08-25, 1st edition

Category: Security, Authentication, Encryption, Risk Management, Privacy

Tags: Password, Security, Chad Perrin

English source: http://blogs.techrepublic.com.com/security/?p=542&tag=nl.e101

 

Read about ten very basic, easily avoided security mistakes that should never be made — but are among the most common security mistakes people make.


 


The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes that anyone with a modicum of security knowledge should know better than to make.

  1. Sending sensitive data in unencrypted email: Stop sending me passwords, PINs, and account data via unencrypted email. Please. I understand that a lot of customers are too stupid or lazy to use encryption, but I’m not. Even if you’re going to give them what they want, in the form of unencrypted sensitive data sent via email, that doesn’t mean you can’t give me what I want — secure communications when sending sensitive data.
  2. Using “security” questions whose answers are easily discovered: Social security numbers, mothers’ maiden names, first pets, and birthdays do not constitute a secure means of verifying identity. Requiring an end user to compromise his or her password by specifying a question like that as a means of resetting the password basically ensures that the password itself is useless in preventing anyone who is willing to do a little homework from gaining unauthorized access.

  3. Imposing password restrictions that are too strict: The number of cases I’ve seen where some online interface to a system that offers the ability to manage one’s finances — such as banking Web sites — imposes password restrictions that actually make the interface less secure is simply unacceptable. Six-character numeric passwords are dismayingly common, and the examples only go downhill from there. See a previous article, “How does bad password policy like this even happen?”, for another example in more detail.

  4. Letting vendors define “good security”: I’ve said before that there’s no such thing as a vendor you can trust. Hopefully you were listening. Ultimately, the only security a corporate vendor really cares about protecting is the security of its own profits and market share. While this sometimes prompts a vendor to improve the security of its products and services, it sometimes prompts exactly the opposite. As such, you must question a vendor’s definition of “good security”, and you must not let vendors tell you what’s important to you.

  5. Underestimating required security expertise: People in positions of authority in corporations often fail to understand the necessity for specific security expertise. This applies not only to nontechnical managers, but to technical IT managers as well. In fact, standards working groups such as the one that produced the WEP standard often include a lot of very smart technologists, but not a single cryptographer, despite the fact that they intend to develop security standards that rely explicitly on cryptographic algorithms.
  6. Underestimating the importance of review: Even those with security expertise specific to what they’re trying to accomplish should have their work checked by others with that expertise as well. Peer review is regarded in the security community as something akin to a holy grail of security assurance, and nothing can really be considered secure without being subjected to significant, punishing levels of testing by security experts from outside the original development project.
  7. Overestimating the importance of secrecy: Many security software developers who make the mistake of underestimating the importance of review couple that with overestimation of the importance of secrecy. They justify a lack of peer review with hand-waving about how important it is to keep security policies secret. As Kerckhoffs’ Principle — one of the most fundamental in security research — points out, however, any system whose security relies on the design of the system itself being kept secret is not a system with strong security.

    Translator’s note: Kerckhoffs’ design principle for cryptosystems: the security of the data should depend on the key, not on keeping the cipher algorithm secret.
  8. Requiring easily forged identification: Anything that involves faxing signatures, or sending photocopies or scans of ID cards, is basically just a case of security theater — putting on a great show without actually providing the genuine article (security, in this case) at all. It is far too easy to forge such second-generation (or worse) low quality copies. In fact, for things like signatures and ID cards, the only way for a copy to serve as useful verification is for it to actually be a good enough copy that it is not recognized as a copy. Put another way, only a successful forgery of the original is a good enough copy to avoid easy forgery.
  9. Unnecessarily reinventing the wheel: Often, developers of new security software are recreating something that already exists without any good reason for doing so. Many software vendors suffer from Not Invented Here disease, and end up creating new software that doesn’t really do anything new or needed. That might not be a big deal, if not for the fact that the new software is often not peer reviewed, makes security mistakes that have already been ironed out of the previous implementation of the idea, and generally just screws things up pretty badly. Whenever creating a new piece of software, consider whether you’re replacing something else that already does that job, and whether your replacement actually does anything different that is important. Then, if it is doing something important and different, think about whether you might be able to just add that to the already existing software, so you will not create a whole new bundle of problems by trying to replace it.

    Translator’s note: Not Invented Here syndrome: an unwillingness or refusal to use technology invented by outsiders.
  10. Giving up the means of your security in exchange for a feeling of security: This is a mistake so absurd to make that I have difficulty formulating an explanation. It is also so common that there’s no way I can leave it out of the list. People give up the keys to their private security kingdoms to anyone who comes along and tells them, “Trust me, I’m an expert,” and they do it willingly, eagerly, often without thought. “Certificate Authorities” tell you who to trust, thus stripping you of your ability to make your own decisions about trust; Webmail service providers offer on-server encryption and decryption, thus stripping you of end-to-end encryption and control over your own encryption keys; operating systems decide what to execute without your consent, thus stripping you of your ability to protect yourself from mobile malicious code. Don’t give up control of your security to some third party. Sure, you may not be able to develop a good security program or policy yourself, but that doesn’t mean the program or policy shouldn’t give you control over its operation on your behalf.
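Item 2 argues that a knowledge-based "security question" turns the reset path into a second, weaker password. The usual fix is to make the reset secret a random, single-use, time-limited token that only the account holder's mailbox ever sees. The code below is an added example, not from the article; the in-memory table, the 15-minute lifetime and the `user_id`/token names are assumptions standing in for a real database and mail delivery.

```python
"""Password reset without knowledge-based 'security questions'.

Added example (not from the original article). The reset secret is a random,
single-use, time-limited token delivered out of band; nothing discoverable about
the user (birthday, mother's maiden name, first pet) is a fallback credential.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime: the link is a bearer secret, keep it short

# Constructed stand-in for a database table keyed by user id.
_reset_table = {}


def _digest(token: str) -> bytes:
    # Store only a hash so a database leak does not hand out live reset links.
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(user_id: str, now=None) -> str:
    """Create a fresh token for user_id, superseding any earlier one.

    Returns the raw token; the caller emails it (or a URL carrying it) to the
    address already on file. The raw value is never stored.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _reset_table[user_id] = {
        "digest": _digest(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def redeem_reset_token(user_id: str, token: str, now=None) -> bool:
    """True exactly once for a valid, unexpired token for this user."""
    now = time.time() if now is None else now
    record = _reset_table.get(user_id)
    if record is None:
        return False
    if now > record["expires"]:
        _reset_table.pop(user_id, None)        # expired records are removed, not retried
        return False
    if not hmac.compare_digest(record["digest"], _digest(token)):
        return False                           # constant-time compare; wrong guess does not consume
    _reset_table.pop(user_id, None)            # single use: a replayed link fails
    return True


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("first redeem :", redeem_reset_token("alice", t))    # True
    print("second redeem:", redeem_reset_token("alice", t))    # False (consumed)
```

Because `user_id` is attacker-chosen, the redeem endpoint still needs ordinary rate limiting; the token's 256 bits make online guessing hopeless, but the limiter keeps the endpoint from being a free oracle for account enumeration.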
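Item 3 complains about policies such as six-digit numeric passwords. The quickest way to make that complaint concrete to a bank is to compute the search space a policy actually permits and how long exhausting it takes. This is an added example, not part of the article; the guess rates are assumptions picked for illustration, and the three sample policies are constructed.

```python
"""Measure how much a password policy's restrictions shrink the brute-force search space.

Added example (not from the original article). Guess rates are assumptions.
"""
import math
import string

ONLINE_GUESSES_PER_SEC = 100          # assumed: a throttled login endpoint
OFFLINE_GUESSES_PER_SEC = 1e10        # assumed: GPU cracking of a leaked fast hash

DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits
PRINTABLE = ALNUM + string.punctuation


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count the passwords a policy admits: every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def evaluate_policy(name: str, alphabet: str, min_len: int, max_len: int) -> dict:
    """Return the policy's strength in bits, exhaustion times, and the restrictions that hurt it."""
    space = keyspace(len(alphabet), min_len, max_len)
    bits = math.log2(space)
    findings = []
    if set(alphabet) <= set(DIGITS):
        findings.append("digits only: alphabet of 10 symbols")
    if max_len < 16:
        findings.append(f"maximum length {max_len} caps the space a user may choose")
    if bits < 40:
        findings.append("offline exhaustion takes seconds; online exhaustion is feasible")
    return {
        "name": name,
        "bits": round(bits, 1),
        "online_days": space / ONLINE_GUESSES_PER_SEC / 86400,
        "offline_seconds": space / OFFLINE_GUESSES_PER_SEC,
        "findings": findings,
    }


# Constructed policies modelled on the kinds the article complains about.
POLICIES = [
    ("six-digit PIN (bank site)", DIGITS, 6, 6),
    ("8 alphanumeric, max 8", ALNUM, 8, 8),
    ("12+ printable, max 64", PRINTABLE, 12, 64),
]


def rank_policies(policies=POLICIES):
    """Weakest policy first, so the worst offender heads the report."""
    return sorted((evaluate_policy(*p) for p in policies), key=lambda r: r["bits"])


if __name__ == "__main__":
    for r in rank_policies():
        print(f"{r['name']:<28} {r['bits']:>6} bits  online {r['online_days']:.3g} d  "
              f"offline {r['offline_seconds']:.3g} s  {'; '.join(r['findings'])}")
```

Strength here is the size of the space the policy allows, which is an upper bound; real users pick from a far smaller corner of it, so a policy that scores badly on this measure is indefensible even before human habits are considered.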
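Item 7 says a system whose security depends on keeping its own design secret is not strongly secure. The added example below (not from the article) shows why in code: a constructed "proprietary" scheme, repeating-key XOR with a key baked into the program, falls to a single known plaintext the moment its design is known, and the recovered key unlocks every other message. Beside it sits a keyed primitive whose algorithm is fully public, where the only secret is a key that costs nothing to rotate. The key bytes, the sample messages and the function names are all assumptions.

```python
"""Kerckhoffs' principle in practice: secret design versus secret key.

Added example (not from the original article). The 'proprietary' cipher is a
constructed stand-in for any scheme that relies on nobody knowing how it works.
"""
import hashlib
import hmac
import os

# --- The "secret" scheme. Its only protection is obscurity of the design.
_PROPRIETARY_KEY = b"s3cr3t-d3s1gn"      # constructed; in a real product this sits in the binary


def proprietary_encrypt(plaintext: bytes) -> bytes:
    k = _PROPRIETARY_KEY
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(plaintext))


proprietary_decrypt = proprietary_encrypt   # XOR is its own inverse


# --- The attacker, once the design is known (reverse engineering, a leak, a paper).
def find_period(known_plaintext: bytes, ciphertext: bytes, max_len: int = 64) -> int:
    """Smallest key length for which the keystream (pt XOR ct) repeats; needs pt >= 2 key lengths."""
    stream = bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))
    for period in range(1, max_len + 1):
        if all(stream[i] == stream[i + period] for i in range(len(stream) - period)):
            return period
    raise ValueError("no period found within max_len; supply a longer known plaintext")


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """One known plaintext of at least key_len bytes yields the entire key."""
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def decrypt_with_recovered_key(key: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


# --- The public-design alternative: HMAC-SHA256, algorithm published, key random.
def make_key() -> bytes:
    return os.urandom(32)                   # rotating the key changes nothing in the code


def keyed_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)


if __name__ == "__main__":
    # Constructed: a predictable boilerplate message every customer receives.
    known = b"Account statement for customer number 0001 follows below."
    ct_known = proprietary_encrypt(known)
    period = find_period(known, ct_known)
    key = recover_key(known, ct_known, period)
    print("recovered key:", key)                           # b's3cr3t-d3s1gn'
    # Another customer's message, which the attacker never saw in the clear:
    ct_secret = proprietary_encrypt(b"Your new PIN is 9137")
    print("other message:", decrypt_with_recovered_key(key, ct_secret))
```

The contrast is the point: the XOR scheme cannot be repaired by choosing a better fixed key, because the next leak of the design recovers that one too, whereas the HMAC construction survives full publication of its algorithm and is repaired by a one-line key rotation.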