The person shown here is a basic user of this site. He or she may be contacted directly for language-related services.
Working languages: English to Chinese
Rocky Stone, computer translator, 6 years experience. Wuhan, Hubei, China. Local time: 14:48 CST (GMT+8)
Native in: Chinese
Computer translator, English-Chinese, 6 years experience. Freelancer.
Services: Translation, Website localization, Software localization
Specializes in: Computers: Hardware; Computers: Software; Computers: Systems, Networks; Computers (general)
English to Chinese - Rates: 0.03 - 0.05 USD per word / 10 - 15 USD per hour
Sample translations submitted: 1

English to Chinese: 认证与访问控制 (Authentication and Access Control)

Source text - English: Authentication and Access Control
If you’ve used the Internet for banking, shopping, registering for classes, or working from home, I’d be willing to bet you’ve had to log in through a web-based application. From the consumer side or the provider side, the topic of authentication and access control is an obvious issue. Consumers want an access control mechanism that provides the security and privacy they would expect from a trusted entity, but they also don’t want to be too burdened by the process. From the service providers’ perspective, they want to provide the highest amount of security to the consumer that performance, compliance, and cost will allow. So, from both of these perspectives, typically user-names and passwords are still used to control access to most web applications.
The problem with using passwords to authenticate users on a web site is probably the same reason you use the Internet to deliver your service in the first place: accessibility. Accessibility is great if all the people accessing your site are legitimate users. Accessibility isn’t that great when everyone on the planet who’s inclined to attempt unauthorized access to your site can anonymously give it a shot. Passwords don’t really prove much. They are used because they are cheap and reasonably effective, but they really don’t prove that the user “jsmith” is really John Smith; they just prove that the person using the account jsmith has typed in the correct password. That could be anyone! Have you ever used anyone else’s account for anything? Tell the truth!
It wouldn’t be a stretch to think of a system that held sensitive information (medical, financial, and so on) to be an identified target for attackers. Mining usernames via search engines or simply using common usernames (like jsmith) and attempting to log in to these sites is very common. If you’ve ever signed up at a web site for access to download a “free” document or file, what username did you use? Is it the same one you use for other sites? Maybe even the same password? Crafty attackers might be mining information via other web sites that seem rather friendly, offering to evaluate your IQ and send you the results, or enter you into a sweepstakes. Remember that untrained, unaware users are an organization’s biggest threat. Beware!
Another weakness in authentication (especially when passwords are used) is the fact that illegitimate (as well as legitimate) users can lock out the account after a threshold of bad logon attempts is made. This is a good policy to help prevent password guessing and brute force attacks against your system. As you probably know, brute force attacks attempt every possible combination of characters to get into a system, and web applications are just as vulnerable as other systems. The countermeasure of account lockout does, in fact, keep this attack in check, but if this type of attack attempts to log in as every user account on the system, it effectively locks all users out. What would be the impact if this was a financial institution and now 100,000 users suddenly needed the Help Desk to assist them with unlocking their accounts? An administrative nightmare! This may also lead to an evaluation of your organization’s account creation and password reset policy. How do you authenticate a user who has lost their password? What do you reset the password to? When an account is created, do you use a default password? All of these should be defined in policy and procedure. Remember, you are only as secure as your weakest link.
The solution to the massive account lockout DoS attack could be to only lock out the account for a limited amount of time—30 minutes for low risk sites to three hours or even a day depending on the amount of risk. Ultimately, your organization must determine what level of risk you’re willing to accept. Using a multifactor authentication mechanism won’t necessarily stop these types of attacks either, but it will make the success of unauthorized access less likely.
Log files should be analyzed to determine the offending system or systems, although these will seldom be the actual machines belonging to the attacker. Such analysis will allow your organization to see where the attempts are originating from and adjust the access rules of firewalls and systems accordingly.
Finally, a best practice would be to exchange all authentication information via a secure mechanism. This will typically mean using encryption of the password and credentials or securing the channel of communication. These days, it would seem silly to have to remind web sites that the benefits of using SSL (when your http:// changes to https://) are well worth the price you pay for the server certificate required and the processing related to the encryption/decryption process on each end. Some large sites, however, still don’t use encrypted authentication mechanisms and have exposed themselves to the threat of attackers sniffing usernames and passwords.

Translation - Chinese: 认证与访问控制 (Authentication and Access Control)
If you have ever used online banking, shopped online, registered for online courses, or worked from home, I am willing to bet you have also had the experience of logging in through a web-based application. Whether seen from the customer's side or the provider's side, authentication and access control is an important issue. Customers want an access control mechanism, obtained through some trusted entity, that delivers security and privacy protection, but they also do not want the process to be too complicated. From the service provider's side, they want to offer the customer the highest security that performance, compliance, and cost allow. Therefore, from both sides, most web applications still need the traditional "username + password" approach to control access.
Authenticating users by password on a web site and your original choice of the Internet to deliver your service very likely share one and the same problem: ease of use. If all the users visiting your site are legitimate users, the advantage of ease of use shows itself. If unauthorized visitors try to log on to the site anonymously, ease of use becomes a problem. In fact, passwords are of limited use. The "username + password" approach is cheap and offers some protection, so it is widely used. But this approach cannot prove that the user "jsmith" really is John Smith himself; it can only confirm that the person using the account jsmith has entered the correct password. The person using jsmith could be anyone! Honestly, have you ever used someone else's account?
It is not far-fetched to regard a system holding sensitive information (medical, financial, and so on) as a target attackers have singled out. Mining usernames through search engines, or simply using common usernames (such as jsmith), and then trying to log on to these sites is very common. If you need to register at a web site to download a "free" document or file, what username would you use? Would you use the same username as on other sites? Would you even use the same password? Crafty attackers may be mining information through other seemingly friendly web sites that offer an IQ test and return the results, or enter you into a sweepstakes. Remember, untrained, credulous users are an organization's biggest threat. Be careful!
Another weakness of authentication mechanisms (especially when passwords are used) is that illegitimate (as well as legitimate) users can lock an account by exceeding the limit on failed login attempts. This policy helps prevent password-guessing attacks and brute force attacks against your system. As you know, a brute force attack tries every combination of characters as username and password in the hope of breaking into a system, and web applications are as vulnerable to attack as other systems. An account lockout policy can indeed prevent this kind of attack; but if such an attack tries to log on with every user account on the system, it effectively locks all user accounts. If this were a financial institution and suddenly 100,000 users needed the help desk to unlock their accounts, what would the impact be? An administrative nightmare! This will also lead the organization to evaluate its account creation and password reset policies. How do you authenticate a user who has lost their password? What do you reset the password to? When creating an account, do you use a default password? All of these need to be defined in policy and procedure. Remember, your system is not secure.
The way to deal with this DoS attack that locks large numbers of accounts is to lock accounts only for a limited time: 30 minutes for low-risk sites, extended to 3 hours or even a day depending on the risk level. Ultimately, your organization must decide what level of risk it is willing to accept. Using a multifactor authentication mechanism will not necessarily stop these attacks, but it can reduce the chance that unauthorized access succeeds.
Log files should be analyzed to identify the systems carrying out the intrusion, although these machines are not actually the attacker's own. This analysis helps the organization understand where the attacks originate, and adjust the access rules of firewalls and systems accordingly.
Finally, sending all authentication information through a secure mechanism is a best practice. Usually, this means encrypting passwords and credentials, or securing the communication channel. Nowadays it seems foolish to have to remind web sites of the benefits of using SSL (the http:// in the address bar becomes https://). But compared with meeting the server's certificate requirement and the processing involved in encryption/decryption at both ends, using SSL is still the sensible choice. However, some large sites still do not use encrypted authentication mechanisms, and expose themselves to the threat of attackers sniffing usernames and passwords.
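The excerpt above recommends two defensive measures: lock accounts only for a limited time rather than until a help-desk reset, so a spray of bad logins across every username cannot turn the lockout policy into a lasting denial of service, and analyze the failed-login log to see which source systems the attempts come from. The following Python is an added example written for this page; it is not code from the book excerpt or from the translator, and the `LockoutPolicy` class, the `analyze_failures` function, and the one-line-per-attempt log format it parses are all constructed assumptions.

```python
"""Time-limited account lockout plus failed-login log analysis.

Illustrative example, not code from the excerpt above. The class and
function names and the log format are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re


@dataclass
class LockoutPolicy:
    """Lock an account for `lockout_seconds` once `threshold` failures occur
    within `window_seconds`. The lock expires by itself, so a mass-lockout
    attempt inconveniences users for minutes rather than until a reset."""
    threshold: int = 5
    window_seconds: int = 600
    lockout_seconds: int = 1800  # 30 minutes, the low-risk figure in the text
    _failures: dict = field(default_factory=lambda: defaultdict(list))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear it and forget the old failures.
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a bad login. Returns True if this failure triggered a lockout."""
        if self.is_locked(user, now):
            return False
        # Only failures inside the sliding window count toward the threshold.
        recent = [t for t in self._failures[user] if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.threshold:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is accepted only while the account is unlocked."""
        if self.is_locked(user, now):
            return False
        self._failures[user].clear()
        return True


# Constructed sample log lines (not real data) in an assumed format:
# "<epoch> FAIL|OK user=<name> src=<address>"
SAMPLE_LOG = """\
1000 FAIL user=jsmith src=203.0.113.7
1001 FAIL user=mjones src=203.0.113.7
1002 FAIL user=rlee src=203.0.113.7
1003 FAIL user=jsmith src=198.51.100.4
1004 OK user=jsmith src=198.51.100.4
1005 FAIL user=admin src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\d+) (FAIL|OK) user=(\S+) src=(\S+)$")


def analyze_failures(log_text: str) -> dict:
    """Group failed logins by source address, counting attempts and the
    distinct accounts tried. One source hitting many accounts is the
    signature of the mass-lockout pattern and a candidate for a firewall rule."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "FAIL":
            continue
        user, src = m.group(3), m.group(4)
        entry = summary.setdefault(src, {"attempts": 0, "accounts": set()})
        entry["attempts"] += 1
        entry["accounts"].add(user)
    return summary


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window_seconds=60, lockout_seconds=120)
    for t in (0, 10, 20):
        print("locked on attempt at", t, "->", policy.record_failure("jsmith", t))
    print("still locked at t=100:", policy.is_locked("jsmith", 100))
    print("unlocked at t=140:", not policy.is_locked("jsmith", 140))
    for src, info in analyze_failures(SAMPLE_LOG).items():
        print(src, info["attempts"], "failures across", len(info["accounts"]), "accounts")
```

The lockout clears itself once `lockout_seconds` has passed, and the analysis separates a single user mistyping a password from one address cycling through many usernames; the window and lockout durations are the knobs an organization tunes to the risk level the text describes.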
Master's degree - WuHan University
Years of translation experience: 6. Registered at ProZ.com: Oct 2006.
Software: Adobe Acrobat, Adobe Photoshop, Dreamweaver, Frontpage, Microsoft Excel, Microsoft Word, Powerpoint, SDL TRADOS
http://blog.sina.com.cn/u/1415493510
Chinese (DOC), English (DOC)
About me: Computer freelancer, 6 years experience.
Good at computer security, software localization
Two books translated -- "Crimeware: Understanding New Attacks and Defenses" and "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws"
Quality translator
Keywords: computer, software, hardware, localization, security, quality translator
Profile last updated Nov 27, 2008