A few days ago a rather embarrassing story surfaced on the web through a publication by Donjon (a security consultancy) in which it discusses several security problems in "Kaspersky Password Manager", especially in its password generator, since it showed that every password the tool generated could be cracked by brute force.
The security consultancy Donjon found that between March 2019 and October 2020, Kaspersky Password Manager generated passwords that could be cracked in seconds. The tool used a pseudo-random number generator that is not suitable for cryptographic purposes.
The researchers found that the password generator had several problems, and one of the most important was that the PRNG used a single source of entropy. In short, the generated passwords turned out to be weak and not secure.
"Two years ago, we analyzed Kaspersky Password Manager (KPM), a password manager developed by Kaspersky. Kaspersky Password Manager is a product that securely stores passwords and documents in an encrypted and protected vault. This vault is protected by a master password. So, like other password managers, users need to remember a single password to use and manage all their passwords. The product is available for different operating systems (Windows, macOS, Android, iOS, Web...). Encrypted data can be automatically synchronized between all your devices, always protected by your master password.
"A key feature of KPM is password management. The key point of a password manager is that, unlike humans, these tools are good at generating strong, random passwords. To generate strong passwords, Kaspersky Password Manager must rely on a mechanism for generating strong passwords."
The problem was assigned CVE-2020-27020, and while the note that "an attacker would need to know additional information (for example, the time when the password was generated)" applies, the fact is that Kaspersky's passwords were far less secure than people believed.
"The password generator included in Kaspersky Password Manager had several problems," the Donjon research team explained in a post on Tuesday. "The most critical one is that it used a PRNG that is not suitable for cryptographic purposes. Its only source of entropy was the current time. Any password it generated could be brute-forced in seconds."
Donjon pointed out that Kaspersky's main mistake was using the system clock, in seconds, as the seed of the pseudo-random number generator.
"This means that every instance of Kaspersky Password Manager in the world will generate exactly the same password in a given second," said Jean-Baptiste Bédrune. According to him, every password could be the target of a brute-force attack. "For example, there are 315,619,200 seconds between 2010 and 2021, so KPM could generate at least 315,619,200 passwords for a given character set. A brute-force attack on this list takes only a few minutes."
The Donjon researchers concluded:
"Kaspersky Password Manager used a complex method to generate its passwords. This method was intended to create passwords that are hard for password crackers. However, such a method reduces the strength of the generated passwords compared to dedicated tools. We showed how to generate strong passwords using KeePass as an example: simple methods such as coin flips are safe, as soon as you get rid of the "modulus bias" when looking up a character in a given character range.
"We also analyzed Kaspersky's PRNG and showed that it was very weak. Its internal structure, a Mersenne Twister from the Boost library, is not suitable for generating cryptographic material. But the biggest flaw is that this PRNG was seeded with the current time, in seconds. This means that every password generated by the vulnerable versions of KPM can be brute-forced in minutes (or in seconds if you know roughly the time of generation)."
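To make the two defects described in that conclusion concrete, here is an added Python example that is not part of the Donjon write-up or of Kaspersky's code: a time-seeded Mersenne Twister (Python's random.Random standing in for Boost's mt19937, which is an assumption) returns the same password for the same second, a helper quantifies the modulus bias for a 94-symbol alphabet, and rejection sampling over the OS CSPRNG shows the fix. The character set and the timestamp are constructed.

```python
import secrets
import string
from random import Random  # Mersenne Twister; stand-in for Boost's mt19937 (assumption)

# Constructed character set: 94 printable ASCII symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def time_seeded_password(seed_seconds: int, length: int = 16) -> str:
    """Mimics the flawed design: the only entropy is a timestamp in seconds.
    Two instances seeded with the same second return the same string."""
    rng = Random(seed_seconds)
    return "".join(ALPHABET[rng.getrandbits(32) % len(ALPHABET)]
                   for _ in range(length))


def modulus_bias_ratio(alphabet_size: int, draw_bits: int = 8) -> float:
    """Ratio between the most and least likely symbol when an n-bit draw is
    reduced with `% alphabet_size` (1.0 means no bias)."""
    span = 1 << draw_bits
    base, extra = divmod(span, alphabet_size)  # `extra` symbols get one draw more
    return (base + 1) / base if extra else 1.0


def unbiased_index(alphabet_size: int, draw_bits: int = 8) -> int:
    """Rejection sampling: discard draws that would wrap unevenly, so every
    symbol is exactly equally likely. Uses the OS CSPRNG, not a seeded PRNG."""
    span = 1 << draw_bits
    limit = span - span % alphabet_size  # largest multiple of alphabet_size <= span
    while True:
        draw = secrets.randbits(draw_bits)
        if draw < limit:
            return draw % alphabet_size


def strong_password(length: int = 16) -> str:
    """Password drawn from a CSPRNG with no modulus bias."""
    return "".join(ALPHABET[unbiased_index(len(ALPHABET))] for _ in range(length))


if __name__ == "__main__":
    ts = 1600000000  # constructed timestamp, seconds since the epoch
    print(time_seeded_password(ts) == time_seeded_password(ts))  # True: same second, same password
    print(modulus_bias_ratio(len(ALPHABET)))  # 1.5 for 94 symbols from an 8-bit draw
    print(strong_password())
```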
Kaspersky was informed of the vulnerability in June 2019 and released a fixed version in October of that year. In October 2020, users were notified that some passwords had to be regenerated, and Kaspersky published a security advisory on April 27, 2021:
"All public versions of Kaspersky Password Manager affected by this problem now have a new password generation logic and an alert to update passwords in cases where a generated password is not strong enough," the security company said.
Source: https://donjon.ledger.com
Passwords are like locks: none is 100% secure, but the more complex it is, the more time and effort is required.
Very impressive, but if you don't have access to your computer, you don't have access to the manager. Nowadays everyone has their own computer, unless someone's friend goes to their house and suddenly sees that they have this program installed.
They were lucky to have the program's source code so they could understand how the passwords were generated; if it had been a binary, it would first have to be decompiled, which is difficult, since not many people understand assembly language, or go straight to brute force without understanding how it works.