Kaspersky's password manager was not secure at all, and your passwords could be cracked

A few days ago a publication by Donjon (a security advisory) circulated on the net. It discusses several security issues in "Kaspersky Password Manager", in particular in its password generator, and shows that every password the generator produced could be recovered by a brute-force attack.

The Donjon security advisory found that between March 2019 and October 2020, Kaspersky Password Manager generated passwords that could be cracked in seconds. The tool used a pseudo-random number generator (PRNG) that was not suitable for cryptographic purposes.

The researchers found that the password generator had several problems, and one of the most serious was that the PRNG drew on a single source of entropy. In short, the generated passwords were weak and not secure at all.

"Two years ago, we looked at Kaspersky Password Manager (KPM), the password manager developed by Kaspersky. Kaspersky Password Manager is a product that securely stores passwords and documents in an encrypted vault protected by a master password. So, like other password managers, users only need to remember a single password to use and manage all of their passwords. The product is available for several operating systems (Windows, macOS, Android, iOS, Web…). Encrypted data can be synchronized automatically between all of your devices, always protected by your master password.

A key feature of KPM is password management. An important point about password managers is that, unlike humans, these tools are good at generating strong, random passwords. To produce strong passwords, Kaspersky Password Manager has to rely on a mechanism for generating strong passwords."

The issue was assigned the identifier CVE-2020-27020. Although the caveat that "an attacker would need to know additional information (for example, the time at which the password was generated)" applies, the fact is that Kaspersky's passwords were clearly less secure than people thought.

"The password generator included in Kaspersky Password Manager ran into several problems," Donjon's research team explained in a post on Tuesday. "The most critical one was that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. Every password it generated could be brute-forced in seconds."

Donjon points out that Kaspersky's big mistake was to use the system clock, in seconds, as the seed for the random number generator.

"This means that every instance of Kaspersky Password Manager in the world will generate exactly the same password in a given second," said Jean-Baptiste Bédrune. According to him, every password could therefore be the victim of a brute-force attack. "For example, there are 315,619,200 seconds between 2010 and 2021, so KPM could generate at most 315,619,200 passwords for a given character set. Brute-forcing that list takes a few minutes."

The Donjon researchers concluded:

"Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords that are hard to crack for standard password crackers. However, such a method lowers the strength of the generated passwords compared with dedicated tools. We showed how to generate strong passwords using KeePass as an example: simple methods such as random draws are secure, as long as you discard the 'modulus bias' when picking a letter from a given range.

We also analyzed Kaspersky's PRNG and showed that it was very weak. Its internal structure, a Mersenne Twister taken from the Boost library, is not suitable for generating cryptographic material. But the biggest flaw is that this PRNG was seeded with the current time, in seconds. This means that every password generated by vulnerable versions of KPM can be brute-forced in a few minutes (or in a second if you roughly know the generation time)."
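As an added illustration (not code from the Donjon post or from Kaspersky), the following Python models the two points above: a Mersenne Twister seeded only with the clock in seconds is fully reproducible, so every instance started in the same second yields the same password, while the KeePass-style generator uses the OS CSPRNG with rejection sampling to avoid modulus bias. The 62-character alphabet and the clock value are constructed assumptions; KPM's real character set and internal layout are not on the page.

```python
import random
import secrets

# Character set assumed for the demonstration (KPM's real set is not on the page).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def weak_password(clock_seconds: int, length: int = 12) -> str:
    """Model of the flaw: a Mersenne Twister seeded only with the clock in seconds.
    Python's random.Random is MT19937, the same generator family KPM took from Boost.
    Every instance seeded in the same second returns the same password."""
    rng = random.Random(clock_seconds)
    return "".join(ALPHABET[rng.getrandbits(32) % len(ALPHABET)] for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Hardened generator: OS CSPRNG (secrets) plus rejection sampling, which drops
    the few raw values that would otherwise make low indices slightly more likely."""
    n = len(ALPHABET)
    limit = (1 << 32) - ((1 << 32) % n)  # largest multiple of n that fits in 32 bits
    out = []
    while len(out) < length:
        v = secrets.randbits(32)
        if v < limit:  # values >= limit are discarded instead of reduced mod n
            out.append(ALPHABET[v % n])
    return "".join(out)


def modulus_bias(bits: int, n: int) -> float:
    """Ratio of the most likely to the least likely index when a uniform `bits`-bit
    value is reduced mod n without rejection. 1.0 means no bias at all."""
    q, r = divmod(1 << bits, n)
    return 1.0 if r == 0 else (q + 1) / q


if __name__ == "__main__":
    t = 1_600_000_000  # constructed clock value (seconds since the Unix epoch)
    print("weak, same second, two 'instances':", weak_password(t), weak_password(t))
    print("weak, one second later:             ", weak_password(t + 1))
    print("strong, two calls:", strong_password(), strong_password())
    print("bias of an 8-bit value mod 62: ", modulus_bias(8, 62))
    print("bias of a 32-bit value mod 62:", modulus_bias(32, 62))
```

The weak generator's whole output space is bounded by the number of candidate seconds (the 315,619,200 figure quoted above), whereas the strong generator's space is the full 62 to the power of the password length.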

Kaspersky was notified of the vulnerability in June 2019 and released a patched version in October of that year. In October 2020, users were told that some passwords would have to be regenerated, and Kaspersky published a security advisory on April 27, 2021:

"All public versions of Kaspersky Password Manager affected by this issue now have a new password generation logic and an alert to update passwords in cases where a generated password is probably not strong enough," said the security company.

Source: https://donjon.ledger.com


  1.   luyo said

    Passwords are like padlocks: none is 100% secure, but the harder it is, the more time and effort it takes.

  2.   ArtEze said

    Very nice, but anyone who has no access to your computer cannot get to it either. These days everyone has their own computer, unless a friend of the person goes to their house and by chance discovers that they have this program installed.

    They were lucky enough to have the program's source code so that they could understand how the passwords were generated; if it had been a binary it would first have had to be disassembled, which is hard, since not many people understand assembly language, or directly understand how it works.