Hackers steal source code from US government agencies and private companies

The Federal Bureau of Investigation (FBI) sent an alert last October to the security teams of private companies and government organizations.

The document, made public last week, states that unidentified attackers exploited a weakness in the SonarQube code-inspection platform to gain access to source code repositories. This has led to source code leaks from government agencies and private companies.

The FBI alert warned owners of SonarQube, a web application that companies integrate into their software build pipelines to test source code and find security flaws before releasing the code and deploying it to production.

Hackers exploited the weakness, which allowed them to access proprietary code, exfiltrate it, and publish the data. The FBI identified multiple potential computer intrusions linked to leaks associated with SonarQube configuration vulnerabilities.

SonarQube instances are installed on web servers and connected to source code hosting systems such as BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.

According to the FBI, some companies have left these systems unprotected, running with their default configuration (on port 9000) and default administrative credentials (admin/admin). Hackers have abused misconfigured SonarQube instances since at least April 2020.

Since April 2020, unidentified actors have actively targeted vulnerable SonarQube instances to access the source code repositories of US government agencies and private companies.

"Hackers exploit known configuration weaknesses, allowing them to access proprietary code, exfiltrate it, and publicly disclose the data. The FBI has identified multiple potential computer intrusions linked to leaks associated with SonarQube configuration vulnerabilities," reads the FBI document.

FBI officials say threat actors abuse these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications. The FBI officials backed their alert with two examples of incidents from recent months:

"In August 2020, they disclosed internal data from two organizations through a public lifecycle repository tool. The stolen data came from SonarQube instances that used the default port settings and administrative credentials and were running on the affected organizations' networks.

"This activity is similar to a previous data breach in July 2020, in which an identified cyber actor exfiltrated a company's source code through insecurely configured SonarQube instances and posted the exfiltrated source code to a public repository."

The FBI alert touches on a topic that is little known among software developers and security researchers.

While the cybersecurity industry has repeatedly warned of the dangers of leaving MongoDB or Elasticsearch databases exposed on the internet without a password, SonarQube has escaped that scrutiny.

In fact, researchers regularly find MongoDB or Elasticsearch instances on the internet exposing the data of tens of millions of unprotected customers.

For example, in January 2019, security researcher Justin Paine discovered an unprotected Elasticsearch database on the internet, exposing a significant number of customer records to any attacker who found the exposure.

The information, covering more than 108 million bets and including personal details, belonged to customers of an online gambling group.

However, some security researchers have warned since May 2018 about similar dangers when companies leave SonarQube instances exposed on the internet with default credentials.

At the time, Bob Diachenko, a security consultant focused on finding data breaches, warned that about 30-40% of the 3,000 SonarQube instances reachable on the internet had no password or authentication mechanism.

Source: https://blog.sonarsource.com
