Hackers stole source code from US government agencies and private companies

The Federal Bureau of Investigation (FBI) sent an alert last October to security staff at companies and government organizations.

The document, which leaked last week, says that unknown hackers exploited a vulnerability in the SonarQube code verification platform to gain access to source code repositories. This led to leaks of source code from government agencies and private companies.

The FBI alert warned owners of SonarQube, a web application that companies integrate into their software build chains to test source code and find security holes before releasing code and applications into production environments.

The hackers exploit known configuration vulnerabilities, which allow them to access proprietary code, exfiltrate it, and publish the data. The FBI has identified multiple potential computer intrusions that correlate with leaks associated with SonarQube configuration vulnerabilities.

SonarQube applications are installed on web servers and connect to source code hosting systems such as BitBucket, GitHub or GitLab accounts, or Azure DevOps systems.

According to the FBI, some companies have left these systems unprotected, running with their default configuration (on port 9000) and default administrator credentials (admin / admin). Hackers have abused misconfigured SonarQube applications since at least April 2020.
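As an added example (not part of the FBI alert or of SonarQube itself), this Python script audits a `sonar.properties` file for the default-configuration pattern described above. The property names `sonar.web.port`, `sonar.web.host` and `sonar.forceAuthentication` are SonarQube settings that do not appear in the article, and the sample file is constructed.

```python
"""Audit a sonar.properties file for the exposure pattern in the FBI alert."""

DEFAULT_PORT = "9000"  # default port named in the article

# Constructed sample: a stock-looking configuration, not taken from a real host.
SAMPLE_PROPERTIES = """\
# sonar.properties (constructed sample)
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
sonar.forceAuthentication=false
sonar.jdbc.username=sonar
"""


def parse_properties(text):
    """Return key/value pairs, skipping blank and commented-out lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """List findings; a commented-out key means the built-in default applies."""
    props = parse_properties(text)
    findings = []
    if props.get("sonar.web.port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("web port is the default 9000")
    if props.get("sonar.web.host", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("web server listens on all interfaces")
    # Assumption: treat anything other than an explicit "true" as a finding.
    if props.get("sonar.forceAuthentication", "").lower() != "true":
        findings.append("anonymous access is not explicitly disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPERTIES):
        print("FINDING:", finding)
```

The administrator password is stored in the SonarQube database rather than in this file, so whether admin / admin has been changed must be verified separately.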

“Since April 2020, unknown hackers have been targeting vulnerable SonarQube instances to gain access to source code repositories from US government agencies and private companies.

The hackers exploit known configuration vulnerabilities, which allow them to access proprietary code, exfiltrate it, and display the data publicly. The FBI has identified multiple potential computer intrusions that correlate with leaks associated with SonarQube configuration vulnerabilities,” reads the FBI document.

FBI officials say the threat actors abuse misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications. The officials backed their alert with two examples of incidents that occurred in previous months:

“In August 2020, they leaked internal data from two organizations through a public lifecycle repository tool. The stolen data came from SonarQube instances using default port settings and administrator credentials running on the affected organizations' networks.

This activity is similar to a previous data breach in July 2020, in which an identified cyber actor exfiltrated a company's source code through poorly secured SonarQube instances and published the exfiltrated source code in a public repository.”

The FBI alert touches on a topic that is little known among software developers and security researchers.

While the cybersecurity industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed on the internet without a password, SonarQube has escaped scrutiny.

In fact, researchers often find MongoDB or Elasticsearch instances online that expose the data of more than tens of millions of unprotected customers.

For example, in January 2019, Justin Paine, a security researcher, discovered a misconfigured Elasticsearch database online that left a large number of customer records at the mercy of any attacker who found the vulnerability.

The data, covering more than 108 million bets and including details of users' personal information, belonged to customers of a group of online casinos.

However, some security researchers have warned since May 2018 about the same dangers when companies leave SonarQube applications exposed on the internet with default credentials.

At the time, Bob Diachenko, a cybersecurity consultant focused on finding data breaches, warned that about 30-40% of the roughly 3,000 SonarQube instances available online at the time had no password or authentication mechanism.

Source: https://blog.sonarsource.com

