Pwnie Awards 2019: The Most Significant Vulnerabilities and Failures in Security

At the Black Hat USA conference in Las Vegas, the Pwnie Awards 2019 ceremony took place, highlighting the most significant vulnerabilities and the most absurd failures in the field of computer security. The Pwnie Awards are regarded as the computer-security equivalent of the Oscars and the Golden Raspberries, and have been held annually since 2007.

Main winners and nominees:

  • Best Server-Side Bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The winners were the researchers who identified a vulnerability in the VPN provider Pulse Secure, whose VPN service is used by Twitter, Uber, Microsoft, Tesla, SpaceX, Akamai, Intel, IBM, VMware, the US Navy, the US Department of Homeland Security (DHS) and probably half of the companies on the Fortune 500 list. The researchers found a backdoor that allowed an unauthenticated attacker to change the password of any user. They demonstrated that the problem could be exploited to gain root access on a VPN server on which only the HTTPS port was open;

    Among the nominees that did not receive the award, the following stand out:

    • A pre-authentication vulnerability in the Jenkins continuous integration system that allows code execution on the server. The vulnerability is actively exploited by bots to set up cryptocurrency mining on servers;
    • A critical vulnerability in the Exim mail server that allows code execution on the server with root privileges;
    • A vulnerability in Xiongmai XMeye P2P IP cameras that allows taking control of the device. The cameras shipped with an engineering password and did not verify digital signatures when updating the firmware;
    • A critical vulnerability in the implementation of the RDP protocol in Windows that allows remote code execution;
    • A vulnerability in WordPress related to uploading PHP code disguised as an image. The problem allows arbitrary code execution on the server by a user with author (Author) privileges on the site;
  • Best Client-Side Bug. The winner was an easy-to-exploit vulnerability in Apple's FaceTime group calling that allowed the initiator of a group call to force the called party's side to accept the call (for example, for eavesdropping and peeping).

    The other nominees for the award were:

    • A vulnerability in WhatsApp that allows code execution by sending a specially crafted voice call;
    • A vulnerability in the Skia graphics library used in the Chrome browser that can lead to memory corruption due to floating-point errors in some geometric transformations.
  • Best Privilege Escalation Vulnerability. The award went to the discovery of a vulnerability in the iOS kernel, exploitable via ipc_voucher and reachable from the Safari browser.

    The other nominees for the award were:

    • A vulnerability in Windows that allows full control of the system to be obtained through manipulation of the CreateWindowEx function (win32k.sys). The problem was identified during analysis of malware that exploited the vulnerability before it was fixed;
    • A vulnerability in runc and LXC, affecting Docker and other container isolation systems, that allows an attacker-controlled isolated container to modify the runc executable and gain root privileges on the host system side;
    • A vulnerability in iOS (CFPrefsDaemon) that allows bypassing isolation mechanisms and executing code with root privileges;
    • A vulnerability in the edition of the Linux TCP stack used in Android that allows a local user to elevate their privileges on the device;
    • A vulnerability in systemd-journald that allows root privileges to be obtained;
    • A vulnerability in the tmpreaper utility for cleaning /tmp that allows a file to be written to any location in the file system;
  • Best Cryptographic Attack. Awarded for identifying the most significant gaps in real systems, protocols and encryption algorithms. The award went to the discovery of vulnerabilities in the WPA3 wireless network security technology and EAP-pwd that allow the connection password to be recovered and access to the wireless network to be gained without knowing the password.

    The other nominees for the award were:

    • A method of attacking PGP and S/MIME encryption in email clients;
    • Application of the cold-boot method to gain access to the contents of encrypted BitLocker partitions;
    • A vulnerability in OpenSSL that allows distinguishing the case of receiving incorrect padding from the case of an incorrect MAC. The problem is caused by incorrect handling of zero bytes in the padding oracle;
    • Problems with the identity cards used in Germany that rely on SAML;
    • A problem with the entropy of random numbers in the implementation of U2F token support in ChromeOS;
    • A vulnerability in Monocypher, caused by null EdDSA signatures being accepted as valid.
  • Most Innovative Research. The award went to the developer of the Vectorized Emulation technique, which uses AVX-512 vector instructions to emulate program execution, allowing a significant increase in fuzzing speed (up to 40-120 billion instructions per second). The technique allows each CPU core to run 8 64-bit or 16 32-bit virtual machines in parallel, each executing instructions for fuzzing the application.

    The following were also nominated for the award:

    • A vulnerability in the Power Query technology of MS Excel that allows code execution and bypassing of the application's isolation methods when opening specially crafted spreadsheets;
    • A method of deceiving the autopilot of Tesla cars to provoke driving into the oncoming lane;
    • Reverse-engineering work on the ASIC chip of the Siemens S7-1200;
    • SonarSnoop, a technique for tracking finger movements to determine the phone unlock code, based on the sonar principle: the smartphone's top and bottom speakers generate inaudible vibrations, and the built-in microphones capture them to analyse the presence of vibrations reflected from the hand;
    • Development of the NSA's Ghidra reverse-engineering toolkit;
    • SAFE, a technique for detecting the reuse of code for identical functions across multiple executables, based on analysis of binary assemblies;
    • Creation of a method to bypass the Intel Boot Guard mechanism in order to load modified UEFI firmware without digital signature verification.
  • Lamest Vendor Response. A nomination for the most inadequate response to a report about a vulnerability in your own product. The winners were the developers of the BitFi crypto wallet, who boasted about the ultra-security of their product, which in fact turned out to be imaginary, harassed the researchers who identified the vulnerabilities, and did not pay the promised bounties for finding problems;

    Among the candidates for the award were also:

    • A security researcher accused a director of Atrient of assaulting him in order to force him to remove a report about a vulnerability he had identified, but the director denies the incident and the surveillance cameras did not record the assault;
    • Zoom delayed fixing a critical vulnerability in its conferencing system and fixed the problem only after public disclosure. The vulnerability allowed an external attacker to obtain data from the webcams of macOS users when they opened a specially crafted page in the browser (Zoom started an HTTP server on the client side that received commands from the local application).
    • Failure to fix, for more than 10 years, a problem with the OpenPGP key servers, citing the fact that the code is written in a niche language, OCaml, and remains unmaintained.

  • Most Over-Hyped Vulnerability Announcement. Awarded for the most pathetic coverage and inflation of the scale of a problem on the Internet and in the media, especially if the vulnerability ultimately turns out to be unexploitable in practice. The award went to Bloomberg for its report about the discovery of spy chips on Super Micro boards, which was never confirmed, and whose cited source gave a completely different account.

    Also mentioned in the nomination:

    • A vulnerability in libssh that affected only a handful of server applications (libssh is almost never used on the server side), but was presented by NCC Group as a vulnerability that allows attacking any OpenSSH server.
    • An attack using DICOM images. The point is that it is possible to prepare a Windows executable that looks like a valid DICOM image. Such a file can be uploaded to a medical device and executed.
    • The Thrangrycat vulnerability, which allows bypassing secure boot on Cisco devices. The vulnerability was classed as over-hyped because it requires root privileges to carry out the attack, and if the attacker already has root access, there is little security left to talk about. The same vulnerability also won in the category of most underestimated problems, as it allows a persistent backdoor to be implanted in flash;
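    The DICOM polyglot mentioned above works because a DICOM Part 10 file starts with a 128-byte preamble that viewers ignore, followed by the magic "DICM"; a DOS/PE header (64 bytes, with e_lfanew at offset 0x3C) fits entirely inside that preamble, so one file can satisfy both parsers. The following scanner is an added example, not code from the original article or from the research it refers to: it checks whether a DICOM file's preamble carries an MZ header and whether the e_lfanew it contains points at a PE signature inside the same file. The sample files it builds are constructed here for the demonstration and are not real medical images or real malware; the "polyglot" sample contains only the header bytes a scanner looks at, not a loadable executable.

```python
import struct

DICOM_PREAMBLE_LEN = 128          # DICOM Part 10: 128-byte preamble, ignored by viewers
DICOM_MAGIC = b"DICM"             # 4-byte prefix that follows the preamble
PE_E_LFANEW_OFFSET = 0x3C         # offset of e_lfanew inside the DOS (MZ) header


def analyze_dicom_preamble(data: bytes) -> dict:
    """Inspect a candidate DICOM file for a Windows executable hidden in its preamble.

    Returns a dict with:
      is_dicom         - the 'DICM' magic is present at offset 128
      mz_in_preamble   - the preamble starts with the DOS 'MZ' signature
      e_lfanew         - the PE header offset read from the DOS header (or None)
      pe_header_found  - e_lfanew points at a 'PE\\0\\0' signature inside the file
    """
    result = {"is_dicom": False, "mz_in_preamble": False,
              "e_lfanew": None, "pe_header_found": False}
    if len(data) < DICOM_PREAMBLE_LEN + len(DICOM_MAGIC):
        return result
    if data[DICOM_PREAMBLE_LEN:DICOM_PREAMBLE_LEN + len(DICOM_MAGIC)] != DICOM_MAGIC:
        return result
    result["is_dicom"] = True

    preamble = data[:DICOM_PREAMBLE_LEN]
    if preamble[:2] != b"MZ":
        return result
    result["mz_in_preamble"] = True

    # The full 64-byte DOS header fits inside the 128-byte preamble, so e_lfanew is readable.
    e_lfanew = struct.unpack_from("<I", preamble, PE_E_LFANEW_OFFSET)[0]
    result["e_lfanew"] = e_lfanew
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        result["pe_header_found"] = True
    return result


def is_dicom_pe_polyglot(data: bytes) -> bool:
    """True when a file is a valid-looking DICOM object whose preamble carries an MZ header."""
    r = analyze_dicom_preamble(data)
    return r["is_dicom"] and r["mz_in_preamble"]


# --- constructed sample inputs (not real medical images and not real malware) ---

# A token DICOM body: not a real dataset, just filler after the 'DICM' magic.
SAMPLE_BODY = b"\x02\x00\x10\x00UI\x14\x001.2.840.10008.1.2.1\x00"


def build_benign_sample() -> bytes:
    """A DICOM file with the conventional all-zero preamble."""
    return b"\x00" * DICOM_PREAMBLE_LEN + DICOM_MAGIC + SAMPLE_BODY


def build_polyglot_sample() -> bytes:
    """A DICOM file whose preamble holds a DOS header pointing past the DICOM body.

    Only the headers a scanner looks at are present; the PE is not loadable.
    """
    pe_offset = DICOM_PREAMBLE_LEN + len(DICOM_MAGIC) + len(SAMPLE_BODY)
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, PE_E_LFANEW_OFFSET, pe_offset)
    preamble = bytes(dos_header).ljust(DICOM_PREAMBLE_LEN, b"\x00")
    return preamble + DICOM_MAGIC + SAMPLE_BODY + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    for name, sample in (("benign", build_benign_sample()),
                         ("polyglot", build_polyglot_sample())):
        print(name, analyze_dicom_preamble(sample))
```

    A legitimate DICOM preamble is either all zeros or application-specific data that never needs to start with "MZ", so flagging any MZ preamble is a low-false-positive check that can be run over a PACS share; the e_lfanew follow-up distinguishes a complete PE polyglot from a stray signature.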
  • Most Epic FAIL. The award went to Bloomberg for a series of sensational articles with loud headlines but fabricated facts, suppression of sources, a slide into conspiracy theories, the use of terms such as "cyberweapons", and generally unacceptable generalisations. Other nominees included:
    • The ShadowHammer attack on the Asus firmware update service;
    • The hacking of the BitFi wallet advertised as "unhackable";
    • The leak of personal data and access tokens on Facebook.

umthombo: opennet.ru
