
ZDNET

FBI: Hackers stole source code from US government agencies and private companies

FBI blames the intrusions on improperly configured SonarQube source code management tools.


The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.

Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.

The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments.

SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.

But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with default admin credentials (admin/admin).

FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.

Officials provided two examples of past incidents:

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.

“This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”

The FBI alert touches on a little known issue among software developers and security researchers.

While the cyber-security industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed online without passwords, SonarQube has slipped through the cracks.

However, some security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018.

At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of all the ~3,000 SonarQube instances available online at the time had no password or authentication mechanism enabled.

After @zackwhittaker covered EE leak, I ran a couple of queries on Sonarqube. Shocked to see more than 3K+ instances available, with roughly 30-40% of them set without auth, and almost half of those containing source code with prod data. Big names involved, another area to cover. pic.twitter.com/tKBRLOYzq1

This year, a Swiss security researcher named Till Kottmann has also raised the same issue of misconfigured SonarQube instances. Throughout the year, Kottmann has gathered source code from tens of tech companies in a public portal, and many of these came from SonarQube applications.

“Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube,” Kottmann told ZDNet.

“I don’t know the current number of exposed SonarQube instances, but I doubt it changed much. I would guess it’s still far over 1,000 servers (that are indexed by Shodan) which are ‘vulnerable’ by either requiring no auth or leaving default creds,” he said.

To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with changing the app’s default configuration and credentials and then using firewalls to block access to the app from unauthorized users.
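The following audit script is an added illustration of the hardening steps above; it is not part of the ZDNet article, the FBI alert, or SonarQube itself. It reads a sonar.properties file and flags the exposure pattern the alert describes. The property names and default values (sonar.web.host, sonar.web.port, sonar.forceAuthentication) are assumed from SonarQube’s shipped configuration, and both sample files are constructed.

```python
"""Flag the SonarQube exposure pattern the FBI alert describes in a sonar.properties
file: the web UI listening on every interface on the default port 9000 while
authentication is not enforced. Keys are assumed from sonar.properties defaults."""
from __future__ import annotations

# Constructed sample, not copied from any real deployment: an untouched
# sonar.properties where every setting is still commented out, i.e. all defaults.
DEFAULT_PROPERTIES = """
# sonar.web.host=0.0.0.0
# sonar.web.port=9000
# sonar.forceAuthentication=false
"""

# Constructed hardened counterpart: bound to loopback (behind a TLS reverse
# proxy) with authentication forced for every request.
HARDENED_PROPERTIES = """
sonar.web.host=127.0.0.1
sonar.web.port=9000
sonar.forceAuthentication=true
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comment lines."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text: str) -> list[str]:
    """Return one finding per setting that leaves the instance exposed."""
    props = parse_properties(text)
    # Fallbacks are SonarQube's own defaults, which apply when the key is absent.
    host = props.get("sonar.web.host", "0.0.0.0")
    port = props.get("sonar.web.port", "9000")
    force_auth = props.get("sonar.forceAuthentication", "false").lower()
    findings: list[str] = []
    if host in ("0.0.0.0", "::"):
        findings.append(
            f"web UI bound to all interfaces on port {port}; bind to 127.0.0.1 behind "
            "a reverse proxy or firewall the port to trusted networks only"
        )
    if force_auth != "true":
        findings.append(
            "sonar.forceAuthentication is not true; anonymous users can browse "
            "projects and the source code attached to them"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("defaults", DEFAULT_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"{label}: {audit(text) or ['no findings']}")
```

The default admin password is stored in SonarQube’s database rather than in this file, so rotating it remains a separate step that no properties check can confirm.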

Source: https://www.zdnet.com/article/fbi-hackers-stole-source-code-from-us-government-agencies-and-private-companies/



Is there a market for an Apple TV/HomePod Frankenstein?

Rumors are circulating that Apple is planning to take two devices that aren’t selling all that well, and smash them together to make a new, hybrid device.


Would you buy an Apple TV/HomePod Frankenstein device? According to Bloomberg’s Mark Gurman, Apple has one in the works.

“The company is working on a product that would combine an Apple TV set-top box with a HomePod speaker and include a camera for video conferencing through a connected TV and other smart-home functions, according to people familiar with the matter, who asked not to be identified discussing internal matters.”

Read more: Who do I pay to get the ‘phone’ removed from my iPhone?

I would never underestimate Apple’s ability to take an idea that, on the face of it, seems stupid and irrational and turn it into a multibillion-dollar craze, but this feels a bit weird even for Apple.

First off, neither the HomePod nor the Apple TV has set the world alight. Last month saw Apple pull the plug on the HomePod, and the Apple TV hasn’t had a refresh in over three years.

That tells you a lot about the position of these devices in Apple’s ecosystem.

I’m also not sure about the functionality of such a device. Are people going to replace their TV sound system (or the built-in speakers) with something that’s a fusion of an Apple TV and a HomePod? Maybe a pair of speakers, but that’s something different again.

Smashing together two ideas that have had a lukewarm reception and adding a FaceTime camera doesn’t feel like a recipe for huge success.

Gurman also brings up a HomePod/iPad hybrid too. This would create a competitor for the likes of Amazon’s Echo Show. I don’t know, the idea of adding a screen to the HomePod would be pretty much an admission that Siri is not up to the task. Also, Apple’s focus is on selling high-value devices with displays (iPhones, iPads, and Macs), and the idea of “cheap” displays taking over from those again doesn’t feel congruent with Apple.

What do you think? Is there merit in these hybrid devices, or should these Frankenstein devices from Apple’s R&D lab never see the light of day?

Source: https://www.zdnet.com/article/is-there-a-market-for-an-apple-tv-homepod-frankenstein/


Tencent Cloud pledges SEA expansion with launch of Indonesia data centre

Chinese internet giant launches its first data centre in Indonesia, with plans to open a second one in the Southeast Asian market as well as Thailand and South Korea within the year, as it looks to build out its cloud footprint across the region.


Tencent has opened its first data centre in Indonesia, with plans to open a second within months alongside new sites in other Asian markets including Thailand and South Korea. The Chinese technology giant says the investment is part of an “aggressive” plan to build out its infrastructure in the region and tap growing cloud demand.

Located in Jakarta’s central business district, the data centre has two utility power lines and 2N redundant transformers, as well as N+1 redundant diesel generators with capacity to support up to 72 hours at full load. Tencent’s cloud coverage currently encompasses 27 regions and 61 availability zones, most of which are located in China and the Asia-Pacific, and includes markets such as Singapore, Tokyo, Mumbai, Seoul, Moscow, Toronto, and Frankfurt.

The tech vendor operates more than 40 data centres in China alone, where its cloud business debuted a decade ago. Its international business was launched some three years ago across various regions and currently operates 19 to 20 data centres outside its domestic market.

It added a second data centre in South Korea early this year and, last month, announced plans to launch its first such facility in Bahrain by year-end to support the Middle East and North Africa region.

The latest site in Jakarta would better facilitate access to data and applications for customers in the region and support Indonesian organisations in their digital transformation efforts, said Poshu Yeung, Tencent Cloud International’s senior vice president, in a call with ZDNet. He added that there had been strong online demand across various verticals including financial services, e-commerce, games, education, and media and entertainment.

Tencent itself had seen significant growth for its online services in Indonesia, where its JOOX music streaming app was the second most popular in the country, Yeung said. It also launched WeTV last year, with plans to create more local production this year, and would soon introduce more games for the local market.

Strong demand for its consumer services had further underscored the need for Tencent to build its own data centres in Indonesia, he said, adding that a second data centre would be operational in the country likely in August. This marked the first time the company was launching two sites in the same market in the same year, he noted.

It also should signal how “aggressive and invested” Tencent was in bolstering its presence in Indonesia, which he said was one of the leading growth markets for cloud in Southeast Asia. This demand was also evident in other markets in the region as well as the wider Asia-Pacific, where it saw significant growth last year, he added.

This was despite the fact that the vendor last November had reported “lingering impact” of the global pandemic on its cloud revenue during its third quarter earnings. Tencent then had pointed to delays in project deployment and new customer signups as well as “non-recurring adjustments” to some IaaS (infrastructure-as-a-service) contracts, which led to a lower growth from its cloud and other business revenue.

Asked to elaborate, Yeung said 2020 was a tough year for many businesses, but the cloud market was one of few to see robust growth, fuelled by accelerated digital transformation initiatives, not just for global players but also for Tencent. The vendor’s international cloud business last year had clocked triple-digit growth, he said, noting that this upward momentum was expected to continue this year.

He revealed that Tencent would soon launch a second data centre in Thailand as well as in Japan in June.

Apart from supporting its own business and local enterprise customers, its data centre buildout across the region would tap growth potential from Chinese enterprises looking to expand overseas as well as international companies investing in the local markets.

ZDNet asked if he saw fellow Chinese cloud vendors such as Huawei and Alibaba Cloud, which also were eyeing growth in Southeast Asia, as bigger rivals than global cloud players such as Google, Amazon Web Services, and Microsoft. Yeung noted that the cloud business remained sizeable and there was room for several major players.

He added that cloud providers also often worked together, since enterprise customers increasingly were looking to adopt multi-cloud deployments as part of efforts to avoid being locked into one cloud vendor.

“So there are clear opportunities for everyone,” he said, noting that Tencent aimed to offer added value with SaaS products developed for verticals, such as financial and fintech, media, retail, and healthcare.

The vendor also had a wide ecosystem backing its cloud infrastructure and services, including its WeChat platform, he added.


Source: https://www.zdnet.com/article/tencent-cloud-pledges-sea-expansion-with-launch-of-indonesia-data-centre/


Blockchain-based Odysee keeps your social media content online

Upload whatever content you want without threat of removal and make sure it stays online. But you will never be able to remove it – ever.


[Image caption: Odysee ensures your social media content will not be monitored – or removed. Image: Odysee]

If you want to put whatever video content you want online and keep it there without risk of it being removed, the Odysee platform will keep your content on the blockchain permanently.

Created in July 2020, video platform Odysee has grown its user base since its launch in December 2020. The YouTube-like platform hosts video content on the LBRY network. Unlike YouTube there are no moderators, and no safety filters for younger viewers – and the content remains on the blockchain permanently.

People forget – or do not know – that once data has been added to the blockchain it cannot be changed or removed.

Odysee is built on blockchain technology and ensures that its creators’ channels can never be deleted. When a channel is created, it is recorded permanently in a distributed ledger on the blockchain.

While this seems like a great idea, it could have far-reaching consequences for some content creators years down the line – especially as attitudes change over time. Content creators might be saddled with stupid content that they very much regret as they get older.

Placing video content on the blockchain means that no one entity controls or can change it, making de-platforming impossible no matter how extreme, violent, or untrue the content might be.

Odysee says that there are about 300,000 content creators on Odysee who upload a wide range of video content across topics ranging from informative to downright odd. Users can view any of the videos for free – unlike other video streaming platforms like Streamanity, where the content creator sets the price to view videos.

Its press release in December says that the platform boasts 8.7 million monthly active users; however, Sitechecker reckons that Odysee.com gets fewer than 10,000 unique visitors per month.

Odysee is built using the LBRY protocol which developers use to build apps to interact with content on the LBRY network. The platform’s predecessor LBRY.TV has now been retired in favour of Odysee.

When users upload a video, they deposit a minimum amount of LBC (LBRY Credits) starting from 0.01. 0.01 LBC is less than a cent.

Content creators can set an LBC price to watch the video if they choose. Fans of the video can also tip the content creator if they like the video. Each video shows how many credits it has earned for the creator.

The deposit to upload ensures that the content is registered on the LBRY blockchain and will become discoverable by other users.

Users need to have an Odysee wallet associated with their account, which is viewable once they are logged in. They can also use third-party cryptocurrency wallets to store their cash.

Earnings vary for content influencers. Odysee says that the amount typical influencers make varies, and creators “earn $100 per month all the way up to $5,000 per month” for their uploads.

LBRY Credits are not tied to the price of Bitcoin (BTC), but can be purchased via the app. You can also sell LBC at an exchange for cash.

Users can upload any video they want – which could lead to discussions about what should and should not be allowed and regulated – especially as international conversation around social media regulation is growing.

There are concerns that far-right, or extremist content will find it has a permanent home on platforms such as Odysee, with little moderation or takedown.

Odysee does have some general community guidelines – but its comment “We don’t care what you post for the most part” could encourage posters to push the boundaries.

Guideline number 4 says “It’s the internet, we get it; try not to be overtly abusive and nasty toward other users. This extends to continuously harassing other users, encouraging the slander and defamation of other users, and threatening or bullying others in videos.”

Does this mean that users can occasionally harass other users? The guidelines seem to encourage people to step over the line.

Using blockchain gives users and creators more control over their content. Just like in a bar, users still have to adhere to some terms and conditions, such as not inciting violence. They are otherwise free to post and engage as they would in a public setting.

Odysee’s alternative to demonetization and deplatforming is delisting, whereby a user’s channel and content remain but cannot be discovered using search, channel browsing, or other tools. This allows the content to continue to be shared as desired.

Users can issue a command to delist their own content. Odysee itself retains the right to delist extremist or troublesome users. However, the content is not delisted from the LBRY network, but just from Odysee.

There is certainly a lot of interesting content on the platform – as well as the usual conspiracy theories and parody accounts.

Top accounts have hundreds of thousands of support credits, whereas other, less compelling, and downright dumb videos, have earned nothing. Will it become a refuge for extremists and nutjobs? Time will tell.

But for content creators, who want to earn LBC right now, and ultimately convert it into cash from their efforts – without a third party dictating how much they can earn – Odysee could be the platform for them.

Source: https://www.zdnet.com/article/blockchain-based-odysee-keeps-your-social-media-content-online/

Cointelegraph1 hour ago

Massachusetts regulator seeks to revoke Robinhood’s broker-dealer license

Massachusetts' securities regulator is seeking to revoke the broker-dealer license of cryptocurrency-friendly stock trading app Robinhood in the state.

Entrepreneur7 hours ago

Penny Stocks To Buy For Under $1 On Robinhood

Are Penny Stocks Under $1 on Robinhood Worth It?

Crunchbase20 hours ago

C2i Genomics Secures $100M Note To Detect Tiny Traces of Cancer

C2i’s cancer diagnostics service uses AI pattern recognition and whole-genome analysis to spot trace amounts of cancer much quicker.

Blockchain news23 hours ago

Ethereum’s Upside Appears Limitless as ETH Breaches $2,400 For the First Time Ever

On-chain metrics provider Santiment has delved deeper into Ethereum’s uptrend and noted that its rally to $3k and beyond looks...

CNBC1 day ago

JPMorgan Chase beats profit estimates on strong trading, $5.2 billion release of loan-loss reserves

JPMorgan posted first-quarter profit of $4.50 a share, much higher than the $3.10 per share expected by analysts surveyed by...

CNBC2 days ago

Coinbase drops below debut price

Coinbase held its direct listing on the Nasdaq on Wednesday, luring public market investors who've been waiting to get into...

Ventureburn2 days ago

Joburg healthtech startup secures undisclosed seven-figure funding

Quro Medical has secured an undisclosed seven-figure USD amount of funding in a seed round led by Enza Capital and...

ZDNET2 days ago

Is there a market for an Apple TV/HomePod Frankenstein?

Rumors are circulating that Apple is planning to take two devices that aren't selling all that well, and smash them...

Reuters2 days ago

Biden set to withdraw U.S. troops from Afghanistan by Sept. 11

President Joe Biden plans to withdraw the remaining 2,500 U.S. troops from Afghanistan by Sept. 11, 2021, 20 years to...

Business insider2 days ago

Annual Report and Sustainability Report 2021: New Wave Group AB

KUNGÄLV, Sweden, April 14, 2021 /PRNewswire/ -- New Wave Group AB today published the Annual Report and Sustainability Report for...
