Protection of repositories on GitHub from malicious commits

Mozilla is working to protect its repositories on GitHub from malicious changes. As the recent incident with Gentoo showed, such attacks are real.
 
 
https://t.co/Mxtcxki9Ce
Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. More: see link.
- Gentoo Linux (@gentoo) June 28, 2018
 
Initially Mozilla used GitHub only as a mirror: like Gentoo, the canonical repositories lived on its own infrastructure. Although most of the Firefox code is still served from Mozilla's own infrastructure, many projects now exist only on GitHub. Some are just experiments; others are used in production (for example, Firefox Accounts). Such "sensitive" repositories need to be protected from malicious changes without making commits harder for ordinary contributors.
 
[…] and some tools for auditing it. This protection barely interferes with normal GitHub workflows.
 
 
Here we consider the risk of a GitHub account being compromised through mechanisms specific to the site. As the Gentoo case and other incidents show, once an account is compromised, all code that the account can write to is at risk.
 
 

The crux of the problem


 
GitHub is a wonderful ecosystem with many extensions, or "apps", that make certain workflows easier. An app obtains permission from a user to perform actions on the user's behalf, and it can request permissions up to and including modifying or adding user credentials. GitHub makes these requests explicit: the user must approve them through the web interface, but not everyone understands the consequences. Many users do not realise that granting an app access to a personal repository gives it the same access to every repository on GitHub that the user can reach.
 
 
Excessive permissions put repositories with sensitive content at risk, and the repository administrator sees nothing of it. The best an administrator can do is notice the malicious commit after the fact. Neither GitHub nor Git can be configured to prevent or flag this kind of malicious commit; only external monitoring can.
 
 

Implementation


 
The following recommendations are taken from our security guidelines, with the Mozilla-specific details removed for this article. Wherever possible we borrow established Internet best practices, use GitHub's built-in features and try not to complicate developers' lives.
 
 

Recommendations for organizations


 
 
  • Require 2FA for all members of the organization.
  • For all users, or at least those with elevated permissions:
    • Provide a contact (e-mail, IM) to the organization or its administrators (GitHub allows contact information to be hidden for privacy).
    • Promptly inform the organization or its administrators about a possible compromise of your account (for example, a stolen laptop).
 
 
 

Recommendations for repositories


 
 
  • Important repositories should live only in an organization that follows the recommendations above.
  • Identify the production branches and configure them:
    • Disable force push.
    • Allow pushes only from a small number of users.
    • Apply these restrictions to admins and owners as well.
    • Require all commits to be signed with GPG keys that are known in advance.
 
 
 

Recommendations for the workflow


 
 
  • Deployments, releases and other events worth auditing should be marked with a tag signed by a GPG key that is known in advance.
  • Deployments and releases must proceed only after all signed commits and tags have been audited for the correct keys.

Implementing these protections has a cost, especially around commit signing. We have developed tools for auditing the configuration and plan to release tools for auditing commits. All of them live in our repository.
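To show what a commit-and-tag audit along these lines can check, here is an added Python example (my own illustration, not Mozilla's GitHub-Audit tool). It parses the output of `git log --format='%H %G? %GK' <range>` (git's per-commit signature status letter and signing key id) and the `[GNUPG:]` status lines that `git verify-tag --raw <tag>` writes to stderr, and flags anything that is not validly signed by a key on an allowlist. The key ids, commit hashes and status lines below are constructed sample data:

```python
"""Audit commit and tag signatures against an allowlist of known GPG keys.
Added example, not the GitHub-Audit tool.  Inputs handled:
  * lines of  git log --format='%H %G? %GK' <base>..<production>
    (%G? = signature status letter, %GK = signing key id, empty if unsigned)
  * gpg status lines of  git verify-tag --raw <tag>  (captured from stderr)
All sample data below is constructed for the example."""
import re
from dataclasses import dataclass

# Long key ids allowed to sign production commits and tags (constructed).
KNOWN_KEYS = {"4AEE18F83AFDEB23": "release-manager",
              "B5690EEEBB952194": "ci-signer"}

# git's %G? letters: G good, U good but key trust unset, B bad, X/Y expired,
# R revoked key, E cannot check, N unsigned.  Our allowlist replaces gpg's
# web-of-trust judgement, so U is accepted when the key is known.
ACCEPTED_STATUS = {"G", "U"}
LOG_LINE = re.compile(r"^([0-9a-f]{40}) ([GUBXYREN])(?: ([0-9A-F]{16,40}))?$")

# Constructed sample of `git log --format='%H %G? %GK' origin/production`.
SAMPLE_LOG = """\
9fceb02d0ae598e95dc970b74767f19372d61af8 G 4AEE18F83AFDEB23
a4e3d1c9f6b8e2d7c1a0b3e5f7d9c2b4a6e8f0d1 U B5690EEEBB952194
c0ffee1234567890abcdef1234567890abcdef12 G 0123456789ABCDEF
deadbeef1234567890abcdef1234567890abcdef N
3b18e512dba79e4c8300dd08aeb37f8e728b8dad B 4AEE18F83AFDEB23
"""


@dataclass
class Finding:
    commit: str
    status: str
    key: str
    reason: str


def audit_log(log_text, known_keys=KNOWN_KEYS):
    """Return a Finding for every commit not validly signed by a known key."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable git log line: {line!r}")
        sha, status, key = m.group(1), m.group(2), m.group(3) or ""
        if status == "N":
            findings.append(Finding(sha, status, key, "unsigned commit"))
        elif status not in ACCEPTED_STATUS:
            findings.append(Finding(sha, status, key,
                                    f"signature not valid (status {status})"))
        elif key not in known_keys:
            findings.append(Finding(sha, status, key, "signed by unknown key"))
    return findings


# gpg status keywords that mean the tag signature must not be trusted.
REJECT_STATUS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def audit_tag_status(raw_status, known_keys=KNOWN_KEYS):
    """Return None if the tag is validly signed by a known key, else the reason."""
    good_key = None
    for line in raw_status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT_STATUS:
            return f"signature rejected: {parts[1]}"
        if parts[1] == "GOODSIG" and len(parts) >= 3:
            good_key = parts[2]  # long key id of the signing key
    if good_key is None:
        return "no valid signature"
    if good_key not in known_keys:
        return f"signed by unknown key {good_key}"
    return None


# Constructed gpg status output for three tags.
GOOD_TAG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 4AEE18F83AFDEB23 Release Manager <rm@example.org>\n"
BAD_TAG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 4AEE18F83AFDEB23 Release Manager <rm@example.org>\n"
UNKNOWN_TAG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <x@example.org>\n"

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.commit[:12]} {f.status} {f.key or '-':16} {f.reason}")
    for name, status in (("v1.0", GOOD_TAG_STATUS), ("v1.1", BAD_TAG_STATUS),
                         ("v1.2", UNKNOWN_TAG_STATUS)):
        print(f"tag {name}: {audit_tag_status(status) or 'OK'}")
```

Run against a real repository by feeding `git log --format='%H %G? %GK' main..production` to `audit_log` and `git verify-tag --raw v1.0 2>&1` to `audit_tag_status`; any finding should block the deployment, since a "good" signature from a key outside the allowlist is exactly the case a compromised account or app would produce.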
 
 
 
Here is an example audit. First we fetch a local copy of the data for the organization octo_org, then a report is generated for each repository:
 
 
    $ ./get_branch_protections.py octo_org
    2018-07-???: 52: 4?584 INFO: Running as ms_octo_cat
    2018-07-???: 52: 4?854 INFO: Gathering branch protection data. (calls remaining 4992).
    2018-07-???: 52: 4?117 INFO: Starting on org octo_org. (calls remaining 4992).
    2018-07-???: 52: 5?116 INFO: Finished collection branch protection data (call remaining 4947).
 
With the data cached locally, any number of reports can be generated. For example, this report shows compliance with the recommendations above:
 
 
    $ ./report_branch_status.py --header octo_org.db.json
    name,protected,restricted,enforcement,signed,team_used
    octo_org/react-starter,True,False,False,False,False
    octo_org/node-starter,False,False,False,False,False
 
As you can see, only octo_org/react-starter has force-push protection enabled on its production branch. The output is CSV so it can be pasted straight into a spreadsheet.
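As an added illustration (my own, not the GitHub-Audit project's code), the following Python evaluates locally cached branch-protection data against the four branch recommendations above and emits the same column layout as the report. The cache entries are constructed for this example and modelled on the GitHub REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the field names used (`enforce_admins.enabled`, `restrictions.users`/`teams`, `required_signatures.enabled`, `allow_force_pushes.enabled`) and the top-level `protected` flag are assumptions about that API's shape:

```python
"""Evaluate cached GitHub branch-protection data against the recommendations:
no force push, restricted pushers, rules enforced for admins, signed commits.
Added example, not the GitHub-Audit tool.  Field names follow the GitHub REST
branch-protection response (an assumption); the data below is constructed."""
import csv
import io

# Constructed sample of a local cache: one production branch per repository.
SAMPLE_CACHE = {
    "octo_org/react-starter": {
        "branch": "master",
        "protected": True,
        "protection": {
            "enforce_admins": {"enabled": False},
            "allow_force_pushes": {"enabled": False},
            "restrictions": None,
            "required_signatures": {"enabled": False},
        },
    },
    "octo_org/node-starter": {
        "branch": "master",
        "protected": False,
        "protection": None,
    },
    "octo_org/billing": {
        "branch": "production",
        "protected": True,
        "protection": {
            "enforce_admins": {"enabled": True},
            "allow_force_pushes": {"enabled": False},
            "restrictions": {"users": [{"login": "release-bot"}],
                             "teams": [{"slug": "release-managers"}],
                             "apps": []},
            "required_signatures": {"enabled": True},
        },
    },
}

COLUMNS = ["name", "protected", "restricted", "enforcement", "signed", "team_used"]


def evaluate(name, entry):
    """Return one report row for a repository's production branch."""
    prot = entry.get("protection") or {}
    # A branch only counts as protected if protection exists AND force pushes
    # are blocked; a "protected" branch that still allows force push is not.
    force_push = (prot.get("allow_force_pushes") or {}).get("enabled", False)
    protected = bool(entry.get("protected")) and not force_push
    restrictions = prot.get("restrictions") or {}
    users = restrictions.get("users") or []
    teams = restrictions.get("teams") or []
    restricted = protected and bool(users or teams)
    enforcement = protected and bool((prot.get("enforce_admins") or {}).get("enabled"))
    signed = protected and bool((prot.get("required_signatures") or {}).get("enabled"))
    team_used = restricted and bool(teams)
    return {"name": name, "protected": protected, "restricted": restricted,
            "enforcement": enforcement, "signed": signed, "team_used": team_used}


def report(cache, header=True):
    """Render the CSV report in the same column order as the article's tool."""
    rows = [evaluate(name, entry) for name, entry in sorted(cache.items())]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    if header:
        writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def non_compliant(cache):
    """Repositories whose production branch fails any of the four checks."""
    rows = (evaluate(name, entry) for name, entry in sorted(cache.items()))
    return [r["name"] for r in rows
            if not (r["protected"] and r["restricted"]
                    and r["enforcement"] and r["signed"])]


if __name__ == "__main__":
    print(report(SAMPLE_CACHE), end="")
    print("non-compliant:", ", ".join(non_compliant(SAMPLE_CACHE)))
```

The `enforcement` column is the one most often missed in practice: without it, an organization owner (or an app acting with an owner's token) can push straight past the restrictions that apply to everyone else, which is exactly the account-compromise scenario the article is about.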
 
 

How you can help


 
We are still implementing these recommendations ourselves and learning along the way. If you find our repository security recommendations useful, help make them easier to adopt: share your experience on the tips page or open an issue in the GitHub-Audit repository.

Author: weber
Publication date: 14-09-2018, 18:11
Category: Information Security / Open source / GitHub