GitHub secret key finder released to public

EHS培训的实施与效果的考核
GitHub
A researcher has published a tool for finding secret keys with varying cryptographic strength in git repositories.
The tool, dubbed TruffleHog, is able to search for and locate keys containing high-entropy strings by digging deep into commit history and branches, according to developer Dylan Ayrey.
TruffleHog’s search capabilities make it “effective at finding secrets accidentally committed that contain high entropy,” Ayrey says, and the tool needs nothing more than GitPython to work.
网络时代的保护隐私令人头痛,互联网广告公司使用程序分析用户历史行为,并进行预测,提供定向的个性化广告,那些社交攻击的黑客们和喜欢进行人肉搜索的家伙们在使用这些类似的功能。
Ayrey commented: “This module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the Shannon entropy for both the base64 character set and hexidecimal character set for every blob of text greater than 20 characters comprised of those character sets in each diff.” TruffleHog calculates entropy levels using a Shannon Entropy (.PDF) calculator. The entropy levels of keys are important, as the more or less information required to determine unknown key variables can alter how difficult it is to crack.
If a high-entropy string is detected, the string is printed to the screen.
Users of TruffleHog said in a Reddit discussion topic that Amazon already uses the tool to preemptively search GitHub for Amazon Web Services (AWS) keys accidentally connected to public repositories, which prevents attackers from snatching the keys, spinning up vast AWS instances and leaving the owners with the bill.
Top 10 tech products revealed at CES 2017…
SEE FULL GALLERY
1 – 5 of 10
NEXT
PREV
More security news
FTC files lawsuit against D-Link for router and camera security flaws
$247,000 KillDisk ransomware demands a fortune, forgets to unlock files

This ransomware scheme is targeting schools, colleges and head teachers, warn police
Malware uses denial-of-service attack in attempt to crash Macs
多家金融机构承认黑客窃取了大量客户信用卡信息,身份欺诈犯罪可真是一个很大的产业。

猜您喜欢

信息安全不是意识形态“制脑权”的争夺
关注“宽带中国”战略及实施方案
您的移动计算设备在僵尸网络犯罪份子的控制之下么?
鱼跃医疗:收购中优医药已处于目标股权交割阶段
FULLSTACK CAMPCALE
国内医疗卫生行业信息化应该避免数据泄露