NMSCD Incident #10
Replies: 4 comments 2 replies
- Glad to hear good news. Even though I'm new here, I'll still put my two cents in.
- I mentioned this elsewhere, but maybe set up webhooks to announce new repo creation to a Discord channel, and maybe add approvals for new repos created by all but admins/pre-approved/trusted members.
- I also realised when making this post that I was the only "Owner" of the organisation. We have a Management team that has extra permissions on almost all of the repos, but it would not have helped this situation. So we have 2 new "Owners" 🥳
- I haven't even noticed the problems 😅, but I agree we should restrict permissions a little in general. I don't have access to GitHub right now so I can't double-check it (vacation), but as far as I remember I had way too much power in our organization.
  On Mon, 18 Dec 2023, 10:51, Kurt Lourens <***@***.***> wrote:
  > I also realised when making this post that I was the only "Owner" of the organisation. We have a Management team that has extra permissions on almost all of the repos but it would not have helped this situation. So we have 2 new "Owners" 🥳
- Sorry about being so quiet about this, I was on holiday but I am back now 😋. Recently our GitHub Organisation disappeared from the internet, taking all the websites hosted with GitHub down as well. It turns out that one of our members' accounts was compromised and it was used to create public repositories in the organisation with malicious code. GitHub's automated scans picked it up and flagged our organisation. It took a while to get GitHub support to respond and sort out the organisation. Seems like they are experiencing a lot of issues like this one 😅
  I think that we could have prevented the organisation from being flagged if we had noticed the repositories and deleted them within the day they were uploaded. I received an email telling me that 3 new repos were added but I did not take a look at them, I just assumed someone was busy with a weird project called `cpp-application` 😅. We could also limit the ability to create repositories in the organisation to accounts who have 2FA. Feel free to share your thoughts in this discussion 😋
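The two mitigations raised in this thread, an alert on every new repository and a review gate for repos created by anyone outside a trusted set, can be combined in one organization webhook receiver. The following is an added example, not NMSCD's code and not from any participant in the discussion. It assumes an organization webhook subscribed to the `repository` event, a shared secret (the constructed `WEBHOOK_SECRET` here is a placeholder), and a hypothetical allowlist `TRUSTED_SENDERS`; the payload shape follows GitHub's `repository` event (`action`, `repository`, `sender`, `organization`) and the signature check uses the `X-Hub-Signature-256` header GitHub sends. The sample payload is constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholders for this example; a real deployment reads the secret
# from the environment and the allowlist from the org's admin/trusted team.
WEBHOOK_SECRET = b"example-webhook-secret-not-real"
TRUSTED_SENDERS = {"org-admin-alice", "org-admin-bob"}


def verify_signature(secret: bytes, body: bytes, signature_header: Optional[str]) -> bool:
    """Validate GitHub's X-Hub-Signature-256: 'sha256=' + HMAC-SHA256 over the raw body.

    Constant-time comparison prevents forged alerts (or silenced ones) from anyone
    who can reach the receiver but does not know the secret.
    """
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def evaluate_repository_event(payload: dict) -> Optional[dict]:
    """Turn a 'repository' event into an alert; only 'created' actions are interesting."""
    if payload.get("action") != "created":
        return None
    repo = payload["repository"]
    sender = payload["sender"]["login"]
    return {
        "org": payload["organization"]["login"],
        "repo": repo["full_name"],
        "public": not repo["private"],
        "created_by": sender,
        # Anything created by a non-trusted account is queued for human review;
        # a public repo from such an account is the pattern seen in the incident.
        "needs_review": sender not in TRUSTED_SENDERS,
        "html_url": repo["html_url"],
    }


def format_discord_message(alert: dict) -> dict:
    """Body for a Discord incoming webhook (POST JSON with a 'content' field)."""
    visibility = "PUBLIC" if alert["public"] else "private"
    flag = " :warning: REVIEW REQUIRED" if alert["needs_review"] else ""
    content = (
        f"New {visibility} repository {alert['repo']} created by "
        f"{alert['created_by']} in {alert['org']}: {alert['html_url']}{flag}"
    )
    return {"content": content}


def handle_webhook(headers: dict, body: bytes) -> Optional[dict]:
    """Entry point a web framework would call with the raw request body and headers."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        raise PermissionError("bad or missing webhook signature")
    if headers.get("X-GitHub-Event") != "repository":
        return None  # ping, push, etc. are not our concern here
    return evaluate_repository_event(json.loads(body))


# Constructed sample payload: field names follow the GitHub repository event,
# the values are invented for this example.
SAMPLE_PAYLOAD = {
    "action": "created",
    "repository": {
        "full_name": "example-org/cpp-application",
        "private": False,
        "html_url": "https://github.com/example-org/cpp-application",
    },
    "organization": {"login": "example-org"},
    "sender": {"login": "compromised-member"},
}


def sample_request(payload: dict = SAMPLE_PAYLOAD, secret: bytes = WEBHOOK_SECRET):
    """Build (headers, body) exactly as GitHub would sign them, for offline use."""
    body = json.dumps(payload).encode()
    sig = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    headers = {"X-GitHub-Event": "repository", "X-Hub-Signature-256": sig}
    return headers, body


if __name__ == "__main__":
    alert = handle_webhook(*sample_request())
    print(json.dumps(format_discord_message(alert)))
```

Posting the returned dict to the Discord channel is a single `requests.post(discord_webhook_url, json=format_discord_message(alert))`, left out so the block runs offline. The review gate is informational here: GitHub itself offers no "approve this repo before it exists" step, so the practical equivalent is restricting repository creation in the organization settings to owners or a trusted team and letting this alert cover the rest.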