Travis CI exposes free-tier users’ secrets – new claim • The Register

Voice Of EU



Travis CI stands for “Continuous Integration” but might just as well represent “Consciously Insecure” if, as security researchers claim, the company’s automation software exposes secrets by design.

Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.

In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.

There are evidently more than 770 million logs from free-tier Travis CI users available on demand via API calls. From these logs, the security researchers say, an attacker can extract tokens, secrets, and credentials used for interacting with cloud services like AWS, GitHub, and Docker Hub.

The Aqua Sec group says these tokens can be used to launch attacks or move laterally in the cloud to adjacent systems.

“We disclosed our findings to Travis CI, which responded that this issue is ‘by design’, so all the secrets are currently available,” the Aqua Sec researchers said. “All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately.”

Aqua Sec’s team said it reported its findings to cloud service providers, whose customer tokens were exposed, and got a different response: “Almost all of them were alarmed and quickly responded,” they said.


Some then instituted key rotation and others verified that at least half of the researchers’ findings are still valid, with some offering bug bounties for disclosure.

If this sounds familiar, it’s because this issue was reported to Travis CI in 2015 and in 2019 but appears not to have yet been fully addressed. It also came up last September.

Continuous Integration and Continuous Delivery/Deployment describe the practice of automating modern software development and cloud application deployment pipelines. This involves scripts that fetch secrets from environments – access tokens, API keys, and the like – in order to let building, testing, and code merging to occur. Secrets of this sort should not be leaked because they can be used to enable supply chain attacks and account hijacking.

The Travis CI API returns logs in clear text, and the log endpoints can be explored by enumeration: requesting a continuous range of numeric identifiers. The researchers also found an alternative API, using a different URL format, that provided access to logs not reachable through the first one – possibly old, deleted logs.

By swapping the numeric identifiers obtained from calls in one format into the other, the researchers found they could fetch logs that weren't previously available and could find secrets within them.

They tested their technique and found logs dating back a decade, with numeric identifiers ranging from about 4,280,000 through 774,807,924 – an upper bound for the number of logs potentially exposed.

Travis CI supports various security measures, like API call rate limiting, the obfuscation of tokens and secrets, secret rotation, and log deletion. Nonetheless, the Aqua Sec folk were still able to find clear text logs that contained sensitive data.

In a sample of 8 million requests, the researchers were able to obtain 73,000 tokens and credentials after the requisite data cleanup. These provided access to various cloud services like GitHub, Codecov, AWS, RabbitMQ, and others.
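The extraction step behind those numbers (pull a log, find credential-shaped strings in it) is simple enough to show. The Python below is an added example written for this article; it is not Aqua Security's tooling or Travis CI code, and it makes no API calls: it scans log text you already hold, which is also the sensible way to audit your own build history before rotating keys. The sample log is constructed: the AWS values are the placeholder pair from AWS's own documentation, the GitHub token is invented to fit the public `ghp_` format, and the set of masking placeholders (`[secure]` and friends) is an assumption to adjust for your CI. It also illustrates the limit of the obfuscation measure mentioned above: exact-match masking replaces only the literal secret, so a value that was echoed through base64 sails past it, which the scanner catches by decoding plausible blobs and rescanning them.

```python
"""Find credential-shaped strings in CI build-log text.

Added example for this article: not Aqua Security's tooling, not Travis CI
code, and it never contacts an API; it scans log text you already hold.
"""
import base64
import binascii
import math
import re
from collections import Counter

# High-confidence token shapes (public formats).  ghp_/gho_/ghu_/ghs_ bodies
# are 36 characters; ghr_ refresh tokens are longer, hence {36,}.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# NAME=value / NAME: value where NAME looks like it holds a credential.
ASSIGN = re.compile(
    r"\b(?P<name>[A-Za-z0-9_]*(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY)"
    r"[A-Za-z0-9_]*)\s*[=:]\s*['\"]?(?P<value>[^\s'\"]+)",
    re.IGNORECASE,
)

# What a CI log masker prints in place of a secret.  Assumed set; adjust it to
# whatever your CI actually emits.
MASKED = {"[secure]", "***", "[MASKED]"}

# A whole whitespace-delimited token that could be base64 of a credential.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed sample log.  AWS values are the documentation placeholders; the
# GitHub token is invented to fit the ghp_ format.
FAKE_GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
SAMPLE_LOG = (
    "$ export TRAVIS_SECURE_ENV_VARS=true\n"
    "$ export GITHUB_TOKEN=[secure]\n"
    "$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    '$ echo "$GITHUB_TOKEN" | base64\n'
    + base64.b64encode(FAKE_GITHUB_TOKEN.encode()).decode() + "\n"
    "$ npm test\n"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score well above 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str, via: str = "plain") -> list:
    """Return findings for one log line; `via` records how the text was reached."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            findings.append({"kind": kind, "value": m.group(0), "via": via})
    seen = {f["value"] for f in findings}
    for m in ASSIGN.finditer(line):
        value = m.group("value")
        if value in MASKED or value.startswith("$") or value in seen:
            continue  # masked by the CI, an unexpanded $VAR, or already reported
        if len(value) >= 12 and shannon_entropy(value) >= 3.0:
            findings.append({"kind": "assignment:" + m.group("name"),
                             "value": value, "via": via})
    # Exact-match masking rewrites only the literal secret, so a value that was
    # echoed through base64 survives it.  Decode plausible blobs and rescan once.
    if via == "plain":
        for tok in line.split():
            if not B64_TOKEN.fullmatch(tok):
                continue
            try:
                decoded = base64.b64decode(tok, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            findings.extend(scan_line(decoded, via="base64"))
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log; each finding carries its 1-based line number."""
    return [{"line": n, **f}
            for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(line)]


def redact(value: str) -> str:
    """Show just enough of a hit to identify it without re-leaking it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} ({f['via']}): {redact(f['value'])}")
```

Run against the sample it reports three hits: the AWS access key ID on line 3, the high-entropy AWS secret on line 4, and the GitHub token on line 6, the last one recovered only because the base64 output was decoded; the masked `GITHUB_TOKEN=[secure]` line correctly produces nothing. Anything the scanner turns up in your own logs is a key to rotate, not merely to delete from the log, since the log may already have been fetched.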

Coincidentally, GitHub in April issued a warning about the theft of OAuth tokens issued to Heroku and Travis CI. Travis CI responded by noting that the relevant keys and tokens had been invalidated and that no customer data was exposed.

Travis CI did not immediately respond to a request for comment. ®

‘I’m buying Manchester United’: Elon Musk ‘joke’ tweet charges debate over struggling club’s future | Elon Musk

Tesla billionaire Elon Musk briefly electrified the debate about the future of Manchester United by claiming on Twitter that he is buying the struggling Premier League club – before saying that the post was part of a “long-running joke”.

He did not make clear his views on new coach Eric ten Hag’s controversial insistence on passing out from the back, or whether unhappy star striker Cristiano Ronaldo should be allowed to leave, but he did say that if he were to buy a sports team “it would be Man U. They were my fav team as a kid”.

With the team rooted to the bottom of the league after a humiliating 4-0 away defeat to Brentford, the outspoken entrepreneur's tweet offered hope – however briefly – to fans who want to see the back of the current owners, the Florida-based Glazer family.

Also, I’m buying Manchester United ur welcome

— Elon Musk (@elonmusk) August 17, 2022

Musk has a history of making irreverent tweets, and he later clarified the post by saying he was not buying sports teams.

No, this is a long-running joke on Twitter. I’m not buying any sports teams.

— Elon Musk (@elonmusk) August 17, 2022

Buying United, one of the biggest football clubs in the world, would have cost Musk at least £2bn, according to its current stock market valuation.

Manchester United’s recent on-pitch woes have led to increased fan protests against the Glazers, who bought the club in a heavily leveraged deal in 2005 for £790m ($955.51m).

The anti-Glazer movement gained momentum last year after United were involved in a failed attempt to form a breakaway European Super League.

But a takeover by Musk would have been a case of out of the frying pan and into the fire for the club, given the billionaire’s tendency for off-the-cuff remarks and falling foul of market regulators.

Many were quick to point out that Musk had also promised to buy Twitter for $44bn before the deal collapsed in July, and has also boasted about colonising Mars and boosting birthrates on Earth.

That’s what you said about Twitter.

— Sema (@_SemaHernandez_) August 17, 2022

Fans responded with a mixture of bafflement and optimism given the lowly status of a club used to occupying the top places in the league rather than the bottom.

Manchester United did not immediately respond to a request for comment.

Elon Musk ‘buying Manchester United’ football club • The Register

Rocketry, energy, automotive, AI, tequila, tunnelling and (maybe) social media engineering entrepreneur Elon Musk has proclaimed his intention to buy Manchester United — the organization often cited as the world’s most supported football club.

Musk revealed his "intentions" in a tweet, of course.

Whether Musk is serious or not is impossible to divine – he has a long history of Twitter japes. And of course he also has recent form announcing, then backing away from, a planned purchase of Twitter itself.

Musk’s only previous known involvement in football was building an unasked-for submarine to help rescue a children’s team from a cave in Thailand in 2018. And when the offer was declined he defamed one of the actual rescuers.

But that lack of a round ball background won’t stop some fans from hoping Musk’s tweet expressed a genuine desire to acquire the team, which has performed modestly for years as its owners kept spending on new players low. Rival teams, meanwhile, used their owners’ oil riches to hire the planet’s top talent and win trophy after trophy as Man U’s trophy case gathered nought but dust.

The club’s fortunes hit a new low in recent weeks with a 0–4 loss to Brentford – a team that brings a teensy bit more relevance into this tale. Its home ground anchors one end of the UK’s “M4 Corridor” – which houses a great many technology companies.

Brentford is, however, a footballing minnow.

Losing to Brentford – plus other recent losses and reported disharmony in the playing squad – has enraged fans to the point where some would surely welcome Elon Musk as owner, even if his only contribution is providing a one-way trip into space for some coaching staff and players.

Or perhaps Musk fancies sending Man U to Mars, where the club would be undisputed champions of an entire planet.

Another scenario could see Man U turn out a team of humanoid Tesla robots – which are presumably more easily rebooted than the club's misfiring players, and could compete in the Robot World Cup.

If all else fails, fans could just drown their sorrows in Tesla tequila. ®

Scottish start-ups are using satellite tech to help conserve elephants

Doug McNeil of Eolas Insight said satellite technology can help humanity tackle the problems of conservation and the climate crisis.

Two Glaswegian start-ups are using satellite tech to help conservationists count African elephants from space.

Glasgow-based Eolas Insight will use artificial intelligence and high-resolution satellite imagery to detect elephants roaming across vast areas of a national park in southern Mozambique.

The company has received funding from the European Space Agency for the project.

It is working with conservationists from the Peace Parks Foundation and with fellow Glasgow tech start-up Omanos Analytics, which uses downstream satellite data analysis and on-the-ground intelligence to improve transparency and reduce risk around the social and environmental impacts of critical infrastructure projects.

Eolas Insight is a previous participant of Scottish accelerator programme CivTech, which focuses on innovation in the public sector. The elephant conservation project is based on previous work the start-up did with NatureScot as part of the CivTech programme in 2020, where it used satellite imagery techniques to monitor Scotland’s wild red deer.

Satellite image tracking Scottish deer, with detected deer marked by yellow squares. Image: Eolas Insight

Not only can satellite tech help monitor threatened species across the world, it can also provide a more sustainable and cheaper alternative to aircraft-based counts.

Satellites can pick up data on elephants such as how vulnerable they are in their environment. The tech can be used in remote areas as it does not depend on people on the ground, and can support efforts to stop poaching.

“Technology can play a key role in tackling what is arguably the biggest challenge facing humankind – conservation and the climate crisis. Detecting animals in satellite imagery will have its place in preservation projects of the future,” said Doug McNeil, managing director of Eolas Insight.

McNeil added that in the future his company would be working on creating a web-based platform, allowing users direct access to its methodology algorithms.

“There are so many hugely powerful new technologies available for environmental professionals and ecologists, however accessing these technologies can be a job in itself,” he said.

“At Eolas, we want to take the complexity out of technology and provide invaluable information to our customers. Our hope is that we can help them in some small way in their hugely important and timely work.”

In a 2020 proof-of-concept study, scientists in the UK used machine learning and satellite imagery to count African elephants from space. They said this approach could improve the monitoring of threatened elephant populations.
