A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims’ source-code repositories.
For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers’ repos. For example, if an app was granted read-only access to an organization or individual’s code repo, the app could effortlessly escalate that to read-write access.
This security blunder has since been addressed, and it was fixed before any miscreants abused the flaw to, for instance, alter code or steal secrets and credentials, according to Microsoft’s GitHub, which assured The Register it is “committed to investigating reported security issues.”
This is good news, because according to Aqua Security researchers, exploitation would have had a massive impact on “basically everyone.” In effect, this is a near miss for the industry, as miscreants could have exploited the hole to exfiltrate cloud credentials from private repos or potentially tamper with software projects.
“Every company that uses GitHub and has a GitHub App installed (basically everyone) could potentially be affected by this,” Aqua security researcher Gal Singer wrote in an analysis this week. The cloud-native security company privately alerted GitHub to fix the oversight.
“Following the report, we thoroughly investigated the bug to identify possible paths of exploitation,” a GitHub spokesperson said, in response to questions about the bug. In lieu of publishing a security advisory for all to see, GitHub sent a notice to all of its customers, adding: “We do not have any evidence to suggest that GitHub or customer data was impacted.”
The GitHub Apps system allows applications to integrate with the source-code warehouse so that developers can add features, automate processes, and extend projects’ workflows. These third-party apps can also be bought and shared in the GitHub Marketplace, and some of the most popular ones have thousands if not millions of installs.
GitHub Apps authenticate using tokens, and according to Aqua, herein lies the problem.
Here’s the way it’s supposed to work: GitHub Apps create and use scoped installation tokens based on the permissions granted to them when a user or organization installs the app.
As Singer explained:
However, a flaw in GitHub’s own code between February 25 and March 2 could have been exploited by an app to generate a token with an overly permissive scope. This could have allowed an app, which should have generated a token that only allowed read-access, to elevate the permission to write:user.
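The scoping rule the bug broke is simple enough to write down. An app requests an installation token from GitHub’s REST API (POST /app/installations/{installation_id}/access_tokens) and may pass a `permissions` object to narrow the token; that object must never widen what the installation was granted. The following is an added example, not code from the article, Aqua Security or GitHub: it models the server-side check that should have refused a read-to-write request, and the client-side audit a customer can run over the `permissions` object GitHub returns with every token. The grant and the escalated token response are constructed sample data; the function and constant names are this example’s own.

```python
"""Least-privilege check for GitHub App installation tokens.

Added example, not code from the article, Aqua Security or GitHub. A GitHub
App asks POST /app/installations/{installation_id}/access_tokens for an
installation token; the optional `permissions` object in that request may
narrow, but must never widen, what the installation was granted. The
functions below model that server-side rule (the one the bug let slip) and
the client-side audit a customer can run over the `permissions` object that
comes back with every token. All grants and token responses are constructed."""

# GitHub permission levels, ordered; None means the permission is not granted.
LEVEL = {None: 0, "read": 1, "write": 2, "admin": 3}


def rank(level):
    """Numeric rank of a permission level; unknown strings are rejected."""
    try:
        return LEVEL[level]
    except KeyError:
        raise ValueError(f"unknown permission level {level!r}") from None


def request_exceeds_grant(granted, requested):
    """Return {permission: (requested, granted)} for each requested level
    that is higher than the installation grant; {} means in scope."""
    return {
        name: (level, granted.get(name))
        for name, level in requested.items()
        if rank(level) > rank(granted.get(name))
    }


def mint_token(granted, requested=None, token_value="ghs_constructed_example"):
    """Intended server behaviour: refuse out-of-scope requests, otherwise
    issue a token carrying the requested subset (or the whole grant)."""
    requested = requested or {}
    escalations = request_exceeds_grant(granted, requested)
    if escalations:
        raise PermissionError(f"request exceeds installation grant: {escalations}")
    return {"token": token_value, "permissions": dict(requested or granted)}


def audit_issued_token(granted, token_response):
    """Client-side check on a token GitHub actually returned: report every
    permission issued above the grant, e.g. read silently becoming write."""
    findings = []
    for name, level in token_response.get("permissions", {}).items():
        if rank(level) > rank(granted.get(name)):
            findings.append(f"{name}: granted={granted.get(name)} issued={level}")
    return findings


# Constructed data: an installation granted read-only access to code and
# metadata, and the kind of over-scoped token the bug could have produced.
GRANTED = {"contents": "read", "metadata": "read"}
ESCALATED_RESPONSE = {
    "token": "ghs_constructed_escalated",
    "permissions": {"contents": "write", "metadata": "read"},
}

if __name__ == "__main__":
    print(mint_token(GRANTED, {"metadata": "read"}))
    print(audit_issued_token(GRANTED, ESCALATED_RESPONSE))
    try:
        mint_token(GRANTED, {"contents": "write"})
    except PermissionError as exc:
        print("refused:", exc)
```

The client-side audit is the part an app owner or asset owner controls: GitHub echoes the effective `permissions` in each token response, so comparing that object against the installation grant on every mint catches an over-scoped token at issue time rather than after it has been used.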
In a worst-case scenario, every newly generated token during that time frame could have been stepped up to grant the app administrator access, Singer noted:
The bug also highlights the larger security risk posed by third-party applications, libraries, and packages to software supply chains, he added.
This echoes concerns shared by the boss of the Microsoft Security Response Center, as well as 82 percent of CIOs in a survey of 1,000 such C-suite execs. ®
The Shannon-based project aims to integrate the operations of uncrewed and conventional aircraft to modernise air traffic management in Europe.
A European consortium based in Shannon has received EU funding to develop a flight ecosystem for drones and help integrate uncrewed aircraft into our airspace.
Coordinated by Future Mobility Campus Ireland (FMCI), this consortium will conduct a three-year engineering project to develop, deploy and optimise this type of system in Europe.
Describing itself as Ireland’s “first testbed for future mobility”, FMCI is a development centre based in the Shannon Free Zone focused on innovation in both ground and air mobility tech.
Illustration of the Advanced Aerial Mobility Hub at FMCI. Image: FMCI
FMCI said the research project, known as EALU-AER, represents a “major vote of confidence” in Ireland’s local expertise, industry operators and the resourcing of air mobility development.
Other members of the consortium include Shannon Group, the Irish Aviation Authority, Collins Aerospace, Dublin-based Avtrain, and Deep Blue in Italy.
The consortium has received the three-year funding award to develop uncrewed aviation business opportunities in Ireland, as part of a collaborative research project that could help modernise air traffic management in Europe.
The consortium said the new funding will help build an end-to-end ecosystem that supports the safe operation of uncrewed flights. The goal is to help integrate the operations of both uncrewed and conventional aircraft.
“This will result in developing and building out the critical infrastructure to allow advanced air mobility proliferate across Europe,” FMCI CEO Russell Vickers said.
“It will secure access to airspace for large numbers of drones and eVTOL [electric vertical take-off and landing] aircraft, resulting in safe, cost-effective and sustainable transport of freight and people in the future.”
The project’s work will be based at FMCI’s Advanced Aerial Mobility Research Test and Development Facilities in Shannon, but will include a network of Advanced Air Mobility routes across Ireland.
FMCI has already worked with Avtrain and Shannon Group to trial freight delivery services using beyond visual line of sight (BVLOS) drones.
“We are entering a new era of innovation where the success of the industry will depend on the integration of uncrewed aircraft into our airspace, rather than the segregation of airspace,” Avtrain CEO Julie Garland said.
Funding for the project came from the SESAR 3 Joint Undertaking, a partnership of private and public sector entities in the EU that aims to accelerate the delivery of the Digital European Sky through research and innovation.
It comes as people are increasingly looking at the potential of drones and uncrewed flight technology. A Dublin City Council initiative recently looked to show how local government can utilise drones in areas such as civil defence, emergency response, public safety and environmental monitoring.
Having an ice pack strapped to your chest – that’s how some describe the experience of taking a walk in cold weather when you have breast implants. Silicone only slowly reaches body temperature once out of the cold, so that icy feeling can persist for hours. As well as being uncomfortable, for breast cancer survivors it can be an unwelcome reminder of a disease they would rather put behind them.
Every year, 2 million people worldwide are diagnosed with breast cancer and the treatment often involves removing at least one breast. But most choose not to have their breasts reconstructed; in the UK, only about 30% do. Now a handful of startups want to change that, armed with 3D-printed implants that grow new breast tissue before breaking down without a trace. “The whole implant is fully degradable,” says Julien Payen, CEO of the startup Lattice Medical, “so after 18 months you don’t have any product in your body.”
It could spell the end not only of cold breasts, but the high complication rates and long surgeries associated with conventional breast reconstruction. The first human trial of such an implant, Lattice Medical’s Mattisse implant, is scheduled to begin on 11 July in Georgia. Others will soon follow. “We expect to start clinical trials in two years’ time,” says Sophie Brac de la Perrière, CEO of another startup, Healshape.
“It’s exciting,” says Stephanie Willerth, professor of biomedical engineering at the University of Victoria, Canada, who is not involved with the companies. “As engineers, we’ve been playing with 3D printing for half a decade”, but having a clinical use that doctors recognise as useful for patients is key to getting the technology out there, she says.
But in a field fraught with difficult medical compromises, unequal access issues and expectations about what women want, the question is how big an impact the new technology will actually have.
Today, there are two main types of breast reconstruction: silicone implants and flap surgery. While implants are easy to install, flap surgery is a highly specialised business that requires a tissue “flap” to be taken from the stomach, thigh or back. Surgeons often recommend flaps because, while there’s a lot of initial surgery and a longer recovery period, it gives a good, long-lasting result.
Silicone is still the most common choice. It is easy and simple, which appeals to cancer patients who either medically can’t have or mentally can’t face having tissue removed from another part of their body. But “it’s far from perfect”, says Shelley Potter, an oncoplastic surgeon at the University of Bristol and the Bristol Breast Care Centre. “It’s quite high risk. There’s a 10% chance of losing an implant.”
Silicone implants also require replacement every 10 or so years and they have had their fair share of scandals: the 2010s PIP scandal, in which a major implant manufacturer was found to have made its implants of dodgy silicone, and the 2018 Allergan scandal, in which popular textured implants were linked to an increased risk of a rare lymphoma. And as an American study from last year shows, it is mainly the idea of having that foreign object stuck inside your body that puts many off reconstruction altogether.
“So what we want to do,” says Brac de la Perrière, “is to give the benefits of the different solutions without the constraints.” In other words: the single, simple surgery of an implant, but without any lingering foreign material to cause trouble.
This can be achieved in different ways. Healshape uses a hydrogel to 3D-print a soft implant that will slowly be colonised by the person’s own fat cells, the initial batch of which is injected, while the implant disappears over six to nine months. The company CollPlant is developing something similar using a special collagen bioink, extracted from tobacco leaves it has genetically engineered to produce human collagen. “I think it will change the opinion of many patients,” says CEO, Yehiel Tal.
Lattice Medical has a different approach. Its implant is a 3D-printed cage made of a degradable biopolymer, in which they encase a small flap from underneath the breast area. This flap then grows to fill the cage with fat tissue, while the cage itself is absorbed by the body, ultimately leaving a regrown breast in its place.
Regrowing breasts using a cage has been shown to work in humans before, in a 2016 trial. However, it only worked in one of five women and the cages were not degradable. Andrea O’Connor from the University of Melbourne, Australia, who led the trial’s engineering team, hopes the new trial will address the problems raised in the first – for example, that patient responses can vary greatly. But if successful, it “would have the potential to help many women to achieve a superior reconstruction”, she says. Lattice Medical says its cage is an improvement because a flat base and larger pores help the tissue grow.
One big unknown is how much feeling the regrown breasts will have. A mastectomy usually means losing some sensation and, according to plastic surgeon Stefania Tuinder from the Maastricht University Medical Centre+ in the Netherlands, reconstruction affects it too. “From our data, it seems that implants have a negative effect on sensation, so the feeling in the skin is less than when you have only a mastectomy,” she says. In comparison, reconstruction from a flap with connected nerves can bring back some feeling within a few years.
Tuinder suspects the implant numbness is both because of nerve damage when the implants are inserted, and because the nerves can’t grow back once they are blocked by a lump of silicone. Whether that will also apply to the new implants remains to be seen, but since eventually there will be nothing to block the nerves, hopes are that sensation will be better.
Tissue engineered implants, however, are not the only recent innovations in the field. Many groups are working on perfecting a reconstruction technique using injections of the person’s own fat, boosted with extra stem cells to help the tissue survive. Medical professionals are still debating the safety and how the breasts hold up long term. In contrast to the new implants, the procedure might have to be done several times.
While any of these new techniques could result in something better than what’s currently on offer, Potter warns that we have a tendency to jump at new and shiny tech – an optimism bias. “We always think it’s going to be brilliant,” she says, but “we don’t want a situation like with vaginal mesh, where in 10 years’ time … we find out we have done something that isn’t helpful.”
Other solutions to the problems of reconstruction do exist. One is living without breasts, known as “going flat”. Contrary to the companies that think they can turn the reconstruction statistics around, people within the flat movement argue that if people were better informed, even more would opt out. “I reckon if [going flat] was given as an equal option,” says Gilly Cant, founder of the charity Flat Friends, “at least another 30-50% of women wouldn’t have [reconstruction].”
At the moment, the guidance from the National Institute for Health and Care Excellence (Nice) says that doctors should be aware that some might not want reconstruction. But Cant says it is often presented to people as part of the treatment process. “It’s like, ‘OK, we need to do a mastectomy. Then you have chemo. Then you’ll have your radiotherapy and then we’ll do reconstruction.’ So women live for that reconstruction at the end,” she says. It comes to signal the finish line.
It is particularly contentious when only one breast is removed, because some might want the other taken off to feel and look symmetrical, rather than have a new one made. But according to Cant, many doctors don’t want to remove a healthy breast. Part of the doctors’ concern is that women will regret their decision, says Potter, but “women know what they want to do with their own bodies. We should help and support them to do what they want to do.”
Potter herself would like to see more of the ultimate alternative: not having a mastectomy in the first place. “There’s no evidence that mastectomy gives you better cancer outcomes than a breast-conserving operation,” she says. In this case, the tumour is removed but the breast is kept. For example, one of her patients had a breast reduction that removed her cancer while giving her breasts a lift. “She calls them her silver lining breasts.”
So even without tissue-engineered implants, there are enough options to make the choice a hard one. To help people choose, some charities pair up people considering a specific procedure with someone who has already been through it. At the charity Keeping Abreast, show and tell sessions give people the chance to ask the questions they might be uncomfortable asking their doctor and see the results for themselves.
But according to a 2018 report by the all-party parliamentary group on breast cancer, knowing what you want is not the same as having access to it. “There’s a massive postcode lottery,” says Potter. It stems from flap surgery being so involved that it often requires specialist plastic surgeons who can do minute surgery under a microscope. Many clinics don’t have such experts in-house and while the Nice guidance says people should still have the option, in practice it limits access.
The companies say this won’t be a problem with the new implants, because they are specifically designed to be easy to put in. Flap surgery can take from three to 12 hours depending on the flap, but insertion of Lattice Medical’s implant, for example, takes only one hour and 15 minutes. “It’s really accessible to all plastic surgeons,” says Payen.
This accessibility will no doubt be crucial in taking the new implants from a cool technology to something with real impact. But from Potter’s perspective, it’s just one potential piece in a big puzzle, not a techno-fix. The implants “would be an option for a lot of women”, she says. “But I think the main advance is all around access, proper information, giving women choice and hopefully reducing the number of mastectomies that we need.”
The latest security research into operational technology (OT) and industrial systems identified a bunch of issues, 56 to be exact, that criminals could use to launch cyberattacks against critical infrastructure.
But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.
“Industrial control systems have these inherent vulnerabilities,” Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. “That’s just the way they were designed. They don’t have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB.”
In research published last week, Forescout’s Vedere Labs detailed 56 bugs in devices built by ten vendors and collectively named the security flaws OT:ICEFALL.
As the report authors acknowledged, many of these holes are a result of OT products being built with no basic security controls. Indeed, Forescout’s analysis comes ten years after Digital Bond’s Project Basecamp, which also looked at OT devices and protocols and deemed them “insecure by design.”
A few hours after Forescout published its research, CISA issued its own security warnings related to the OT:ICEFALL vulnerabilities.
CVEs: The problem? Or the fix?
“Up until this point, CVEs haven’t been generated for these insecure-by-design-things, and there’s a reason for that,” Fabela said. “It’s bad for the industry.”
Once a CVE is generated, it sets into motion a series of actions by industrial systems’ operators, especially in heavily regulated industries like electric utilities and oil and gas pipelines.
First, they have to determine if the environment contains any affected products. But unlike enterprise IT, which usually has centralized visibility and control over IT assets, in OT environments, “everything is distributed,” Fabela noted.
If industrial and manufacturing environments do have any products impacted by the vulnerability, that triggers an internal review and regulatory process that involves responding to CISA and developing a plan to improve security.
One SynSaber customer sarcastically described OT:ICEFALL as “the gift that keeps on giving,” Fabela said. “He said, ‘Now I have this on top of all my other like, the real vulnerabilities’,” which present a slew of other problems when it comes to patching — such as having to wait until a planned maintenance outage that may be months out — if the manufacturer has a patch at all.
OT protocols don’t use authentication
For example: The current Modbus protocol, which is very commonly used in industrial environments, does not have authentication.
Forescout’s analysis details nine vulnerabilities related to unauthenticated protocols and disputes the argument against assigning a CVE ID to a product that uses an insecure OT protocol.
“On the contrary, we believe a CVE is a community recognized marker that aids in vulnerability visibility and actionability by helping push vendors to fix issues and asset owners to assess risks and apply patches,” the authors wrote.
While this makes sense from an IT security perspective, Fabela said it’s unrealistic from an OT perspective, and ultimately doesn’t make critical infrastructure any more secure.
Modbus, as a protocol that does not use authentication, could generate “thousands” of CVEs that “affect every product line in the world,” Fabela said. “You’re tying up the product security teams with the OEMs and you’re tying up the customers, the asset owners, with CVEs that they can’t do anything about.”
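What “does not have authentication” means in practice is visible in the wire format. A Modbus/TCP request is an MBAP header (transaction id, protocol id, length, unit id) followed by a function code and its operands; there is no field in which a credential, nonce or signature could even be carried, so a controller cannot tell an HMI’s write from an attacker’s, and the only place to enforce who may write is the network. The following is an added example, not code from the article, Forescout or SynSaber: a minimal Modbus/TCP frame builder and parser, plus the allowlist-based write detection a defender is left with. Header layout and function codes follow the Modbus specification; the host addresses, register addresses, values and the allowlist are constructed sample data, and the function names are this example’s own.

```python
"""Modbus/TCP frames have no authentication: builder, parser and a
network-side write detector.

Added example, not code from the article, Forescout or SynSaber. The MBAP
header layout and the function codes are from the Modbus specification;
every address, value and host below is constructed sample data."""

import struct

# Function codes that change controller state (the ones a defender cares about).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def build_request(transaction_id, unit_id, function_code, payload):
    """Encode a Modbus/TCP request. MBAP header = transaction id, protocol id
    (always 0), length of everything after the length field, unit id.
    Note what is absent: no credential, nonce or signature of any kind."""
    pdu = struct.pack(">B", function_code) + payload
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id, unit_id, address, value):
    """FC 6: set one holding register. Twelve bytes is all it takes."""
    return build_request(transaction_id, unit_id, 6, struct.pack(">HH", address, value))


def parse_frame(frame):
    """Decode the MBAP header and function code, plus address/value for FC 6
    and address/quantity for the read functions and FC 16. Malformed frames
    raise ValueError rather than being silently accepted."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    fc = frame[7]
    data = frame[8:]
    out = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
           "exception": bool(fc & 0x80),
           "is_write": (fc & 0x7F) in WRITE_FUNCTIONS}
    if fc == 6 and len(data) >= 4:
        out["address"], out["value"] = struct.unpack(">HH", data[:4])
    elif fc in (1, 2, 3, 4, 16) and len(data) >= 4:
        out["address"], out["quantity"] = struct.unpack(">HH", data[:4])
    return out


def flag_unauthorized_writes(observed, allowed_writers):
    """Given (src_ip, dst_ip, frame) tuples taken from a capture, return one
    alert per write request whose source is not an approved engineering or
    HMI host. The controller cannot refuse the write; this allowlist on the
    network is the compensating control."""
    alerts = []
    for src, dst, frame in observed:
        info = parse_frame(frame)
        if info["is_write"] and not info["exception"] and src not in allowed_writers:
            name = WRITE_FUNCTIONS[info["function_code"] & 0x7F]
            alerts.append(f"{src} -> {dst} unit {info['unit_id']}: {name} "
                          f"addr {info.get('address')} value {info.get('value')}")
    return alerts


# Constructed sample capture: the site HMI polling and writing a setpoint,
# then an unexpected host writing the same register to zero.
ALLOWED_WRITERS = {"10.0.0.10"}
SAMPLE_TRAFFIC = [
    ("10.0.0.10", "10.0.0.50", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.0.10", "10.0.0.50", write_single_register(2, 1, 0x0010, 0x0064)),
    ("10.0.0.99", "10.0.0.50", write_single_register(3, 1, 0x0010, 0x0000)),
]

if __name__ == "__main__":
    print(write_single_register(3, 1, 0x0010, 0x0000).hex())
    for alert in flag_unauthorized_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS):
        print("ALERT", alert)
```

The detector only works while the traffic can be parsed; the point Wightman makes later in the piece about TLS applies here too, since wrapping Modbus in an encrypted tunnel without also adding authentication removes this visibility without removing the write.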
Basecamp researcher weighs in
Reid Wightman is a senior vulnerability researcher with OT security shop Dragos’ threat intel team. He’s also one of the original Project Basecamp researchers and, more recently, has done work on the ProConOS and MultiProg software vulnerabilities.
Forescout cited some of his research, and dedicated a section of the ICEFALL analysis to security flaws with the ProConOS runtime in PLCs.
In an email to The Register, Wightman noted that a lot of industrial controllers have the same set of problems that isn’t going away: “they allow unauthenticated code to run on the PLC.”
“This means that one malicious logic transfer to the PLC may permanently compromise the PLC,” he added, noting that, because the control logic is causing the change, it can happen outside of a normal firmware update. “It’s kind of a thing I’ve harped on since the Basecamp days, but may be worth repeating. Over and over again. Until the sun burns out, probably.”
Lately, one of Wightman’s “big, personal concerns” is that some vendors say they can use TLS and client certificates to secure controllers, presumably to avoid. In reality, this would just make the traffic more difficult to inspect, Wightman said.
“If an attacker gets onto the engineering system, they may load a malicious payload using CVE-2022-31800/CVE-2022-31801 (or any of the similar problems that exist in almost every logic runtime) into the controller,” he added. “Only, now we have no way of telling whether they did it because the traffic is encrypted.”
So how do we fix the problem?
“I guess my answer would be: if your engineering system is compromised, throw away all of the controllers that it was allowed to talk to,” Wightman said. “And I doubt most end users would go to that level of paranoia.”
Which, again, points to the insecure-by-design nature of how these systems are engineered.
“Thankfully, we see no signs of any widespread abuse of these protocols or ‘features’ in spite of some of the bugs being well-known for years,” Wightman added. “I really do hope it stays that way.” ®