

GitHub launches ‘Security Lab’ to help secure open source ecosystem



Today, at the GitHub Universe developer conference, GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.

“GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code,” the company said in a press release.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” it said.

Founding members include security researchers from organizations like Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMWare, LinkedIn, J.P. Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne.

GitHub says Security Lab founding members have found, reported, and helped fix more than 100 security flaws already.

Other organizations, as well as individual security researchers, can also join. A bug bounty program with rewards of up to $3,000 is also available, to compensate bug hunters for the time they put into searching for vulnerabilities in open source projects.

Bug reports must contain a CodeQL query. CodeQL is a new open source tool that GitHub released today: a semantic code analysis engine designed to find different variants of the same vulnerability across vast swaths of code. Besides GitHub, CodeQL is already being rolled out at other organizations, such as Mozilla, to help with vulnerability code scans.


GitHub’s new Security Lab project did not come out of the blue. Efforts have been going on at the company to improve the overall security state of the GitHub ecosystem for some time. Security Lab merges all these together.

For example, GitHub has been working for the past two years on rolling out security notifications that warn project maintainers about dependencies that contain security flaws.

Earlier this year, GitHub started testing a feature that would enable project authors to create “automated security updates.” When GitHub would detect a security flaw inside a project’s dependency, GitHub would automatically update the dependency and release a new project version on behalf of the project maintainer.

The feature has been in beta testing for all of 2019, but starting today automated security updates are generally available and have been rolled out to every active repository with security alerts enabled. [Also see official announcement.]

Image: GitHub

Furthermore, GitHub also recently became an authorized CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. GitHub didn’t apply to become a CNA for nothing.

Its CNA capability has been added to a new service feature called “security advisories.” These are special entries in a project’s Issues Tracker where security flaws are handled in private.

Once a security flaw is fixed, the project owner can publish the security advisory, and GitHub will warn all upstream project owners who are using vulnerable versions of the original maintainer’s code.

But before publishing a security advisory, project owners can also request and receive a CVE number for their project’s vulnerability directly from GitHub.

Previously, many open source project owners who hosted their projects on GitHub didn’t bother requesting a CVE number due to the arduous process.

However, getting CVE identifiers is crucial, as these IDs and additional details can be integrated into many other security tools that scan source code and projects for vulnerabilities, helping companies detect vulnerabilities in open source tools that they would otherwise have missed. [Also see official announcement.]

Image: GitHub

And in addition to the new GitHub Security Lab, the code-sharing platform is also launching the GitHub Advisory Database, where it will collect all security advisories found on the platform, to make it easier for everyone to keep track of security flaws found in GitHub-hosted projects. [Also see official announcement.]

And last, but not least, GitHub also updated Token Scanning, its in-house service that can scan users’ projects for API keys and tokens that have been accidentally left inside their source code.

Starting today, the service, which previously could detect API tokens from 20 services, can identify four more formats, from GoCardless, HashiCorp, Postman, and Tencent. [Also see official announcement.]




Trump reportedly uses unsecured phone lines. Cybersecurity experts explain why those are ‘so easy to hack it’s scary.’




President Donald Trump reportedly uses unsecured phones for White House business, rather than encrypted phone services intended for top government officials, according to a recent Washington Post report.

Image: Trump on phone
  • Business Insider spoke to cybersecurity experts about how hackers can gain access to phone conversations on unsecured devices.
  • Unsecured phones are an easy target for hackers, according to the experts, who said they are “so easy to hack it’s scary.”

President Donald Trump made Hillary Clinton’s use of private email servers a hallmark of his campaign, but the president himself regularly conducts phone calls using unsecured devices, according to a new report from The Washington Post.

Call records released as part of the impeachment inquiry into Trump show that he and his top advisors routinely used unsecured phones for White House business, a fact that several unnamed administration officials confirmed to the Post. Top government officials typically use encrypted phone services to protect calls or texts from being intercepted by hackers.

To put that revelation in context, Business Insider spoke to cybersecurity experts about the risks associated with unsecured phones.

Alex Heid, chief technology officer of Security Scorecard, said that unencrypted phone services are exceptionally easy to hack.

“In some cases, it’s as simple as walking into a cell phone tower, plugging in a laptop, and downloading everything,” Alex Heid said. “It’s generally so easy to hack it’s scary.”

Kiersten Todt, managing director of the Cyber Readiness Institute and a former cybersecurity advisor to the Obama Administration, said that gaining access to unsecured phone activity is well within the capabilities of sophisticated hackers.

“With enough time and focus, which we know that many malicious actors have, it’s certainly doable,” Todt said.

Here’s a breakdown of how hackers can gain access to unsecured phone activity and how encryption can protect against hacks, according to experts.

Encrypted phones have been the standard for top-ranking government officials dating back to World War II, when extensive technology was employed to protect against wiretapping.

Image: National Security Agency

Phone encryption became much less expensive with the advent of the internet. Most encrypted phone lines now use software called “voice over internet protocol” to shield against spying.

Image: Nam Y. Huh/AP

However, most standard phone services, including calls and texts, are “basically wide open,” according to Heid: “It’s an unencrypted data stream that’s broadcast over the airways.”

Image: Scott Morgan/Reuters

“Hackers are constantly hacking telecom carriers,” according to Heid. “In some cases, it’s as simple as walking into a cell phone tower, plugging in a laptop, and downloading everything.”

Image: Justin Sullivan/Getty Images

There are now a range of smartphone apps that provide encrypted calls and messaging services, including Signal, Wickr, and WhatsApp. The latter is used intermittently by White House officials, according to The Washington Post.


The primary reason that people opt to use unsecured rather than encrypted phone services is because of convenience. “There’s always that trade-off between encryption and ease of use,” Heid said.

Image: Mark Wilson/Getty Images

There have been several instances of targeted phone hacking in the past year alone. One tactic, known as SIM swapping, involves fraudulently convincing a mobile carrier to transfer control of a phone number to a hacker’s device.

Image: Steve Kovach, Business Insider

“Mobile security is something that the government is still struggling to prioritize,” Todt said. “Given the use of smartphones across business and government use, we’ve got to figure it out.”

Image: AP Photo/Jacquelyn Martin




New Android bug targets banking apps on Google Play store




Labeled “StrandHogg,” the vulnerability discovered by the mobile security vendor Promon could give hackers access to users’ photos, contacts, phone logs, and more.

Android apps in Google’s Play Store have frequently been the target of malware designed to infect mobile devices and steal personal information from users. 

Google is then put in the position of playing clean up to remove the malicious apps and then repeating the process the next time such fraudulent apps appear. 

The latest malware vulnerability is one that affects all Android devices by targeting banking apps in an attempt to compromise user data and gain access to financial accounts.


Discovered by Promon, the vulnerability dubbed StrandHogg allows malicious apps to pose as legitimate ones, giving hackers access to private SMS messages and photos, steal login credentials, track the movements of users, record phone conversations, and spy on people through the phone’s camera and microphone, according to a Promon press release posted on Monday.

Security researchers at Promon analyzing real malware that exploited this vulnerability discovered that all of the top 500 most popular apps had been at risk, affecting all versions of Android, including Android 10. As ranked by the app intelligence company 42 Matters, the list of 100 includes mostly popular and general apps across all types of categories.

Specifically, Promon’s partner and security firm, Lookout, confirmed 36 malicious apps that exploited the flaw. Among them were variants of the BankBot banking trojan, which has been seen as early as 2017 and is one of the most widespread banking trojans around.

In response to Promon’s findings, Google has since removed the identified malicious apps from its Play store, according to a statement sent to BBC News and TechRepublic.

“We appreciate the researchers’ work, and have suspended the potentially harmful apps they identified,” Google said in its statement. “Google Play Protect detects and blocks malicious apps, including ones using this technique. Additionally, we’re continuing to investigate in order to improve Google Play Protect’s ability to protect users against similar issues.”

In an overview page, Promon provided details on the StrandHogg vulnerability, explaining its impact and the different ways that hackers can exploit it.

As Promon describes it, StrandHogg allows a malicious app masquerading as a legitimate one to ask for certain permissions, including access to SMS messages, photos, GPS, and the microphone.

Unsuspecting users approve the requests, thinking they’re granting permission to a legitimate app and not one that’s fraudulent and malicious. When the user enters the login credentials within the app, that information is immediately sent to the attacker, who can then sign in and control sensitive apps.

The vulnerability itself lies in the multitasking system of Android, Promon’s marketing and communication director, Lars Lunde Birkeland, said. The exploit is based on an Android control setting called “taskAffinity,” which allows any app, including malicious ones, to freely assume any identity in the multitasking system, Birkeland said.

A specific malware sample analyzed by Promon was not on Google Play but was instead installed through dropper apps and hostile downloaders available on Google’s mobile app store, according to Promon. Such apps either have or pretend to have the features of games, utilities, and other popular apps but actually install additional apps that can deploy malware or steal user data.

“We have tangible proof that attackers are exploiting StrandHogg in order to steal confidential information,” Promon’s chief technology officer, Tom Lysemose Hansen, said in a statement on the overview page. “The potential impact of this could be unprecedented in terms of scale and the amount of damage caused because most apps are vulnerable by default and all Android versions are affected.”

Though Google removed the 36 exploited apps, Birkeland said that to the best of Promon’s knowledge, the vulnerability itself has not been fixed in any version of Android, including Android 10. Google also tries to safeguard its app store through its Google Play Protect security suite, but dropper apps continue to appear on the store. Often slipping under the radar, these apps can be downloaded millions of times before they’re caught and removed.

“Google Play is usually considered a safe haven for downloading software,” Birkeland said. “Unfortunately, nothing is 100% safe, and from time to time malware distributors manage to sneak their apps into Google Play.”

Sam Bakken, a senior product marketing manager with the anti-fraud company OneSpan, also weighed in on the threat posed by such vulnerabilities as StrandHogg.

“As you might imagine, criminals salivate over the monetization potential in stolen mobile banking credentials and access to one-time-passwords sent via SMS,” Bakken said in a statement. 

“Promon’s recent findings make the vulnerability as severe as it’s ever been. Consumers and app developers alike were exposed to various types of fraud as a result for four years,” he continued. “In addition, now, at least 36 examples of malware attacking the vulnerability as far back as 2017 have been identified—some being variants of the notorious Bankbot Trojan. This goes to show you that attackers are aware of the vulnerability and actively exploiting it to steal banking credentials and money.”




How to move Google Authenticator to your new phone for added security




You can move Google Authenticator to a new phone so that your new device can gain an additional level of security through two-step authentication.

Unlike the traditional method of using only a single password, two-step authentication provides greater security for your accounts by requiring two steps to log into your Google apps.

Google Authenticator is an app that assists in two-step authentication for your Google account, and allows you to use your phone as a second step in confirming your identity before accessing your account.

If you’ve used Google Authenticator before and recently got a new phone, you’ll need to move the Google Authenticator app to your new phone so that it can be used for two-step authentication. Follow the steps below to do so.

How to move Google Authenticator to your new phone

1. On your new Android or iPhone, download and install the Google Authenticator app.

Image: Chrissy Montelli/Business Insider

2. Using a PC or Mac, open Google’s webpage for two-step authentication and log in. When it becomes an option, click on “Move to a different phone.”

3. Click on either “Android” or “iPhone” based on what kind of phone you are using, then click “Continue.” The next screen should show a barcode or QR code.

4. Open the Google Authenticator app on your new phone and follow the on-screen instructions. When you are prompted, tap on “Scan a barcode,” and scan the barcode/QR code shown on your computer screen.

Image: Chrissy Montelli/Business Insider

5. After you scan the barcode, a six-digit code should appear on the Google Authenticator app. This code changes every few minutes for security purposes. Type the code into the corresponding field on your computer and click “Verify.”

Image: Chrissy Montelli/Business Insider

Google Authenticator should now be set up on your new phone, enabling you to use it for two-step account verification.

