GitHub has made its automated code-scanning tools available to all open-source projects free of charge.

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects.

The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

GitHub senior product manager Justin Hutchings told The Register that a key component of the Semmle (and now GitHub) scanning was CodeQL, the query language that graphs and then checks code for mistakes.

“It turns out that capability is extremely useful in security,” said Hutchings. “Most security problems are bad data flow or bad data usage in one way or another.”

While the feature itself will be new to GitHub, the underlying Semmle tools have been in use for years, which is why GitHub believes they’ll hit the ground running when they launch for free with open-source projects and as an add-on for the paid (enterprise), closed-source part of GitHub.

Although the code-scanning feature could be seen as most beneficial to smaller projects without enough work hours needed to thoroughly check for bugs, Hutchings noted that by making the feature cloud-based, bigger developers are also getting something on their wishlist.

“A lot of our commercial customers are excited about being able to run this at scale on our cloud,” he told us.

“Security analysis is compute intensive, you are dealing with millions of lines of code. You want to do this rapidly and we are finally bringing this capability into a hosted cloud environment, so they can scale up more quickly than they could previously.”

In addition to scanning for security bugs, GitHub is also adding the option for commercial developers to scan offline repositories and for exposed secrets (keys, credentials, etc) that could lead to network breaches and data leaks if let out onto the public internet. Previously limited to public repositories (such as AWS or Google Cloud), the secret-scanning feature will now be able to run on private GitHub repositories.

This addition, Hutchings said, is not just a security feature but also a stability feature, as it helps developers keep up with security policies that require changing keys at regular intervals by tracking and logging the changes. In this way, developers can avert outages and downtime that might otherwise occur when keys changes don’t get properly reported and handled.

Source: GitHub blasts code-scanning tool into all open-source projects • The Register

Very cloudy indeed!

There’s a hacker/security researcher with the Twitter handle GreenTheOnly that has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU unit. These were purchased off eBay, and despite having been reset, Green found that plenty of private owner information and passwords were still easily recoverable from the units.

[…]

There’s a number of reasons why Tesla owners may need to replace these units: if you’re adding on Autopilot to an existing car, for example, some early models had data-logging issues that caused failure after a few years, and various other wear-and-tear and failure issues.

Once he had the units, Green found that there was a surprising amount of data still on them, from what appear to be debugging screenshots taken every time a Model 3 starts up:

…to far more compromising data, which he described to InsideEVs:

“…owner’s home and work location, all saved wi-fi passwords, calendar entries from the phone, call lists and address books from paired phones, Netflix and other stored session cookies.”

That’s a security hole big enough to drive a Model X through, even with the Falcon Doors stuck open. And, speaking of the Model X, the unit he got from that model was physically crushed, but data was still recoverable.

Green gave more details on his Twitter feed, clarifying that the Spotify passwords are stored as plain text, and that the Netflix and Gmail passwords are stored in cookie format:

The ability to get calendar events and owner’s phone book and call history are also huge security breaches, too.

When owners decide to upgrade their cars’ computer, Tesla will only let them keep their original hardware for, according to a Tesla owners’ forum, a $1,000 fee. Yes, it’s strange to have to pay the company to take hardware that you should have owned when you bought your car, but Tesla has a history with non-traditional ideas of just what you think you’ve bought with your car.

Source: Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found.

TCAS spoofing, the practice of fooling collision detection systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS climbs or descends – and even to produce climb rates of up to 3,000ft/min.

Building on earlier research into the bare-bones concept [PDF], PTP said it had figured out how to shape and control airliners’ automatic TCAS responses so they moved up or down at precisely known points.

In a blog post the firm said: “We rationalised this to the point where we only needed three fake aircraft to provide [a Resolution Advisory] that caused a climb of over 3,000 ft/min.”

[…]

The prospect of a rollercoaster ride is less scary (or realistic) than it might seem; a recent Oxford University study showed that when airliner pilots are presented with too many spoof warnings, they simply disable the system responsible – and look out of the window so they keep flying safely.

Source: Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers • The Register

Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced.

Organizations with extreme security needs may keep certain computer hardware disconnected from any network, a practice known as air-gapping, to preclude the possibility of miscreants hacking in from compromised systems on the network, or from across internet. Attacks on such systems generally require some manner of physical access to introduce malware: an unauthorized person has to get their hands on the machine, typically briefly and unnoticed, to install malicious software, thus getting around the air-gap.

Perhaps the most widely reported air gap attack of this sort is said to have involved the covert introduction of the Stuxnet centrifuge-knackering malware around 2007, after three years of planning, to the nuclear fuel enrichment lab in Natanz, Iran, apparently from a USB stick.

Guri, head of research and development at Ben-Gurion University of the Negev, Israel’s Cyber-Security Research Center, told The Register in an email that air-gapped networks are not just for sensitive military facilities. They are used, he said, by many regulated industries to protect sensitive private data, intellectual property, and critical infrastructure.

In previous work, Guri and colleagues have explored various ways to attack air-gapped systems. Two years ago, for example, he and several other researchers developed a technique dubbed MOSQUITO to exfiltrate data from air-gapped systems using ultrasonic transmissions between speakers.

An obvious defense against acoustic data transmission is to disable any speakers on the protected device, a practice known as audio-gapping.

But Guri’s latest research shows that’s not enough. He and his team have found a way to turn the power supply in an isolated, muted machine into a speaker of sorts, one capable of transmitting data at a rate of 50 bits/sec.

He calls the attack POWER-SUPPLaY. The technique has the potential to be used against PC workstations and servers, as well as embedded systems and IoT devices that have no addressable audio hardware.

“We show that malware running on a PC can exploit its power supply unit (PSU) and use it as an out-of-band speaker with limited capabilities,” a paper [PDF] detailing the technique explained. “The malicious code intentionally manipulates the internal switching frequency of the power supply and hence controls the waveform generated from its capacitors and transformers.”

Source: OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit… • The Register

De Universiteit Antwerpen verbiedt het gebruik van videobelapp Zoom. De applicatie zou niet veilig genoeg en de universiteit wil geen risico’s nemen nadat men vorig jaar al eens het slachtoffer is geworden van een cyberaanval.

Ook Google en de Amerikaanse ruimtevaartorganisatie NASA namen onlangs het besluit om Zoom niet meer te gebruiken.

Bij de stad Antwerpen wordt Zoom nog volop gebruikt. ‘Door het nemen van gepaste veiligheidsmaatregelen en gebruikmakend van de beveiligingsopties van Zoom zelf werden onnodige risico’s vermeden’, zegt woordvoerder Dirk Delechambre.

Source: Universiteit Antwerpen verbiedt videobelapp Zoom – Emerce

Sorry Dirk, you’re wrong. There is no “safe” way to use the app.