Vulnerability in Travis CI has put thousands of projects at risk

The issue is related to the Travis CI activation process and affects builds created between September 3-10, 2021.

A vulnerability in Travis CI, a web service for building and testing software, has put thousands of open source projects that rely on it at risk. The service has about 600 thousand users and is used in more than 900 thousand open source projects. According to security researcher Felix Lange, the vulnerability can allow attackers to steal protected environment variables such as signing keys, access credentials, and API tokens.

The issue, identified as CVE-2021-41077, is related to the Travis CI activation process and affects certain builds created between September 3-10, 2021.

As part of the activation process, developers must add a .travis.yml file to their open source project repositories. This file gives Travis CI instructions on what to do and may contain encrypted sensitive data. Encrypted data can also be defined in the Travis CI web interface. Either way, this data is not intended to be disclosed. According to the service’s documentation, “encrypted environment variables are not available to pull requests from forks due to the risk of disclosing such information to unknown code.”

Ideally, access to protected environment variables should be closed when Travis CI starts such a build. However, due to the vulnerability, the variables can be accessed by anyone who forks the public repository and prints files during the build process.

Fortunately, the problem remained unresolved for only a short time, about eight days (Lange, together with other researchers, notified the vendor about it on September 7). However, as a precautionary measure, all projects using Travis CI are advised to change their signing keys, access credentials and API tokens.
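To plan that rotation, a project first needs a list of the encrypted values its .travis.yml carries. The script below is an added example, not code from the article, Travis CI or the researchers: it walks a .travis.yml and reports the key path of every `secure:` entry. The sample file and its placeholder ciphertexts are constructed, the scanner handles only the block-style YAML these files normally use, and variables defined in the Travis CI web interface do not appear in the file and must be listed separately.

```python
import re
KEY = re.compile(r'^([\w.-]+):\s*(.*)$')

# Constructed sample .travis.yml; the ciphertexts are placeholders, not real secrets.
SAMPLE = '''\
language: go
env:
  global:
  - secure: "PLACEHOLDER_CIPHERTEXT_1"
  - BUILD_MODE=release
deploy:
  - provider: releases
    api_key:
      secure: "PLACEHOLDER_CIPHERTEXT_2"
notifications:
  slack:
    rooms:
      - secure: "PLACEHOLDER_CIPHERTEXT_3"  # channel token
'''

def find_secure_entries(text):
    """Return [(line_number, key_path)] for every `secure:` value in the file."""
    stack, found = [], []          # stack holds (indent, key) of open mappings
    for lineno, raw in enumerate(text.splitlines(), 1):
        content = raw.strip()
        if not content or content.startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip(' '))
        if content.startswith('- '):
            # A list item may sit at the same indent as its parent key.
            while stack and stack[-1][0] > indent:
                stack.pop()
            content, indent = content[2:].lstrip(), indent + 2
        else:
            while stack and stack[-1][0] >= indent:
                stack.pop()
        m = KEY.match(content)
        if not m:
            continue               # plain scalar such as BUILD_MODE=release
        key, value = m.groups()
        if key == 'secure':
            found.append((lineno, '.'.join(k for _, k in stack)))
        elif not value:
            stack.append((indent, key))
    return found

if __name__ == '__main__':
    for lineno, path in find_secure_entries(SAMPLE):
        print(f'line {lineno}: rotate the secret behind {path}.secure')
```

Each reported path names the credential to revoke and reissue at its provider before the value is re-encrypted for the repository.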

Want to learn how to work with cloud databases and take the DP-900 certification exam for free?

Take a two-day training session from Microsoft on October 25 and 26.

From Microsoft experts, you will learn about the key principles of Azure services, proven approaches, and the specifics of working with relational and non-relational data.

Sign up for the training while there is still time.

Women and minorities are more likely to be targets of cyberattacks than other people

Women are more likely than men to receive messages from unknown numbers containing potentially malicious links.

Demographics play a large role in how often people are victims of cybercrime. Low-income and vulnerable populations are disproportionately affected by cybercrime. According to a poll of 5 thousand people in Germany, the UK and the US, conducted by experts from Malwarebytes, Digitunity and Cybercrime Support Network, minorities, as well as groups of people with low income and low educational level, are more likely to be victims of a cyber attack. Some groups are much more likely to face online threats.

For example, women are much more likely to receive text messages from unknown numbers containing potentially malicious links than men (79% versus 73%). Almost half (46%) of women said their social media accounts had been hacked, compared with 37% of men.

The social media accounts of Black, Indigenous and People of Color (BIPOC) are more likely to be attacked than those of white people (45% versus 40%); BIPOC populations are also more likely to experience identity theft (21% versus 15%). In fact, only 47% of BIPOC respondents escaped the financial consequences of cybercrime.

Age is also an important factor. 36% of people aged 65 and over have been victims of credit card information theft.

21% of women and 23% of BIPOC respondents experienced “significant” stress when faced with suspicious online activity.

According to the report, the statistics are linked to the overall sense of security (or lack thereof) in cyberspace. While half of all respondents do not feel private online and 31% do not feel secure online, the numbers are different for women. Women feel the least private online (53% versus 47% of men) and the least secure (35% versus 27% of men).

Socioeconomic class also matters. People with higher incomes (51%) feel more secure online than people with lower incomes (40%). The same is true for educational attainment – users with the highest educational attainment feel more secure (48%) than those who graduated only from college (44%) or high school (40%).

The United States launched a program to replace Huawei and ZTE network equipment

The US government allocated $1.9 billion for the implementation of the program.

On Monday, September 28, the US Federal Communications Commission (FCC) announced the launch of a program to replace network equipment of telecom operators in rural areas. The government allocated $1.9 billion to implement the program, Reuters reports.

The program was approved in July 2021; applications for participation will open on October 29 and will be accepted until January 14, 2022. Its goal is to remove from the networks of American telecom operators equipment manufactured by Chinese companies recognized in the United States as a threat to national security, in particular Huawei and ZTE.

Last year, the FCC recognized Huawei and ZTE as a threat to national security, thereby depriving US companies of the ability to use the $8.3 billion government fund to buy equipment from them. In December, the FCC passed regulations requiring carriers using ZTE and Huawei equipment to “dispose of and replace” it.

The requirement is a big problem for telecom operators in rural areas, which do not have the financial means to purchase new equipment and find specialists able to carry out such a replacement.

The latest FCC ruling expands the program from telecom operators with 2 million or fewer subscribers to operators with 10 million or fewer subscribers.
