Is Artificial Intelligence the future of art? – The Tico Times

To many they are art's next big thing: digital images of jellyfish pulsing and blurring in a dark pink sea, or dozens of butterflies fusing together into a single organism.

The Argentine artist Sofia Crespo, who created the works with the help of artificial intelligence, is part of the generative art movement, where humans create rules for computers which then use algorithms to generate new forms, ideas and patterns.

The field has begun to attract huge interest among art collectors and even bigger price tags at auction.

US artist and programmer Robbie Barrat, a prodigy still only 22 years old, sold a work called "Nude Portrait#7Frame#64" at Sotheby's in March for 630,000 ($821,000).

That came almost four years after French collective Obvious sold a work at Christie's titled "Edmond de Belamy", largely based on Barrat's code, for $432,500.

Collector Jason Bailey told AFP that generative art was like a ballet between humans and machines.

But the nascent scene could already be on the verge of a major shake-up, as tech companies begin to release AI tools that can whip up photo-realistic images in seconds.

Artists in Germany and the United States blazed a trail in computer-generated art during the 1960s.

The V&A museum in London keeps a collection going back more than half a century, one of the key works being a 1968 piece by German artist Georg Nees called Plastik 1.

Nees used a random number generator to create a geometric design for his sculpture.

Nowadays, digital artists work with supercomputers and systems known as Generative Adversarial Networks (GANs) to create images far more complex than anything Nees could have dreamed of.

GANs are sets of competing AIs - one generates an image from the instructions it is given, the other acts as a gatekeeper, judging whether the output is accurate.

If it finds fault, it sends the image back for tweaks and the first AI gets back to work for a second try to beat the gatekeeper.

But artists like Crespo and Barrat insist that the artist is still central to the process, even if their working methods are not traditional.

"When I'm working this way, I'm not creating an image. I'm creating a system that can create images," Barrat told AFP.

Crespo said she thought her AI machine would be a true collaborator, but in reality it is incredibly tough to get even a single line of code to generate satisfactory results.

She said it was more like babysitting the machine. Tech companies are now hoping to bring a slice of this rarefied action to regular consumers.

Google and Open AI are both touting the merits of new tools they say bring photorealism and creativity without the need for coding skills.

They have replaced GANs with more user-friendly AI models called transformers that are adept at converting everyday speech into images.

Google Imagen's webpage is filled with absurdist images generated by instructions such as: "A small cactus wearing a straw hat and neon sunglasses in the Sahara desert."

Open AI boasts that its Dalle-2 tool can offer any scenario in any artistic style from the Flemish masters to Andy Warhol.

Although the arrival of AI has led to fears of humans being replaced by machines in fields from customer care to journalism, artists see the developments more as an opportunity than a threat.

Crespo has tried out Dalle-2 and said it was a new level in terms of image generation in general, though she prefers her GANs. "I very often don't need a model that is very accurate to generate my work, as I like very much when things look indeterminate and not easily recognizable," she said.

Camille Lenglois of Paris's Pompidou Centre, Europe's largest collection of contemporary art, also played down any idea that artists were about to be replaced by machines.

She told AFP that machines did not yet have the critical and innovative capacity, adding: "The ability to generate realistic images does not make one an artist."


Where Does Legal Accountability Rest Between Tesla’s Artificial Intelligence and Human Error? – Above the Law

Self-driving cars are nifty. Electric vehicles are cool. And when you think of self-driving electric cars, it's hard not to think of Tesla. That said, not everyone associates them with safety. And with how the AI's algorithmic thinking is looking, they may have good reason.

On Thursday, the National Highway Traffic Safety Administration, an agency under the guidance of Transportation Secretary Pete Buttigieg, said it would be expanding a probe and look into 830,000 Tesla cars across all four current model lines, 11% more vehicles than they were previously examining.

Initially the probe started last year in response to Tesla vehicles mysteriously plowing into the scene of an existing accident where first responders were already present.

On Thursday, NHTSA said it had discovered in 16 separate instances when this occurred that Autopilot aborted vehicle control less than one second prior to the first impact, suggesting the driver was not prepared to assume full control over the vehicle.

CEO Elon Musk has often claimed that accidents cannot be the fault of the company, as data it extracted invariably showed Autopilot was not active in the moment of the collision.

At least 26 crashes and 11 deaths appear to involve Tesla's autopilot feature. While it is true that drivers should have their hands at 10 and 2 with their eyes on the road, you've gotta admit that there have been some representations of the autopilot feature as a replacement for human inputs. A last-minute shift from AI to UI is exactly the type of childish loopholing masquerading as brilliance you'd expect from a guy with an Elden Ring build this bad.

Look, I know I've made that gag in a prior article where I dunked on Musk for being goofy, BUT TWO MEDIUM SHIELDS?

For fear of being labeled a one-trick Tesla with weak windows, this is exactly what you'd expect from a guy who was already on trial for killing someone with a car.

What's next? A special re-issue of O.J. Simpson's If I Did It with an additional chapter from Elon on how he'd use tweets to manipulate stock prices?

Cartoonish evil gets satirical responses. In the meantime, it may be worth it to consider electric car alternatives that aren't Teslas. And pay attention to the road, damn it.

Elon Musk's Regulatory Woes Mount As U.S. Moves Closer To Recalling Tesla's Self-Driving Software [Fortune]

Chris Williams became a social media manager and assistant editor for Above the Law in June 2021. Prior to joining the staff, he moonlighted as a minor Memelord in the Facebook group Law School Memes for Edgy T14s. He endured Missouri long enough to graduate from Washington University in St. Louis School of Law. He is a former boatbuilder who cannot swim, a published author on critical race theory, philosophy, and humor, and has a love for cycling that occasionally annoys his peers. You can reach him by email at cwilliams@abovethelaw.com and by tweet at @WritesForRent.


Artificial intelligence tool predicts response to immunotherapy in lung and gynecologic cancer patients – EurekAlert


CLEVELAND - Collaboration between pharmaceutical companies and the Center for Computational Imaging and Personalized Diagnostics (CCIPD) at Case Western Reserve University has led to the development of artificial intelligence (AI) tools to benefit patients with non-small cell lung cancer (NSCLC) based on an analysis of routine tissue biopsy images, according to new research.

This year, more than 236,000 adults in the United States will be diagnosed with lung cancer, about 82% of them with non-small cell lung cancer, according to the American Society of Clinical Oncology.

Researchers at the CCIPD used AI to identify biomarkers from biopsy images for patients with NSCLC, as well as gynecologic cancers, that help predict the response to immunotherapy and clinical outcomes, including survival.

"We have shown that the spatial interplay of features relating to the cancer nuclei and tumor-infiltrating lymphocytes drives a signal that allows us to identify which patients are going to respond to immunotherapy and which ones will not," said Anant Madabhushi, CCIPD director and Donnell Institute Professor of Biomedical Engineering at Case Western Reserve.

The study was published this month in the journal Science Advances.

Immunotherapy is expensive, and studies show that only 20-30% of patients respond to the treatment, according to National Institutes of Health and other sources. These findings validate that the AI technologies developed by the CCIPD can help clinicians determine how best to treat patients with NSCLC and gynecologic cancers, including cervical, endometrial and ovarian cancer, Madabhushi said.

The study, drawn from a retrospective analysis of data, also revealed new biomarker information regarding a protein called PD-L1 that helps prevent immune cells from attacking non-harmful cells in the body.

Patients with high PD-L1 often receive immunotherapy as part of their treatment for NSCLC, while patients with low PD-L1 are often not offered immunotherapy, or it's coupled with chemotherapy.

"Our work has identified a subset of patients with low PD-L1 who respond very well to immunotherapy and may not require immunotherapy plus chemotherapy," Madabhushi said. "This could potentially help these patients avoid the toxicity associated with chemotherapy while also having a favorable response to immunotherapy."

The multi-site, multi-institutional study examined three common immunotherapy drugs (called checkpoint inhibitor agents) that target PD-L1: atezolizumab, nivolumab and pembrolizumab. The AI tools consistently predicted the response and clinical outcomes for all three immunotherapies.

The study is part of broader research conducted at CCIPD to develop and apply novel AI and machine-learning approaches to diagnose and predict the therapy response for various diseases and cancers, including breast, prostate, head and neck, brain, colorectal, gynecologic and skin.

The study coincides with Case Western Reserve recently signing a license agreement with Picture Health to commercialize AI tools to benefit patients with NSCLC and other cancers.


Case Western Reserve University is one of the country's leading private research institutions. Located in Cleveland, we offer a unique combination of forward-thinking educational opportunities in an inspiring cultural setting. Our leading-edge faculty engage in teaching and research in a collaborative, hands-on environment. Our nationally recognized programs include arts and sciences, dental medicine, engineering, law, management, medicine, nursing and social work. About 5,800 undergraduate and 6,300 graduate students comprise our student body. Visit case.edu to see how Case Western Reserve thinks beyond the possible.

Spatial interplay patterns of cancer nuclei and tumor-infiltrating lymphocytes (TILs) predict clinical benefit for immune checkpoint inhibitors

1-Jun-2022


Credentials for thousands of open source projects free for the taking, again! – Ars Technica


A service that helps open source developers write and test software is leaking thousands of authentication tokens and other security-sensitive secrets. Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with software before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.

Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

Travis CI is a provider of an increasingly common practice known as continuous integration. Often abbreviated as CI, it automates the process of building and testing each code change that has been committed. For every change, the code is regularly built, tested, and merged into a shared repository. Given the level of access CI needs to work properly, the environments usually store access tokens and other secrets that provide privileged access to sensitive parts inside the cloud account.

The access tokens found by Aqua Security involved private accounts of a wide range of repositories, including Github, AWS, and Docker.


Examples of access tokens that were exposed include:

The following graph shows the breakdown:


A representative for Code Climate, the service shown in the chart above, said the credentials found by Aqua Security don't provide hackers with unauthorized access. "These are Test coverage tokens, used to report test coverage to Code Climate's Quality product," the representative said. "Unlike the other tokens mentioned in this post, these tokens are not considered secret, and cannot be used to access any data."

Aqua Security researchers added:

We found thousands of GitHub OAuth tokens. It's safe to assume that at least 10-20% of them are live. Especially those that were found in recent logs. We simulated in our cloud lab a lateral movement scenario, which is based on this initial access scenario:

1. Extraction of a GitHub OAuth token via exposed Travis CI logs.

2. Discovery of sensitive data (i.e., AWS access keys) in private code repositories using the exposed token.

3. Lateral movement attempts with the AWS access keys in AWS S3 bucket service.

4. Cloud storage object discovery via bucket enumeration.

5. Data exfiltration from the target's S3 to attacker's S3.


Travis CI representatives didn't immediately respond to an email seeking comment for this post. Given the recurring nature of this exposure, developers should proactively rotate access tokens and other credentials periodically. They should also regularly scan their code artifacts to ensure they don't contain credentials. Aqua Security has additional advice in its post.
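One way to act on the advice to scan build artifacts, shown as an added example that is not from the article or from Aqua Security: a small scanner that flags and redacts credential-shaped strings in a CI log before it is stored. The token patterns, the `[secure]` mask handling, the sample log and all function names are assumptions made for this sketch.

```python
import hashlib
import re
from dataclasses import dataclass

# Well-known token shapes (assumption: only prefixed formats are covered;
# older unprefixed 40-hex GitHub tokens will not match these patterns).
SPECIFIC = [
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
]
# Fallback heuristic: NAME=value where NAME suggests a credential.
GENERIC = re.compile(
    r"\b([A-Za-z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_?KEY)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*['\"]?([^\s'\"]{8,})",
    re.IGNORECASE,
)
# Values that are already masked (CI-side masking or our own redaction).
MASKED = {"[secure]", "[REDACTED]"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    fingerprint: str  # truncated SHA-256, so reports never repeat the secret


def _fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_line(line: str):
    """Return sorted (start, end, kind) spans of secret values in one line."""
    spans = []
    for kind, rx in SPECIFIC:
        for m in rx.finditer(line):
            spans.append((m.start(), m.end(), kind))
    for m in GENERIC.finditer(line):
        start, end = m.span(2)
        if m.group(2) in MASKED:
            continue  # already masked, nothing leaked
        if any(start < e and s < end for s, e, _ in spans):
            continue  # value already reported by a specific pattern
        spans.append((start, end, "secret_assignment:" + m.group(1).upper()))
    return sorted(spans)


def scan_log(text: str):
    """List findings for a whole log without echoing the secret values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for start, end, kind in scan_line(line):
            findings.append(Finding(line_no, kind, _fingerprint(line[start:end])))
    return findings


def redact(text: str) -> str:
    """Return the log with every detected secret value replaced."""
    out = []
    for line in text.splitlines():
        # Replace right-to-left so earlier offsets stay valid.
        for start, end, _ in reversed(scan_line(line)):
            line = line[:start] + "[REDACTED]" + line[end:]
        out.append(line)
    return "\n".join(out)


# Constructed sample log; both credentials are fake placeholders.
FAKE_GH = "ghp_" + "a1B2" * 9          # right shape, not a real token
FAKE_AWS = "AKIAIOSFODNN7EXAMPLE"      # AWS documentation example key ID
SAMPLE_LOG = "\n".join([
    "$ export GITHUB_TOKEN=[secure]",
    "$ git clone https://" + FAKE_GH + "@github.com/example-org/example-repo.git",
    "$ env | sort",
    "AWS_ACCESS_KEY_ID=" + FAKE_AWS,
    "DOCKER_PASSWORD=hunter2-not-real",
    "Done. Your build exited with 0.",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} (sha256:{f.fingerprint})")
    print(redact(SAMPLE_LOG))
```

Any finding should be treated as a leaked credential and rotated, since redacting a stored copy does nothing for logs that were already exposed.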

Post updated to add comment from Code Climate.


What are the Most Famous Programming Tools and Techniques? – Programming Insider


A programming tool, also known as a software development tool, is a program or application that programmers use to create, debug, maintain, and support other programs and applications. The word usually refers to a set of very simple programs that may be assembled to complete a task, similar to how many hand tools can be used to repair a real object. It's difficult to tell the difference between tools and applications. Simple databases (such as a file holding a list of significant values) are frequently used by developers as tools. A full-fledged database, on the other hand, is normally thought of as a separate application or piece of software. CASE (computer-assisted software engineering) tools have been in demand for a long time.

Successful tools have been difficult to come by. In certain ways, CASE tools, such as UML, prioritized design and architecture support. IDEs, on the other hand, have been the most successful of these tools. One of the characteristics of a professional software engineer is the ability to use a number of tools effectively. A program is a sequence of instructions that instructs the computer to do a variety of tasks; often, the instruction it is to perform is dependent on what happened after it completed a previous instruction. This section outlines the two major ways in which you'll provide these instructions, or commands as they're commonly known. One method employs an interpreter, while the other uses a compiler.

Software is very useful for manipulating and interpreting concepts. The Arduino, for example, makes life easier because we can design multiple applications with it. If you want to control the speed and direction of the DC motor of a robotic car, you can implement this task using an Arduino.

Best Programming tools:

The most famous and useful programming tools are:

Every day, software developers are confronted with a large amount of information to remember. New technologies, keyboard shortcuts, software requirements, and best practices are all things to be aware of. Many of us reach a limit on how much we can keep in our thoughts at some point. Evernote's free tier gives you an external brain, a place where you may store learnings, articles, information, and keyboard shortcuts or commands. It's always there when you need it because it's cloud-based.

Trello is a project management app that is both simple and free. It's an app that lets you make columns or swim lanes and arrange cards in them. These cards can represent jobs that need to be performed or labor that needs to be done.

GitHub created Atom, a relatively new code editor. It's open source and free, and it looks fantastic. It's also quite simple to use. Atom is a terrific tool for hacking at scripts or working on side projects, even if you use a more feature-rich IDE for your development at work. Atom's markdown preview mode is one feature that sets it apart from other code editors. When working on Readme files and other documentation, you can enter notes in markdown and get an inline preview.

Unity is a free, end-to-end game engine that makes it easier than ever to develop professional, cross-platform games. It's usual for software developers to dismiss game development as cool but too difficult, but with an infusion of high-quality tutorials and ongoing updates to Unity's tooling, the barrier to entry has never been lower. By dabbling in a totally different sort of programming, you'll obtain insights and ideas that will help you become a better programmer overall, and you'll probably have a lot of fun doing it.

Code Climate is a code analysis tool that rates your software based on test coverage, complexity, duplication, security, style, and other factors. It comes with a two-week trial period. Even if you're not willing to pay, Code Climate can provide you with a wealth of information on the code quality of your most recent personal project, or, if your team is on board, the product or service you're developing. You definitely have a sense for code smells as a software developer: things that could be better. When you have a lot of things wrong with your code, it might be difficult to know where to start.


Mayor Bowser Breaks Ground on Modernization of Stead Park Recreation Center | mayormb – Executive Office of the Mayor

(Washington, DC) Today, Mayor Muriel Bowser and community members broke ground on the Stead Park Recreation Center in the Dupont Circle Historic District. The $15.4 million project will preserve the history of Stead Park while modernizing the grounds and expanding the facility to create more accessible, integrated spaces for exercise, play, and community engagement. The project will also deliver the first Net Zero Energy-Ready recreation space within the Department of Parks and Recreation (DPR) portfolio, project-managed by the Department of General Services (DGS).

"Families in DC love our parks and open spaces, and we love delivering spaces and facilities that meet the needs of our communities, which is what we will do right here at Stead Park," said Mayor Bowser. "These continued investments and improvements are why the District, for the past two years, has been recognized for having the best park system in the nation."

The project consists of a 1.5-acre park and an existing historic carriage house named for Mary Force Stead as the primary building entry. Upon completion in 2023, the project will offer additional indoor recreational spaces, improved playgrounds and outdoor gathering spaces, and improved lighting. The recreation center will also have a solar canopy that includes a high-performing renewable energy system to offset all or most of its annual energy consumption, operating with a net zero energy consumption to save tax dollars.

"Starting in 2017 we have been engaged with the community on what the future of Stead Park will become," said DGS Director Keith A. Anderson. "I am pleased that we are breaking ground on a project that has recreational elements for everyone and that will save on energy costs for the District."

The Stead Park modernization will honor Mary Force Stead's wish that the space be maintained for the perpetual use of the children of Washington, as noted from the carriage house plaque honoring her memory. The Friends of Stead Park donated $500,000 to support this project.

"We at DPR are incredibly excited about the modernization of the existing carriage house at Stead and the construction of an addition to the recreation center that will help foster community engagement and provide quality recreational programming in this vibrant neighborhood of Dupont Circle," said DPR Director Delano Hunter.

Mayor Bowser's Fiscal Year 2023 Fair Shot Budget invests over $365 million over the next six years to improve parks and recreation facilities across the District. Additionally, the Mayor invested $13.5 million for Recreation for A.L.L., a new DPR initiative to expand recreation offerings and ensure all District residents, particularly young people, have access to high-quality recreational programming.

To learn more, visit https://dgs.dc.gov/page/stead-park-recreation-center-project.


Top 7 ‘Hot’ Programming Languages of 2022 – ITPro Today

What's the most important programming language to learn in 2022? That's an open question, but one way to answer it is to look at languages that are currently trending.

Some of them are well-established coding languages that have long been popular. Others are newer languages that are just now entering their heyday. Either way, they're languages worth familiarizing yourself with.


Here's a roundup of what are arguably the trendiest programming languages in 2022.

1. Python: When talking about hot programming languages in 2022, the list must start with Python. Probably no language is having a better year than Python, which recently slid into first place to become the very most popular language of all. You could argue that Python doesn't quite deserve that status, but the fact is that it enjoys it.


2. Go: Go (or Golang, as it's formally known) has long been a "cool" programming language partly because it traces its roots to Google (which is a hotbed of coolness, technologically speaking) and partly because it's fast to write, fast to compile, and fast to run.

3. OPA: Open Policy Agent, or OPA, isn't technically a programming language. It's a policy language that lets you define resources using code. That makes it a hot language, however, in a world increasingly obsessed with doing "everything as code."

4. Swift: If you develop anything for the world of Apple, whether on macOS, iOS, or any other *OS platform, Swift is a language you absolutely need to know today. It's also a relatively easy language to code in, by many accounts.

5. C: C, which turns 50 this year, may be old, but it remains relevant as ever and is still a hot programming language in 2022. It's messy, it's fast, and it's essential for a wide variety of programming tasks.

6. Java: It's arguably hard to get excited about Java, a language that is tedious to code in and whose code is relatively slow. But the fact is that Java was the most popular programming language for years, and tons of stuff are still written in it. Whether you actually enjoy coding in Java or not, it remains an important language as of 2022.

7. JavaScript: JavaScript is not the same as Java, but they're similar in that tons of stuff are written in JavaScript, too. If you are creating web apps in particular, JavaScript is probably the most important language for you to learn today.


Snowflake is going big on one of the world’s most popular programming languages – TechRadar

Snowflake has announced plans to bring Python "to the forefront" of its Data Cloud platform with upgrades that extend support for the programming language.

At its annual user conference, Snowflake Summit, the database company announced an expansion of its Snowpark developer framework that will give users easy access to a bounty of open source Python packages and libraries.

Now moving from private beta to public preview, Snowpark for Python promises to "improve programmability for data scientists, data engineers and app developers", Snowflake says.

Snowflake first introduced Snowpark in preview back in January 2021, before pushing the service to general availability earlier this year. Broadly, the objective was to give developers a simple and efficient way to program data in their language of choice.

"Our goal was to eliminate inefficient data pipelines and optimize processes and tasks that companies may be using just to get everyone on the same (data) page," said the firm, at the time of the launch.

Ultimately, Snowpark enables teams with different skill sets to collaborate and work on the same data, process data faster and more easily, and make data security and governance a top priority.

When it first went live, the Snowpark sandbox offered support for Java and Scala only, but the latest update now brings another of the world's most popular programming languages into the fray.

To supplement the rollout of Snowpark for Python, Snowflake also lifted the lid on a series of related upgrades that are currently under development. These include a native integration with Streamlit and other facilities designed to support the development and deployment of machine learning products written in Python.

Separately, the firm announced a private preview for a new service that will allow customers to access data stored in on-premise servers from within the Snowflake ecosystem, affording organizations the benefits of the cloud-based platform without the hassle of data migration.

"We are investing in Python to make it easier for data scientists, data engineers and application developers to build even more in the Data Cloud, without governance trade-offs," said Christian Kleinerman, SVP Product at Snowflake.

"Our latest innovations extend the value of our customers' data-driven ecosystems, enabling them with more access to data and new ways to develop with it in Snowflake. [These capabilities] are changing the way teams experiment, iterate and collaborate with data to drive value."

Disclaimer: Our flights and accommodation for Snowflake Summit 2022 were funded by Snowflake, but the organization had no editorial control over the content of this article.


Division of the Arts Opens Two Opportunities for Artists – State of Delaware News – news.delaware.gov


Governor Carney Activates Emergency Management Assistance Compact to Support Emergency Response to Barge FireDate Posted: May 24, 2022

Governor Carney Vetoes House Bill 371Date Posted: May 24, 2022

Crews Work to Contain Fire on Barge in Delaware BayDate Posted: May 23, 2022

Heritage Commission Book of the Week: East of the Mason-Dixon Line by Roger E. NathanDate Posted: May 23, 2022

DPH Encourages Delawareans To Consider Masking In Public Amid Rising Covid-19 CasesDate Posted: May 21, 2022

2021 U.S. Road Fatalities Projected Highest in 16 Years, Delaware at 15-year HighDate Posted: May 20, 2022

DHSS to Partner with Habitat for Humanity on Pilot Program for Minor Home Repairs for Older DelawareansDate Posted: May 19, 2022

Click It or Ticket Campaign Reminds Drivers: Buckle Up Every Trip, Every TimeDate Posted: May 19, 2022

Public Encouraged to Avoid Rescuing Young WildlifeDate Posted: May 19, 2022

Nonprofit Security Grant Applications Due June 1, 2022Date Posted: May 17, 2022

Delawares Plastic Carryout Bag Ban July 1, 2022Date Posted: May 17, 2022

DPH Offers Guidance And Resources On How To Navigate The Infant Formula Supply ShortageDate Posted: May 17, 2022

DNREC Names Two to Leadership RolesDate Posted: May 17, 2022

Governor Carney Honors Four Century Farm Families, 2022 Marks 35th Year of Delaware Century Farm ProgramDate Posted: May 16, 2022

Governor Carney Tests Positive for COVID-19Date Posted: May 16, 2022

Holodick Names Top High School Seniors 2022 Secretary ScholarsDate Posted: May 16, 2022

With Delaware Bay Beach Nourishment Projects Complete, DNREC Now Works Toward Restoring Atlantic CoastlineDate Posted: May 16, 2022

DE Heritage Commission Book of the Week: Captain Thomas MacdonoughDate Posted: May 16, 2022

School Behavioral Health Professionals HonoredDate Posted: May 16, 2022

The Wooden World Revealed at Lewes Zwaanendael MuseumDate Posted: May 13, 2022

Concord Pond to Be Treated for Invasive Aquatic Weed HydrillaDate Posted: May 13, 2022

DNREC To Update Vehicle Emission Testing RequirementsDate Posted: May 13, 2022

Dr. Karyl Rattay Announces Departure From Delaware Division Of Public Health Effective June 30, 2022Date Posted: May 13, 2022

Governor Carney Orders Lowering of FlagsDate Posted: May 13, 2022

Delaware Extends Electric Vehicle Rebate ProgramDate Posted: May 12, 2022

High Path Avian Influenza Confirmed In Black Vultures, Poultry Producers Encouraged To Take PrecautionsDate Posted: May 11, 2022

Governor Carney Signs Paid Family Leave LegislationDate Posted: May 11, 2022

Tonieboxes Now Available for Children at Delaware LibrariesDate Posted: May 11, 2022

McGuinesss National COVID-19 Data Quality Audit Template Shapes Public Emergency Response Efforts CountrywideDate Posted: May 10, 2022

DNREC, Delaware Center for the Inland Bays To Host Water Family Fest Saturday, May 14Date Posted: May 10, 2022

ICYMI: Dolly Parton in Delaware for the Imagination Library Statewide CelebrationDate Posted: May 9, 2022

DPH Diabetes & Heart Disease Prevention & Control Program Sponsors 20th Annual Diabetes Wellness ExpoDate Posted: May 9, 2022

Heritage Commissions Book of the Week: Allen McLane Patriot, Solider, Spy, Port CollectorDate Posted: May 9, 2022

US Wind and rsted Conducting Offshore Wind ResearchDate Posted: May 9, 2022

Gov. Carney Celebrates 150th Arbor Day in Rehoboth BeachDate Posted: May 6, 2022

Division of Small Business Launches Innovative New Website Service Designed to Support Delawares Small BusinessesDate Posted: May 6, 2022

DNREC, DEMA Sponsor Delaware Flood Awareness WeekDate Posted: May 6, 2022

Delaware Changes Summer Flounder, Scup and Black Sea Bass Recreational Fishing RegulationsDate Posted: May 5, 2022

DHSS Releases Second Annual Health Care Benchmark Trend ReportDate Posted: May 5, 2022

Drivers Needed for DARTs Upcoming Beach Bus SeasonDate Posted: May 5, 2022

DHSS Launches State Health Care Provider Loan Repayment ProgramDate Posted: May 5, 2022

DTI Announces New Chief Of Administration And Broadband ManagerDate Posted: May 5, 2022

DNRECs Monitoring Shows Overall Good Air Quality in DelawareDate Posted: May 4, 2022

Columbus Organization Will Continue to Connect Individuals to Services, SupportsDate Posted: May 4, 2022

May Is Viral Hepatitis Awareness Month; May 19 Hepatitis Testing DayDate Posted: May 4, 2022

Governor Carney Proclaims May 2022 as Trauma Awareness MonthDate Posted: May 4, 2022

The rest is here:
Division of the Arts Opens Two Opportunities for Artists - State of Delaware News - news.delaware.gov

This Week In Security: Pacman, Hetzbleed, And The Death Of Internet Explorer – Hackaday

There's not one, but two side-channel attacks to talk about this week. Up first is Pacman, a bypass for ARM's Pointer Authentication Code. PAC is a protection built into certain ARM processors, where a cryptographic hash value must be set correctly when pointers are updated. If the hash is not set correctly, the program simply crashes. The idea is that most exploits use pointer manipulation to achieve code execution, and correctly setting the PAC requires an explicit instruction call. The PAC is actually stored in the unused bits of the pointer itself. The AArch64 architecture uses 64-bit values for addressing, but the address space is much less than 64-bit, usually 53 bits or less. This leaves 11 bits for the PAC value. Keep in mind that the application doesn't hold the keys and doesn't calculate this value. 11 bits may not seem like enough to make this secure, but keep in mind that every failed attempt crashes the program, and every application restart regenerates the keys.

What Pacman introduces is an oracle, which is a method to gain insight into data the attacker shouldn't be able to see. In this case, the oracle works via speculation attacks, very similar to Meltdown and Spectre. The key is to attempt a protected pointer dereference speculatively, and to then observe the change in system state as a result. What you may notice is that this requires an attacker to already be running code on the target system in order to run the PAC oracle technique. Pacman is not a Remote Code Execution flaw, nor is it useful in gaining RCE.

One more important note is that an application has to have PAC support compiled in, in order to benefit from this protection. The platform that has made wide use of PAC is macOS, as it's a feature baked into the M1 processor. The attack chain would likely start with a remote execution bug in an application missing PAC support. Once a foothold is established in unprivileged userspace, Pacman would be used as part of an exploit against the kernel. See the PDF paper for all the details.

The other side-channel technique is a new take on an old idea. Hertzbleed is based on the idea that it's possible to detect the difference between a CPU running at base frequency, and that CPU running at a boost frequency. The difference between those two states can actually leak some information about what the CPU is doing. There's a pre-release PDF of their paper to check out for the details. The biggest result is that the standard safeguard against timing attacks, constant-time programming, is not always a reliable security measure.

It works because max frequency is dependent on the processor's Thermal Design Power (TDP), the maximum amount of power a CPU is designed to use and the amount of heat it is designed to dissipate. Different instructions will actually use different amounts of power and generate more or less heat based on this. More heat means earlier throttling. And throttling can be detected in response times. The details of this are quite fascinating. Did you know that even running the same instructions, with different register values, results in slightly different power draw? They picked a single cryptographic algorithm, SIKE, a quantum-safe key exchange technique, and attempted to extract a server's secret key through timing attacks.

There is a quirk in SIKE, also discovered and disclosed in this research: it's possible to short-circuit part of the algorithm, such that a series of internal, intermediary steps result in a value of zero. If you know multiple consecutive bits of the static key, it's possible to construct a challenge that hits this quirk. By extension, you can take a guess at the next unknown bit, and it will only fall into the quirk if you guessed correctly. SIKE uses constant-time programming, so this odd behavior shouldn't matter. And here the Hertzbleed observation factors in. The SIKE algorithm consumes less power when doing a run containing this cascading-zero behavior. Consuming less power means that the processor can stay at full boost clocks for longer, which means that the key exchange completes slightly more quickly. Enough so that it can be detected even over a network connection. They tested against Cloudflare's CIRCL library and Microsoft's PQCrypto-SIDH, and were able to recover secret keys from both implementations, in 36 and 89 hours respectively.

There is a mitigation against this particular flaw, where it's possible to detect a challenge value that could trigger the cascading zeros, and block that value before any processing happens. It will be interesting to see if quirks in other algorithms can be discovered and weaponized using this same technique. Unfortunately, on the processor side, the only real mitigation is to disable boost clocks altogether, which has a significant negative effect on processor performance.

[Frédéric Basse] has a Google Nest Hub, and he really wanted to run his own Linux distro on it. There's a problem, though. The Nest uses secure boot, and there's no official way to unlock the bootloader. Since when would a dedicated hacker let that stop him? The first step was finding a UART interface, hidden away on some unterminated channels of a ribbon cable. A custom breakout board later, and he had a U-Boot log. Next was to run through the bootup button combinations, and see what U-Boot tried to do with each. One of those combinations allows booting from a recovery.img, which would be ideal, if not for secure boot.

The great thing about U-Boot is that it's Open Source under the GPL, which means that the source code should be available for perusal. Find a bug in that source, and you have your secure boot bypass. Open Source also allows some fun approaches, like running portions of the U-Boot code in userspace, and exercising it with a fuzzer. That's the approach that found a bug, where a block size greater than 512 bytes triggers a buffer overflow. Assuming a block size of 512 or less is generally safe, as there aren't really any USB storage devices with a block size greater than 512.

Never fear, a device like the Raspberry Pi Pico can run TinyUSB, which allows emulating a USB device with whatever block size you specify. A test determined that this approach did result in a repeatable crash on the real device. The code execution is fairly straightforward, writing a bunch of instructions that are essentially noop codes pointing to a payload, and then overwriting the return pointer. Code execution in the can, all that remained was to overwrite the command list and execute a custom U-Boot script. A thing of beauty.

The lowly ping command. How much can a single pair of packets tell us about a network and remote host? According to [HD Moore], quite a bit. For example, take the time given for a ping response, and calculate a distance based on 186 miles per millisecond. That's the absolute maximum distance away that host is, though a quarter and half of that amount are reasonable lower and upper limits for a distance estimate. TTL very likely started at 64, 128, or 255, and you can take a really good guess at the hops encountered along the way. Oh, and if that response started at 64, it's likely a Linux machine, 128 for Windows, and 255 usually indicates a BSD-derived OS.

Receiving a "destination host unreachable" message is interesting in itself, and tells you about the router that should be able to reach the given IP. Then there's the broadcast IP, which sends the message to every IP in the subnet. Using something like Wireshark for packet capture is enlightening here. The command itself may only show one response, even though multiple devices may have responded. Each of those responses has a MAC address that can be looked up to figure out the vendor. Another interesting trick is to spoof the source IP address of a ping packet, using a machine you control with a public IP address. Ping every device on the network, and many of them will send the response via their default gateway. You might find an Internet connection or VPN that isn't supposed to be there. Who knew you could learn so much from the humble ping.
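The RTT and TTL rules of thumb above, applied to reply lines from your own hosts. This is an added example, not code from the article or from [HD Moore]; the function name and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re

MILES_PER_MS = 186.0  # distance figure used in the text above
# Common starting TTLs and the OS family each one suggests, per the text.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "BSD-derived"}

# Separate patterns, because Linux prints ttl before time and Windows the reverse.
HOST_RE = re.compile(r"from ([^\s:]+)", re.IGNORECASE)
TTL_RE = re.compile(r"ttl=(\d+)", re.IGNORECASE)
RTT_RE = re.compile(r"time[=<]([\d.]+)\s*ms", re.IGNORECASE)

def analyze_reply(line):
    """Return estimates for one echo-reply line, or None if it is not a reply."""
    host, ttl, rtt = (r.search(line) for r in (HOST_RE, TTL_RE, RTT_RE))
    if not (host and ttl and rtt):
        return None  # e.g. "Destination Host Unreachable" carries no ttl/time
    ttl_seen = int(ttl.group(1))
    if not 1 <= ttl_seen <= 255:
        return None
    # The smallest common starting value at or above what arrived.
    initial = min(t for t in INITIAL_TTLS if t >= ttl_seen)
    ceiling = float(rtt.group(1)) * MILES_PER_MS
    return {
        "host": host.group(1),
        "initial_ttl": initial,
        "hops": initial - ttl_seen,
        "os_guess": INITIAL_TTLS[initial],
        "max_miles": ceiling,                         # absolute ceiling
        "likely_miles": (ceiling / 4, ceiling / 2),   # quarter to half of it
    }

# Constructed sample output in Linux and Windows formats.
SAMPLE_REPLIES = [
    "64 bytes from 192.0.2.10: icmp_seq=1 ttl=52 time=20.0 ms",
    "Reply from 198.51.100.7: bytes=32 time=12ms TTL=117",
    "64 bytes from 203.0.113.5: icmp_seq=1 ttl=250 time=0.5 ms",
    "From 192.0.2.1 icmp_seq=1 Destination Host Unreachable",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(analyze_reply(reply))
```

The OS guess is only a hint: the starting TTL is a configurable default, and a middlebox answering on a host's behalf will report its own.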

Internet Explorer is Really, Truly, Dead. If you were under the impression, as I was, that Internet Explorer was retired years ago, then it may come as a surprise to know that it was finally done in only this past week. This month's Patch Tuesday was the last day IE was officially supported, and from now on it's totally unsupported, and is slated to eventually be automatically uninstalled from Windows 10 machines. Also coming in this month's patch drop was finally the fix for Follina, as well as a few other important fixes.

There's a new record for HTTPS DDoS attacks, set last week: Cloudflare mitigated an attack consisting of 26 million requests per second. HTTPS attacks are a one-two punch consisting of both raw data saturation and server resource exhaustion. The attack came from a botnet of VMs and servers, with the largest slice coming from Indonesia.

Running the free tier of Travis CI? Did you know that your logs are accessible to the whole world via a Travis API call? And on top of that, the whole history of runs since 2013 seems to be available. It might be time to go revoke some access keys. Travis makes an attempt to censor access tokens, but quite a few of them make it through the sieve anyways.
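One way to check your own exported build logs for credentials that slipped past masking, so you know which keys to revoke. This is an added example, not Travis tooling; the `[secure]` masking marker, the pattern set and the sample log lines are assumptions constructed for illustration.

```python
import re

# Token shapes to look for. The first two are publicly documented formats;
# the third is a generic heuristic for NAME=value or NAME: value assignments.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b[\w-]*(?:token|secret|password|api_?key)[\w-]*\s*[=:]\s*"
        r"(?P<value>[^\s'\"]{8,})"
    ),
}
MASK = "[secure]"  # assumed marker the CI service prints in place of a secret

def redact(value):
    """Keep a short prefix so the finding can be matched to a key, no more."""
    return value[:4] + "*" * (len(value) - 4)

def scan_log(lines):
    """Return (line_number, kind, redacted_value) for each unmasked credential."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        seen = set()  # one finding per value, even if two patterns match it
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.groupdict().get("value") or m.group(0)
                if value == MASK or value in seen:
                    continue
                seen.add(value)
                findings.append((lineno, kind, redact(value)))
    return findings

# Constructed sample log; none of these values is a real credential.
FAKE_PAT = "ghp_" + "A" * 36
SAMPLE_LOG = [
    "$ export DEPLOY_TOKEN=[secure]",
    "$ git clone https://" + FAKE_PAT + "@github.com/example/repo.git",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "DB_PASSWORD: hunter2hunter2",
    "Done. Your build exited with 0.",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit means the credential should be treated as exposed and rotated; deleting the log afterwards does not undo the exposure.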

Ever wonder what the risk matrix looks like for TPM key sniffing on boot? It's not pretty. Researchers at Secura looked at six popular encryption and secure boot applications, and none of them used the parameter encryption features that would encrypt keys on the wire. The ironic conclusion? Discrete TPM chips are less secure than those built into the motherboard's firmware.

See more here:
This Week In Security: Pacman, Hetzbleed, And The Death Of Internet Explorer - Hackaday