All Travis CI Free Tier User Tokens Exposed By Design – Rotate Keys ASAP or Terminate; Hard to Exploit Hardware Vulnerability Found in Apple CPU; User Email Exposes 70,000 Customer Records at Kaiser Permanente

It appears that in CI/CD, exposing credentials is a feature, not a bug. Automate rotating your credentials and assume they are lost if you are using the free version of Travis CI. This is likely to affect many open source projects using Travis CI to manage code deployment. This particular issue has existed in some form for years.

Johannes Ullrich

This is described as the intended behavior for the Free Tier version of Travis CI. If you are going to continue to use the free tier version, the best mitigation, today, is to proactively rotate access tokens, minimizing the interval they are viable if discovered. Better still investigate other options with a higher bar on protection of access tokens and related information, and properly fund key components such as your CI/CD tools.

Lee Neely

This is a good example of needing to look at least two levels deep when thinking of vulnerabilities and risk. For this attack to succeed, among other things vulnerable software needs to be running on the processor. I can imagine the CPU test team running exhaustive tests when designing, sizing and testing the Pointer Authentication Code but not specifically trying enough combinations of unpatched/vulnerable OS and applications.

John Pescatore

The exploitability and significance of this vulnerability outside of a lab demo has been disputed in part due to the limitations imposed on collecting high resolution timing data. At this point, this isn't anything you should spend time worrying about. Skip this story.

Johannes Ullrich

This is essentially a proof of concept attack, and the Pac-Man write up is an interesting read. Expect Apple to continue to take steps to limit loading kernel modules to mitigate risks for this sort of attack.

Lee Neely

Kaiser Permanente says its time-to-detect was a few hours, so the bigger question is why were medical records for 70,000 customers accessible in an employee’s email? The question is not why such sensitive data was in email – it almost always is, because quite often IT does not provide users with collaboration and analysis tools (or the users ignore them) and good old spreadsheets or .csv files are exchanged between users to meet immediate business needs. Not all that hard to detect (auditors find it all the time) but a regular process should be in place to detect PHI in user email queues.

John Pescatore

Email mailboxes are a treasure trove for attackers as people often use their mailbox as a database for storing all types of data, including passwords, personal data, and other highly sensitive material. However, most companies do not apply appropriate security to their email systems thinking of it as being only a communications channel. Companies should ensure users have MFA deployed for all email users, monitor for unusual login patterns, apply DLP for sensitive content, and where possible restrict access to sensitive mailboxes or mailboxes of high value targets from known and trusted locations.

Brian Honan

Kaiser has multiple regions with segmented data. This breach impacted Kaiser Foundation health plan of Washington. While we have been focused on security of patient facing devices in healthcare, don’t overlook back-end systems such as email which are also under attack and can also benefit from MFA and context driven access controls.

Lee Neely

The compromise of an employee's e-mail account should not be sufficient to compromise PPI. One notes that, again for reasons of convenience, strong authentication is rarely required on e-mail. E-mail, along with browsing, messaging, and social media, is a major source of credential compromise and must be effectively controlled (strong authentication) and isolated from mission critical applications.

William Hugh Murray

Hopefully this interesting initiative will provide additional information and data on how we can tackle criminal gangs not just at the technical level but perhaps in other ways, such as financial measures and sanctions.

Brian Honan

Think about having all your locations and affiliates under attack. Then consider how you would respond, contain, eradicate and prevent recurrence. Do you have the plan and supporting relationships, practice and training? How about your suppliers? Don’t forget to verify your NDAs cover these use cases.

Lee Neely

You need to update to the new firmware. Also, if you’re enabling decomposition of Brotli or GZip files. change the Brotli decompressor for GZip. Better still, disable that decompression.

Lee Neely

Don’t expect browser updates to settle into a patch Tuesday rhythm anytime soon. With the attention to finding and exploiting browser vulnerabilities, make sure you can readily and actively keep your browsers updated, including a defined process where the relaunch, required to activate the new version, is enforced. Be certain you’re actively tracking not just Chrome, but chromium-based browsers as well. Don’t ignore your other browsers, they are also being researched for vulnerabilities.

Lee Neely

Another case of using the All Writs Act (which is very broad) to compel companies to release information relevant to an investigation. You may recall this was also used against Apple in the 2015 San Bernardino shooting case where the FBI wanted them to unlock the suspects phone. The trick is to make sure requests like this are not only specific to the active case, but also represent responses those served can actually provide.

Lee Neely

Any data collected is accessible via a court order. Most privacy policies and related legislation have specific exemptions built in to allow this. Not sure why anybody is surprised that this is happening.

Johannes Ullrich

This action involved the courts, was narrowly crafted, and was disclosed on a timely basis. However, it involved the use of the ancient "All Writs Act" which the ACLU has found troubling and which has not been recently tested by appeals.

William Hugh Murray

The market share of IE is below 1%, so not a big issue. Browser-specific applications should by now be anomalies – from a security perspective, Chrome-based browsers are the market share big dog that vulnerability management needs to focus on, but Safari, Firefox and Edge will stay in the mix.

John Pescatore

Use Edge with the IE Mode if needed. Suggest rigorous testing without IE Mode to determine your reliance on backwards compatibility, possibly eliminating browser lock in.

Lee Neely