Security News

GitHub's new policies allow removal of PoC exploits used in attacks
2021-06-05 16:56

Soon after uploading the exploit, Jang received an email from Microsoft-owned GitHub stating that the PoC exploit had been removed because it violated the Acceptable Use Policies. GitHub faced immediate backlash from security researchers who felt that GitHub was policing the disclosure of legitimate security research simply because it affected a Microsoft product.

GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks
2021-06-05 10:01

On Friday, code-hosting platform GitHub officially announced a series of updates to the site's policies that spell out how the company deals with malware and exploit code uploaded to its service. Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or malware content delivery network.

NHS-backed org reacted to GitHub leak disclosure with legal threats and police call, complains IT pro
2021-05-14 10:02

IT pro Rob Dyke says an NHS-backed company not only threatened him with legal action after he flagged up an exposed GitHub repository containing credentials and insecure code, it even called the police on him. What happened next united infosec professionals across the world as well as triggering a crowdfundraiser and a behind-the-scenes legal war: we're told Apperta sent Dyke legal demands, and followed those up by alleging to the cops that he broke Britain's computer security laws.

GitHub Prepares to Move Beyond Passwords
2021-05-11 19:46

GitHub, the ubiquitous host for software development and version control, is now supporting security keys when using Git over SSH. In a post on Monday, GitHub security engineer Kevin Jones said that this is the next step when it comes to increasing security and usability. These security keys, which include YubiKey, Thetis Fido U2F Security Key and Google Titan Security Keys, are easy to pop into your pocket and cart around between machines, with most connecting via USB, NFC or Bluetooth.

GitHub now supports security keys when using Git over SSH
2021-05-10 20:09

GitHub has added support for securing SSH Git operations using FIDO2 security keys for added protection from account takeover attempts. "Once generated, you add these new keys to your account just like any other SSH key," GitHub Senior Security Engineer Kevin Jones said.

Twilio's private GitHub repositories cloned by Codecov attacker, cloud comms platform confirms
2021-05-05 12:27

Cloud comms platform Twilio has confirmed its private GitHub repositories were cloned after it became the latest casualty of the compromised credential-stealing Codecov script. Twilio said: "We have Codecov tools, including the Bash Uploader component, in use in a small number of our projects and CI pipelines." The company added that these particular projects were "Not in the critical path to providing updates or functionality to our communication APIs" and that it has "Remediated the potential exposure by thoroughly reviewing and rotating any potentially exposed credentials."

Cybersecurity Community Unhappy With GitHub's Proposed Policy Updates
2021-04-30 11:10

GitHub wants to update its policies regarding security research, exploits and malware, but the cybersecurity community is not happy with the proposed changes. The community has been asked to provide feedback until June 1 on proposed clarifications regarding exploits and malware hosted on GitHub.

GitHub disables Google FloC user tracking on its website
2021-04-28 05:25

It turns out, this header, now being returned by GitHub sites, is actually meant for website owners to opt-out of Google FLoC tracking. BleepingComputer also noticed the entire github.com domain had this header set, indicating GitHub did not want its visitors to be included in Google FLoC's "Cohorts" when visiting any GitHub page.

Homebrew fixes Cask repo GitHub Actions bug that would have let anyone sneak malicious code onto machines
2021-04-26 04:39

The Homebrew package manager for macOS and Linux has fixed an issue that could have been exploited by miscreants to run malicious code on people's computers. Specifically, the project's GitHub Actions setup could have been abused to sneak arbitrary Ruby code into its Cask repositories, security researcher RyotaK discovered and disclosed via HackerOne.