After hunting for security bugs, I’ve realized that the clients I work with are not familiar enough (or at all) with basic “hacking” techniques. API keys, passwords, encrypted SSH keys, and certificates are all great protection mechanisms, as long as they are kept secret. Once they’re out in the wild, it doesn’t matter how complex the password is or what hash algorithm was used to protect it elsewhere. In this post, I’m going to share the concepts, methods, and tools researchers use both to find secrets and to exploit them. I’ll also list mitigation action items that are simple to implement.

It’s important to mention that the attack-and-defend “game” is not an even one: an attacker needs only one successful attempt to get in, whereas the defender has to succeed 100% of the time. The hard part is knowing where to look. Once you can list the virtual “gates” through which hackers can find their way in, you can protect them with rather simple mechanisms. I believe their simplicity sometimes overshadows their importance, which is why many teams overlook them.

So here’s a quick and simple TL;DR, though not one to overlook:

  • Enforce MFA everywhere — Google, GitHub, cloud providers, VPNs, anywhere possible. If MFA isn’t an option, reconsider the system in use
  • Rotate keys and passwords constantly; define and enforce rotation policies
  • Scan your code regularly, preferably as part of the release process
  • Delegate login profiles and access management to one central system that you control and monitor

These are the 20% of actions that give 80% of the effect in preventing leaks and access-control holes.

API keys are exposed all over the internet. This is a fact, and often for no good reason. Developers leave them behind everywhere:

  • For debug purposes
  • For local development
  • In comments, for future maintainers

Blocks such as this one are all over the internet:

While many hackers actually sit and read through JavaScript files, the vast majority will automatically scan with tools like meg and then search the results for patterns. How do they do that? After using a scanner like meg, they search their findings for strings that match various templates. Another great tool by the same author that does exactly that is gf, which is essentially a better grep. In this instance, truffleHog, or the trufflehog pattern in gf, can find the high-entropy strings that characterize most API keys. The same goes for searching for the literal string API_KEY, which yields results (too) many times.
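The two detection ideas above, pattern matching on names like API_KEY and flagging high-entropy tokens the way truffleHog does, combined into one scanner you can run over your own code before release (the TL;DR's "scan your code regularly" item). This is an added example, not code from the post or from meg, gf or truffleHog; the sample JavaScript, the regexes and the 4.5-bit entropy threshold are constructed assumptions.

```python
import math
import re

# Shannon entropy in bits per character. Random API keys score high;
# ordinary identifiers and repeated placeholder characters score low.
def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Name-based pattern (the gf-style "better grep"): key-like name, then a
# quoted value of at least 8 characters.
ASSIGNMENT = re.compile(
    r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["\']([^"\']{8,})["\']')
# Any token long enough to be a credential; filtered by entropy below.
CANDIDATE = re.compile(r'[A-Za-z0-9_\-]{20,}')

def scan_text(text: str, min_entropy: float = 4.5):
    """Return sorted (line_no, token, [reasons]) for every suspect value."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            findings.setdefault((lineno, m.group(2)), set()).add("named-secret")
        for m in CANDIDATE.finditer(line):
            tok = m.group(0)
            if shannon_entropy(tok) >= min_entropy:
                findings.setdefault((lineno, tok), set()).add("high-entropy")
    return sorted((ln, tok, sorted(why)) for (ln, tok), why in findings.items())

# Constructed sample: one real-looking key (caught by both checks), a
# leaked password in a TODO comment (name only), a long but low-entropy
# identifier (no finding), and a placeholder token (name only).
SAMPLE_JS = """\
const API_KEY = "abcdefghijklmnopqrstuvwxyz012345";
// TODO remove before release: password = "Sup3rS3cretP@ss"
var cacheLoader = loadUserProfileDataFromCache;
// debug: token: 'ffffffffffffffffffffffff'
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_JS):
        print(finding)
```

Plugging this into a pre-release step is the cheap version of the scan item in the TL;DR; the entropy check alone would miss the placeholder and the password, which is why the name pattern is kept alongside it.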

How hackers steal your keys and secrets