How hackers steal your keys and secrets

After hunting for security bugs I’ve realized that the clients I work with are not familiar enough (or at all) with basic “hacking” techniques. API keys, passwords, SSH private keys, and certificates are all great protection mechanisms, as long as they are kept secret. Once they are out in the wild, it doesn’t matter how complex the password is or which hash algorithm was used to store it somewhere else. In this post, I’m going to share the concepts, methods, and tools researchers use both to find secrets and to exploit them. I’ll also list mitigation action items that are simple to implement.

It’s important to mention that the attack and defense “game” is not an even one: an attacker only needs one successful attempt to get in, whereas the defender has to succeed 100% of the time. The hard part is knowing where to look. Once you can list the virtual “gates” through which hackers can find their way in, you can protect them with rather simple mechanisms. I believe their simplicity sometimes overshadows their importance and is the reason many teams overlook them.

So here’s a quick and simple, yet not one to overlook TL;DR:

  • Enforce MFA everywhere: Google, GitHub, cloud providers, VPNs, anywhere possible. If a system does not support it, reconsider using that system
  • Rotate keys and passwords regularly; define and enforce rotation policies
  • Scan your code for secrets regularly, preferably as part of the release process
  • Delegate login profiles and access management to one central system that you control and monitor

These are the 20% of actions that give 80% of the effect in preventing leaks and access-control holes.

API keys are exposed all over the internet. This is a fact, and often for no good reason. Developers leave them behind everywhere:

  • For debug purposes
  • For local development
  • For future maintainers as comments

Blocks such as this one are all over the internet:

While some hackers do sit and read through JavaScript files by hand, the vast majority fetch them automatically with tools like meg and then scan the results for patterns. How? After collecting files with a scanner like meg, they grep the findings for strings that match known templates. gf, another great tool by the same author, does exactly that: it is essentially a grep with a library of ready-made patterns. In this case, truffleHog, or the trufflehog option in gf, will find the high-entropy strings that most API keys look like. The same goes for simply searching for the string API_KEY, which yields results (too) many times.
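As an added example (not code from the original post, and not meg, gf or truffleHog themselves), here is a small Python scanner that applies both checks this paragraph describes and doubles as the “scan your code as part of the release process” gate from the TL;DR. It greps for known key formats (the AWS access key ID prefix AKIA followed by 16 characters, and generic api_key / secret / token / password assignments) and scores long base64- or hex-looking tokens by Shannon entropy, using the per-character thresholds truffleHog uses (4.5 bits for base64, 3.0 for hex). The JavaScript bundle it scans is constructed inline; every key value in it is a dummy (the AWS key ID is the one from AWS’s own documentation), and the function, constant and pattern names are my own.

```python
"""Minimal secret scanner: pattern matching plus Shannon-entropy scoring.

Added example for this post, not the code of meg, gf or truffleHog.
The sample JavaScript below is constructed; every key in it is a dummy.
"""
import math
import re
import sys

# Known-format patterns. AWS access key IDs start with "AKIA" followed by
# 16 upper-case alphanumerics; the generic pattern catches
# "<api_key|secret|token|password> = '<value>'" assignments. The second
# element is the regex group that holds the secret value itself.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    "generic_api_key": (re.compile(
        r'(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["\']([^"\']{8,})["\']'), 2),
}

# Candidate tokens for entropy scoring: runs of base64 or hex characters,
# with the per-character entropy thresholds truffleHog uses.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RUN = re.compile(r"[0-9a-fA-F]{20,}")
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str, charset: str) -> float:
    """Bits of entropy per character of `data`, counted over `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def find_secrets(source: str) -> list:
    """Return (line_number, kind, secret) tuples for everything that looks leaked."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, (pattern, group) in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(group)))
        for m in BASE64_RUN.finditer(line):
            if shannon_entropy(m.group(0), BASE64_CHARS) >= BASE64_THRESHOLD:
                findings.append((lineno, "high_entropy_base64", m.group(0)))
        for m in HEX_RUN.finditer(line):
            if shannon_entropy(m.group(0), HEX_CHARS) >= HEX_THRESHOLD:
                findings.append((lineno, "high_entropy_hex", m.group(0)))
    return findings


# Constructed sample: a front-end bundle with secrets left in "for local
# development". All values are dummies (the AWS key ID is AWS's documentation
# example). Line 2 is hex-shaped, line 4 is a random-looking base64 token.
SAMPLE_JS = """\
// constructed sample: a bundle with secrets left in for local development
const API_KEY = "sk_test_0123456789abcdef0123456789abcdef";
const awsKey = "AKIAIOSFODNN7EXAMPLE";
const SLACK_TOKEN = "x7Qp2LmZ9vKaR4tYbW8nJcE3uHdF6gSiV5oTzA1B"; // TODO remove
fetch("https://api.example.com/v1/items?page=" + page);
const theme = "dark";
"""


def scan_files(paths: list) -> int:
    """CI gate: print findings and return a non-zero exit status if any exist."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, secret in find_secrets(fh.read()):
                total += 1
                # Print only a prefix so the scanner's own log does not leak the secret.
                print(f"{path}:{lineno}: {kind}: {secret[:6]}...")
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_files(sys.argv[1:]))  # e.g. python scan.py dist/*.js
    for finding in find_secrets(SAMPLE_JS):
        print(finding)
```

Run it with no arguments to scan the embedded sample, or with file paths to scan a build output; in the latter mode the non-zero exit status is what makes it usable as a release gate. Note the two checks complement each other: the hex-shaped key on line 2 has only 4.0 bits per character and would pass the base64 threshold, so it is caught by the hex threshold and the `API_KEY =` pattern, while the AWS key ID on line 3 is too short and too regular for either entropy test and is only caught by its documented prefix.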
