Your Secrets are Showing!

Ian Lee
April 15, 2018

This talk will zoom in on the cache of goodies which developers leave lying around that an attacker could leverage to access valuable information and/or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.

Every day, developers interact with a variety of source code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source code repositories can provide a wealth of information about a target environment, in addition to being of potential value all on their own.

Are you able to find this information in your environment? Do you know how to help your developers prevent these leakages in the first place? Remember "prevention is ideal, but detection is a must!"

Prepared by LLNL under Contract DE-AC52-07NA27344.

Transcript

  1. LLNL-PRES-749351
    This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory
    under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
    Your Secrets are Showing!
    How to find if your developers are leaking secrets?
    BSidesSF 2018
    Ian Lee, @IanLee1521, [email protected]
    Lawrence Livermore National Laboratory
    2018-04-15

  2. About me
    § Computer Engineer in Livermore Computing @ LLNL
    § Cyber assessments (purple team) of High Performance Computing systems
    § Open Source Evangelist
    — software.llnl.gov

  10. How does this play into a Penetration Test?

  11. Got a shell!

  15. VICTORY !!

  31. Not just for attackers / penetration testers

  34. CTRL + A, CTRL + D

  40. Recap our Loot
    § User shells (bash, zsh, csh, etc.)
    — environments, profiles, history
    § SSH
    — key pairs, known_hosts, config
    § Developer source code
    — git repositories, code hosting servers
    § Built-in persistence
    — existing / new screen sessions

  41. Hardening and Mitigation
    § Training / Monitoring
    — Risks of hardcoding credentials / tokens / etc. into source code and profiles
    — Know what is in your history
    — SSH configuration hardening
    — Are you monitoring your shell histories?
    § Static Source Code Analysis
    — https://www.owasp.org/index.php/Source_Code_Analysis_Tools
    — https://pypi.python.org/pypi/bandit/1.0.1
    § Version Control-aware Analysis
    — https://github.com/18F/git-seekret
    — https://github.com/awslabs/git-secrets
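The mitigation slide points at two detection controls: version-control-aware scanning (git-secrets, git-seekret) and keeping an eye on what lands in shell profiles and histories. The script below is an added example illustrating both in one place; it is not code from the talk or from either tool. It scans text (a staged source file, a profile, or a history file you feed it) against a small set of credential-shaped regexes, suppresses allowlisted placeholders the way git-secrets' "allowed" patterns do, and can be wired up as a pre-commit hook that fails the commit when anything matches. The rules, the `ALLOWLIST`, the sample source and history text, and the `.example` hostnames are all constructed for this example; `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID AWS uses in its own documentation.

```python
"""Secret-pattern scanner in the spirit of git-secrets / git-seekret.

Added example (not part of the talk): scans source files, shell profiles
or shell history for credential-looking lines, with an allowlist for known
documentation placeholders. Runs offline on the constructed samples below.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Detection rules: (name, regex). These patterns are this example's own
# assumptions, modelled on the kind of rules git-secrets ships for AWS keys
# plus a few common shapes of hardcoded credentials. Tune them per codebase.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_in_env", re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S+")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
    # Anchored on the mysql client so `find . -print` does not trip it.
    ("cli_password_flag",
     re.compile(r"\bmysql(?:dump)?\b.*\s(?:-p\S+|--password=\S+)")),
    ("api_token",
     re.compile(r"(?i)(api[_-]?key|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{20,}")),
]

# Substrings that look like secrets but are documented dummy values.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
ALLOWLIST = [
    "AKIAIOSFODNN7EXAMPLE",
    "<your-password-here>",
]


@dataclass(frozen=True)
class Finding:
    source: str   # file path, or a label such as "history"
    lineno: int   # 1-based line number within that source
    rule: str     # name of the rule that fired
    line: str     # offending line, stripped


def is_allowlisted(line):
    return any(token in line for token in ALLOWLIST)


def scan_text(source, text):
    """Return one Finding per line that matches a rule and is not allowlisted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_allowlisted(line):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(source, lineno, name, line.strip()))
                break  # one finding per line is enough to block a commit
    return findings


def staged_files():
    """Paths added/copied/modified in the index; for use as a pre-commit hook."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def scan_staged():
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # deleted or unreadable in the worktree; nothing to scan
    return findings


# Constructed sample input: a source file with a hardcoded key and password
# (plus an allowlisted placeholder), and a shell history with two leaks.
SAMPLE_SOURCE = '''\
import boto3
# TODO: move to environment / secrets manager before release
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
DB_PASSWORD = "hunter22hunter22"
EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"  # documented placeholder, allowlisted
def connect():
    return boto3.client("s3")
'''

SAMPLE_HISTORY = '''\
cd ~/projects/app
git status
export AWS_SECRET_ACCESS_KEY=constructedSecretValue0123456789abcdef
mysql -u root -pSup3rSecret -h db.internal.example
ls -la
ssh deploy@build.internal.example
'''

if __name__ == "__main__":
    # As a pre-commit hook: scan the index and fail the commit on any finding.
    found = scan_staged()
    for f in found:
        print(f"{f.source}:{f.lineno}: [{f.rule}] {f.line}")
    sys.exit(1 if found else 0)
```

Installed as `.git/hooks/pre-commit`, the `__main__` block blocks commits that introduce a match; the same `scan_text` function can be pointed at `~/.bash_history` or a profile to answer the slide's "know what is in your history" question. The allowlist is deliberately a substring list rather than regexes, so a reviewer can add a documented placeholder without risking a pattern that silently swallows real keys.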

  42. Questions?
    @IanLee1521
    [email protected]