Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Your Secrets are Showing!

Ian Lee
April 15, 2018
Technology
0
700

Your Secrets are Showing!

This talk will zoom in to the cache of goodies which developers leave lying around that an attacker could leverage access valuable information and / or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.

Every day, developers interact with a variety of source code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source code repositories can provide a wealth of information about a target environment, in addition to being of potential value all on their own.

Are you able to find this information in your environment? Do you know how to help your developers prevent these leakages in the first place? Remember "prevention is ideal, but detection is a must!"

Prepared by LLNL under Contract DE-AC52-07NA27344.

Ian Lee

April 15, 2018
Tweet

More Decks by Ian Lee

See All by Ian Lee
DevOps in HPC
ianlee1521
0
54
Monitoring HPC Security at LLNL
ianlee1521
0
110
Pass On What You Have Learned: Deploying to Production
ianlee1521
0
430
Building DevOps into HPC System Administration
ianlee1521
0
79
Keeping It All Safe: LLNL HPC Security Architecture
ianlee1521
0
140
Development of the TOSS 4 STIG
ianlee1521
0
180
You Must Unlearn What You Have Learned
ianlee1521
0
58
SC21: Addressing Cybersecurity Standards / Policies in HPC Environments
ianlee1521
0
96
Intro to Git for Security Professionals - WWHF WW 2021
ianlee1521
0
110

Other Decks in Technology

See All in Technology
ライブラリでしかお目にかかれない珍しい実装
mikanichinose
2
350
B2B SaaS × AI機能開発 〜テナント分離のパターン解説〜 / B2B SaaS x AI function development - Explanation of tenant separation pattern
oztick139
2
190
The Role of Developer Relations in AI Product Success.
giftojabu1
0
110
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
370
CysharpのOSS群から見るModern C#の現在地
neuecc
0
770
Can We Measure Developer Productivity?
ewolff
1
120
OCI Security サービス 概要
oracle4engineer
PRO
0
6.4k
FOSS4G 2024 Japan コアデイ 一般発表25 PythonでPLATEAUのデータを手軽に扱ってみる
ra0kley
1
150
[FOSS4G 2024 Japan LT] LLMを使ってGISデータ解析を自動化したい!
nssv
1
190
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
250
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
200
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
3
1.3k

Featured

See All Featured
What's new in Ruby 2.0
geeforr
343
31k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
KATA
mclloyd
29
14k
Adopting Sorbet at Scale
ufuk
73
9.1k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
RailsConf 2023
tenderlove
29
900
Statistics for Hackers
jakevdp
796
220k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Done Done
chrislema
181
16k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. LLNL-PRES-749351 This work was performed under the auspices of the

    U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC Your Secrets are Showing! How to find if your developers are leaking secrets? BSidesSF 2018 Ian Lee, @IanLee1521, [email protected] Lawrence Livermore National Laboratory 2018-04-15

  2. LLNL-PRES-749351 2 § Computer Engineer in Livermore Computing @ LLNL

    § Cyber assessments (purple team) of High Performance Computing systems § Open Source Evangelist — software.llnl.gov About me

  3. LLNL-PRES-749351 3

  4. LLNL-PRES-749351 4 INTERNET

  5. LLNL-PRES-749351 5

  6. LLNL-PRES-749351 6

  7. LLNL-PRES-749351 7

  8. LLNL-PRES-749351 8

  9. LLNL-PRES-749351 9

  10. LLNL-PRES-749351 10 How does this play in to a Penetration

    Test?

  11. LLNL-PRES-749351 11 Got a shell!

  12. LLNL-PRES-749351 12

  13. LLNL-PRES-749351 13

  14. LLNL-PRES-749351 14

  15. LLNL-PRES-749351 15 VICTORY !!

  16. LLNL-PRES-749351 16

  17. LLNL-PRES-749351 17

  18. LLNL-PRES-749351 18

  19. LLNL-PRES-749351 19

  20. LLNL-PRES-749351 20

  21. LLNL-PRES-749351 21

  22. LLNL-PRES-749351 22

  23. LLNL-PRES-749351 23

  24. LLNL-PRES-749351 24

  25. LLNL-PRES-749351 25

  26. LLNL-PRES-749351 27

  27. LLNL-PRES-749351 28

  28. LLNL-PRES-749351 29

  29. LLNL-PRES-749351 30

  30. LLNL-PRES-749351 31

  31. LLNL-PRES-749351 32 Not just for attackers penetration testers

  32. LLNL-PRES-749351 33

  33. LLNL-PRES-749351 34

  34. LLNL-PRES-749351 35 CTRL + A, CTRL + D

  35. LLNL-PRES-749351 36

  36. LLNL-PRES-749351 37

  37. LLNL-PRES-749351 38

  38. LLNL-PRES-749351 39

  39. LLNL-PRES-749351 40

  40. LLNL-PRES-749351 41 Recap our Loot § User shells (bash, zsh,

    csh, etc) — environments, profiles, history § SSH — key pairs, known_hosts, config § Developer source code — git repositories, code hosting servers § Built in persistence — existing / new screen sessions

  41. LLNL-PRES-749351 42 § Training / Monitoring — Risks of hardcoding

    credentials / tokens / etc into source code and profiles — Know what is in your history — SSH configuration hardening — Are you monitoring your shell histories? § Static Source Code Analysis — https://www.owasp.org/index.php/Source_Code_Analysis_Tools — https://pypi.python.org/pypi/bandit/1.0.1 § Version Control-aware Analysis — https://github.com/18F/git-seekret — https://github.com/awslabs/git-secrets Hardening and Mitigation

  42. Questions? @IanLee1521 [email protected]