Your Secrets are Showing!

Ian Lee
April 15, 2018


This talk will zoom in on the cache of goodies which developers leave lying around and which an attacker could leverage to access valuable information and/or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.

Every day, developers interact with a variety of source code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source code repositories can provide a wealth of information about a target environment, in addition to being of potential value all on their own.

Are you able to find this information in your environment? Do you know how to help your developers prevent these leakages in the first place? Remember "prevention is ideal, but detection is a must!"

Prepared by LLNL under Contract DE-AC52-07NA27344.


Transcript

  1. Slide 1

    Your Secrets are Showing! How to find if your developers are leaking secrets?
    BSidesSF 2018
    Ian Lee, @IanLee1521, ian@llnl.gov
    Lawrence Livermore National Laboratory, 2018-04-15
    LLNL-PRES-749351. This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC.

  2. Slide 2: About me

    - Computer Engineer in Livermore Computing @ LLNL
    - Cyber assessments (purple team) of High Performance Computing systems
    - Open Source Evangelist (software.llnl.gov)

  3. Slide 40: Recap our Loot

    - User shells (bash, zsh, csh, etc.): environments, profiles, history
    - SSH: key pairs, known_hosts, config
    - Developer source code: git repositories, code hosting servers
    - Built-in persistence: existing / new screen sessions

  4. Slide 41: Hardening and Mitigation

    - Training / Monitoring
      - Risks of hardcoding credentials / tokens / etc. into source code and profiles
      - Know what is in your history
      - SSH configuration hardening
      - Are you monitoring your shell histories?
    - Static Source Code Analysis
      - https://www.owasp.org/index.php/Source_Code_Analysis_Tools
      - https://pypi.python.org/pypi/bandit/1.0.1
    - Version Control-aware Analysis
      - https://github.com/18F/git-seekret
      - https://github.com/awslabs/git-secrets
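As an added example for this page (not code from the talk, nor from git-secrets, git-seekret or bandit), the following Python script turns the "loot" list on slide 40 and the "are you monitoring your shell histories?" question on slide 41 into a runnable check. It walks constructed copies of the artifacts the talk names (a bash history, a .bashrc profile, a git remote URL with embedded credentials, an SSH private key file), reports lines that look like credentials, and masks the value in the report so the scanner's own output does not become a second leak. The rule set, thresholds, file names and every sample line are assumptions made for the example; the two AWS values are the placeholder examples from the AWS documentation, not live keys.

```python
"""Scan developer artifacts (shell history, profiles, SSH material, git
remotes) for credential-shaped strings. Added example; not the talk's code."""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    source: str    # which artifact the line came from
    line_no: int   # 1-based line number inside that artifact
    kind: str      # which rule fired
    excerpt: str   # the line with the suspected secret masked


# Ordered rules: the first rule that matches a line wins. A group named
# "secret" marks the part to mask. The AWS key-ID prefix and the PEM header
# are fixed formats; the remaining rules are heuristics (assumed for the example).
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # scheme://user:PASSWORD@host, as left behind in history and .git/config
    ("url_with_credentials", re.compile(r"://[^/\s:@]+:(?P<secret>[^/\s@]+)@")),
    # --password=... / --token ... typed on the command line
    ("password_on_command_line", re.compile(r"(?:--password|--token)[= ](?P<secret>\S+)")),
    # export FOO_TOKEN=... in profiles; value must be at least 8 characters
    ("secret_assignment",
     re.compile(r"(?i)\b[A-Z0-9_]*(?:SECRET|TOKEN|PASSW(?:OR)?D|API_?KEY|ACCESS_KEY)"
                r"[A-Z0-9_]*\s*=\s*['\"]?(?P<secret>[^'\"\s]{8,})")),
]

# Entropy fallback for tokens no rule knows about (bearer tokens, random API
# keys). A 32-character token carries at most log2(32) = 5 bits/character;
# 4.5 bits means almost every character is distinct, which is typical of
# random key material and rare in paths, hostnames or prose.
MIN_TOKEN_LEN = 32
ENTROPY_THRESHOLD = 4.5
TOKEN_SPLIT = re.compile(r"[\s='\":,]+")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(line: str, secret: Optional[str]) -> str:
    """Keep the first four characters so a reviewer can recognise the value."""
    if not secret:
        return line.strip()
    return line.strip().replace(secret, secret[:4] + "****")


def scan_text(source: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(source, line_no, kind,
                                        mask(line, m.groupdict().get("secret"))))
                break
        else:  # no rule matched: fall back to per-token entropy
            for token in TOKEN_SPLIT.split(line):
                if len(token) >= MIN_TOKEN_LEN and shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(source, line_no, "high_entropy_token", mask(line, token)))
                    break
    return findings


def scan_artifacts(artifacts: Dict[str, str]) -> List[Finding]:
    return [f for source, text in artifacts.items() for f in scan_text(source, text)]


# Constructed sample artifacts (not real data). The AWS values are the
# placeholder examples from the AWS documentation.
SAMPLE_ARTIFACTS = {
    "~/.bash_history": "\n".join([
        "cd /home/ian/projects/application/src",
        "git clone https://deploy:s3cretToken123@git.example.com/team/app.git",
        "curl -H 'Authorization: Bearer 0123456789abcdefghijklmnopqrstuv' https://api.example.com/v1/me",
        "mysql -u app --password=hunter22hunter -h db.example.com",
        "ssh -i ~/.ssh/id_rsa build@build01.example.com",
    ]),
    "~/.bashrc": "\n".join([
        "export PATH=$HOME/bin:$PATH",
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "alias ll='ls -la'",
    ]),
    "~/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA(key body omitted)\n-----END RSA PRIVATE KEY-----",
}

if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{f.source}:{f.line_no}: {f.kind}: {f.excerpt}")
```

The pattern rules are the same kind of check that git-secrets (linked on the slide) installs as a pre-commit hook, so they stop a secret before it reaches a repository; running them over histories and profiles on the hosts themselves is the detection side the slide asks about. The entropy rule catches tokens no pattern knows, at the cost of false positives on hashes and base64 blobs, so a deployed scanner needs an allowlist and a tuned threshold rather than the fixed values assumed here.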