Your Secrets are Showing!

Ian Lee
April 15, 2018

This talk will zoom in on the cache of goodies that developers leave lying around, which an attacker could leverage to access valuable information and/or to pivot through a target environment. It will also highlight some of the tools available to developers and InfoSec professionals to find and prevent these sorts of information leakages.

Every day, developers interact with a variety of source code repositories and environments, often both inside their corporate firewalls and outside on public hosting platforms such as GitHub.com and Amazon AWS. These source code repositories can provide a wealth of information about a target environment, in addition to being of potential value all on their own.

Are you able to find this information in your environment? Do you know how to help your developers prevent these leakages in the first place? Remember "prevention is ideal, but detection is a must!"

Prepared by LLNL under Contract DE-AC52-07NA27344.

Transcript

  1. LLNL-PRES-749351 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC. Your Secrets are Showing! How to find if your developers are leaking secrets? BSidesSF 2018. Ian Lee, @IanLee1521, ian@llnl.gov, Lawrence Livermore National Laboratory, 2018-04-15

  2. About me § Computer Engineer in Livermore Computing @ LLNL § Cyber assessments (purple team) of High Performance Computing systems § Open Source Evangelist — software.llnl.gov

  4. INTERNET

  10. How does this play into a Penetration Test?

  11. Got a shell!

  15. VICTORY !!

  31. Not just for attackers / penetration testers

  34. CTRL + A, CTRL + D

  40. Recap our Loot § User shells (bash, zsh, csh, etc) — environments, profiles, history § SSH — key pairs, known_hosts, config § Developer source code — git repositories, code hosting servers § Built in persistence — existing / new screen sessions

  41. Hardening and Mitigation § Training / Monitoring — Risks of hardcoding credentials / tokens / etc into source code and profiles — Know what is in your history — SSH configuration hardening — Are you monitoring your shell histories? § Static Source Code Analysis — https://www.owasp.org/index.php/Source_Code_Analysis_Tools — https://pypi.python.org/pypi/bandit/1.0.1 § Version Control-aware Analysis — https://github.com/18F/git-seekret — https://github.com/awslabs/git-secrets

  42. Questions? @IanLee1521 ian@llnl.gov
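As an added example that is not part of the talk or its slides, the following Python script shows the kind of check the "Know what is in your history" and "Are you monitoring your shell histories?" points of the Hardening and Mitigation slide call for, applied to the loot types on the Recap slide (shell histories and profiles). It scans constructed sample .bash_history and .bashrc content for hardcoded credentials using detection patterns of my own choosing (loosely in the spirit of tools such as git-secrets, not copied from them) and reports each hit with the secret masked so the report itself does not re-leak it.

```python
import re
from typing import List, Tuple

# Detection rules (assumed patterns, not git-secrets' own). Each captures the
# sensitive value as group "s" so reports can mask it instead of re-leaking it.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?P<s>(?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("exported_secret", re.compile(
        r"^\s*export\s+\w*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)\w*=(?P<s>\S+)",
        re.IGNORECASE)),
    # --password=x / --password x anywhere, or mysql's inline -pPASSWORD form
    ("password_on_cli", re.compile(r"(?:--password[= ]|\bmysql\b.*\s-p)(?P<s>\S+)")),
    ("private_key_header", re.compile(r"(?P<s>-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
]

def redact(line: str, m: "re.Match") -> str:
    """Replace the captured secret with asterisks, keeping the context around it."""
    start, end = m.span("s")
    return line[:start] + "*" * (end - start) + line[end:]

def scan_text(text: str, source: str) -> List[Tuple[str, int, str, str]]:
    """Return (source, line number, rule, masked line) for each line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in RULES:
            m = pat.search(line)
            if m:
                findings.append((source, lineno, rule, redact(line, m)))
                break  # first matching rule wins
    return findings

# Constructed sample files; the AWS key values are AWS's own documentation examples.
BASH_HISTORY = """\
ls -la
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 ls
mysql -u root -pHunter2 appdb
ssh -p 2222 deploy@build.example.internal
git commit -m "fix typo"
"""
BASHRC = """\
export PATH=$HOME/bin:$PATH
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
alias ll='ls -l'
"""

def scan_samples() -> List[Tuple[str, int, str, str]]:
    return scan_text(BASH_HISTORY, "~/.bash_history") + scan_text(BASHRC, "~/.bashrc")
```

Note that the `ssh -p 2222` line is deliberately not flagged: a port number after `-p` is the usual false positive of a naive `-p` check, which is why the rule is tied to `mysql`.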