The attacker's guide to exploiting secrets in the Universe
03-18, 16:30–17:00 (Europe/Paris), Arena

Exposed secrets like API keys and other credentials are the crown jewels of organizations but continue to be a persistent vulnerability within security. The majority of security breaches leverage secrets at some point during the attack path. This presentation sheds light on the various methods used by attackers to discover and exploit these secrets in different technologies. This manual will include how to:
Abuse the GitHub public API
Gain unauthorized access to private git repos
Decompile containers
Decompile mobile applications from the App and Play Stores
We combine novel research, real-life attack paths, and live demos to prove exactly the steps attackers take, revealing their playbook.

Recent research has shown that git repositories are treasure troves full of secrets. A year-long study showed that 10 million secrets were pushed into public repositories in 2022 alone. We will show exactly how adversaries abuse the public GitHub API to uncover these secrets, even leaking secrets live to show how quickly attackers discover and exploit them. Public source code, however, is only the tip of the iceberg, as private code repositories have proven to be much more valuable targets. We will demonstrate how to gain unauthorized access to private git repositories and discover secrets deep in their history. This will include supply chain poisoning, developer phishing, and configuration exploitation, among other techniques. Finally, this talk will dive into decompiling containers, packages, and mobile applications to uncover the huge amount of secrets buried within, revealing how shockingly common it is to find hard-coded secrets.

Knowing how attackers operate is essential in building effective defenses: understanding the attacker's playbook allows you to understand their next moves. This presentation is perfect for anyone wanting to know how to prevent attackers from getting hold of your crown jewels.


Section 1 - Introduction to Secrets

Part 1: What are secrets

Most attendees will likely have a good understanding of secrets, but to ensure everyone is on the same page we quickly break down exactly what they are and why they are so sensitive.

Part 2: How attackers use secrets, the anatomy of recent attacks

Secrets are more than just an opportunity for initial access; they can be discovered and used at all stages of an attack. In this section, we break down recent high-profile breaches to show how attackers discovered and used secrets at different stages, including the 2022 Uber breach, the 2023 CircleCI breach, and the 2021 Codecov breach.

Section 2 - Exploiting secrets in source code

Part 1: Abusing the GitHub Public API

GitHub contains a huge amount of data: more than a billion commits were made publicly in 2022. The GitHub public events API, https://api.github.com/events, is a firehose of data that contains everything that happens publicly. This API can be abused to identify high-value targets such as company employees and used to discover literally millions of secrets.

Part 2: Scanning networks for exposed .git directories

Private repositories are a much more fruitful resource when it comes to discovering secrets. One way of gaining access to these private repositories is to scan public servers. Recent research shows 2 million IP addresses had a .git folder structure accessible to the public. We break down how to scan networks for these folders and scan them for secrets.

Part 3: Finding misconfigurations in git servers

Git server misconfigurations are another very common way to gain access to private repositories. This was the case when all of Twitch’s source code was leaked due to a configuration change. In this section, we explore how to identify weak or broken access in git servers.

Part 4: Buying access and phishing

Buying access can feel like cheating, but the nature of git means that multiple employees have access to repositories, and if all else fails you can fall back on the trusted techniques of phishing for access or buying credentials from the dark web. During this section, we will show the example of the Uber breach in 2022, where credentials were phished and sold, granting an attacker access to the network and source code.

Section 3 - Secrets in compiled applications

Part 1: Overview of secrets in compiled applications

Moving away from source code and git repositories, we begin our exploration into how we can discover secrets in compiled applications, in both Docker images and Android mobile applications.

Part 2: Anatomy of a Docker Image

During this section, we use tools like Dive to show exactly how Docker images are made up and how easily they can be reversed.

Part 3: Scanning for secrets in Docker images

We do a quick demo of using secrets detection tools to discover secrets inside Docker images. We will also present new unreleased research showing that 5% of Docker images contain secrets and exactly which types of secrets are most commonly found. During this section we will look at the Codecov breach to show how malicious actors have used these methods in a real attack.

Part 4: Secrets in Android and iOS mobile applications

During this section, we focus on research showing how common it is to discover secrets inside mobile applications. This will include research that shows about half of applications on the Play Store contain at least 1 plain text credential, with 10% of these secrets being critical. We will also walk through the results of a penetration test involving a tier 1 bank that was breached due to hardcoded secrets in their mobile application.

Part 5: Demo - decompiling and scanning

Here we will show how to pipe together multiple open-source tools to extract APKs and IPAs from the Google Play Store and Apple App Store, decompile them, and quickly scan them for secrets.

Mackenzie is a developer and security advocate with a passion for DevOps and application security. As the co-founder and former CTO of the health tech company Conpago, he learned first-hand how critical it is to build secure applications with robust developer operations.
Today Mackenzie continues his passion for security by working with the GitGuardian research team to uncover the latest trends malicious actors are using. Mackenzie is also the host of The Security Repo podcast, an established security writer, and an experienced global speaker, and has appeared as an expert in documentaries and television broadcasts.