Watch Out For Releasing Your Secrets On GitHub …

The great thing about the Cloud is that you can quickly automate your infrastructure using scripts. But the details of your account will often be stored within the code (typically as a header file). So if someone gets access to the code, they can determine your Cloud account, and could then compromise the infrastructure. For example, with Amazon we can create S3 data buckets, and then connect to them with a Python script:

# Legacy boto 2 API: both AWS credentials are hard-coded in the source file
from boto.s3.connection import S3Connection
conn = S3Connection('<aws access key>', '<aws secret key>')

The script will contain both the AWS Access key and the AWS Secret key.

Many companies, too, are now moving towards GitHub as the place where they store code and from which they orchestrate their infrastructure. But GitHub then becomes a single point of attack against an organisation, since login credentials can be embedded in that code. If there is poor access control on GitHub logins, the code could reveal sensitive secret keys.

A recent attack involved compromising Uber’s Amazon Web Services (AWS) account, which began with getting access to Uber’s private GitHub repository. From there the attackers managed to determine Uber’s AWS account credentials and could download personally identifiable data. In AWS a secret key is added to the code, and then the code is often placed in a GitHub repository.

The recent Uber hack came through a download from a third-party service, and none of Uber’s own systems were hacked. It is thought that the breach covers 600,000 driver details and 57 million Uber users, including names, emails and mobile phone numbers. With GDPR coming along, companies can be fined up to 4% of global turnover if it is proved they have been negligent.

There has been a rise in the number of bots which crawl GitHub for secret API keys, both to use up processing power and to steal credentials. In a recent case, DevFactor found that someone had racked up $2,375 in CPU time for Bitcoin mining, with 140 servers started on the account. In 2013, Luke Chadwick, in a similar hack, ran up a $3,493 bill for Litecoin mining.
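As an added example (not code from the original post), here is a small scanner of the kind the GitHub-crawling bots above use, turned to defensive use: run over your own sources before a push, it flags hard-coded AWS key pairs like the boto snippet earlier and passes a version that reads the keys from the environment. The file contents and key values are constructed placeholders, and the key-format rules are the documented AWS ones (AKIA/ASIA prefix, 20-character key ID, 40-character secret).

```python
import re

# Constructed sample sources (placeholder values, not real credentials): one with
# keys hard-coded in the boto style shown above, one reading them from the environment.
SAMPLE_FILES = {
    "s3_upload.py": (
        "from boto.s3.connection import S3Connection\n"
        "conn = S3Connection('AKIAEXAMPLE1234567AB',\n"
        "                    'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')\n"
    ),
    "s3_upload_safe.py": (
        "import os\n"
        "from boto.s3.connection import S3Connection\n"
        "conn = S3Connection(os.environ['AWS_ACCESS_KEY_ID'],\n"
        "                    os.environ['AWS_SECRET_ACCESS_KEY'])\n"
    ),
}

# An AWS access key ID is 20 characters: prefix AKIA (long-term IAM key) or ASIA
# (temporary STS key) plus 16 upper-case alphanumerics. A secret access key is 40
# base64-alphabet characters; requiring mixed case plus a digit cuts false positives.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_RE = re.compile(r"""['"]([A-Za-z0-9/+]{40})['"]""")

def looks_like_secret(s):
    return (any(c.islower() for c in s) and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s))

def redact(value):  # keep a short prefix only, so the report does not re-leak the key
    return value[:4] + "..." + "*" * (len(value) - 4)

def scan_source(text):
    """Return (line_no, kind, redacted_value) for every credential found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_RE.finditer(line):
            if looks_like_secret(m.group(1)):
                findings.append((line_no, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_files(files):
    """Scan {path: source}; return only the paths that have findings."""
    results = {path: scan_source(src) for path, src in files.items()}
    return {path: hits for path, hits in results.items() if hits}

if __name__ == "__main__":  # a non-empty result is what a pre-commit hook would block on
    for path, hits in scan_files(SAMPLE_FILES).items():
        for line_no, kind, value in hits:
            print(f"{path}:{line_no}: {kind} {value}")
```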

Overall it is extremely difficult to hide the credentials of the account if someone has access to the code. To reduce the risks, Amazon has rolled out the AWS Identity and Access Management (IAM) web service, which controls who is authenticated (signed in) and authorized (has permissions) to use the resources. The root user has overall control and can then create other users with limited access rights. This root user should always have the highest level of security applied to it, as it will be the most prized account for an intruder.