Access and Feeds

Encryption, Security, and Open Source: Exposed Secrets Can Be Catastrophic

By Dick Weisinger

“The only method that currently exists for reliably protecting the world’s information is encryption,” wrote Edward Snowden for the Guardian. “The internet is more secure as a result.”

Encryption is great! But encryption can also be a headache! Securing encryption keys and passwords needs to be done thoughtfully.

Cryptocurrency speculators, for example, have lost fortunes when they’ve lost or forgotten their password or misplaced their crypto keys. Wiped out over night. Unlike normal financial transactions, cryptocurrency transactions can’t be rolled back.

Stefan Thomas, a German-born programmer living in San Francisco who was famously locked out of his multi-million dollar valued crypto account when he forgot his password, said that “this whole idea of being your own bank — let me put it this way: Do you make your own shoes? The reason we have banks is that we don’t want to deal with all those things that banks do.”

It’s becoming increasingly common for hackers to be searching open source repos for misplaced or forgotten crypto secrets: passwords, access tokens, and keys. Open development makes it easy for people to share software that they’ve written with others. Software often uses API and service calls that often require configuration to allow communication with an external API in a trustworthy way. It’s easy for the developer to forget to remove their personal configuration of keys and passwords before uploading a package of software to share on an open repository, like GitHub.

The problem has gotten to be so common that there is now a whole class of software scanner tools whose sole purpose is to find inadvertently exposed security secrets. The intent is for people to use these tools prior to making their software public to clean their code, but the tools are obviously also a boon for hackers.

Paul Bischoff, tech writer for Comparitech, wrote that “it took just one minute for attackers to find and start abusing the exposed AWS secret key. Based on the speed of the attacks, researchers assume that attackers use custom or modified tooling and scripts for such attacks. That’s bad news for programmers and developers. Even if a developer quickly realizes their mistake after committing code to GitHub, they might not be able to remove it before attackers get their hands on the exposed credentials.”

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Leave a Reply

Your email address will not be published. Required fields are marked *