Access and Feeds
blog-alfresco

The most popular and comprehensive Open Source ECM platform

Let us know more

Encryption, Security, and Open Source: Exposed Secrets Can Be Catastrophic

Home Open SOurce Encryption, Security, and Open Source: Exposed Secrets Can Be Catastrophic

By Dick Weisinger

“The only method that currently exists for reliably protecting the world’s information is encryption,” wrote Edward Snowden for the Guardian. “The internet is more secure as a result.”

Encryption is great! But encryption can also be a headache! Securing encryption keys and passwords needs to be done thoughtfully.

Cryptocurrency speculators, for example, have lost fortunes when they’ve lost or forgotten their password or misplaced their crypto keys. Wiped out over night. Unlike normal financial transactions, cryptocurrency transactions can’t be rolled back.

Stefan Thomas, a German-born programmer living in San Francisco who was famously locked out of his multi-million dollar valued crypto account when he forgot his password, said that “this whole idea of being your own bank — let me put it this way: Do you make your own shoes? The reason we have banks is that we don’t want to deal with all those things that banks do.”

It’s becoming increasingly common for hackers to be searching open source repos for misplaced or forgotten crypto secrets: passwords, access tokens, and keys. Open development makes it easy for people to share software that they’ve written with others. Software often uses API and service calls that often require configuration to allow communication with an external API in a trustworthy way. It’s easy for the developer to forget to remove their personal configuration of keys and passwords before uploading a package of software to share on an open repository, like GitHub.

The problem has gotten to be so common that there is now a whole class of software scanner tools whose sole purpose is to find inadvertently exposed security secrets. The intent is for people to use these tools prior to making their software public to clean their code, but the tools are obviously also a boon for hackers.

Paul Bischoff, tech writer for Comparitech, wrote that “it took just one minute for attackers to find and start abusing the exposed AWS secret key. Based on the speed of the attacks, researchers assume that attackers use custom or modified tooling and scripts for such attacks. That’s bad news for programmers and developers. Even if a developer quickly realizes their mistake after committing code to GitHub, they might not be able to remove it before attackers get their hands on the exposed credentials.”

Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)
November 21st, 2022
Category: Open SOurce, Security
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

*

  • Legal Terms & Disclaimers

    This blog site is accessed from the website of Formtek, Inc. All visitors to or users of this blog site are subject to the terms and conditions and privacy policy that govern the Formtek website, links for which are provided above.

    Some of the individuals posting to this blog site, including the moderators, work for Formtek. Postings by these individuals are the personal opinions of these individuals, not of Formtek. Their posted content is provided for informational purposes only and is not meant to be an endorsement or representation by Formtek or any other party. Postings to this blog site may be outdated, invalid or inaccurate by the time you read them. Individuals posting to this blog site make no statements, representations or warranties as to the timing, validity, accuracy or reliability of their postings.

    This blog site may contain links to third party sites. Access to any third party site linked to this blog site is at your own risk. None of Formtek, the blog site moderator(s) and the individuals posting on this blog site that work for Formtek is responsible for the timing, validity, accuracy or reliability of any information, data, opinions, advice or statements made on these third party sites. These links are provided merely as a convenience and do not imply any endorsement.

    Postings to this blog site are available to the public. You should not post, link to or otherwise upload any information considered confidential to this blog site. All postings to this blog site are moderated. Postings will appear if and when they are approved by the moderator. Notwithstanding any approval by the moderator, by posting information to this blog site, you agree to be solely responsible for the information you post, link to, or otherwise upload to the blog site. You agree to release Formtek from any liability related to that information or to your use of the blog site. You grant Formtek a worldwide, perpetual, irrevocable, royalty-free, fully-paid, and transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any information you post, link to or otherwise upload to this blog site.

    • © Copyright 2003-2024   Formtek, Inc.