
As we've got a dynamic duo, we're gonna have a ninja and a gentleman up on this stage right here. So our next speakers are Alec, CEO and co-founder of CodeSeal, with two decades in the cyber security field; he is an expert on incident response and forensics. And now Alec is joined by Shaked. Yes, hello guys. Yeah, that's Alec, yeah, yeah. And Alec is joined by Shaked Klein Orbach. He is a co-founder of CodeSeal with more than a decade of experience in the software industry. Smile for your fans, kids. Now for your fans, Alec. Now here's something you didn't know about this guy right here: he is the first hacker ninja on the Israeli Ninja television show. Now that's an honor, that's impressive. Take it away. Oh, come over here. Okay, you don't... bring it in, don't take it away, bring it in for a photo op. All right, let's smile for our adoring fans right there. Thank you, Swami. All right, Alec, once again, take it away.

Thanks. And weird things on stage: change the screens, swap the screens. So, warning: this is going to be a highly dangerous and chaotic presentation. It's also going to be a quick one, so hold on to your seats. All right, okay, we good to go? It's up there. Yeah, it works. And that, my friends, that's why I don't use a MacBook, let me tell you. Yeah, we can dance, we can dance if we want to.

Okay, so Alec, you're a veteran, you've been on this stage before, haven't you? Not on this one, but on the one... Yeah, very good, very good. But Shaked is here for the first time, and we love our first-time speakers, so please, I want you to give all your love, all your attention, all your energy to our first-time speakers. And everybody standing up there in the back rows: we've got plenty of seats, plenty of room down here with us. Yeah, we'll reset the clock when the presentation starts. Thank you very much, Maestro. Okay, that looks like... oh, and who won? Yeah, all right, looks like we can start. Speaker notes? No speaker notes, no speakers. Great, let's hope we can do it.

Okay, so viewer discretion is advised for this presentation. It's going to be very short but sweet, I hope. We're going to present ourselves and the session itself. We're gonna talk about incident stories about breaches caused by leaked source code. We're actually going to talk about two different things: one, source code... oh, you only already... well, it was fast, never mind, never mind.

So hi, I'm Alec, nice to meet you. I'm CEO at CodeSeal. What I do on a day-to-day basis is fixing leaked code in the wild. Hey, it's me, just like Mario and Luigi; we'll talk about it later. And I've been in more than 200 incidents to date, meaning that I've seen a lot of stuff going on when it comes to incident response, and later on we're going to connect it and see how it actually is connected to leaked source code.

Hi, I'm Shaked, I'm the Chief Architect at CodeSeal. I come from a development background and later on I evolved to the DevSecOps world. I'm also a part-time bug bounty hunter and a white hat, so I reported a lot of issues to different Israeli companies and got nothing from it, basically. And yeah, that led me to be the co-founder of CodeSeal, and mainly exposing secrets in the wild. Like Luigi: hey, it's me.

So first thing, we want to make sure that it's clear: we believe in responsible disclosure. This means that we try to go through the bug bounty programs if they are available, but if not, we contact the companies that we find things about and let them know that something happened. So this is a little disclaimer: all of the stories in the flash session are real; we only censored, of course, the company names, because we can't disclose them.

Why are we here? Part one: as part of an ongoing thing that we're seeing, we're seeing a lot of companies that actually get hacked by source code, meaning that there's some source code in the wild that contains secrets or contains credentials, and we're seeing it going into two parts. One part is companies that get hacked because of source code that's out there in the wild, and another one is of course companies that are already breached and have their source code leaked outside. So we're going to talk about two main different things, and you can see today everyone is a part of the statistics: Okta, Microsoft, Toyota, Rockstar, the list goes on. And usually when we come to CISOs and we ask them whether they think the source code is important or not, we get the answer of no, and usually they don't really understand what underlies in the source code: there are secrets, there are credentials, and of course there are undiscovered zero-day vulnerabilities.

The second reason is because we want to make sure that it's clear that there is a difference between external attack surface and external code surface. That means that, like, I don't know, endpoints and different things like that are different than your source code, your packages, your Docker images and so on. This is part of your blind spots: like, you have a view of your internal... let's say maybe you have a view of your internal code surface, but most likely you don't have the same for your external ones. And this is basically, as you can see in the graph, the unknown unknowns: whatever you don't know, it's probably very bad. And even if you have a private network or, I don't know, you require a VPN, that doesn't mean that public things don't exist, and your code or your secrets or whatever you can come up with can go public and someone will find it. One of the examples of why this happens is people make mistakes, and you probably know, and you probably do it yourself: most of you at least used your personal account together with your work account on your organization machines and probably mixed it more than once.

So some numbers. This is taken directly from Verizon DBIR 2023, the whole report on incident response and breaches, and the statistics currently say that the three primary ways in are, of course, the first one, which is stolen credentials, then phishing, and exploitation of vulnerabilities. But this is on a year-to-year rise: we're seeing that from year to year more credentials are being stolen and more credentials are being used by external threat actors. And that means, again, that some of the numbers talk about what the entry point is and how it is created and who does it, and we usually talk about external hackers: 74% of the incidents checked used stolen credentials or social engineering. And again, what we're seeing is this grows year by year consecutively. And so that means, to summarize: everything is fine. So let's get into the fun part. [Music]

Case studies. The first case study, the first topic we're going to talk about, is source code management, as you probably know: GitHub, Bitbucket, GitLab and any other that you can come up with. So we have the first one. It included multiple companies and a public research university. The data: leaked credentials. This is the simple use case you probably know and are familiar with. We went to GitHub, we searched for credentials, found them, and we were able to access their allegedly internal private cloud. We reported it, responsibly disclosed it, and everything was fine.

The second case: leaked credentials and internal endpoints. You probably don't care much about your internal endpoints in the wild, but you'll see why it's important in a second. So this is very similar to the previous case, but in this case we didn't have access to their internal private cloud. There are two, maybe more, ways to bypass that. One is an insecure endpoint. That basically means that maybe you have a cloud service or, I don't know, a developer or a DevOps that made a mistake, or intentionally, and exposed an endpoint at some point in time that was not exposed before; during that point someone can use it and bypass your restriction to access the network. The other thing is the SSRF, and that's actually a more interesting one. So one of our previous, or latest, bug bounty findings was the SSRF in a security company where we were able to hit different internal URLs, and we wanted to prove the criticality of this issue. What we did: we were only missing the sensitive endpoint that exposed the interesting stuff, and we went to GitHub and started to look for it. Once we found the Kubernetes services (they were, like, random names), we used it in the SSRF attack and proved the criticality, and we actually got a critical for that.

The last one is when things don't really work and companies come to us with a post-incident issue because they were pwned and they don't know why. So this includes different companies, but one of them had their AWS credentials available on GitHub. This is what we found when they contacted us, and they had their entire AWS used for mining bitcoins. The second company had more or less the same issue, but their source code was leaked, and then of course that led to reputational damage, or emotional damage.

Okay, so the last thing we're gonna talk about is image registries. Most people don't pay attention to image registries; that means Docker and all those other places that the code may reside in. We managed to find, for a big cyber security conglomerate (you can guess who it is), valid credentials on Docker Hub, and with those credentials we managed to go into their internal Jira, etc., etc. What we're trying to explain is image registries contain a whole lot of data; they contain just a treasure trove that nobody is looking at. And we're talking about npm, PyPI, even WordPress. So what we're trying to alleviate, and what we're trying to say, is secrets and credentials are not only on GitHub and on SCM; they're also available really widely on registries as well.

So the "I know better than you think" point that we wanted to make is: usually when we come to companies, the first time we disclose the data, we get the DDAA syndrome, which is deny, digest, accept, admit. Meaning that they usually deny, they take the repository or the registry down, then they digest the data, they accept that something wrong happened, and then they admit something wrong happened. And again, when we say it to CISOs, CISOs are not really dwelling in the code and in AppSec and all of that; they really don't know or understand the impact that that loose code may create. So we are turning around to tell it to DevSecOps and the application security teams more and more. [Laughter]

So a few takeaways. What can you do today? You can clean secrets from your code assets, of course: from your SCM, Docker images, artifacts, etc. But then you have to ask yourself if that's enough. What about pull requests, what about issues, and so on? The second thing you can do: you can harden your network access, but again, is it enough? As we saw before, an SSRF might be enough to bypass it. The third thing is enforcing a better RBAC over your entire SaaS solutions: Monday, Jira, GitHub. And this is only in the case that you are actually aware of which solutions you have, and even if you do, what happens when a token, an admin token, leaks to the wild? And the last one is continuously search for your code assets in public SCMs, Docker registries and artifacts. But as we saw in the example before, people make mistakes, and your developers, or whoever uses different tokens, might expose it in the wild. That's it. Yeah, thanks everyone. Thank you. [Applause] Guys.
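The takeaways above recommend cleaning secrets out of SCM repositories, Docker images and other artifacts and then continuously searching for them. As an added example (not the speakers' code and not CodeSeal's tooling), here is a minimal secret scanner that a defender could run over repository files or over the files extracted from an image layer: two rules match public credential formats (the AWS access key ID prefix `AKIA` and the GitHub `ghp_` token prefix), and a third rule catches generic `password = ...` style assignments but only reports values whose character entropy is high enough to look like a real credential rather than a placeholder. The rule set, the entropy threshold of 3.0 bits per character and the sample lines are assumptions constructed for this example; the two AWS values are the placeholder keys AWS uses in its own documentation, not real keys.

```python
import math
import re
from collections import Counter

# Added example; not the speakers' or CodeSeal's tooling. Rule set and
# threshold are assumptions chosen for illustration.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Heuristic: a secret-ish identifier, "=" or ":", then a value of 8+ chars.
    "generic_assignment": re.compile(
        r"(?i)(secret|password|passwd|token|api[_-]?key)[a-z0-9_]*"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off, tune per corpus


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding is identifiable without re-leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_lines(lines):
    """Return findings as dicts {line, rule, preview} for a list of text lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        specific_hit = False
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_assignment":
                if specific_hit:
                    continue  # a format-specific rule already covered this line
                value = m.group(2)
                if shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low entropy: likely a placeholder such as "changeme"
            else:
                value = m.group(0)
                specific_hit = True
            findings.append({"line": line_no, "rule": rule, "preview": redact(value)})
    return findings


# Constructed sample input: a .env fragment plus one Dockerfile ENV line.
# The AWS values are the placeholder keys from AWS's documentation.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'password = "changeme"',
    'log_level = "debug"',
    "ENV GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['rule']} -> {f['preview']}")
```

Run stand-alone it reports the AWS key ID on line 1, the high-entropy AWS secret on line 2 and the GitHub token on line 5, and stays silent on the low-entropy default password and the harmless log setting. The entropy gate trades recall for noise: a default such as `changeme` or a dictionary passphrase scores low and is skipped, so in practice it is paired with a deny-list of known default credentials, and the same function can be pointed at pull-request diffs, issue text and files pulled out of an image tarball rather than only at the main branch, which is exactly the gap the talk's first takeaway warns about.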