GitHub: Millions of Secrets Exposed

Introduction

In 2023, developers inadvertently leaked a staggering 12.8 million secrets on public GitHub repositories, marking a concerning 28% increase from the previous year. This revelation underscores the security challenge faced by GitHub, as highlighted in a recent report by GitGuardian, a leading security vendor in the software development realm.

Persistent Security Gap

Despite the alarming number of leaked secrets, GitGuardian found that a staggering 90% of these exposed secrets remained active even five days after the initial leakage. Shockingly, only a mere 2.6% were revoked within one hour of receiving notification via email.

The Threat of Malicious Repository Forks

The report adds to the ongoing security challenges faced by GitHub. Since mid-2023, attackers have exploited GitHub’s ecosystem, employing sophisticated tactics to infiltrate legitimate repositories and spread malware. These incidents serve as a reminder of the ongoing challenges in securing the software supply chain.

Commonly Leaked Secrets

The most commonly leaked secrets included Google API keys, MongoDB credentials, OpenWeatherMap tokens, Telegram Bot tokens, Google Cloud keys, and AWS IAM. These leaked credentials could potentially grant unauthorised access to sensitive enterprise resources, posing a significant threat to organisational security.

Growing Popularity of AI Services

GitGuardian’s report also shed light on the growing popularity of AI services, with a notable increase in leaks of OpenAI API keys and HuggingFace user access tokens. These findings underscore the need for heightened security measures in the rapidly evolving landscape of artificial intelligence.

Sectoral Impact

The IT sector emerged as the worst offender, accounting for 65.9% of the total leaked secrets, followed by education, science & technology, retail, manufacturing, and finance and insurance.


It’s concerning to see India leading the charge in secret leaks, underscoring the necessity of bolstering security practices in CI/CD pipelines. This serves as a reminder of the critical need for enhanced vigilance in safeguarding sensitive data.

Call to Action

GitGuardian urged organisations to not only detect but also remediate these leaks effectively. While detection is crucial, remediation efforts are equally essential in mitigating the risks associated with leaked secrets. Additionally, organisations can enhance their security posture by leveraging advanced authentication frameworks such as PureAUTH’s CASPR module.

This module ensures codebase integrity with cryptographic verification. By implementing robust security measures and utilising advanced authentication solutions, organisations can better safeguard their data.

Conclusion

In conclusion, the findings from GitGuardian’s report underscore the pressing need for organisations to prioritise security measures to safeguard sensitive data and prevent unauthorised access to critical resources. The threat posed by millions of malicious repository forks since mid-2023 further highlights the importance of bolstering GitHub’s security infrastructure. By adopting advanced authentication frameworks such as CASPR, organisations can bolster their defences against security threats and ensure the integrity of their codebase.

PureID helps enter prises to remove secrets like passwords, static keys, access tokens with its passwordless technology. By adopting it’s other  advanced authentication frameworks such as ZITA – Just-In-Time-Access & CASPR code-commit protection, organisations can bolster their defences against security threats and ensure the integrity of their codebase.

Investigating Fidelity Investments Life Insurance Data Breach: A Closer Look

In recent weeks, Fidelity Investments Life Insurance has come under scrutiny following a significant data breach affecting thousands of customers. Here’s what you need to know about the incident:

1. Data Breach Details:

  • The breach, which occurred between October 29 and November 2, 2023, stemmed from an unauthorised party accessing sensitive consumer data held by Fidelity Investments Life Insurance.
  • Approximately 28,000 customers were impacted by the breach, with their personal information compromised.
  • The breached data includes names, social security numbers, dates of birth, states of residence, and financial information, particularly bank account and routing numbers used for premium payments on life insurance policies.
  • This data can contribute to an increase in phishing attacks, and uplift the risk of identity theft or financial fraud for the customers.

2. Third-Party Involvement:

  • The breach was traced back to Infosys McCamish Systems, a third-party service provider utilised by Fidelity Investments Life Insurance.
  • Infosys McCamish notified Fidelity Investments of the breach in early November, prompting an investigation into the incident.

3. Ongoing Investigation:

  • Infosys McCamish has engaged external experts to conduct a thorough investigation into the breach.
  • While the investigation is ongoing, Fidelity Investments Life Insurance officials believe that a range of sensitive customer data was compromised during the breach.

4. Customer Notifications:

  • Fidelity Investments Life Insurance has begun notifying affected customers about the breach and the potential exposure of their personal information.
  • The company emphasises its commitment to protecting customer data and pledges to take appropriate actions in collaboration with Infosys McCamish.

5. Prior Incidents:

  • This isn’t the first time Infosys McCamish has caused security breaches.
  • In a separate incident, Infosys McCamish notified Bank of America about a breach affecting over 57,000 customers enrolled in deferred compensation plans.

6. Response and Assurance:

  • Fidelity Investments Life Insurance reassures customers that they have not impacted their systems by the breach and that they have detected no related activity within Fidelity’s environment.

7. Legal Investigation:

  • The law firm of Federman & Sherwood has initiated an investigation into the data breach at Fidelity Investments Life Insurance, aiming to assess the impact on affected individuals.

8. Call for Action: Implementing Zero Trust Measures

  • To mitigate the risk of data breaches like this in the future, companies can adopt a zero trust approach.
  • By implementing strict access controls, continuous monitoring, and least privilege access policies, organizations can significantly reduce the likelihood of unauthorised access to sensitive data, hence lowering the risk of data and reputation loss because of a third party vendor breach.

As the investigation unfolds and affected customers are notified, Fidelity Investments Life Insurance remains focused on addressing the breach, safeguarding customer data, and ensuring transparency throughout the process.

Stay tuned for further updates as the situation develops.

#getzerotrust #gopasswordless

Atlassian Pawned by hacker group : Blame Game is on

SiegedSec, the same hacking group that made headlines last year after leaking eight gigabytes of data from the state governments of Kentucky and Arkansas, has hacked the software company Atlassian. The group has shared two floor maps for the Sydney and San Francisco offices and a JSON file containing information about approximately 13,200 Atlassian employees, including their names, email addresses, work departments and phone numbers.

Atlassian Pawned by hacker group Siegedsec. The post by Siegedsec.

SiegedSec post

“THAT’S RIGHT FOLKS, SiegedSec is here to announce we have hacked the software company Atlassian,” the hacking group said in a message that was posted along with the data. “This company worth $44 billion has been pwned by the furry hackers uwu.”

Reason and responsibility:- 

“On February 15, 2023, we became aware that an unauthorised party had compromised and published data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources,” said Atlassian spokesperson Megan Sutton.

Atlassian Pawned by SiegedSec

Envoy, however, was just as quick to rebuff Atlassian’s claims. Envoy spokesperson April Marks said that the startup is “not aware of any compromise to our systems,” adding that initial research had shown that “A hacker gained access to an Atlassian employee’s valid credentials to manipulate and access the Atlassian employee directory and office floor plans held within Envoy’s app.”

Soon after the startup’s denial, Atlassian changed its stance to align more closely with Envoy. They later said an employee posted their credentials on a public repository by mistake.

Damage Control:- 

Atlassian said they disabled the account of the said employee so there is no more threat to Atlassian’s Envoy data. Therefore Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk.”

“The safety of Atlassians is our priority, and we worked quickly to enhance physical security across our offices globally. We are actively investigating this incident and will continue to provide updates to employees as we learn more.”

Mitigation:- 

It has become increasingly common for hacker groups to target individual employees or devices to gain access to enterprise systems. If an attacker is able to obtain an employee’s credentials, they can use that information to infiltrate the organization. To mitigate this risk, some experts recommend using a passwordless solution like PureAUTH. By eliminating passwords, organizations can significantly reduce the likelihood of future breaches and minimize their exposure to unforeseen vulnerabilities.

Password Managers are the Hot Targets 

Lastpass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher. Many popular password managers like Dashlane, Bitwarden, and Safari can be phished.

There are many lessons that we all need to learn from these recurring incidents. This post stands to uncover few points that we have seen have not been discussed by the info-sec community.

The Catch-22 – Phish or no Phish?

LastPass warned its users of a likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks on accounts associated with their LastPass vault.

Password Managers getting phished is an alarming situation

This statement goes against what all the password managers like LastPass claim . “Use of password manager protects users from phishing attacks“.

In recent times there have been more incidents where password managers have been proved vulnerable to phishing attacks. You can find more details in this article Popular password managers auto-filled credentials on untrusted websites 

The Impact

In their blog post, Lastpass reported that customer’s personal information like email, phone number, address, IP address have been compromised. Still, LastPass is not talking about is the additional information they collect from their users on their mobile app. 

The screenshots below show the permissions that Lastpass app takes on a user’s phone.

Password Manager LastPass Breach: App settings
Permission take by LastPass app on an Android device

These permissions enable the application provider like LastPass to collect more information about the user than required. 

Password Manager LastPass Breach: App settings
User Information collected by LastPass app

In the event of a breach, the severity and privacy impact will be catastrophic if such additional information collected from the user’s phone is involved.

The Passwords

Furthermore, LastPass has reported that customer’s vault containing clear text data, such as website url, and encrypted data of username and password were also obtained by the threat actors. 

Lastpass emphasised on the use of master key, and how a threat actor can not decrypt the password vault even if they have the encrypted data, as the master key, which is a master password set by the user and is not stored on lastpass network. 

While 1Password, a rival firm of Lastpass, claims through their blog that passwords of LastPass can be cracked in $100. They also talk about their superior method of  using secret key and Password Authenticated Key Agreement systems, which makes their systems safer.

With the device specific keys mentioned by 1Password, syncing of the passwords across multiple devices becomes a risky affair. It requires password to be decrypted on another device and the user’s chosen master password along with the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords in transit. 

Conclusion

After a series of events involving Password Management products, enterprise must seriously think about how safe their user’s data and passwords really are. 

Not to forget, server doesn’t care if the password is coming from a password vault or from an adversary, the server will authenticate as long as it can match the string. So no matter, how and where you store passwords, as long as there as passwords, Enterprises are always at risk.

For a better security, Enterprise must plan to remove passwords from their applications, servers and #GoPasswordless