Las Vegas is famous for many reasons: gambling, bright lights, extravagant entertainment, and Elvis. It is also home to two of the largest security events on Earth: DEFCON and BlackHat. But before those massive events kick off, another slightly smaller event brings security practitioners and developers together: BSides Las Vegas 2023.
BSidesLV, as it is also known, is special as it is the original and largest BSides event. Started in 2009 as a response to DEFCON becoming a bit too large in some people's opinion, the organizers planned a much more intimate conference earlier in the same week. That gathering has inspired BSides regional events worldwide, spanning 220 cities across 62 countries. If you can't make it to Las Vegas for this particular event, there is likely a BSides in your local area, which we encourage you to find and attend.
It would be impossible to completely cover the full 10 tracks of the event and the dozens of talks and workshops that occurred, but here are a few highlights from your author's experience.
Among the various speaking and training tracks at the event, one that stood out to us at GitGuardian was PasswordsCon. This track featured ten talks on a variety of subjects concerning password security, from cracking passwords using tools like hashcat to infiltrating printers and the networks they are on. I was fortunate enough to present a talk explaining the State of Secrets Sprawl findings and how to think about elevating your security posture with the Secrets Management Maturity Model. Several attendees mentioned afterward that they were grateful to have the model as a roadmap to judge their current maturity and were going to take steps to improve their organizations' code security.
Security issues with passwordless solutions
Aldo Salas, Application Security Lead at HYPR and OWASP chapter lead, brought us a session that asked, "Could Passwordless be Worse than Passwords?" The immediate answer was "no." Passwordless solutions are not fundamentally less secure, but he shared research that uncovered several ways passwordless solutions could be compromised.
Passwordless means more than just not using a password. Passwordless solutions include using public/private keys, such as SSH key pairs, using "magic links" to gain access, and biometrics. Passwordless technology adheres to the FIDO2 standards set by the Fast IDentity Online (FIDO) Alliance.
Part of the FIDO standard requires implementing a user name, a display name, and a member ID when performing Web Authentication, WebAuthn. In his research, Aldo discovered a scenario where an adversary could execute an account takeover of a system by simply adding a new device and declaring themselves a known user. This is reported in CVE-2022-2193. Even though the system he researched followed FIDO2 standards, the specification failed to make it clear that user data should always be verified. He also discovered an exploit, CVE-2022-1477, that allowed account takeover using parameter tampering. Again, the spec assumes you will implement additional checks for this and does not enumerate this need.
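Both findings come down to the relying party trusting user data that arrives from the client instead of from its own records. The following is an added illustration of the two server-side binding checks the talk says the specification leaves implicit; it is not code from the talk, from HYPR, or from any FIDO2 library, and the names `UserStore`, `register_device`, `verify_assertion` and the stubbed `signature_ok` are hypothetical. Real signature verification over the authenticator data is deliberately left out so the binding checks around it stand out.

```python
"""Illustrative relying-party checks for a WebAuthn-style passwordless flow.

Added example. Two rules that the text says FIDO2 does not spell out:
  1. A new authenticator may only be registered for the account the
     authenticated *session* belongs to; the user.id echoed back by the
     client must match it exactly (no "declare yourself a known user").
  2. A login assertion is accepted only if the presented credential ID is
     registered to the user being authenticated (no swapping credential
     or user parameters in the request).
All names here are hypothetical; signature checking is a placeholder.
"""
from dataclasses import dataclass, field


class AuthError(Exception):
    pass


@dataclass
class Credential:
    cred_id: str
    user_id: str
    public_key: str  # placeholder; a real RP stores a COSE public key


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # user_id -> display name
    creds: dict = field(default_factory=dict)  # cred_id -> Credential

    def add_user(self, user_id, display_name):
        self.users[user_id] = display_name


def register_device(store, session_user_id, client_payload):
    """Attach a new authenticator to the account that owns the session.

    Vulnerable pattern: attaching the credential to client_payload["user_id"].
    Hardened pattern (this function): the account comes from the session, and
    the user handle echoed by the client must match it.
    """
    if session_user_id is None or session_user_id not in store.users:
        raise AuthError("device registration requires an authenticated session")
    if client_payload.get("user_id") != session_user_id:
        raise AuthError("user handle in client data does not match session user")
    cred_id = client_payload["cred_id"]
    if cred_id in store.creds:
        raise AuthError("credential id already registered")
    store.creds[cred_id] = Credential(cred_id, session_user_id, client_payload["public_key"])
    return store.creds[cred_id]


def verify_assertion(store, claimed_user_id, assertion):
    """Accept a login only if the credential belongs to claimed_user_id."""
    cred = store.creds.get(assertion.get("cred_id"))
    if cred is None:
        raise AuthError("unknown credential")
    if cred.user_id != claimed_user_id:
        raise AuthError("credential is not registered to this user")
    # If the authenticator returned a user handle, it must agree as well.
    if assertion.get("user_handle") not in (None, cred.user_id):
        raise AuthError("user handle mismatch")
    if not signature_ok(cred, assertion):
        raise AuthError("bad signature")
    return cred.user_id


def signature_ok(cred, assertion):
    """Placeholder for real signature verification with cred.public_key."""
    return assertion.get("signature") == "valid-" + cred.public_key


def outcome(fn, *args):
    """Run a check and report ('ok', value) or ('denied', reason)."""
    try:
        return ("ok", fn(*args))
    except AuthError as exc:
        return ("denied", str(exc))
```

Using `outcome` makes the two tampering cases easy to see side by side: a session for one user trying to enrol a device under another user's handle is denied, and an assertion that presents one user's credential while claiming another identity is denied, while the legitimate path returns the authenticated user.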
A more basic potential issue with passwordless is the threat of a stolen or lost device, such as a YubiKey or smartphone. Any adversary with access to your hardware device could act as you, and in such a scenario it might not be possible to reset authentication.
Aldo concluded that even though there are some vulnerabilities with passwordless systems, this is actually an overall better approach than relying on passwords alone. Combining FIDO best practices with other security checks, such as those outlined in the OWASP Top 10, lets you deliver a better customer experience without compromising security.
Securing medical devices
"Hospitals are under attack!" according to Matt Weir, password cracking legend, MITRE researcher who worked on the infamous `RockYou` password list, and creator of the Probabilistic Context Free Grammar (PCFG) password cracking tool. In his talk "Password911: Authentication Adventures in Healthcare," he shared that ever more sophisticated ransomware attacks are targeting hospitals, some of them originating from surprising places such as Voice over IP phone systems and medical devices.
Matt shared his research into Controlled Substance Infusion Pumps, which are very common devices used to administer regulated medications to patients. These devices are commonly given wireless network access using hardcoded credentials baked into the firmware. His team was able to retrieve real network credentials from devices purchased from certain web auction sites.
A firmware-based access approach brings other issues as well. It means the secure networks would need to update each and every device in the case of an attack; just issuing a new credential would potentially interfere with life-saving care. He also uncovered a specific vulnerability: firmware updates are not scanned for malicious code. This would make it possible for a remote attacker to cause serious damage by forcing an update.
His talk was a call to action for security researchers to find innovative ways to improve medical systems security without disrupting patient care. Hospitals have special requirements. Some of the best practices we can use in a server room are not practical in the operating room. He said we must make it easier for teams in hospitals to implement security. His team at MITRE has released a playbook for threat modeling medical systems to help us all figure out a better and safer path forward.
Finding and exploiting passwords in the wild
Regular readers of the GitGuardian blog will recognize the name Mackenzie Jackson, Senior Developer Advocate at GitGuardian. He shared his recent research into secrets sprawl in his talk, "The attacker's guide to exploiting secrets in the universe." He looked into three specific ways attackers find secrets to abuse: GitHub dorking, gaining access to private code, and decompiling mobile apps.
Dorking originated in 2002 as a way to leverage Google to find security holes in the configuration and computer code of websites. Basically, it is a way to bypass certain safety guardrails by searching for data in a very specific way. Using some basic search query patterns, he uncovered hardcoded secrets in multiple public GitHub repositories live in front of the audience. He also showed how easy it is to search the GitHub public API for 'juicy' emails from some major corporations as a way to narrow the search for valuable secrets.
There are several ways malicious actors gain access to private repos, but Mackenzie reported code leaks were a common path. As described in previous GitGuardian posts, Twitch experienced a significant code leak in the last few years, exposing millions of lines of code and thousands of credentials publicly. Meanwhile, if an attacker breaches a company's perimeter, private repos no longer stay private from nefarious eyes, as was the case with Codecov in 2021.
Mackenzie also showed how simple it is to find secrets in mobile applications. Android apps are packaged as `.apk` files, and Apple uses the `.ipa` suffix. These are, in reality, just glorified `.zip` archives. He showed how quick and easy it was to open these packages and see the full contents, including code that sometimes contained hard-coded plaintext credentials.
This session is a good reminder that obfuscating your secrets, trying to hide them in layers of complexity, will not stop a determined hacker from finding and exploiting them. The best secrets are those that never make it into your code base. No matter what language or platform you build for, ggshield can scan your files locally to ensure you don't accidentally share a secret ever again.
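Because an `.apk` or `.ipa` is a zip archive, the same fact that makes it easy for an attacker to look inside makes it easy to check your own build artifact before it ships. The script below is an added example written for this article; it is not GitGuardian's or ggshield's code. It constructs a small fake package in memory (the only "secrets" in it are the AWS documentation example key and made-up strings), walks the text-like entries of the archive, and reports anything that matches a known key format or a high-entropy value assigned to a name like `api_key` or `password`. The file suffix list, detector regexes and the 3.0-bit entropy cutoff are assumptions to tune for your own code base.

```python
"""Scan a mobile app package (.apk/.ipa, i.e. a zip) for hard-coded secrets.

Added example for this article, not code from GitGuardian or ggshield.
scan_package() takes the bytes of an archive and returns findings; the
sample package and every value in it are constructed for the demo.
"""
import io
import math
import re
import zipfile

# Entries worth reading as text. Assumption: binaries like classes.dex are
# skipped here; a real scanner would also run `strings`-style extraction.
TEXT_SUFFIXES = (".xml", ".json", ".properties", ".plist", ".txt", ".js", ".cfg")

# Detector name -> regex; group 1 is the candidate secret.
DETECTORS = {
    # AWS access key IDs have a fixed, recognisable shape.
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Generic `api_key = "..."` / `"password": "..."` assignments.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\W{0,3}\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}


def shannon_entropy(s):
    """Bits per character; used to drop placeholders such as 'changeme'."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path, text, min_entropy=3.0):
    """Run every detector over each line; return a list of finding dicts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in DETECTORS.items():
            for m in rx.finditer(line):
                candidate = m.group(1)
                # Well-known key formats are reported regardless of entropy;
                # generic matches must look random enough to be a real secret.
                if name == "generic_assignment" and shannon_entropy(candidate) < min_entropy:
                    continue
                findings.append({"file": path, "line": lineno,
                                 "detector": name, "secret": candidate})
    return findings


def scan_package(data):
    """data: bytes of an .apk/.ipa archive. Returns all findings, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary resource with a text-like name; skip it
            findings.extend(scan_text(info.filename, text))
    return findings


def build_sample_apk():
    """Constructed sample package; every value below is fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml",
                    '<resources>\n'
                    '  <string name="app_name">Demo</string>\n'
                    '  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>\n'  # AWS docs example key
                    '</resources>\n')
        zf.writestr("assets/config.json",
                    '{\n  "api_key": "q7Zp3xL9vRt2Kw8mN4bH",\n'  # constructed, high entropy
                    '  "password": "changeme"\n}\n')             # low entropy, filtered out
        zf.writestr("classes.dex", b"\x00\x01binary")            # not a text entry, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_package(build_sample_apk()):
        print(f"{f['file']}:{f['line']} [{f['detector']}] {f['secret']}")
```

Run against a real build (`scan_package(open("app-release.apk", "rb").read())`) as a pre-release gate; the entropy filter is what keeps `"password": "changeme"` out of the report while still flagging the random-looking API key, and the fixed-format AWS detector fires even on low-entropy documentation-style keys because their prefix alone is conclusive.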
MFA alone is no guarantee of safety
While multifactor authentication (MFA) is a great security practice and everyone should be using it, Chris Merkel, Senior Director, Cyberdefense at Northwestern Mutual, explained that attackers can still compromise user sessions without some additional precautions. In his talk "Authentication Proxy Attacks: Detection, Response, and Hunting," he covered the reality that MFA comes in many forms, and not all of them are created equal.
Chris shared his ranking of MFA types by phishing resistance, listed here from most secure to least secure:
- FIDO2 and WebAuthn
- OTP, Number Match
- Mobile App Push
- SMS or voice message
FIDO2 and WebAuthn, while not completely flawless, as reported by Aldo in PasswordsCon, are by far the most secure way to implement MFA. Biometrics and asymmetric keys take a lot of work to overcome. One-Time Passwords (OTPs) rely on a physical device that can be stolen or misplaced. Mobile App Push works by relying on special communication from users' smartphones to complete the login, but phones can be cloned and stolen. And relying on SMS or voice message to complete a login has a lot of risks, especially as phone numbers are easy to spoof and messages can be intercepted or faked.
All of these types of MFA are susceptible to a certain kind of proxy attack called "token replay," which is on the rise, with over 59,000 such attacks reported in August 2022 alone. In this type of attack, a phishing email or 'smishing' text message is sent to the user, which takes the user to a cloned login page. The attackers pass the credentials through to the real site and then display an MFA page asking for the second factor. Once supplied, the user is passed through to the legitimate site and would be unaware a phishing attack was carried out. Meanwhile, the attacker has the login info and the session token from the user's login, allowing them access to that same system as the user.
There are multiple ways to guard against such an attack, including looking for 'impossible travel,' where two login attempts are made in a short amount of time from places too far apart to make sense. For example, if the legitimate user logs in from Mexico City and there is another attempt that looks like the same user from Toronto just 10 minutes later, that is physically impossible and should sound an alarm. While attackers can use certain tools, like VPNs, to get around geolocation checks, it is still something teams should be actively monitoring.
Security teams also need to be on the lookout for suspicious activities like sudden unexpected changes to the user account and device information. Logins from previously unseen IP ranges or new authenticator registrations on unknown devices are also signs of a token replay attack.
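The three signals above (impossible travel, a login from an IP range never seen for that user, and an authenticator registration from a device the user has only just appeared on) are simple enough to run over an identity provider's sign-in export. The script below is an added example written for this article, not code from the talk or from Northwestern Mutual. The log format, the field names, the 1,000 km/h plausibility ceiling and the 24-hour "new device" window are assumptions; the sample log is constructed and replays the Mexico City to Toronto scenario from the talk.

```python
"""Flag token-replay style account abuse from sign-in events.

Added example for this article. Runs three detections over constructed log
lines: impossible travel (implied speed between consecutive logins of one
user), a login from a /24 never seen for that user, and an MFA authenticator
registration from a device first seen less than 24 hours earlier. Log format,
thresholds and field names are assumptions; adapt parse_line() to your IdP.
"""
import math
import re
from datetime import datetime, timedelta

MAX_PLAUSIBLE_KMH = 1000.0            # faster than any scheduled flight
NEW_DEVICE_WINDOW = timedelta(hours=24)

LINE_RX = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"geo=(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+) device=(?P<device>\S+) event=(?P<event>\S+)$"
)

# Constructed sample: alice logs in from Mexico City, "alice" logs in again from
# Toronto ten minutes later, then a new authenticator is enrolled from that
# never-before-seen device. bob's two logins are a normal New York commute.
SAMPLE_LOG = """\
2023-08-08T14:00:00Z user=alice ip=189.203.10.4 geo=19.43,-99.13 device=alice-laptop event=login
2023-08-08T14:10:00Z user=alice ip=99.240.17.22 geo=43.65,-79.38 device=unknown-9f2 event=login
2023-08-08T14:12:00Z user=alice ip=99.240.17.22 geo=43.65,-79.38 device=unknown-9f2 event=mfa_register
2023-08-08T08:00:00Z user=bob ip=203.0.113.7 geo=40.71,-74.01 device=bob-phone event=login
2023-08-08T17:30:00Z user=bob ip=203.0.113.9 geo=40.73,-73.99 device=bob-phone event=login
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RX.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    d["lat"], d["lon"] = float(d["lat"]), float(d["lon"])
    return d


def ip_prefix(ip):
    """Collapse an IPv4 address to its /24 so a DHCP hop alone does not alert."""
    return ".".join(ip.split(".")[:3])


def analyze(log_text):
    """Return (user, signal, detail) tuples, ordered by user then time."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    last_login = {}     # user -> previous login event
    seen_prefixes = {}  # user -> set of /24 prefixes seen so far
    first_seen = {}     # (user, device) -> first timestamp observed
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        u = ev["user"]
        prefixes = seen_prefixes.setdefault(u, set())
        if ev["event"] == "login":
            prev = last_login.get(u)
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append((u, "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
            # The first login for a user only seeds the baseline.
            if prefixes and ip_prefix(ev["ip"]) not in prefixes:
                alerts.append((u, "new_ip_range", ip_prefix(ev["ip"]) + ".0/24"))
            prefixes.add(ip_prefix(ev["ip"]))
            last_login[u] = ev
        elif ev["event"] == "mfa_register":
            # Enrolling a new authenticator from a device that appeared minutes
            # ago is the classic post-takeover persistence move.
            first = first_seen.get((u, ev["device"]))
            if first is None or ev["ts"] - first < NEW_DEVICE_WINDOW:
                alerts.append((u, "mfa_register_new_device", ev["device"]))
        first_seen.setdefault((u, ev["device"]), ev["ts"])
    return alerts


if __name__ == "__main__":
    for user, signal, detail in analyze(SAMPLE_LOG):
        print(f"{user}: {signal} ({detail})")
```

On the sample, bob's two logins from the same /24 a few kilometres apart produce nothing, while alice's second login trips both the travel and new-range detectors and the registration two minutes later trips the third. The baseline-seeding rule (a user's first observed prefix never alerts) is what keeps the detector quiet on a cold start; in production you would pre-load `seen_prefixes` and `first_seen` from history rather than from the batch being analysed.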
One last tactic he recommended is educating users to check the color codes on login screens. Every legitimate service uses a carefully chosen set of specific colors. For example, the GitGuardian login page uses `#1B2D56`, aka `rgb(27, 45, 86)`, a beautiful shade of dark blue for the main body text color. People building fake pages will likely pick a similar color but not copy the exact palette. If you encounter a login screen that looks slightly off, you can always navigate to the known safe page and check the color palette to ensure it matches 100%. If it does not match, you should immediately report it as a phishing attempt to your security team.
CISA: The newest security-focused agency on the block
Many organizations have been working to keep us safe for a long while now, such as NIST and ENISA. In November 2018, a new US government agency was created to protect critical infrastructure from nation-state hackers: the Cybersecurity and Infrastructure Security Agency (CISA). BSidesLV attendees were lucky enough to hear from the Director of CISA, Jen Easterly, in an "Everything Is On Fireside Chat" hosted by Keren Elazari, lead organizer of BSides Tel Aviv.
Jen described 'critical infrastructure' as everything that keeps our society functioning, from power plants to banks. As the world becomes increasingly dependent on code and technology, the larger the threat landscape becomes. She said that large language models, LLMs, are evolving at three times the pace of Moore's law, making it that much harder to predict what the next exploit will look like or where it will emerge.
What gives her hope is the spirit of the security community at events like BSides and BlackHat. In her time at the agency, she has worked to build up an army of hackers and researchers who are working to solve ever-shifting security issues, and she sees events that promote capture the flag (CTF), pentesting, and red teaming exercises as a recruitment tool for the next stage of cyber defense.
Jen said part of their mission is to make it unacceptable to produce insecure software. The future we must embrace is one of radical transparency. To that end, CISA has published a guide called "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default," which she encouraged us all to share. It is written in the language of business, putting forth an imperative that business owners must also own security for their companies and the country.
She concluded the chat by saying they are still looking for the best and brightest to join the fight, and they have over 200 roles still open for folks who are up for the challenge.
Proud to be part of the BSides community
GitGuardian is proud to have been a sponsor of BSides Las Vegas. Through the talks our team gave and our many wonderful conversations in the Middle Ground common room, we hope we were able to help point folks in the right direction when it comes to secrets detection and remediation, as well as intrusion and leak detection, as we introduced many people to honeytokens for the first time.
No matter where you are in the world, there is a good chance a BSides event will happen near you sometime soon. Many BSides also have a virtual component making it very easy to participate. Getting involved in your local community, no matter what form it takes, is the best way to grow your skills and learn about new emerging technologies. We hope to see you at a BSides soon.