As automated scan unearths pen-testing gold, careless businesses must polish their DevSecOps

GitHub vulnerability scan identifies over 200,000 hosts sharing sensitive passwords, configuration files and other credentials

Concerns over the security of companies’ development cultures were validated for an Australian cybersecurity specialist after a recent global scan of GitHub projects identified more than 200,000 servers where developers had left hardcoded passwords and other sensitive information in publicly available source code.

Cameron Stokes, a technical specialist with cybersecurity firm HivInt, decided to run a large-scale scan for vulnerabilities after reading about cases where developers had inadvertently left GitHub code – containing passwords for WordPress hosts and other sites – exposed in a way that they could be publicly scraped, analysed, and exploited.

Such credentials can be exploited to gain access to sensitive business systems and networks, and Stokes was initially expecting that he wouldn’t find more than “maybe 100 machines” on the assumption that the vulnerability was relatively uncommon.

A purpose-built automated scanner, however, searched all publicly available Internet addresses and identified hundreds of thousands of repositories containing sensitive data that would facilitate entry into their owners’ systems.

Such scans often turn up gold during penetration tests, Stokes told CSO Australia: “A few times it has been one of the pivotal things that got us from not having anything, to winning the game,” he said.

“Occasionally there’s nothing interesting in these sorts of things – but on the off chance you get something like Amazon Web Services keys, configuration files, and passwords, it’s usually good for pen testers.”

Many repositories are stored on servers that are spun up and then abandoned during the testing process, he said. And while the actual value of the data depends on what data is stored, its public availability reflects a breakdown in security protocols that many businesses are working hard to address as part of DevSecOps policies and practices.
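As an added illustration of the kind of DevSecOps control the article points to, here is a small pre-commit style secret scan (example code written for this page, not HivInt’s scanner or anything from the article); the file tree is constructed, the rules and placeholder list are assumptions to tune per codebase, and the AWS values are AWS’s own documented example keys.

```python
import re

CONFIG_SUFFIXES = (".env", ".ini", ".cfg", ".yml", ".yaml", ".properties")
RULES = [  # (rule name, pattern, applies only to config-style files?)
    # AWS access key IDs: 20 chars starting AKIA (long-term) or ASIA (temporary).
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), False),
    # A 40-char base64-like value shortly after something named *secret*.
    ("aws_secret_access_key", re.compile(
        r"(?i)secret[^\n]{0,20}?['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"), False),
    # password = "literal" in code; only quoted strings count, so os.environ lookups pass.
    ("hardcoded_password", re.compile(
        r"(?i)(?:password|passwd|pwd)\b\s*[=:]\s*['\"]([^'\"]{4,})['\"]"), False),
    # KEY=value lines in .env / ini style files whose key names a secret.
    ("config_secret", re.compile(
        r"^\s*[A-Z_]*(?:PASSWORD|PASSWD|SECRET|TOKEN)[A-Z_]*\s*[=:]\s*([^\s#]{4,})"), True),
]
# Values that are obviously placeholders rather than real credentials (assumed list).
PLACEHOLDERS = {"changeme", "password", "<password>", "xxxx", "example", "your_password_here"}


def scan_file(path, text):
    """Return (path, line_number, rule) for each line that looks like a committed secret."""
    is_config = path.endswith(CONFIG_SUFFIXES)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, config_only in RULES:
            if config_only and not is_config:
                continue
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.strip("'\"").lower() in PLACEHOLDERS:
                continue
            findings.append((path, lineno, name))
            break  # one finding per line is enough to block the commit
    return findings


def scan_repo(files):
    """Scan an in-memory tree {path: contents}; a real hook would read the staged files."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample tree; the AWS values are AWS's documented example keys, not live ones.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\nSMTP_PASSWORD = "hunter2hunter2"\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\nDB_PASSWORD=changeme\n",
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment; never commit it.\n",
}
```

Wired into a git pre-commit hook over the staged files, a non-empty result from `scan_repo` is the signal to reject the commit; the environment lookup, the placeholder and the README mention all pass, while the three literal credentials are flagged.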

The findings illustrate the real-world implications of business executives’ continued failure to give cybersecurity high enough priority within their organisations. Fully 31 percent of respondents surveyed in ISACA’s recently released State of Cybersecurity 2018 report said that their board of directors had not adequately prioritised enterprise security – down slightly from the previous year but still a notable finding, particularly in light of one research study after another identifying systemic shortcomings in business security risk management.

“Although practitioners are well positioned to observe potential security issues, if the enterprise has no reliable feedback mechanism to communicate issues upward, risk can result from incorrect or inappropriate prioritisation at higher levels,” the report’s authors note.

“The board has priorities that may not be fully visible to security team members,” they note, arguing that business concerns about debt or exposure to a class-action lawsuit can divert resources from security investment no matter how important.

“One strategy to help mitigate these concerns is to implement more objective, consistent and actionable reporting to the board about security concerns” – for example, in the form of summary snapshots of security risk that will help the board “receive information about security that might be unavailable otherwise.”

Improving board-level attitudes is only one part of the overall cybersecurity defence, however, and the work of Stokes and others like him makes it clear that increasingly automated attackers are proving highly capable of finding ammunition to turn against unprepared business targets.

With many hackers thinking like gamers and training using video-game conceits, that ammunition can be disastrous for businesses trying to reduce their risk exposure.

GitHub, for its part, was among 34 global organisations that joined forces in the Cybersecurity Tech Accord, a pact to strengthen the technology supply chain.

“Protecting the internet is becoming more urgent every day as more fundamental vulnerabilities in infrastructure are discovered,” chief strategy officer Julio Avalos wrote in its announcement, “and in some cases used by government organizations for cyber attacks that threaten to make the internet a theatre of war.”

“Reaching industry-wide agreement on security principles and collaborating with global technology companies is a crucial step toward securing our future. We believe security needs to be embedded into software development, and we’re building features to make that a reality.”

Stokes is in the process of notifying affected companies of their exposure – but if his experience is anything to go by, GitHub and other tech firms have their work cut out for them.

The specific vulnerability he explored is “due to misconfiguration more than a design flaw,” Stokes explained. “It’s potentially developer sloppiness, but there are a number of things that could cause repositories to be exposed and it’s hard to say what the actual root cause of this is. I don’t think people really realise how privileged this information is.”
