
How to Avoid Getting Hacked and Leak Credentials?

Published on: 2023-1-30

Interested in how a developer or a software organization can significantly decrease the risk of a security breach? We discuss some basic organizational and technical measures that you can use today.

The summer of 2022 was truly atrocious when it comes to software and service security. A week didn't go by without news of various companies getting hacked and customer data being put up for sale.

One of the more egregious examples was, arguably, LastPass, a security company.

Hindsight is 20/20, and no software or organization is perfect and resilient to every possible security breach. But let's explore what we can do to minimize the risk.

Secure Software Supply Chain

The case of LastPass should echo through the industry as a warning. At the same time, it's not the first time developers and their elevated access have caused a breach. Let's rewind a bit.

On August 22nd, a developer's credentials were stolen and later used to target another employee. This eventually gave the attackers access to the cloud storage holding customer data: the encrypted vaults and most of the unencrypted information.

The company did not disclose every detail, but the fact that engineers' credentials were exfiltrated should serve as a cautionary tale.

LastPass's case is not the only one. Back in 2018, exposed publisher credentials were used to hijack a popular NPM package. A new version containing malware that stole further credentials was pushed and reached at least 4,500 accounts before it was neutralized.

You don't have to think of state-sponsored hackers or Stuxnet-level sophistication. Modern commercial software is typically built with hundreds of dependencies. It could take just one compromised library to poison a large swath of software projects.

How can you defend yourself against these attacks? 

Firstly, monitor web news and CVE advisories (https://www.cve.org/) daily. Don't dismiss any news as too minor, and don't wait until the next morning. In the case of the NPM credential hack mentioned above, the original maintainer was asleep when the hijack took place. Threat actors will prey on the fact that a vulnerability is easier to exploit in the middle of the night or on a weekend.

Secondly, engage in vulnerability scanning. If you host your code on GitHub, you can enable the Code Scanning feature, which will notify you about known vulnerabilities in your code or in the dependencies you rely on.

If you don't use GitHub, or can't use its scanning mechanism for some reason, there is always Snyk. Like GitHub's scanner, Snyk will support you and your engineering teams in discovering certain classes of security issues in your code. Snyk will also notify you about vulnerabilities in the dependencies you use. Snyk being a UK company could ease your concerns regarding confidentiality and data security: with the UK being a GDPR-adequate country, using Snyk's software can be easier to justify than Microsoft-owned (US corporation) GitHub.
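As an added example (not code from this post, nor from GitHub or Snyk), here is the core matching logic that a dependency scanner performs: every installed copy of a package in a package-lock.json, including the nested transitive copies npm places under another package's node_modules, is compared against advisory version ranges. The lockfile and the advisory feed are constructed for this example, and the advisory IDs are placeholders.

```python
import json

# Constructed package-lock.json (lockfileVersion 2 layout); not a real project.
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"left-lib": "^1.0.0", "web-kit": "^2.1.0"}},
        "node_modules/left-lib": {"version": "1.4.2"},
        "node_modules/web-kit": {"version": "2.1.7"},
        # transitive copy pinned by web-kit; easy to miss when only reading package.json
        "node_modules/web-kit/node_modules/left-lib": {"version": "1.3.0"},
    },
})

# Constructed advisory feed (OSV-like shape): affected = introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "left-lib", "introduced": "1.3.0", "fixed": "1.3.1",
     "summary": "malicious release published with hijacked maintainer credentials"},
    {"id": "EXAMPLE-2022-0002", "package": "web-kit", "introduced": "0", "fixed": "2.2.0",
     "summary": "prototype pollution"},
]

def parse_version(v):
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def installed_packages(lock_text):
    """Yield (name, version, path) for every installed copy, nested ones included."""
    lock = json.loads(lock_text)
    for path, meta in lock["packages"].items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        name = path.split("node_modules/")[-1]  # keeps scoped names like @org/pkg
        yield name, meta["version"], path

def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def scan_lockfile(lock_text, advisories):
    """Return one finding per (installed copy, advisory) match, with its lockfile path."""
    findings = []
    for name, version, path in installed_packages(lock_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"id": adv["id"], "package": name,
                                 "version": version, "path": path})
    return findings
```

The top-level left-lib 1.4.2 is clean, but the nested 1.3.0 copy under web-kit is still flagged, which is exactly the case a manual review of package.json misses.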

Developer Credentials Security

In both aforementioned cases, developers' credentials were abused to escalate the breach further. Don't underestimate the security risk that endpoint devices pose to your organization.

Moreover, the explosion of remote work and global employment opportunities means that your employees are their own IT department. Long gone are the days when an IT administrator handed a locked-down laptop to an employee, connected to a closed, monitored network.

There are at least two layers you should consider addressing.

Technical Measures for Endpoint Security

Create a separate network layer for privileged access. Whether you host your infrastructure on bare metal or in the cloud, aim to create separate network segments that isolate public-facing infrastructure from development and elevated-access systems. Secondly, make sure that your employees connect to your internal network via VPN and are granted access only to the systems strictly necessary to perform their tasks.

When I say VPN, I don't mean popular VPN services like ExpressVPN or NordVPN; these are useful for other purposes. In this case, I mean your own managed VPN. Setting up a corporate VPN is relatively easy, especially with web admin tools like the ones offered by OpenVPN.

Be sure to enforce two-factor authentication on your network. Should an endpoint be compromised and its access keys copied, the attacker might otherwise be able to roam freely within your network. With 2FA enabled, you create yet another barrier against exfiltrated credentials being put to use.

Source Code Access

Let's talk developers. If your organization has developers, they wield disproportionate access and privileges by the sheer fact that they can access and produce source code. Chances are that once developers publish source, an automated process pushes it to production, putting it right in front of your customers and their data. Many organizations, motivated by removing red tape from the developer workflow, rely on convention rather than strict bulkheads. Committing to the production branch without a peer review is prohibited by social contract rather than by strict security measures.

If this is the case in your engineering organization, make sure that developers' access to the source code repository cannot be easily hijacked. Besides requiring two-factor authentication for the source code repository, make sure that developer access keys are secure.

It is straightforward to get started with GitHub or GitLab using locally generated SSH keys. These keys are only secure as long as they never leave the developer workstation. Their security quickly diminishes when a developer machine is compromised.

When protected only with a password, these secret keys are at risk of being stolen and exploited if an attacker has planted a keylogger. With a copy of the secret key and the password, it is mostly game over: the attacker can own your source code.

Introducing Hardware Keys

Using YubiKey or NitroKey style hardware security keys can eliminate the risk of private keys being stolen. The security chip on these devices allows access to be securely authorized without ever exposing the secret material. Even when stolen or lost, these devices require a PIN, and after just three failed attempts the device is locked.

Using a USB hardware token or a smartcard is a very secure approach to handling secrets and preventing their exfiltration.

Both vendors, YubiKey and NitroKey, offer different types of devices, which use PIV (Personal Identity Verification), OpenPGP, or FIDO2 mechanisms. You are sure to find a mode of operation that suits your deployment.
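Added example, not code from the post or from either vendor: a small Python audit for an OpenSSH authorized_keys file (as used on a self-hosted GitLab, a jump host or a build server) that flags keys whose private half is a plain file on the developer's disk rather than bound to a FIDO2 hardware token, and hardware-backed keys accepted without the PIN requirement (the OpenSSH verify-required option). The file contents are constructed and the key blobs are placeholders.

```python
from dataclasses import dataclass, field

# OpenSSH key types whose private half only works with a FIDO2 authenticator plugged in.
HARDWARE_BACKED = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# Key types whose private half is a file on disk, copyable by malware or a keylogger's operator.
SOFTWARE_KEYS = {"ssh-ed25519", "ssh-rsa", "ssh-dss",
                 "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample authorized_keys; the base64 blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """
# deploy box - constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop
verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1PLACEHOLDER bob@yubikey
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER carol@nitrokey
"""

@dataclass
class KeyReport:
    comment: str
    key_type: str
    hardware_backed: bool
    verify_required: bool
    findings: list = field(default_factory=list)

def parse_line(line):
    """Return (options, key_type, comment) for one authorized_keys entry, or None.
    Options containing quoted spaces (e.g. command="...") are not handled by this splitter."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0] in HARDWARE_BACKED | SOFTWARE_KEYS:
        options, rest = "", parts          # no leading options field
    else:
        options, rest = parts[0], parts[1:]
    comment = " ".join(rest[2:])           # everything after the key blob
    return options, rest[0], comment

def audit_authorized_keys(text):
    """Report every key and why it weakens the 'keys never leave the device' property."""
    reports = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, key_type, comment = parsed
        opts = set(options.split(",")) if options else set()
        report = KeyReport(comment, key_type, key_type in HARDWARE_BACKED,
                           "verify-required" in opts)
        if not report.hardware_backed:
            report.findings.append("software key: private key can be copied off the workstation")
        elif not report.verify_required:
            report.findings.append("hardware key accepted without PIN (add verify-required)")
        reports.append(report)
    return reports
```

On a real host, call audit_authorized_keys() on the contents of each user's authorized_keys and treat any non-empty findings list as something to migrate to a hardware-backed key.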

Use Password Managers Wisely

Despite the bad taste the LastPass hack has left within the security community, password managers are a great tool. A password manager solves the critical problem of reusing passwords or choosing low-complexity passwords. So enforce the use of a password manager. Whether it is the popular 1Password, the open-source Bitwarden, or the business-friendly Dashlane, there is plenty to pick from.

But avoid putting all your eggs in one basket. Today's password managers offer much more than just password storage. Depending on the product you pick, you will have a one-time password service, an SSH agent, and payment details autofill. These are super convenient tools.

However, putting your one-time passwords (OTP) and your passwords in the same storage defeats the purpose of two-factor authentication. Your password manager, when compromised, opens all doors. What's convenient for you might also be convenient for the attacker.

The SSH agent built into a password manager enables developers to access code from multiple machines with ease. Yet again, this convenience centralizes multiple security measures in a single tool. Portability, together with security, is easily achieved with a hardware key. There truly is little reason not to use a hardware key when SSH authentication is required.

Organizational Measures

Technical measures are often worthless without minimization of both access and data. If practical, an organization should implement measures that prevent a single person from wielding too much power over operating systems. Likewise, not all data should be readable by every employee.

Access Minimization

If you ever worked in an investment bank, you probably witnessed some wickedly complex deployment process: seven circles of hell leading to a single release. In a perverse instance, it might be nothing more than a cover-your-ass strategy. But any organization worth its salt will have some process in place to make sure there are enough eyes on the code to catch intentional, malicious code as well as unintentional, accidental mistakes.

Start-ups are not investment banks, and they are famous for being the Wild West of software delivery, with rock star coders threatening to quit at the first sight of “The Process”. But it is the lack of basic controls (aka process) that can escalate to a crippling, business-ending breach.

(Image: meme of a girl explaining that an organization should prioritize people over process, but that does not mean no process at all.)

Implement a practical process that reflects your organizational maturity, and dial it to reflect risk. There is no one size fits all.

Data Minimization

Silicon Valley hates GDPR for many reasons, one of which is the GDPR principle of minimizing the amount of personal and sensitive data stored. I would argue that even without GDPR, it is a great approach to minimizing the impact of a security breach should one occur. The less data you store, the less of it can leak.

Data minimization can start with your web analytics solution. Check out Wide Angle Analytics, our strictly GDPR-compliant solution.

You obviously need some data to run your service. And you might be lured into capturing data which you think will be useful. Perhaps you want to capture a user's date of birth to send them a freebie on their birthday. One could argue that this is not necessary to provide a quality service, and thus storing it is the opposite of frugal.

The best way to secure your data is to store as little of it as possible.

Summary

Here I covered just a few facets of security and how to protect developers against a security breach. I merely scratched the surface of the technical and organizational measures that can be implemented.

In my opinion, however, these are some of the bare minimums that should be considered.

TL;DR:

  1. Limit the scope of password managers
  2. Use hardware tokens
  3. Have some enforced process during delivery
  4. Minimize data and system access
  5. Use a VPN when accessing non-Internet-facing services
  6. Monitor vulnerability announcements
  7. Scan your code

🤗 Stay safe!