DEV Community


How hackers steal your keys and secrets

Omer Hamerman on September 22, 2020

After hunting for security bugs I've realized clients I’m working with are not familiar enough (or at all) with basic “hacking” techniques. API key...
Jason C. McDonald

Mostly wise, but I have a couple of concerns.

Rotate keys and passwords constantly, employ and enforce rotation policies

Security researchers no longer recommend this with passwords. It doesn't work. Use a unique, complex password for each login that requires one...but understand that complex does not imply esoteric. Long phrases are currently considered the best strategy. If you have no reason to suspect a breach or significant possibility of a breach on an account, rotating the password does not decrease the chances of one. In fact, password rotation usually only leads to bad password strategies.

I could argue the same for keys, especially as they're even harder to crack than passwords, and far more likely to result in an unrecoverable account if you lose them.

That said, rotation policies may make more sense from a computer-to-computer perspective, if (and only if) there's any risk of exposure.

Enforce MFA everywhere - Google, GitHub, Cloud providers, VPNs, anywhere possible. If it's not optional, reconsider the system in use

While I mostly agree with MFA, it is also not a guarantee of security — see sim card attacks — and it has its own hazards. If the service provides MFA, e.g. a code sent to a specific device, but no secure account recovery method, you may want to think twice. If you lose or destroy your phone (not that anyone has ever done that!) or it gets stolen, you're permanently locked out of any account that lacks recovery means. (PayPal is a prime example. No, they will not help. They'll go out of their way to FRUSTRATE helping, in fact.)

(One more note on that topic: there have been multiple security researchers who have warned that most consumer biometrics are less secure than passwords. Many fingerprint readers and facial recognition only check for partial match, and can be fooled. Consumer-focused biometrics should only be paired with a more secure authentication method, e.g. a key or password. Yes, I just said password.)

Be secure. But also be certain you aren't locking yourself out of Fort Knox permanently. It sucks at least as much as a breach.

Omer Hamerman Author

I actually agree with 100% of your points and it makes me think whether I should sharpen my message;
I'm discussing mostly software teams and companies (obviously not only but that's the target audience). With that in mind, I address both personal user passwords and authentication keys.
To answer your points directly:

  • Password complexity - completely right; when I talk about complexity it's important to stress the importance of length rather than complexity. I would argue, however, that everyone is far better off with a personal password manager like 1Password instead of managing their own passwords. That's another key point when talking about rotation.

  • MFA - again, correct; this is brought up in the context of web login profiles for the 3rd-party services teams use daily. This is most certainly not a replacement for a password but an extra layer of security. And again - the context is a password leaking out. MFA in that context usually makes it useless.

Summing up, yes, of course, everything should be done with reason. In my experience, 99% of the teams need the push towards better security strategy rather than limiting the layers of protection they put on their processes. That being said, it's a great and important discussion which I must agree with. TBH just thinking about it raises some cases I've dealt with before, mainly in large organizations where the authentication processes and policies were so extremely hard that it actually did hurt productivity and progress.

Thank you for taking the time to read and respond!

Jason C. McDonald

Thanks for your response! I agree with you as well.

I'd add one thing to the topic of password managers: while you should definitely use one, it's best to still use phrase-based passwords that can be entered reasonably by a human. There are still times that situation occurs in the real world, as much as we like to pretend our password manager will always work perfectly. This is particularly true of central accounts like GitHub and email.

Besides that, you really should keep a copy of your most important passwords and keys on paper in a fire safe, in case of electronic catastrophe, or your own untimely demise.

In other words, the one time you need to enter your password by hand is the one time you're going to regret an esoteric password. false-overspend-foe-float-stack is going to be a better password for human use than 3FaqtgSr2T9pgVJRwGxauzDmn, and just as secure. (Bonus, you have a realistic chance to spot when the former is wrong or outdated.)

If websites are still demanding their numbers and special characters, you can incorporate a consistent pattern unique to you. Numbers and symbols don't actually reduce the probability of cracking as once thought, so merely adding them to the phrase you would have used is perfectly fine; it's the phrase that's the secret, ultimately.

Omer Hamerman Author

Again - 100% :)
I remember a really good post explaining what you just mentioned scientifically, in terms of computation complexity and comparing short complex passwords to long sensible strings.
I'd try to find it and maybe add it here.

Thanks again!

Omer Hamerman Author

I'd be happy to quote some of your responses and incorporate in the post. I think they're extremely valuable to the readers!
With credit of course. Would that be okay with you?

Jason C. McDonald

Go for it! Thanks.

Vladyslav Krylasov

A good option is to use Yubikeys, because in the case of Google Authenticator, if you lose your phone then you're doomed, but a Yubikey stores codes on hardware, which is really great. Moreover, you can have several backup keys, so even if you lose one you can insert another key into any machine or phone with USB-C and be happy.

Good password protection can be built on top of pass & xkcdpass utils.

  • pass can be used as storage
  • xkcdpass can be used as a strong thing against computer brute force but simple for a human being to remember
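
An added example (mine, not from the post or from either commenter) that puts numbers on the passphrase discussion above and on the xkcdpass suggestion: it generates an xkcd/Diceware-style passphrase with the OS CSPRNG and computes entropy from word-list size and word count, so you can see how many words from a 7776-word list (the size of the Diceware and EFF long lists) it takes to match a random alphanumeric string of a given length. The 16-word SAMPLE_WORDLIST is a constructed stand-in; swap in a real list for actual use.

```python
import math
import secrets

# Constructed stand-in for a real list such as the EFF or Diceware list (7776 words).
# Any list works; only its SIZE matters for the entropy arithmetic below.
SAMPLE_WORDLIST = [
    "false", "overspend", "foe", "float", "stack", "lantern", "orbit", "velvet",
    "cactus", "meadow", "pixel", "harbor", "quartz", "ripple", "saddle", "tundra",
]
DICEWARE_LIST_SIZE = 7776   # 6**5 entries, the size of the EFF long list
ALNUM_ALPHABET_SIZE = 62    # a-z, A-Z, 0-9


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase built from num_words uniformly random words.
    The separator and any fixed suffix ('!1') you always append add nothing:
    the attacker is assumed to know the scheme, only the word choices are secret."""
    return num_words * math.log2(list_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """xkcd/Diceware-style generation. secrets.choice uses the OS CSPRNG;
    never use random.choice for this."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    five_words = passphrase_entropy_bits(5, DICEWARE_LIST_SIZE)
    random_25 = random_string_entropy_bits(25, ALNUM_ALPHABET_SIZE)
    print(f"5 Diceware words : {five_words:.1f} bits")
    print(f"25 random alnum  : {random_25:.1f} bits")
    print(f"words to match it: {words_needed(random_25, DICEWARE_LIST_SIZE)}")
    print("example:", generate_passphrase(5))
```

A fixed separator or a number/symbol pattern you always append is part of the scheme, not the secret, so it is deliberately excluded from the count; only the uniformly random word choices contribute bits. With the toy 16-word list each word is worth only 4 bits, so the figures computed for DICEWARE_LIST_SIZE are the ones to compare.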
Omer Hamerman Author

True!
I personally use 1Password as my 2FA store, which makes it a bit more secure through the gate of the single passphrase or a fingerprint. The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team out there - even the smaller ones?

Vladyslav Krylasov

The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I store passwords in an encrypted format on my own Git server that is only accessible through a specific IP address, which is my own VPN + DNS that really doesn't store logs, but the SSH port is still open, so I can push/pull updates from any machine, while the web interface is only reachable through the VPN. And again, the SSH key is stored on a Yubikey, so an attacker needs physical access to my key and has to know the PIN. A remote attack vector I cannot imagine, due to my limited knowledge of the security/crypto field, but it should be secure (I guess).

I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team out there - even the smaller ones?

I'm talking here more about personal security, and it's not so attractive for teams, indeed, but it's really secure security versus impostor security :) 1Password/LastPass should be good options for teams.

Omer Hamerman Author

Got it.
Well about secret storage for teams I usually suggest Hashicorp's Vault. My experience with it is excellent. It's open-source, secure, and really thought through in terms of features.

For personal use - good thinking.. I'll consider it myself :)
Although someone a few comments above you mentioned that they, as a team, were getting personal Yubikeys for everyone, with a Vault-specific namespace which was rotated every time an employee left...

Vladyslav Krylasov

Sounds really great. I heard of Hashicorp's Vault many times but didn't have a chance to learn it more. Will add this to my todo list, thank you.
P.S. Great article.

Tarlan Isaev

Yeah, Vault is awesome especially when you deal with Terraform. I've just tried this practice on Digitalocean and it's pretty straightforward. digitalocean.com/community/tutoria... "You’ll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform. In the end, you’ll have an automated system for deploying Vault in place, allowing you to focus on working with Vault itself, and not on the underlying installation and provisioning process."

☮️✝️☪️🕉☸️✡️☯️

Consider adding check-style hooks to GitHub Actions to scan for metasploits and common passwords included in your source code. The last thing you want is some derp adding some SQL onto the end of all your users' passwords.. D'oh

Omer Hamerman Author

Hey,
Yes, you're getting here into the realm of static code analysis.
I did mention ways of doing a simple code scan to identify leaked strings, but I consider STA to be a field of its own that requires commercial solutions.

I wasn't aware of the style check on GitHub and will look it up.
Thanks!

☮️✝️☪️🕉☸️✡️☯️

The new GitHub Actions are fantastic for that.

Cory McDonald

In my line of work, we've had sim-swapping attacks happen to a few employees. To mitigate this everyone is issued a hardware based MFA. Everyone gets 2 YubiKeys so just in case they lose one they can restore access to their accounts.

Additionally we have 1Password and separate vaults for each team. When an employee leaves the company the support team goes and rotates all the passwords in each vault the person had access to.

Personally I've made the cursed mistake of pushing up AWS secrets to Github. It's recommended everyone add git-secrets to their pre-commit workflow to prevent pushing up anything resembling a secret.
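
An added example, not from the post or from git-secrets, of the pre-commit check Cory describes and of the source-scanning hook suggested a few comments up: a small Python scanner that runs the public AWS access-key-ID shape, a generic 40-character secret-key shape and a private-key header over the added lines of the staged diff, and exits non-zero on a hit. The key-looking strings in SAMPLE_STAGED are constructed; the allow-listed values are AWS's documented placeholder credentials.

```python
import re
import subprocess
import sys

# Detection rules. The AWS access key ID format (AKIA + 16 uppercase/digits) is
# public; the other two are generic shapes, not vendor-specific identifiers.
RULES = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_key": re.compile(
        r"(?i)secret[_ -]?(?:access[_ -]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})"),
    "private_key_block": re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
}

# Known placeholder values that must not block a commit (AWS documentation examples).
ALLOWED = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}


def scan_text(text: str):
    """Return [(line_no, rule_name, matched_value)] for every suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if value in ALLOWED:
                    continue
                findings.append((line_no, name, value))
    return findings


def scan_staged_changes() -> int:
    """Pre-commit entry point: scan only the ADDED lines of the staged diff."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    findings = scan_text(added)
    for line_no, name, value in findings:
        # Print only a prefix so the hook itself never echoes a full secret.
        print(f"[blocked] {name}: {value[:6]}... (added line {line_no})", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample standing in for a staged config file; the AKIAQ4... and
# ab1Cd... values are made-up strings of the right shape, not real credentials.
SAMPLE_STAGED = """\
region = eu-west-1
aws_access_key_id = AKIAQ4ZXCV7BNM2LK9P3
# docs example, allow-listed: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = ab1CdEfG2hIjKlM3nOpQrS4tUvWxY5zAbCdEfGhI
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    if "--staged" in sys.argv:            # install as .git/hooks/pre-commit
        sys.exit(scan_staged_changes())
    for finding in scan_text(SAMPLE_STAGED):
        print(finding)
```

Save it as .git/hooks/pre-commit (executable) with `python3 path/to/scan.py --staged` as the hook body; without the flag it scans the embedded sample. git-secrets is the maintained tool for this; the point here is the mechanism: scan only added lines, keep an allow-list for documented placeholders so the hook does not cry wolf, and fail the commit rather than warn.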

Omer Hamerman Author

This is fantastic.
Both the security processes you guys use and the pre-commit tools by AWS I did not know.
Thanks for sharing!

Sarsa Murmu

Great article. Didn't know that a hacker can get through security using these methods.

Omer Hamerman Author

Thank you Sarsa!
Certainly. Lots of times I hear about "hacks" and sophisticated methods, where the truth lies somewhere in between: scans can be sophisticated and thought through, but eventually it's a way to figure out someone's password and use it to log in.
I guess the percentage of real sophistication, research and bypassing of complex mechanisms is extremely low. And so when it comes to security we actually do have a lot we can do to prevent the vast majority of vectors and leave very little attack surface.

Tarlan Isaev

Fantastic article, mate! Thanks for sharing :)

Omer Hamerman Author

Thank you 💪😁

Dávid Lévai

This is a unique kind of post. I really like these. Well done!

Omer Hamerman Author

Thanks mate! Much appreciated

Matt Curcio

Comprehensive and very informative article!
Thanks

Сова

Good day, people!
How do I protect a form on the site?
From bots and XSS..
I am a frontend dev. Backend dev I don't know..

Omer Hamerman Author

Hey!
For XSS I suggest looking at OWASP's overview and their cheat sheet. XSS has lots and lots of techniques and I'd say it's a skill of its own. Make sure you use the suggested headers and avoid the usual pitfalls. The risky type is usually stored XSS, in cases where the stored script is visible to other users. I'd make sure I know the basics and think about how my application works and whether the risk it presents is worth diving in.

E.g. if my application is a message board, and a posted message is visible to lots of my users, a stored XSS may have a more serious effect than, let's say, a self-reflected XSS.

If users are at risk - put your efforts there. I hope this helps

Сова

Thank you! Another question..
How do I install (AntiXSS) on my website?
Can you write how to do it step by step?

  1. Download
  2. Install
  3. Connect dependencies

I have not connected this before. You have to understand, I'm a front-end developer, it's a little difficult for me.
Omer Hamerman Author

Not sure what you're referring to, but if that's a library that helps you set up different XSS features it sounds like a good idea. Regardless, I still think it's important to learn the actual basics so you know how and when to use it correctly. It's also good to understand the basic important concepts, to know where a layer of protection is falling short.

Сова

Yes, this library (github.com/voku/anti-xss)
I don't know how to work with it..
This is hard for me

Omer Hamerman Author

Hey,
Basically, this is a library that offers its own functionality to escape special characters and HTML edge cases to prevent different kinds of XSS. In regards to usage, they have pretty straightforward instructions.

Don't know whether this is the best tool for the job but I can't recommend anything else since I'm not aware of any.

It's good that you care, understand the risk, and try to prevent the damage from happening.
Good luck

Сова

Hi )
I connected everything for protection.
How can I validate the form?
I want to check whether my protection is working or not.
If I paste alert(document.cookie) into the form it will be sent to my mail. I will not see any JavaScript code displayed.
I need a method to test my XSS protection.
In other words, what I need to do is to make an XSS attack on my form so that I can see if my defense has worked or not.
I hope I have explained it clearly.
I am sorry my English is bad.

Omer Hamerman Author

Hi,

Like I mentioned earlier, you probably want to learn the basics on your own and then validate your protection by "attacking" your own page. Here's a great video with explanations of different techniques. The guy also has a practice area where you can practice what you've learned: youtube.com/watch?v=EoaDgUgS6QA

When you protect something, be aware of what it is you are protecting from. "XSS" is a wide range of techniques that can abuse pages. If you protect from a certain technique - e.g. HTML tags, try exploiting your own form with something like <img src/onerror=alert(1)>.
Here's another cheatsheet by Portswigger where you can see an endless list of methods: portswigger.net/web-security/cross...
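
An added example (mine, not the post's or the anti-xss library's) of the self-test just described: it renders the thread's `<img src/onerror=alert(1)>` payload and two similar ones through a naive script-tag filter and through proper HTML escaping, and adds an href case because escaping alone does not stop a javascript: URL in an attribute. The template, the payload list and the still_has_markup check are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse


def naive_filter(user_input: str) -> str:
    """The kind of 'protection' that only removes <script> tags. The input stays
    in HTML context, so any other tag with an event handler still executes."""
    return re.sub(r"(?is)<script.*?>.*?</script>", "", user_input)


def escape_text(user_input: str) -> str:
    """Correct defence for text nodes and quoted attribute values: encode the
    five characters that can break out of those contexts (& < > " ')."""
    return html.escape(user_input, quote=True)


def safe_href(url: str) -> str:
    """Escaping does nothing against javascript: URLs inside href/src; those need
    a scheme allowlist on top of escaping. Anything not http/https becomes '#'."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return escape_text(url)


def render_comment(body: str, link: str, body_filter) -> str:
    """Minimal stand-in for a message-board template (constructed for this example);
    body_filter is whichever defence is under test."""
    return (f'<p class="comment">{body_filter(body)}</p>'
            f'<a href="{safe_href(link)}">profile</a>')


# Payloads from the thread above plus two more of the same family.
PAYLOADS = [
    "<img src/onerror=alert(1)>",
    "<script>alert(document.cookie)</script>",
    "<svg onload=alert(1)>",
]


def still_has_markup(rendered: str) -> bool:
    """True if the comment body still contains a raw tag the browser would parse."""
    body = re.search(r'<p class="comment">(.*?)</p>', rendered, re.S).group(1)
    return bool(re.search(r"<[a-zA-Z]", body))


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:45} naive filter leaves tag:",
              still_has_markup(render_comment(p, "https://example.com", naive_filter)))
        print(f"{'':45} html.escape leaves tag:  ",
              still_has_markup(render_comment(p, "https://example.com", escape_text)))
    print(render_comment("hi", "  jAvAsCrIpT:alert(1)", escape_text))
```

html.escape(quote=True) is right for text nodes and quoted attribute values; for href/src you additionally need a scheme allowlist (here http and https only, which also rejects relative links, so widen it deliberately if you need them), and anything you place into a script block or an inline event handler needs yet another encoder. When you test with a real browser, also try the payloads on the receiving side (the e-mail the form sends), since that is where a stored payload would render.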