DEV Community


How hackers steal your keys and secrets

Omer Hamerman on September 22, 2020

After hunting for security bugs I've realized clients I’m working with are not familiar enough (or at all) with basic “hacking” techniques. API key...
Jason C. McDonald • Edited

Mostly wise, but I have a couple of concerns.

Rotate keys and passwords constantly, employ and enforce rotation policies

Security researchers no longer recommend this with passwords. It doesn't work. Use a unique, complex password for each login that requires one...but understand that complex does not imply esoteric. Long phrases are currently considered the best strategy. If you have no reason to suspect a breach or significant possibility of a breach on an account, rotating the password does not decrease the chances of one. In fact, password rotation usually only leads to bad password strategies.

I could argue the same for keys, especially as they're even harder to crack than passwords, and far more likely to result in an unrecoverable account if you lose them.

That said, rotation policies may make more sense from a computer-to-computer perspective, if (and only if) there's any risk of exposure.

Enforce MFA everywhere - Google, GitHub, Cloud providers, VPNs, anywhere possible. If it's not optional, reconsider the system in use

While I mostly agree with MFA, it is also not a guarantee of security — see sim card attacks — and it has its own hazards. If the service provides MFA, e.g. a code sent to a specific device, but no secure account recovery method, you may want to think twice. If you lose or destroy your phone (not that anyone has ever done that!) or it gets stolen, you're permanently locked out of any account that lacks recovery means. (PayPal is a prime example. No, they will not help. They'll go out of their way to FRUSTRATE helping, in fact.)

(One more note on that topic: there have been multiple security researchers who have warned that most consumer biometrics are less secure than passwords. Many fingerprint readers and facial recognition only check for partial match, and can be fooled. Consumer-focused biometrics should only be paired with a more secure authentication method, e.g. a key or password. Yes, I just said password.)

Be secure. But also be certain you aren't locking yourself out of Fort Knox permanently. It sucks at least as much as a breach.

Omer Hamerman

I actually agree with 100% of your points and it makes me think whether I should sharpen my message;
I'm discussing mostly software teams and companies (obviously not only but that's the target audience). With that in mind, I address both personal user passwords and authentication keys.
To answer your points directly:

  • Password complexity - completely right, when I talk about complexity it's important to stress the importance of length rather than complexity. I would argue however, that everyone is far better off with a personal password manager like 1Password instead of managing their own passwords. That's another key point when talking about rotation.

  • MFA - again, correct, this is brought up in the context of web login profiles for the 3rd-party services teams use daily. This is most certainly not a replacement for a password but an extra layer of security. And again - the context is a password leaking out. MFA in that context usually makes it useless.

Summing up, yes, of course, everything should be done with reason. In my experience, 99% of the teams need the push towards better security strategy rather than limiting the layers of protection they put on their processes. That being said, it's a great and important discussion which I must agree with. TBH just thinking about it raises some cases I've dealt with before, mainly in large organizations where the authentication processes and policies were so extremely hard that it actually did hurt productivity and progress.

Thank you for taking the time to read and respond!

Jason C. McDonald • Edited

Thanks for your response! I agree with you as well.

I'd add one thing to the topic of password managers: while you should definitely use one, it's best to still use phrase-based passwords that can be entered reasonably by a human. There are still times that situation occurs in the real world, as much as we like to pretend our password manager will always work perfectly. This is particularly true of central accounts like GitHub and email.

Besides that, you really should keep a copy of your most important passwords and keys on paper in a fire safe, in case of electronic catastrophe, or your own untimely demise.

In other words, the one time you need to enter your password by hand is the one time you're going to regret an esoteric password. false-overspend-foe-float-stack is going to be a better password for human use than 3FaqtgSr2T9pgVJRwGxauzDmn, and just as secure. (Bonus, you have a realistic chance to spot when the former is wrong or outdated.)

If websites are still demanding their numbers and special characters, you can incorporate a consistent pattern unique to you. Numbers and symbols don't actually reduce the probability of cracking as once thought, so merely adding them to the phrase you would have used is perfectly fine; it's the phrase that's the secret, ultimately.

Omer Hamerman

Again - 100% :)
I remember a really good post explaining what you just mentioned scientifically, in terms of computation complexity and comparing short complex passwords to long sensible strings.
I'd try to find it and maybe add it here.

Thanks again!

Omer Hamerman

I'd be happy to quote some of your responses and incorporate in the post. I think they're extremely valuable to the readers!
With credit of course. Would that be okay with you?

Jason C. McDonald

Go for it! Thanks.

Vladyslav Krylasov • Edited

A good option is to use Yubikeys because in the case of Google Authenticator, if you lose your phone then you're doomed, but a Yubikey stores codes on hardware, which is really great. Moreover, you can have several backup keys, so even if you lose one you can insert another key into any machine or phone with type C and be happy.

Good password protection can be built on top of pass & xkcdpass utils.

  • pass can be used as storage
  • xkcdpass can be used as a strong thing against computer brute force but simple for a human being to remember
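
Putting numbers on the two password styles Jason quotes above (false-overspend-foe-float-stack versus 3FaqtgSr2T9pgVJRwGxauzDmn) and on the xkcdpass approach in this comment: an added example, not code from the post or from xkcdpass, which assumes the phrase is drawn at random from the standard 7776-word list and the string from a 62-character alphabet; the sample wordlist and the words_for_bits helper are constructed for the example.

```python
import math
import secrets

# Constructed mini wordlist standing in for the ~7776-word list xkcdpass ships;
# only the list size matters for the entropy numbers (assumption: 7776 words).
SAMPLE_WORDS = ["false", "overspend", "foe", "float", "stack", "river", "candle", "orbit"]
DICEWARE_LIST_SIZE = 7776
BASE62 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def phrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of word_count words drawn uniformly at random from a list of list_size."""
    return word_count * math.log2(list_size)


def random_string_entropy_bits(length: int, alphabet_size: int = len(BASE62)) -> float:
    """Entropy of length characters drawn uniformly from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def words_for_bits(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words whose phrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with the CSPRNG (secrets, not random), as xkcdpass does."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare(phrase: str, random_string: str, sep: str = "-") -> dict:
    """Entropy of the two styles quoted in the thread, assuming both were machine-generated."""
    return {
        "phrase_bits": round(phrase_entropy_bits(len(phrase.split(sep))), 1),
        "random_bits": round(random_string_entropy_bits(len(random_string)), 1),
        "phrase_chars": len(phrase),
        "random_chars": len(random_string),
    }


if __name__ == "__main__":
    print(compare("false-overspend-foe-float-stack", "3FaqtgSr2T9pgVJRwGxauzDmn"))
    print("words for 128 bits:", words_for_bits(128))
    print("fresh phrase:", generate_passphrase(5))
```

The numbers only hold for phrases a generator picked; a phrase a human chose from memory has far less entropy than the formula credits.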
Omer Hamerman

True!
I personally use 1Password as my 2FA store which makes it a bit more secure through the gate of the single passphrase or a fingerprint. The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team out there - even the smaller ones?

Vladyslav Krylasov • Edited

The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.

I store passwords in an encrypted format on my own Git server that is only accessible through a specific IP address, which is my own VPN + DNS that really doesn't store logs, but the SSH port is still open, so I can push/pull updates from any machine, but the web interface only through VPN, and again, the SSH key is stored on a Yubikey, so an attacker needs to physically have access to my key and know the PIN. A remote attack vector I cannot imagine due to my limited knowledge of the security/crypto field, but it should be secure (I guess).

I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team out there - even the smaller ones?

I talk here more about personal security and it's not so attractive for teams, indeed, but it's really secure security versus impostor security :) 1Password/LastPass should be good options for teams.

Omer Hamerman

Got it.
Well, about secret storage for teams I usually suggest Hashicorp's Vault. My experience with it is excellent. It's open-source, secure, and really thought through in terms of features.

For personal use - good thinking... I'll consider it myself :)
Although someone a few comments above you mentioned that they as a team were getting personal Yubikeys for everyone with a Vault-specific namespace which was rotated every time an employee left...

Vladyslav Krylasov • Edited

Sounds really great. I heard of Hashicorp's Vault many times but didn't have a chance to learn it more. Will add this to my todo list, thank you.
P.S. Great article.

Omer Hamerman

Thanks mate!

Tarlan Isaev 🍓

Yeah, Vault is awesome especially when you deal with Terraform. I've just tried this practice on Digitalocean and it's pretty straightforward. digitalocean.com/community/tutoria... "You’ll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform. In the end, you’ll have an automated system for deploying Vault in place, allowing you to focus on working with Vault itself, and not on the underlying installation and provisioning process."

Cory McDonald

In my line of work, we've had sim-swapping attacks happen to a few employees. To mitigate this everyone is issued a hardware-based MFA. Everyone gets 2 YubiKeys so just in case they lose one they can restore access to their accounts.

Additionally we have 1Password and separate vaults for each team. When an employee leaves the company the support team goes and rotates all the passwords in each vault the person had access to.

Personally I've made the cursed mistake of pushing up AWS secrets to GitHub. It's recommended everyone add git-secrets to their pre-commit workflow to prevent pushing up anything resembling a secret.
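
A minimal version of what git-secrets does in the pre-commit hook mentioned above, as an added example (not the tool's code and not from the post): it scans only the lines a staged diff adds for AWS key shapes and ignores the placeholder values from the AWS documentation. The regexes, the constructed diff and the path config/prod.env are assumptions made for the example.

```python
import re
import subprocess
import sys

# Patterns in the spirit of git-secrets' --register-aws set (assumption: written for this example).
AWS_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?P<v>(?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws.{0,20}?(?:secret|key).{0,10}?(?P<v>[A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
}
# Placeholder credentials from the AWS documentation; git-secrets allows these by default too.
ALLOWED_VALUES = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

def added_lines(diff_text: str):
    """Yield (path, line) for lines the diff adds; only new content can leak a secret."""
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            yield path, line[1:]

def scan_diff(diff_text: str) -> list:
    """Return (path, pattern_name, value) for each match that is not on the allow-list."""
    findings = []
    for path, line in added_lines(diff_text):
        for name, pattern in AWS_PATTERNS.items():
            for m in pattern.finditer(line):
                if m.group("v") not in ALLOWED_VALUES:
                    findings.append((path, name, m.group("v")))
    return findings

# Constructed diff, shaped like `git diff --cached -U0` output for a staged env file.
SAMPLE_DIFF = """\
diff --git a/config/prod.env b/config/prod.env
--- a/config/prod.env
+++ b/config/prod.env
@@ -1,0 +1,3 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=AKIAZZZZZZZZZZZZZZZZ
+AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD
"""

def main() -> int:
    """Pre-commit hook entry point: a non-zero exit status blocks the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "--no-color", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, name, value in findings:
        print(f"{path}: possible {name} starting {value[:4]}...", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run scan_diff(SAMPLE_DIFF) to see the two real-looking values flagged while the documentation placeholder passes; installed as .git/hooks/pre-commit, the script rejects the commit the same way.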

Omer Hamerman

This is fantastic.
Both the security processes you guys use and the pre-commit tools by AWS I did not know.
Thanks for sharing!

Omer Hamerman

Hey,
Yes, you’re getting here into the realm of static code analysis.
I did mention simple ways of scanning code to identify leaked strings, but I consider STA to be a field of its own that requires commercial solutions.

I wasn’t aware of the style check on GitHub and would look it up.
Thanks!

Sarsa Murmu

Great article. Didn't know that using these ways a hacker can pass through security.

Omer Hamerman

Thank you Sarsa!
Certainly. Lots of times I hear about "hacks" and sophisticated methods where the truth lies somewhat in between; scans can be sophisticated and thought through, but eventually it's a way to figure out someone's password and use it to log in.
I guess the percentage of real sophistication, research and bypassing complex mechanisms is extremely low. And so when it comes to security we actually do have a lot to do to prevent the vast majority of vectors and leave very little attack surface.

Tarlan Isaev 🍓

Fantastic article, mate! Thanks for sharing :)

Omer Hamerman

Thank you 💪😁

David

This is a unique kind of post. I really like these. Well done!

Omer Hamerman • Edited

Thanks mate! Much appreciated

Matt Curcio

Comprehensive and very informative article!
Thanks