Bulletproof Shoes

Presented at LocoMocoSec 2019, April 17, 2019, 3 p.m. (45 minutes)

Version control software has come a long way, and the barrier to creating an open source project has been lowered to a point of being negligible. Experienced and inexperienced developers alike use hosted version control systems, such as GitHub, to share their code with the world. This open sharing of ideas is beneficial, but does come with occasional risks - accidentally publishing credentials or sensitive data, to name one. This issue has become so prevalent that all major hosts have documentation on the removal of sensitive data, but it has also led to the creation of numerous tools which trawl repositories for such sensitive information (which, in the malicious case, is then stolen and abused). These repository-scanning tools mean that time is of the essence. When a user accidentally publishes a credential, the damage an attacker can cause is limited only by the privilege of that credential. An AWS credential, once leaked, could allow an attacker to spin up EC2 instances for mining bitcoin. A Slack token could allow an attacker to access the information in a Slack workspace, or perform other malicious actions based on the scope of the token. Therefore, it’s important for us to stop the abuse of such tokens before they fall into the wrong hands. In this talk we will discuss our “token nuker” - the tool we use to search for accidentally published Slack tokens and revoke them before they can be abused. We will cover the history, evolution, and current state of our automation, in what we hope will serve to benefit other security teams and application developers.
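As an added illustration of the two steps the abstract describes, not the presenters' own token nuker: a small Python sketch that finds Slack-shaped tokens in a blob of published text and revokes each one through Slack's auth.revoke method (which invalidates the token that authenticates the call). The token regex, the xox[abpr]- prefixes, the request shape and the sample content are assumptions made here, not details from the talk.

```python
import json
import re
import urllib.request

# Assumed token shape (not from the talk): xoxb-/xoxp-/xoxa-/xoxr- prefix,
# then a long dash-separated alphanumeric body. Tune against real data.
SLACK_TOKEN_RE = re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}[0-9A-Za-z]\b")
REVOKE_URL = "https://slack.com/api/auth.revoke"

def find_slack_tokens(text):
    """Return every distinct token-shaped string found in repository text."""
    return sorted(set(SLACK_TOKEN_RE.findall(text)))

def mask(token):
    """Redact a token for logs and reports: prefix plus last 4 characters."""
    return token[:5] + "..." + token[-4:]

def build_revoke_request(token):
    """auth.revoke kills whichever token authenticates the call, so the
    leaked token itself goes in the Authorization header (never in a log)."""
    return urllib.request.Request(
        REVOKE_URL, data=b"", method="POST",
        headers={"Authorization": "Bearer " + token})

def revoke(token, opener=urllib.request.urlopen):
    """Send the revoke call; opener is injectable so tests can run offline."""
    with opener(build_revoke_request(token)) as resp:
        body = json.load(resp)
    return bool(body.get("ok")) and bool(body.get("revoked"))

def nuke_leaked_tokens(text, opener=urllib.request.urlopen):
    """Find and revoke every token in text; returns masked token -> revoked?"""
    outcome = {}
    for token in find_slack_tokens(text):
        try:
            outcome[mask(token)] = revoke(token, opener)
        except Exception:  # network or API failure: report it, keep scanning
            outcome[mask(token)] = False
    return outcome

# Constructed sample of "published" file content; these are not real tokens.
SAMPLE = """
SLACK_BOT_TOKEN=xoxb-123456789012-abcdefghijklmnop
user_token = "xoxp-987654321098-zyxwvutsrqponmlk"
not_a_token = xoxb-short
"""
```

With the default opener the request really goes to Slack; a failed revocation is reported as False rather than raised, so a scan over many files can finish and the failures can be retried.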

Presenters:

  • Nikki Brandt - Slack
    Nikki Brandt is a Product Security Engineer at Slack, where she currently leads the security review process and performs internal security assessments of the platform. Before joining Slack, Nikki was a senior security consultant at Matasano Security and NCC Group, and a security engineer at Eero.
  • Fikrie Yunaz - Slack
    Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications. He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle.
