Open-source Intelligence

Have you ever considered that your company's Amazon AWS access credentials might be sitting in a public GitHub repository?

Assume that your company relies on Amazon Web Services and GitHub, and that the web application server sits in a strongly fortified environment built to defend against cyber-attacks. If an attacker nevertheless obtains sensitive information through Open Source Intelligence techniques, the confidentiality, integrity and availability (CIA) of the organisation are at stake. Attacks of this kind are often not detected by any defence mechanism, because the information is gathered from public sources without ever touching the hardened infrastructure.

Open Source Intelligence

What is OSINT?

Data available on open platforms has its advantages and disadvantages. Open Source Intelligence (OSINT) is information gathered from legal, publicly accessible sources. In an attack it belongs to the reconnaissance phase: the attacker uses it to plan an exploit against an individual or an organisation. Public platforms such as social media are a major source, and seemingly unrelated pieces of information from different sources can be combined to support an OSINT-driven attack.

Whether a startup or a large organisation, many do not use OSINT to strengthen their own cyber-security defences. Sooner or later this becomes a problem, because they are unable to identify what is publicly exposed about them or to detect when it is being collected.

The areas most commonly targeted in the OSINT process follow the recent findings published by security researchers; the ones discussed below are based on such findings.

Many startups and organisations rely on third-party cloud providers such as AWS, Azure and Google Cloud Platform (GCP) for their computing needs, and on hosted source repository services such as GitHub and Bitbucket.

By default, all cloud service providers secure their own infrastructure (operational security, internet communication, storage services). The providers are not, however, responsible for inter-service access management within the customer's deployment.

Inter-Service Access Management

The service owner can use the access management features provided by the infrastructure to specify exactly which other services can communicate with it. On cloud platforms the service owner has to follow security best practice here, because this configuration is not handled by the cloud platform.

Lack of knowledge about secure access-management configuration results in publicly accessible AWS, GCP and Azure services. The most commonly exposed services are listed below.

  • S3 Buckets
  • Google Cloud Buckets
  • Firebase Realtime Databases
  • Azure Blob Storage containers
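
The misconfiguration behind most public buckets is a resource policy or ACL that grants access to an anonymous principal. As an added example that is not part of the original article, the Python below evaluates an S3 bucket policy and a bucket ACL for such grants, showing the weak policy beside its corrected form. The bucket name, account ID and role ARN are made-up placeholders, and the policy and ACL documents are constructed for the example.

```python
"""Added example: spot S3 bucket policies and ACLs that grant access to everyone.

The documents below are constructed for this example; the account ID, bucket
and role names are placeholders.
"""
import json

# The two global grantee groups that make an ACL public.
ANON_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Weak configuration: every object is world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-assets/*",
    }],
})

# Corrected configuration: only one role in the owning account may read.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-app-assets/*",
    }],
})

# Constructed get-bucket-acl style document with an AllUsers READ grant.
PUBLIC_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return (Sid, actions, has_condition) for every Allow statement open to anyone.

    A Condition (for example aws:SourceVpce or aws:SourceIp) may narrow the grant,
    so it is reported as a flag rather than silently treated as safe.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append((
            stmt.get("Sid", "<no Sid>"),
            tuple(_as_list(stmt.get("Action"))),
            bool(stmt.get("Condition")),
        ))
    return findings


def public_acl_grants(acl):
    """Return (group description, permission) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in ANON_ACL_GROUPS:
            findings.append((ANON_ACL_GROUPS[uri], grant.get("Permission")))
    return findings


if __name__ == "__main__":
    print("public policy:    ", public_statements(PUBLIC_POLICY))
    print("restricted policy:", public_statements(RESTRICTED_POLICY))
    print("public acl:       ", public_acl_grants(PUBLIC_ACL))
```

To run this against a real bucket, pass it the `Policy` string returned by `aws s3api get-bucket-policy` and the document returned by `aws s3api get-bucket-acl`. A clean policy is not the whole story: `aws s3api get-public-access-block` shows whether the Block Public Access setting would override a public grant anyway, and the same anonymous-principal check applies to `allUsers` and `allAuthenticatedUsers` members in GCS bucket IAM bindings and to the public access level of an Azure Blob container.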

Also, due to a lack of security best practice around source code repositories, developers often push sensitive credentials along with the source code to their public repositories.

Because of this, a trend has emerged of scraping sites such as GitHub for sensitive information such as passwords, access keys and database connection strings. In this way security researchers frequently find secrets belonging to a company's infrastructure: AWS access keys, admin account credentials, sensitive API keys for the company's products, SSH private keys, and so on.

Companies are adopting a DevOps culture to automate continuous integration and continuous delivery (CI/CD) in their product development life cycle, using CI services such as Travis CI, CircleCI and GitLab CI. Misconfiguration of these CI tools has exposed GitHub personal access tokens in public Travis CI build logs.
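
One check that catches both kinds of leak described in the two paragraphs above is a pattern-based secret scan run over whatever is about to become public: the contents of a commit, or a CI build log. The Python below is an added example, not code from the original article. It scans constructed sample input (an AWS credentials file using the placeholder keys from AWS's own documentation, and a made-up Travis-style build log in which a token embedded in a clone URL is echoed back) and redacts each match in its report so the scanner itself does not leak what it finds. The token formats it assumes are the AWS access key ID prefixes (AKIA/ASIA) and GitHub's `ghp_` classic personal access token prefix.

```python
"""Added example: scan text that is about to become public for credential patterns.

Sample inputs are constructed for this example. The AWS values are the
placeholder keys used in AWS's own documentation, and the GitHub token is a
made-up string in the classic "ghp_" personal-access-token format.
"""
import re

SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexamplebodynotakey
-----END RSA PRIVATE KEY-----
"""

# A token passed in a clone URL is echoed back into the build log by the shell.
SAMPLE_BUILD_LOG = """\
$ git clone https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.com/example-org/app.git
Cloning into 'app'...
$ npm test
All tests passed
"""

# Dict order is preserved, so findings on one line come out in a stable order.
PATTERNS = {
    # 20-character key ID: AKIA (long-term) or ASIA (temporary) + 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # 40-character secret, only flagged when bound to the usual variable name
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # GitHub classic personal access token: ghp_ + 36 alphanumerics
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # PEM private key header (RSA, EC, DSA, OpenSSH, or PKCS#8 with no type)
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret):
    """Keep just enough of a match to recognise it, never the whole value."""
    if len(secret) <= 12:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan(text, source):
    """Return one finding per pattern match, with line number and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Use the capture group when the pattern has one (the secret value),
                # otherwise the whole match.
                value = match.group(1) if match.groups() else match.group(0)
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "preview": redact(value),
                })
    return findings


def has_secrets(*sources):
    """True if any (text, name) pair yields a finding; usable as a pre-commit or CI gate."""
    return any(scan(text, name) for text, name in sources)


if __name__ == "__main__":
    results = scan(SAMPLE_CREDENTIALS_FILE, "~/.aws/credentials") + scan(SAMPLE_BUILD_LOG, "travis-build.log")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['preview']}")
```

Run it over the output of `git diff --cached` in a pre-commit hook, and over a build log before the log is published. For the CI case the scan is a safety net, not the fix: tokens belong in the CI service's encrypted/secret environment variables rather than in URLs or commands that the build shell echoes, `.gitignore` entries for credential files such as `.env` and `~/.aws/credentials` keep them out of commits in the first place, and any token that has appeared in a public log or public commit must be treated as compromised and revoked, since scrapers will already have collected it.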

Conclusion:

Lack of security awareness, combined with the OSINT methods described above, means that people post or publish data on the internet and fall prey to attackers.

References:

https://services.google.com/fh/files/misc/security_whitepapers_march2018.pdf
https://git-scm.com/docs/gitignore
https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/