The Secret Vulnerability Finance Execs are Missing


(Other) risks in finance

A few years ago, a Washington-based real estate developer received a document link from First American, a real estate industry financial services firm, about a deal he was working on. Everything about the documentation was perfectly fine.

The strange thing, he told reporters, was that if he changed a single digit in the URL, he would suddenly see someone else's document. Change it again, and yet another document appeared. Without any technical tools or expertise, the developer was able to reach First American's records dating back to 2003, 885 million in total, many of which contained sensitive data of the kind disclosed in real estate transactions: bank details, social security numbers, and of course names and addresses.
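The defect in that story is a document lookup that trusts the identifier in the link and never asks who is requesting it. Below is an added example (not First American's code) showing that vulnerable lookup beside a hardened one that enforces object-level authorization; the users and records are constructed for illustration.

```python
# Added example: a document lookup that trusts the id in the URL (the pattern
# behind the First American leak) beside one that checks ownership.
# The customers and records here are constructed, not real data.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int      # sequential ids: the next customer's record is one digit away
    owner: str       # the customer the closing paperwork belongs to
    contents: str


# Constructed store: two different customers' closing documents with adjacent ids.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", "alice's wire instructions and SSN"),
    1002: Document(1002, "bob", "bob's bank account details"),
}


def get_document_vulnerable(doc_id: int) -> Optional[Document]:
    """Looks the record up by id alone. The link is the only 'credential',
    so anyone who edits the number in the URL sees someone else's file."""
    return DOCS.get(doc_id)


def get_document_secure(current_user: str, doc_id: int) -> Optional[Document]:
    """Object-level authorization: the requester must own the record.
    A missing record and another customer's record both return None, so the
    response does not confirm which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != current_user:
        return None
    return doc


def readable_count(lookup: Callable[[str, int], Optional[Document]], user: str) -> int:
    """How many records in the store one user can retrieve through a handler."""
    return sum(1 for doc_id in DOCS if lookup(user, doc_id) is not None)


if __name__ == "__main__":
    # The vulnerable handler ignores who is asking; adapt its signature to compare.
    print(readable_count(lambda _user, i: get_document_vulnerable(i), "alice"))  # 2
    print(readable_count(get_document_secure, "alice"))                          # 1
```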

It was shocking that a very simple web vulnerability could expose nearly a billion records. But more serious consequences are befalling financial services companies every week. In its latest Data Breach Investigations Report, Verizon reveals that finance is the most targeted industry worldwide when it comes to basic web application attacks. And, according to Statista, these companies lose an average of about $6 million per successful breach. The IMF estimates that industry-wide losses from cyberattacks “could reach hundreds of billions of dollars annually, eroding bank profits and threatening financial stability.”

In response, management allocates millions more dollars each year to advanced defense systems such as XDR, SOCs, and AI tools. But while companies have strengthened their defenses against APTs and increasingly mature cybercriminal operations, elementary security holes like the one at FirstAm remain rampant across the industry.

There is one category of vulnerability in particular that rarely comes up in board discussions. But once you start looking, it is almost everywhere. And these kinds of errors are far easier for attackers to spot and exploit than zero-days, deepfakes, or spear phishing.

Vulnerabilities that everyone overlooks


In 2019, three researchers from North Carolina State University tested a commonly understood but little-discussed hypothesis in cybersecurity.

It is commonly said that GitHub and other source code repositories created a boom in the software industry. Talented developers around the world collaborate by contributing, taking, and combining code to build newer, better software faster than ever before. Credentials (private keys, tokens, etc.) are what make these pieces of code work together: they are the connecting joints that let one piece of software open a door into another, and they are supposed to be protected by a security veil so that attackers cannot enter the same way.

Or are they?

Between October 31, 2017 and April 20, 2018, NCSU researchers analyzed over 2 billion files from over 4 million GitHub repositories, about 13% of all files on the site. These samples contained nearly 600,000 API and cryptographic keys (secrets embedded in the source code) for everyone to see. Over 200,000 of these keys were unique, and in all they were spread across over 100,000 repositories.

Six months of data were accumulated for this study, but a few days or even hours would have been enough to make the point. The researchers highlighted how thousands of new secrets were leaked on each day of the study.

A recent study not only confirmed their data, but took it a step further. In calendar year 2021 alone, GitGuardian identified over 6 million secrets published on GitHub. That is about 3 out of every 1,000 commits.

At this point, one might wonder: if secret credentials in source code ("hard-coded" credentials) are so common, is it really that bad? It is not safe.

Risk of hard-coded credentials

Hardcoded credentials seem like a theoretical vulnerability until they are built into a real application.

Last fall, Symantec identified nearly 2,000 mobile apps exposing sensitive information. More than three-quarters leaked AWS tokens that allowed outside parties to access private cloud services, and nearly half leaked tokens that further allowed full access to "many, possibly millions," of private files.

Just to be clear, these were legitimate public applications in use around the world today. Five banking apps discovered by Symantec, for example, used the same third-party SDK for digital identity verification. Identity data is some of the most sensitive information an app possesses, but this SDK "may expose private authentication data and keys belonging to any banking and financial app that uses the SDK." It leaked cloud credentials. That was not all, as "the user's personal data (name, date of birth, etc.) was published in the cloud along with the user's biometric digital fingerprint used for authentication." In total, over 300,000 users' biometric fingerprints were exposed across the five banking apps.

If these banks survive a breach, they are lucky. A similar leak has previously spilled even larger fish.

Take Uber. You would imagine that only a highly organized and capable cyber attacker could break into a technology company of Uber's stature. But in 2022, a 17-year-old did it all on his own. After getting onto the company's internal network through some simple social engineering, he found a PowerShell script containing administrator-level credentials for Uber's privileged access management system. That was all he needed to compromise all sorts of downstream tools and services the company uses, from AWS to Google Drive, Slack, employee dashboards, and code repositories.

It might have been a more notable story were it not for the other times Uber leaked secrets to hackers: through a private repo breach in 2016, exposing the data of over 50 million customers and 7 million drivers, and through a public repo in 2014, when the personal information of 100,000 drivers was revealed along the way.

What to do

Finance is the single most targeted sector for cyber attackers worldwide. And every researcher who examines thousands of vulnerable apps and millions of vulnerable repositories finds hard-coded credentials, showing how easy it is for attackers to identify the credentials that are essential to running a modern enterprise in this industry.

But just as easily as the bad guys can do it, so can the good guys. Both AWS and GitHub do their best to monitor for compromised credentials on their platforms. Clearly, these efforts alone are not enough, which is where cybersecurity vendors step in.
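To make the monitoring concrete, here is an added example (not GitHub's, AWS's, or GitGuardian's code) of a minimal secret scanner of the kind such services run over committed source: it combines fixed-format patterns with a Shannon-entropy check on credential-looking assignments and skips template placeholders. The regexes beyond the AWS access key id format and the sample config it scans are constructed for illustration; the AWS key shown is the placeholder value from AWS's own documentation.

```python
# Added example: a small secrets scanner over constructed source lines.
# Pattern names, thresholds and the sample config are assumptions for illustration.
import math
import re
from typing import List, Tuple

# Fixed-format credentials. The AWS access key id format is public; others are
# added here as illustrative patterns, not a complete ruleset.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Generic "credential_name = 'value'" assignments; the value is judged by entropy.
ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api_key|apikey|access_key)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, plain words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(lineno: int, line: str, entropy_threshold: float = 4.0) -> List[Tuple[int, str]]:
    """Return (line number, finding type) for each suspected secret on one line."""
    findings = []
    for name, pattern in PATTERNS.items():
        if pattern.search(line):
            findings.append((lineno, name))
    for match in ASSIGNMENT.finditer(line):
        value = match.group(2)
        if "${" in value or value.startswith("<"):  # template placeholder, not a secret
            continue
        if shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, f"high_entropy_{match.group(1).lower()}"))
    return findings


def scan_source(text: str) -> List[Tuple[int, str]]:
    return [f for i, line in enumerate(text.splitlines(), 1) for f in scan_line(i, line)]


# Constructed sample config of the kind that ends up in a public repository.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "${DB_PASSWORD}"
api_token = "placeholder_password"
api_token = "q8Zp3LmN4vT7cR1bY6uW0eHd5Kj2Xf9G"
-----BEGIN RSA PRIVATE KEY-----
"""
```

Running `scan_source(SAMPLE)` flags lines 1, 4 and 5 and leaves the placeholder and the low-entropy value alone; in practice such findings go to a revocation workflow, since a secret that has been pushed should be treated as compromised.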

Learn from our experts about monitoring source code secrets.

Note – This article was written by Thomas Segura, Technical Content Writer at GitGuardian. Thomas has worked as an analyst and software engineer consultant for various large French companies.
