Everyone makes mistakes. Unfortunately, the posting of sensitive information that could be used to access your servers and applications could have damaging effects to your company, brand, and customers. GitHub allows greater collaboration and better management of developing projects, but if the process of submitting code isn’t managed well it can put your project and servers at risk.
GitHub has a very flexible search tool which allows it to search all Public source code, which as of last week included private SSH keys. If a developer inadvertently commits the private RSA key used for a project, it was publicly available via a simple GitHub search which put any Cloud server using it at risk. Although GitHub removed the code search capability for SSH keys, the data and risk is still present via Google and other search engine queries.
As described in a ThreatPost article:
The storm began [January 24th] when a Twitter user reported finding a SSH password for a major Chinese website’s production server. Soon, a number of searches for RSA keys, SSH passwords and other credentials were circulating on Twitter, which likely led to GitHub’s decision to switch off its search. The search tool enables users to look into other code repositories stored on the site; some developers apparently were sending private credentials into public files that are searchable.
A number of posts to Twitter indicated people were finding hundreds of search results for RSA keys, configuration files and other valid credentials which if compromised could enable an attacker to impersonate a user or redirect traffic to a malicious site.
To help protect your organization from a targeted attack using mistakenly posted credentials, you may want to consider leveraging a tool to reduce an attackers ability to exploit the attack vector.
Using Halo GhostPorts automatically mitigates the risk of stolen credential exploitation by preventing unauthorized (albeit valid) SSH connections from the publicly posted private SSH key. Since GhostPorts is based on multi-factor authentication it adds another secure layer of access to servers. Whether the server is accessed via SSH, RDP or any other protocol, if the underlying credential was compromised by an errant commit the server is still secured. To enable a GhostPorts session, all it takes is clicking the “Enable GhostPorts” link after logging into portal.cloudpassage.com
Mistakes happen but with servers secured with GhostPorts, they are still protected and the project owner has time to realize the mistake, remove and change the private SSH Key and possibly change the process which allowed the SSH Key to become publicly available in the first place.