GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories
http://www.indiavpn.org/2024/03/01/github-rolls-out-default-secret-scanning-push-protection-for-public-repositories/
Fri, 01 Mar 2024 07:12:32 +0000

Mar 01, 2024 | Newsroom | DevSecOps / Cybersecurity


GitHub on Thursday announced that it’s enabling secret scanning push protection by default for all pushes to public repositories.

“This means that when a supported secret is detected in any push to a public repository, you will have the option to remove the secret from your commits or, if you deem the secret safe, bypass the block,” Eric Tooley and Courtney Claessens said.

Push protection was piloted as an opt-in feature in August 2023, although it had been under testing since April 2022. It became generally available in May 2023.

The secret scanning feature is designed to identify over 200 token types and patterns from more than 180 service providers in order to prevent their fraudulent use by malicious actors.
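How a push-time secret scan of this kind works, as an added example that is not GitHub's code: the script below walks a unified diff, matches a handful of illustrative credential formats on added lines only, and blocks the push unless each finding has been explicitly bypassed. The regexes for AWS access key IDs, GitHub personal access tokens, Slack bot tokens and PEM private-key headers are assumptions about token shape, not GitHub's real rule set; the diff and the token values in it are constructed samples (the AWS key ID is the placeholder AWS uses in its own documentation).

```python
"""Push-protection style secret scan over a unified diff (added example, not GitHub's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Illustrative detectors (assumption: shapes only, a real scanner carries hundreds).
# Each regex targets the *format* of a credential, which is what lets a scan run
# at push time, before the secret ever reaches the remote.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_bot_token": re.compile(r"\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")  # "+c" is the first new-file line


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    line_no: int   # line number in the new version of the file
    secret: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Report secrets that appear on *added* lines of a unified diff.

    Removed lines are skipped: push protection cares about what a push would
    introduce, not about what the history already contains.
    """
    findings: list[Finding] = []
    path, line_no, in_hunk = "<unknown>", 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
            continue
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            in_hunk = False
            continue
        if raw.startswith("@@"):
            m = HUNK_HEADER.match(raw)
            line_no = int(m.group(1)) - 1 if m else 0
            in_hunk = True
            continue
        if not in_hunk or raw.startswith("\\"):
            continue  # file headers, index lines, "\ No newline at end of file"
        if raw.startswith("-"):
            continue  # removed line: occupies no line in the new file
        line_no += 1  # added or context line
        if raw.startswith("+"):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(raw[1:]):
                    findings.append(Finding(kind, path, line_no, m.group(0)))
    return findings


def bypass_fingerprint(f: Finding) -> str:
    """Stable identifier for one finding, recorded when a developer chooses to bypass."""
    return f"{f.kind}:{f.path}:{f.secret}"


def check_push(diff_text: str, allowlist: frozenset[str] = frozenset()) -> tuple[bool, list[Finding]]:
    """Return (allowed, blocking_findings). Blocked unless every finding was bypassed."""
    blocking = [f for f in scan_diff(diff_text) if bypass_fingerprint(f) not in allowlist]
    return (not blocking, blocking)


# Constructed sample diff; the tokens are placeholders with the right shape, not live credentials.
FAKE_AWS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder
FAKE_GITHUB_PAT = "ghp_" + "A" * 36
FAKE_OLD_PAT = "ghp_" + "B" * 36           # on a removed line: must not be reported
SAMPLE_DIFF = f"""\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-OLD_TOKEN = "{FAKE_OLD_PAT}"
+AWS_KEY = "{FAKE_AWS_KEY_ID}"
+GITHUB_TOKEN = "{FAKE_GITHUB_PAT}"
 REGION = "us-east-1"
+DEBUG = True
"""

if __name__ == "__main__":
    ok, blocking = check_push(SAMPLE_DIFF)
    print("push allowed" if ok else "push BLOCKED")
    for f in blocking:
        print(f"  {f.path}:{f.line_no}: {f.kind} (bypass id {bypass_fingerprint(f)})")
```

In a real deployment `check_push` runs from a client-side `pre-push` hook or a server-side pre-receive hook, and every bypass is stored with its fingerprint and a reason; that record is what later lets an auditor tell a deliberate false-positive override apart from a credential that was waved through.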


The development comes nearly five months after the Microsoft subsidiary expanded secret scanning to include validity checks for popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack.

It also follows the discovery of an ongoing “repo confusion” attack targeting GitHub that’s inundating the source code hosting platform with thousands of repositories containing obfuscated malware capable of stealing passwords and cryptocurrency from developer devices.


The attacks represent another wave of the same malware distribution campaign that was disclosed by Phylum and Trend Micro last year, leveraging bogus Python packages hosted on the cloned, trojanized repositories to deliver a stealer malware called BlackCap Grabber.

“Repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well,” Apiiro said in a report this week.

Why Public Links Expose Your SaaS Attack Surface
http://www.indiavpn.org/2024/01/09/why-public-links-expose-your-saas-attack-surface/
Tue, 09 Jan 2024 12:16:13 +0000

Jan 09, 2024 | The Hacker News | SaaS Security / Data Security


Collaboration is a powerful selling point for SaaS applications. Microsoft, GitHub, Miro, and others promote the collaborative nature of their software, which lets users do more.

Links to files, repositories, and boards can be shared with anyone, anywhere. That ease of sharing helps employees dispersed across regions and departments collaborate on stronger campaigns and projects.

At the same time, the openness of SaaS data platforms can be problematic. A 2023 survey by the Cloud Security Alliance and Adaptive Shield found that 58% of security incidents over the previous two years involved data leakage. Sharing is good, but data sharing must be kept in check. Most SaaS applications have mechanisms to control sharing, and when they are used these controls are effective at keeping company resources off the public web. This article looks at three common data leakage scenarios and recommends best practices for safe sharing.


Turning Proprietary Code Public

GitHub repositories have a long history of leaking data. These data leaks are usually caused by user error, where the developer accidentally exposes private repositories or an admin changes permissions to facilitate collaboration.

GitHub leaks have impacted major brands, including X (formerly Twitter), whose proprietary code for its platform and internal tools leaked onto the internet. GitHub leaks often expose sensitive secrets, including OAuth tokens, API keys, usernames and passwords, encryption keys, and security certificates.

When proprietary code and company secrets leak, it can put business continuity at risk. Securing code within GitHub repositories should be a top priority.

Surprising Risks of Publicly Accessible Calendars

On the surface, publicly shared calendars might not seem to be much of a security risk. Calendars aren’t known for sensitive data. In reality, they contain a treasure trove of information that organizations would not want falling into the hands of cybercriminals.

Calendars contain meeting invitations with videoconference links and passwords. Keeping that information open to the public could result in unwanted or malicious attendees at your meeting. Calendars also include agendas, presentations, and other sensitive materials.

The information from calendars can also be used in phishing or social engineering attacks. For example, if a threat actor with access to Alice’s calendar sees that she has a call with Bob at 3 o’clock, the threat actor can call Bob while posing as Alice’s assistant and request that Bob email some sensitive information before the meeting.

Collaborating with External Service Providers

While SaaS apps simplify working with agencies and other service providers, these collaborations often involve members who join the project for short periods of time. Unless managed, the shared documents and collaboration boards give everyone who ever worked on the project access to the materials indefinitely.

Project owners will frequently create one username for the agency or share key files with anyone who has the link. This simplifies administration and may save money on licenses. However, the project owner has ceded control over who can access and work on the materials.

Anyone within the external team not only has access to proprietary project files but often retains that access after leaving, as long as they remember the shared username and password. When resources are shared with anyone who has the link, a team member can simply forward the link to a personal email account and access the files whenever they want.

Figure 1: Users retain access to shared Google Docs even after the employee who shared the documents has left the company


Best Practices for Safe File Sharing

Sharing resources is an important aspect of business operations. SaaS Security firm Adaptive Shield recommends companies follow these best practices whenever sharing files with external users.

  • Always share files with individual users, and require some form of authentication.
  • Never share via “anyone with the link.” When possible, the admin should disable this capability.
  • When applications allow, add an expiration date to the shared file.
  • Add an expiration date to file-sharing invitations.
  • Remove share permissions from any public document that is no longer being used.

Additionally, organizations should look for a SaaS security tool that can identify publicly shared resources and flag them for remediation. This capability will help companies understand the risk they are taking with publicly shared files and direct them toward securing any files at risk.
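An inventory check of the kind recommended above, as an added example that is neither Adaptive Shield's product nor Google's code: it takes file records in the shape of Google Drive API v3 results with their `permissions` expanded, applies the best practices as rules, and returns the permission IDs to remediate. The records are constructed samples, `example.com` is an assumed company domain, and the rule set also flags domain-wide sharing to a foreign domain, which the list above does not name explicitly.

```python
"""Flag publicly or externally shared files for remediation (added example, not a vendor's tool).

Input mimics Google Drive API v3 `files.list` output with `permissions` expanded.
Fields used: permissions[].type ('user' | 'group' | 'domain' | 'anyone'), role,
emailAddress, domain, allowFileDiscovery, expirationTime. Sample data is constructed.
"""
from __future__ import annotations

from collections import Counter

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own tenant domain

# Constructed sample records; no real tenant data.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 roadmap", "permissions": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p2", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "Vendor brief", "permissions": [
        {"id": "p3", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p4", "type": "user", "role": "writer", "emailAddress": "bob@agency.example"},
        {"id": "p5", "type": "user", "role": "writer", "emailAddress": "dan@agency.example",
         "expirationTime": "2030-01-01T00:00:00Z"},
        {"id": "p6", "type": "user", "role": "commenter", "emailAddress": "carol@example.com"},
    ]},
    {"id": "f3", "name": "Internal runbook", "permissions": [
        {"id": "p7", "type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"id": "p8", "type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"id": "f4", "name": "Board deck", "permissions": [
        {"id": "p9", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "p10", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
        {"id": "p11", "type": "domain", "role": "writer", "domain": "partner.example"},
    ]},
]


def email_domain(addr: str) -> str:
    """Lower-cased domain part of an address; '' when there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_permission(perm: dict, company_domain: str) -> tuple[str, str] | None:
    """Return (issue, recommended_action) for a risky permission, else None."""
    ptype, role = perm.get("type"), perm.get("role")
    if role == "owner":
        return None
    if ptype == "anyone":                       # "anyone with the link": never acceptable
        if perm.get("allowFileDiscovery"):      # also indexed/searchable: worst case
            return ("public_and_searchable", "remove permission")
        return ("anyone_with_link", "remove permission; reshare with named users")
    if ptype == "domain":                       # whole-domain share
        if perm.get("domain", "").lower() != company_domain:
            return ("external_domain_wide", "remove permission")
        return None
    if ptype in ("user", "group"):              # named principal: fine if internal
        if email_domain(perm.get("emailAddress", "")) == company_domain:
            return None
        if "expirationTime" not in perm:        # external and open-ended
            return ("external_user_no_expiry", "set expirationTime or remove")
        return None
    return ("unknown_permission_type", "review manually")


def audit_files(files: list[dict], company_domain: str = COMPANY_DOMAIN) -> list[dict]:
    """One finding per risky permission, carrying the IDs an API call needs to fix it."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            result = audit_permission(perm, company_domain)
            if result:
                issue, action = result
                findings.append({"file_id": f["id"], "file": f["name"],
                                 "permission_id": perm["id"], "issue": issue, "action": action})
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Issue counts, the number a security team would track over time."""
    return Counter(f["issue"] for f in findings)


if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f['file']} ({f['file_id']}/{f['permission_id']}): {f['issue']} -> {f['action']}")
    print(dict(summarize(audit_files(SAMPLE_FILES))))
```

Against a live tenant the same logic runs over `files.list` output requested with `fields=files(id,name,permissions)` and feeds the flagged permission IDs to `permissions.delete` or `permissions.update` (assuming the Drive v3 API surface); keep a human review step for `external_user_no_expiry`, since the right fix there is sometimes to add an expiry rather than revoke.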
