The tale of Neho’s misplaced keys and unwanted open houses
Imagine you’re hosting a lavish party at your swanky penthouse. The who’s who of the town are there, sipping champagne and nibbling on hors d’oeuvres. The chandeliers are sparkling, the jazz music is setting the mood, and the atmosphere is buzzing with the latest gossip and laughter. It’s the kind of night that Gatsby would be proud of.
In the midst of this, you’re the gracious host, floating from one group to another, ensuring everyone’s glasses are filled and they’re having a good time. But uh oh! A sudden realization hits you like a bolt from the blue. You’ve lost the keys to your secret vault where you’ve stashed all your prized possessions. The vault that houses your rare collection of vintage watches, family heirlooms, and more!
Panic ensues. Your heart starts racing, your palms get sweaty, and your mind is running through a hundred different worst-case scenarios. You try to keep a calm facade, but inside, you’re crumbling like a pack of cards.
That was pretty much the predicament Neho, a Swiss real estate agency, found itself in earlier this year. Except, their lost ‘keys’ were not physical ones, but digital. And their vault was not in a penthouse, but on the cloud. The ‘party’ was their daily operations, and the ‘guests’ were their users. The ‘prized possessions’ were their and their clients’ sensitive data. And the panic? That was quite real and palpable.
The uninvited guests and the party foul
Neho helps almost 120,000 property hunters with their woes every month. But a teeny tiny misconfiguration on their site left their doors wide open for cybercriminals to waltz right in. The cybercriminals crashed the party, found the open bar and the secret recipe to Neho’s famous cocktail, and spiked the punch.
But to be fair, the recipe was practically lying on the counter. Nonetheless, all their secrets (a mix of database information, email IDs, AWS credentials, API keys, and digital marketing credentials for Facebook, Google, and Twilio) were up for grabs.
The morning after
The hangover from this breach was a doozy. The leaked keys sat in a .env file discovered by the research team at Cybernews, and they could potentially allow cybercriminals to sign malware as Neho-related software and bypass security measures. With the SMTP credentials for Postmark, an email-sending service, a malicious actor could use the company’s official email address to run phishing campaigns. The researchers also stumbled upon the host, username, and password for Mailgun’s email service, which leads to the same result.
The leaked data also reveals that Neho uses Aircall and, as mentioned earlier, Twilio, both communication tools for making and receiving phone calls and text messages. With those credentials exposed, the back door of their candy store is left open to vishing and DDoS attacks.
Neho is playing it cool like a jazz musician improvising a wrong note into a new melody. They say they got rid of the exposed environment file immediately and also like to stress that they rotated their keys often and that the file was “for the most part holding obsolete data alongside inactive services that we don’t use anymore”. Slow claps.
Learn from Neho (and manage your secrets better)
Secrets such as API keys, access tokens, and SSH keys are the basis of role-based access control (RBAC) in modern cloud-native and hybrid environments, and this makes them the backbone of every security posture an individual or an organization chooses to implement.
Source: Self-designed (Canva)
‘Managing secrets’ is a multi-step and ever-evolving process:
- Storing secrets – Modern secrets stores or vaults store the secrets in their database and rely on strong encryption and access control to safeguard the secrets.
However, this alone isn’t enough, because people copy and paste these secrets wherever and whenever they need them. The individuals who create the secrets and the ones who use them are thus the reason secrets become susceptible to exposure in the first place.
- Rotating secrets – Rotating secrets simply means periodically replacing them, yet it is just as important as storing them securely in the first place (mainly to limit the chance that a brute-forcing attempt succeeds in unlocking them).
- Controlling access to the secrets – A challenge everyone involved in secrets management runs into is letting users find the secrets for exactly the resources they are allowed to access. Keeping track of who may access which secret is harder than it looks, and keeping that record itself secure adds further complexity.
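As an added, defender-side illustration of the discovery and rotation steps described above (example code written for this article, not Neho’s or Entro’s), the Python script below parses a constructed .env file of the kind exposed in the Neho incident, flags the entries that look like credentials (AWS keys, Postmark and Mailgun email credentials, Twilio tokens, database passwords) with a severity, redacts their values, and checks each one against a constructed rotation ledger to report which secrets are stale or have no recorded rotation at all. Every key name, value, date and the 90-day threshold is an assumption made for the example.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample .env; every value is a made-up placeholder, not a real credential.
SAMPLE_ENV = """\
# database
DB_HOST=db.internal.example
DB_PASSWORD="s3cret-placeholder"
# cloud
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=placeholder/secret/value/not/real
# messaging
POSTMARK_SMTP_TOKEN=postmark-placeholder-token
MAILGUN_API_KEY=key-placeholder
TWILIO_AUTH_TOKEN=twilio-placeholder
# harmless configuration
APP_NAME=example-app
"""

# Constructed rotation ledger (hypothetical): when each secret was last rotated.
# A secret missing from the ledger has no recorded rotation at all.
ROTATED_ON = {
    "DB_PASSWORD": date(2023, 1, 10),
    "AWS_ACCESS_KEY_ID": date(2022, 6, 1),
    "AWS_SECRET_ACCESS_KEY": date(2022, 6, 1),
    "TWILIO_AUTH_TOKEN": date(2023, 5, 20),
}
TODAY = date(2023, 6, 1)  # fixed "now" so the example is deterministic
MAX_AGE_DAYS = 90         # assumed rotation policy

# Detection rules, checked in order: (category, severity, key-name regex, value regex).
RULES = [
    ("aws", "critical", re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)$"), None),
    ("aws", "critical", None, re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")),  # key-ID shape
    ("email", "high", re.compile(r"POSTMARK|MAILGUN|SMTP", re.I), None),
    ("telephony", "high", re.compile(r"TWILIO|AIRCALL", re.I), None),
    ("database", "high", re.compile(r"^(DB|DATABASE|POSTGRES|REDIS)_.*(PASSWORD|URL)$", re.I), None),
    ("generic", "medium", re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY|AUTH", re.I), None),
]

@dataclass
class Finding:
    key: str
    category: str
    severity: str
    rotation: str  # "fresh", "stale" or "unknown"
    redacted: str  # value with all but a short prefix masked

def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines: skip blanks and comments,
    accept an 'export ' prefix, strip matching surrounding quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def classify(key, value):
    """Return (category, severity) for a credential-looking entry, else None."""
    for category, severity, key_re, value_re in RULES:
        if key_re is not None and key_re.search(key):
            return category, severity
        if value_re is not None and value_re.fullmatch(value):
            return category, severity
    return None

def rotation_status(key, rotated_on, today, max_age_days):
    """Compare the ledger entry with the policy; no entry means 'unknown'."""
    last = rotated_on.get(key)
    if last is None:
        return "unknown"
    return "stale" if today - last > timedelta(days=max_age_days) else "fresh"

def scan_env(text, rotated_on=ROTATED_ON, today=TODAY, max_age_days=MAX_AGE_DAYS):
    """Report every credential-looking variable in a .env file with its rotation status."""
    findings = []
    for key, value in parse_env(text).items():
        hit = classify(key, value)
        if hit is None:
            continue
        category, severity = hit
        status = rotation_status(key, rotated_on, today, max_age_days)
        # keep only a 4-character prefix so the report never reproduces the secret
        findings.append(Finding(key, category, severity, status, value[:4] + "****"))
    return findings

if __name__ == "__main__":
    for f in scan_env(SAMPLE_ENV):
        print(f"{f.severity:8} {f.category:10} {f.rotation:8} {f.key}={f.redacted}")
```

Run as-is, the script lists six findings: the AWS pair and the database password come back as stale, the Twilio token as fresh, and the Postmark and Mailgun credentials as unknown, which is exactly the gap a rotation ledger is meant to surface. The report deliberately prints only a redacted prefix, since a secrets inventory that reproduces the secrets it found would itself be a .env file waiting to leak.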
How can Entro help?
Entro is the world’s first holistic cybersecurity platform that offers a one-of-a-kind secrets security service for organizations with a cloud-native stack that enables you to monitor and manage all secrets in your organization throughout their lifetimes. Entro implements proactive measures to secure your secrets, such as real-time discovery, monitoring, anomaly detection, and access control. It ensures that authentication and authorization of access to various cloud resources and services are done securely to maintain a robust security posture.
Entro’s approach to secrets management includes mechanisms for detecting, safeguarding, and enriching secrets with context across all channels, including vaults, source code, chat, wikis, logs, and third-party vendor tools. But it doesn’t end there. Here’s what it really brings to the table:
- Discovery of all secrets
Entro helps you discover all your secrets, from the ones stored in vaults, secret stores, and collaboration tools (Jira, Confluence, and services from Neho’s arsenal like Twilio, Aircall, and Mailgun) to CI/CD pipelines and beyond. The security team will know how many secret keys they have and where they are.
- Secret enrichment
On their own, secrets are just long strings, so Entro enriches them with metadata such as the owner, creation date, creator, when the secret was last rotated, the cloud service it belongs to, its privileges, and more.
- Anomaly detection and continuous monitoring
Entro continuously monitors the secrets for misuse or abuse using ML-based advanced analytics and context-aware insights for real-time threat detection.
- Misconfiguration Alerts
Entro’s platform notifies the stakeholders of any misconfiguration around the vaults, secrets stores, or secrets that can save you from repeating history.
- Principle of Least Privilege
Entro can detect if excess privileges are assigned to a secret. The platform can also be used for mitigation steps to decrease the attack surface by reducing the levels of permission.
- Bring your own Vault
Many vaults let organizations store their secrets in whatever way suits them, so Entro lets Dev teams plug whichever vault (HashiCorp Vault, AWS Secrets Manager, etc.) or secrets store (K8s Secrets, GitHub Secrets, etc.) they already use directly into the platform.
Boiling it down, Entro is your trusted party planner in the digital space. There was pure chaos at Neho’s party when they lost their keys to the vault. That’s a party disaster you don’t want to experience. The exposed .env file, which contained PostgreSQL and Redis database credentials, is like leaving your vault keys on the bar counter. Entro ensures that your keys are always secure and in the right hands. It provides end-to-end coverage for secrets, including full context, so you always know who has access to your vault. With it, you can host your digital party with confidence, knowing that your secrets are safe and secure. So, let’s keep the party going and avoid a Neho-like disaster with Entro.
The Neho incident is a sobering reminder of the importance of managing digital secrets. It is evident that managing secrets and ensuring they have the right access control are both critical to a secure environment. So, stop keeping your house keys under the doormat and call Entro when you’re finally ready to up the stakes and reclaim control over your secrets.