Post Quantum Cryptography | When your .env is exposed on the cloud
#153 - NIST releases 3 post quantum cryptography algorithms | Secrets stored in environment variable files lead to AWS breach
Quantum computers are not exactly around the corner…
… but there is no harm in planning for a post quantum world
The concept of quantum computers is a little woozy. While traditional computers rely on the presence or absence of an electrical signal to set the bits to 0 and 1, quantum computers are a little different. The ‘qubits’, as they are called, can exist in both states at the same time.
To cut a long story short (and allowing for my limited understanding of all things quantum), these newfangled quantum computers have phenomenal processing power. This processing power can brute force traditional cryptographic algorithms in seconds.
So, it’s time for post quantum cryptography algorithms that would be tougher for quantum computers to break. NIST released four new algorithms:
Module-lattice-based cryptography rests on a mathematical problem called the ‘Shortest Vector Problem’: the difficulty of finding the shortest non-zero vector in a huge multi-dimensional lattice.
Take Action:
Unless you are actively involved in quantum computers or quantum cryptography, this development is just for your knowledge. The quantum world is fascinating and should interest techies quite a bit.
Dot Env Files on AWS
Yet another way to expose your secrets on the cloud
Another day, another dollar.
A massive attack on AWS targets 230 million unique cloud accounts with exposed .env files.
Software programmers are now taught not to hard code secrets - passwords, tokens, access keys - into their code. So, how do they make sure that they have access to these secrets when they need them? They create a hidden file that stores environment variables, the .env (read: dot e-n-v) file. This file holds all the secrets, each paired with a variable name. For example:
AWS_KEY = ADFsdfsdfo8sdg9898d
PASSWORD = top_Secret_password
This file is never supposed to be stored on any public platform; it is only read at runtime, when its contents become the ‘environment variables’ of the running program.
However, time and again, software developers mistakenly commit and push the .env file along with all the other source files and end up in a soup.
Take Action:
There are quite a few things that you can do here as security professionals. The simplest is secret scanning, to ensure that you do not inadvertently git push your .env.
Another mechanism is to use attack surface scanning tools to scan your public-facing surface regularly.
Then there are secure coding techniques such as one-time-use keys, temporary time-bound access tokens, and so on.
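As an added example that is not part of the original post, here is a minimal scanner in the spirit of the secret-scanning advice above: it parses .env files in the KEY=value format shown earlier, flags credential-like variables and AWS access key IDs, and checks whether .gitignore excludes .env. The sample .env, the .gitignore text and the key values are constructed (AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS documentation).

```python
# Added example, not the post's own code: a pre-commit style scanner for .env
# files in the KEY=value format shown above. Sample data below is constructed.
import re
# Variable names that usually hold credentials.
SENSITIVE_NAME = re.compile(r"KEY|SECRET|PASSWORD|PASSWD|TOKEN|CREDENTIAL", re.I)
# AWS access key IDs: AKIA (long-term) or ASIA (temporary STS) plus 16 characters.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Obvious stand-ins left in a committed template are not findings.
PLACEHOLDER = re.compile(r"^(|changeme|x{3,}|<.*>|\$\{.*\})$", re.I)


def parse_dotenv(text):
    """Yield (line, name, value); tolerates spaces around '=', quotes, comments."""
    for lineno, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        yield lineno, name.strip(), value.strip().strip("'\"")


def scan_dotenv(text):
    """Return (line, variable, reason) for each value that looks like a live secret."""
    findings = []
    for lineno, name, value in parse_dotenv(text):
        if PLACEHOLDER.match(value):
            continue
        if AWS_ACCESS_KEY_ID.search(value):
            findings.append((lineno, name, "AWS access key ID"))
        elif SENSITIVE_NAME.search(name):
            findings.append((lineno, name, "credential-like variable with a real value"))
    return findings


def dotenv_is_ignored(gitignore_text):
    """True if .gitignore carries a pattern that keeps .env out of commits."""
    patterns = {p.strip() for p in gitignore_text.splitlines()}
    return bool(patterns & {".env", "/.env", ".env*", "*.env"})


# Constructed sample files modelled on the post's example (fake values).
SAMPLE_ENV = """\
APP_ENV=production
AWS_KEY = ADFsdfsdfo8sdg9898d
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
PASSWORD = top_Secret_password
DB_PASSWORD=changeme
"""
SAMPLE_GITIGNORE = "node_modules/\n*.log\n"

if __name__ == "__main__":
    print(*scan_dotenv(SAMPLE_ENV), sep="\n")
    print("gitignore covers .env:", dotenv_is_ignored(SAMPLE_GITIGNORE))
```

Wired into a pre-commit hook, a non-empty result from scan_dotenv or a False from dotenv_is_ignored is the signal to refuse the commit.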
It’s something that I have covered in CyberInsights often. Last week’s post had an article on unique ways of secret scanning:
Oh, and by the way, the World Economic Forum’s report on the top 10 emerging technologies of 2024 is out. Guess what is on top? AI, of course, but it is AI for scientific development. What’s more interesting is what is at number 2: privacy enhancing technologies, or PETs. Read the report for more details.