11 Replies - 391 Views - Last Post: 22 February 2019 - 10:00 AM

#1 sheshach

Why would a security researcher keep track of GitHub repos?

Posted 18 February 2019 - 04:12 AM

I have a little GitHub repo set up for version control reasons, not really for distribution, but I didn't mind if someone came along to take a look. I tagged it as "security" since it's a password manager, and recently was just playing around on GitHub where I found the area it shows me how many people have viewed the repo.

Surprisingly, there was a referrer from Twitter. I thought maybe it was someone mocking how badly written my program was or something, but it seemed to be just some kind of aggregator. It links to a security-related GitHub repo, along with some general statistics, and that's that. https://twitter.com/InfoSec_Pom

What's the point of this? I'm not really familiar with the InfoSec world, so I'm not quite sure why this would be useful. Just to keep up with the bleeding edge better? Is he going back to these and taking a look at them? Seems like there would be far too many to really digest what's going on.

Anyway I was just curious and couldn't really think of a better place to ask.


Replies To: Why would a security researcher keep track of GitHub repos?

#2 modi123_1

Re: Why would a security researcher keep track of GitHub repos?

Posted 18 February 2019 - 08:04 AM

It's probably just a bot scraping new genre-specific repos and posting links.

.. or, you know, ask the twitter account.

#3 sheshach

Re: Why would a security researcher keep track of GitHub repos?

Posted 19 February 2019 - 02:08 PM

But what's the point of doing that? I know there's probably not a clear answer, just wondering.

I'd rather not create a Twitter account.

#4 modi123_1

Re: Why would a security researcher keep track of GitHub repos?

Posted 19 February 2019 - 02:14 PM

What's the point of what?

Asking the twitter account owner? Simply put you would get the information straight from the horse's mouth.

A bot scraping content and reposting? Makes having genuine content less time consuming.

#5 sheshach

Re: Why would a security researcher keep track of GitHub repos?

Posted 19 February 2019 - 02:51 PM

modi123_1, on 19 February 2019 - 02:14 PM, said:

A bot scraping content and reposting? Makes having genuine content less time consuming.

Well, less interesting than I imagined if it is just content generation.

It just seems like a lot of work for something that doesn't seem to have much point. I wouldn't have thought about it as just content generation, because that doesn't really seem like content anyone would want to go out of their way to see. Or at least, that they couldn't see by going to GitHub and using a search filter.

My initial thought was that it was just something someone put together to practice web scraping, but thought maybe I was just missing the point. That made me think that it could be more useful, at least from a security researcher's perspective, if it were finding repositories that were recently updated in order to aggregate a list of previously-vulnerable software.

#6 modi123_1

Re: Why would a security researcher keep track of GitHub repos?

Posted 19 February 2019 - 02:57 PM

I doubt they actually looked at your content.. it pulled the latest from the GitHub API, and shoved it off.

Again - all supposition when you have the opportunity to ask the account owner themselves.

#7 Martyr2

Re: Why would a security researcher keep track of GitHub repos?

Posted 19 February 2019 - 03:51 PM

Tons of reasons why security researchers keep track of GitHub repos...

1) They scrape looking for accidentally posted credentials (I recently saw somewhere a post talking about the percentage of repos that have passwords in the wild)
2) More likely reason is they are gathering statistics...
a) What languages are used and how much of the project is a given language?
b) How often is it posted to, how active is it
c) How much code is changed on a commit and by who

People should realize that if you post your code to github or any public repository that it is going to not only be seen but scraped, analyzed, summarized etc into tons of statistical reports etc. There is a lot of security research going into what is being posted on repositories like github. I think most of it is positive and helps the community because they take their stats and show the community what to do to code and take care of their code better.

But these are just some of the reasons. There are a ton of reasons people do these things. :)

#8 Skydiver

Re: Why would a security researcher keep track of GitHub repos?

Posted 19 February 2019 - 05:33 PM

And they could be looking at what other projects/libs you are dependent on. Your code may not have vulnerabilities, but the projects/libs that you depend on may be vulnerable. Those can be leveraged against your code. Also, if there are vulnerabilities in your code and somebody else depends on your code, or forks your code, then you pass on your vulnerabilities to them.

When we submit our code for Veracode scanning, the scan not only scans our code, but also gives us an analysis of the various libraries that we use. In the past we could pass it off as "not our code, not our problem", but now IT security is putting more pressure on us to either use a version of the library that doesn't have the vulnerability; fork the library and remediate the vulnerability; or add wrappers in our code to wrap the library calls to remediate the vulnerability. Gone are the days of us being able to just say "we opened a bug report/support ticket with the library owner".
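As an added example, not code from this thread or from any scanner the posters mention, here is the kind of dependency check Skydiver describes, in Python: pinned requirements are compared against an advisory list, and each affected pin gets one of the remediations named above (upgrade, or fork/patch/wrap when no fixed release exists). The package names and advisory identifiers are hypothetical and constructed for the example; a real check would pull advisories from a vulnerability database rather than a hand-written dict.

```python
"""Added example (not from the thread): audit exact pins in a requirements file
against an advisory list.  Package names and advisory IDs are hypothetical."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]
NO_FIX = "no fixed release: fork and patch, or wrap the calls"


class Advisory(NamedTuple):
    advisory_id: str
    introduced: Version        # first affected release (inclusive)
    fixed: Optional[Version]   # first fixed release (exclusive); None = no fix yet


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2).  Trailing zeros are dropped so that 2.0 and 2.0.0 compare
    equal as tuples.  Pre-releases, epochs and the like need a real PEP 440 parser."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.-]*)$")


def parse_requirements(text: str) -> Dict[str, Version]:
    """Only exact '==' pins are accepted: a range or a bare name says nothing about
    what actually gets installed, so the audit refuses it rather than guessing."""
    pins: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN.match(line)
        if not match:
            raise ValueError(f"not an exact pin: {line!r}")
        pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins


def is_affected(version: Version, adv: Advisory) -> bool:
    if version < adv.introduced:
        return False
    return adv.fixed is None or version < adv.fixed


def audit(pins: Dict[str, Version],
          advisories: Dict[str, List[Advisory]]) -> List[Tuple[str, str, str]]:
    """Return (package, advisory_id, remediation) for every affected pin."""
    findings = []
    for name, version in sorted(pins.items()):
        for adv in advisories.get(name, []):
            if is_affected(version, adv):
                fix = "upgrade to " + ".".join(map(str, adv.fixed)) if adv.fixed else NO_FIX
                findings.append((name, adv.advisory_id, fix))
    return findings


# Constructed sample input: hypothetical packages and advisory identifiers.
SAMPLE_REQUIREMENTS = """\
# pinned by the build
examplelib==1.4.2
SafeLib==3.0.0
oldparser==0.9.1
"""
SAMPLE_ADVISORIES = {
    "examplelib": [Advisory("ADV-2019-0001", parse_version("1.0"), parse_version("1.5.0"))],
    "safelib": [Advisory("ADV-2019-0002", parse_version("2.0"), parse_version("2.8"))],
    "oldparser": [Advisory("ADV-2019-0003", parse_version("0.9"), None)],
}

if __name__ == "__main__":
    for pkg, adv_id, fix in audit(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES):
        print(f"{pkg}: {adv_id}: {fix}")
```

Refusing anything but an exact pin is deliberate: a range like `>=2.0` tells the audit nothing about what the build actually installs. Version handling is kept to numeric tuples on purpose; for a real project use a PEP 440 parser such as `packaging.version` so pre-releases and post-releases order correctly.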

#9 Skydiver

Re: Why would a security researcher keep track of GitHub repos?

Posted 20 February 2019 - 09:17 AM

sheshach, on 18 February 2019 - 06:12 AM, said:

... I tagged it as "security" since it's a password manager, ...

... It links to a security-related GitHub repo, ...

On a related note, this article was just published on the Washington Post:

Password managers have a security flaw. But you should still use one.

#10 astonecipher

Re: Why would a security researcher keep track of GitHub repos?

Posted 20 February 2019 - 09:20 AM

Martyr2, on 19 February 2019 - 04:51 PM, said:

Tons of reasons why security researchers keep track of GitHub repos...

1) They scrape looking for accidentally posted credentials (I recently saw somewhere a post talking about the percentage of repos that have passwords in the wild)


Previous company did have a contractor push a credential file to a repo once. Took two weeks to find out that it had happened and then a frantic two days to change a few hundred credentials afterwards.
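The credential scraping Martyr2 lists in #7 and the two-week gap astonecipher describes in #10 come down to the same check: look at what is in the tree, or about to be committed, before someone else's bot does. Here is an added Python example of such a scanner; it is not code from the thread, from the Twitter account, or from any named tool. It applies a few fixed patterns plus a Shannon-entropy test to file contents, and to the added lines of a unified diff so the same logic can run from a pre-commit hook over `git diff --cached`. The sample files and diff are constructed; the AWS values in them are the placeholder credentials from the AWS documentation, not live keys, and the rule names are the example's own.

```python
"""Added example (not from the thread): scan file contents, and the added lines of a
unified diff, for leaked credentials.  Rule set is a starting point, not a complete one."""
import math
import re
from collections import Counter
from typing import Dict, Iterator, List, NamedTuple, Tuple

Finding = NamedTuple("Finding", [("path", str), ("line", int), ("rule", str), ("snippet", str)])

# Fixed-format rules: AWS access key IDs carry a well-known prefix, PEM private keys
# announce themselves, and a quoted value assigned to a password-like name is the
# classic config leak.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("password_assignment",
     re.compile(r"(?i)(password|passwd|secret)\w*\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]
# Entropy rule for opaque tokens with no fixed prefix (API secrets, signing keys).
# Hex digests cannot exceed 4.0 bits/char, so they stay below the threshold, while
# random base64 material sits well above it.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_line(line: str) -> List[str]:
    hits = [name for name, rx in RULES if rx.search(line)]
    if any(shannon_entropy(t) > ENTROPY_THRESHOLD for t in TOKEN.findall(line)):
        hits.append("high_entropy_token")
    return hits

def scan_text(path: str, text: str) -> List[Finding]:
    return [Finding(path, n, rule, line.strip()[:60])
            for n, line in enumerate(text.splitlines(), 1)
            for rule in scan_line(line)]

def scan_tree(tree: Dict[str, str]) -> List[Finding]:
    """tree maps path -> content; in real use, read the files 'git ls-files' reports."""
    return [f for path in sorted(tree) for f in scan_text(path, tree[path])]

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new-file line number, content) for each '+' line of a unified diff
    such as 'git diff --cached', so a pre-commit hook scans only what is about to land."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = HUNK.match(raw)
            lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+") and path is not None:
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1      # context advances the new-file counter; '-' lines do not

def scan_diff(diff_text: str) -> List[Finding]:
    return [Finding(path, n, rule, line.strip()[:60])
            for path, n, line in added_lines(diff_text)
            for rule in scan_line(line)]

# Constructed sample inputs.  The AWS values are the placeholder credentials from the
# AWS documentation, not live keys.
SAMPLE_TREE = {
    "app/util.py": 'def connect(host):\n    logging.info("connecting to %s", host)\n',
    "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\n'
                          'checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"\n',
    "deploy/.aws/credentials": "[default]\n"
                               "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                               "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
}
SAMPLE_DIFF = """\
diff --git a/deploy/.aws/credentials b/deploy/.aws/credentials
new file mode 100644
--- /dev/null
+++ b/deploy/.aws/credentials
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE) + scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
```

Two design points worth noting. The entropy threshold is set so a hex digest (at most 4 bits per character) never fires while a random base64 secret does; on a real code base expect to tune it and to add an allow-list for test fixtures. And scanning the staged diff rather than the working tree is what turns this into a pre-commit check: it catches the credential file at the moment it is added, which is the gap in astonecipher's story.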

#11 sheshach

Re: Why would a security researcher keep track of GitHub repos?

Posted 21 February 2019 - 07:32 PM

Skydiver, on 20 February 2019 - 09:17 AM, said:

sheshach, on 18 February 2019 - 06:12 AM, said:

... I tagged it as "security" since it's a password manager, ...

... It links to a security-related GitHub repo, ...

On a related note, this article was just published on the Washington Post:

Password managers have a security flaw. But you should still use one.

What a weird coincidence, I was just adding memory locking to the password manager I made, reasoning, "No professional app would not lock their memory." I wonder if these issues are on Windows 10 only? If I remember right, I think Linux uses some kind of thing called ASLR that makes the memory addresses a program is given pretty random. Makes me wonder how they actually write those applications to snoop on the memory.

It does seem like it's a little bit of an overstated problem too considering how compromised your system would have to be for someone to snoop through your memory in the first place. My main interest in memory locking was to prevent swapping to disk.

Anyway, back on topic in regards to all these ideas.... I wouldn't have thought of the login credentials. I was thinking more along some of the other lines. I wonder if there are bots that can source the page source and look for login credentials automatically, or if it has to be mostly human intervention.
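On the memory-locking point, here is an added Python example, not the poster's password manager and not code from any project named in the thread, of holding a secret in a buffer the OS is asked to keep out of swap (mlock on POSIX, VirtualLock on Windows) and wiping it explicitly when done. It calls the system functions through ctypes; the class and helper names are the example's own. Two caveats the code comments repeat: locking only affects swap, so a debugger or a process with ptrace rights over yours reads the secret regardless of ASLR, and Python's own str/bytes objects are immutable and freely copied by the interpreter, so the secret has to live in the C buffer and nowhere else.

```python
"""Added example (not from the thread): keep a secret in a buffer that is locked
against swapping and wiped on release.  Class and helper names are the example's own."""
import ctypes
import hmac
import os


def _lock_pages(address: int, size: int, lock: bool) -> bool:
    """mlock/munlock (POSIX) or VirtualLock/VirtualUnlock (Windows) on a byte range.
    Returns True on success.  Locking keeps the pages out of swap; it does not stop a
    debugger or another process with rights over this one from reading them."""
    if os.name == "nt":
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        fn = k32.VirtualLock if lock else k32.VirtualUnlock
        fn.argtypes, fn.restype = [ctypes.c_void_p, ctypes.c_size_t], ctypes.c_int
        return fn(address, size) != 0
    libc = ctypes.CDLL(None, use_errno=True)      # main program's namespace includes libc
    fn = libc.mlock if lock else libc.munlock
    fn.argtypes, fn.restype = [ctypes.c_void_p, ctypes.c_size_t], ctypes.c_int
    return fn(address, size) == 0


def _last_os_error() -> int:
    return ctypes.get_last_error() if os.name == "nt" else ctypes.get_errno()


def disable_core_dumps() -> bool:
    """Locked pages still land in a core file; set RLIMIT_CORE to 0 so a crash does
    not write the secret to disk.  Returns False where the API is unavailable."""
    try:
        import resource
        resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
        return True
    except (ImportError, ValueError, OSError):
        return False


class LockedSecret:
    """Fixed-capacity mutable buffer for key material.  Python str/bytes are immutable
    and copied freely by the interpreter, so the secret lives only in this C array."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._buf = (ctypes.c_ubyte * capacity)()     # zero-filled, fixed address
        self._addr = ctypes.addressof(self._buf)
        self._len = 0
        self.locked = _lock_pages(self._addr, capacity, lock=True)
        self.lock_errno = 0 if self.locked else _last_os_error()   # e.g. RLIMIT_MEMLOCK too low

    def load(self, data: bytes) -> None:
        if len(data) > self.capacity:
            raise ValueError("secret exceeds buffer capacity")
        ctypes.memmove(self._addr, data, len(data))
        self._len = len(data)

    def equals(self, candidate: bytes) -> bool:
        """Constant-time compare through a memoryview, without copying the secret out."""
        return hmac.compare_digest(memoryview(self._buf)[:self._len], candidate)

    def wipe(self) -> None:
        """Overwrite the whole buffer, not just the used prefix, then forget the length."""
        ctypes.memset(self._addr, 0, self.capacity)
        self._len = 0

    def is_wiped(self) -> bool:
        return not any(self._buf)

    def close(self) -> None:
        self.wipe()
        if self.locked:
            _lock_pages(self._addr, self.capacity, lock=False)
            self.locked = False

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()


if __name__ == "__main__":
    disable_core_dumps()
    with LockedSecret(64) as secret:
        secret.load(b"correct horse battery staple")     # constructed sample secret
        print("locked:", secret.locked, "errno:", secret.lock_errno)
        print("match:", secret.equals(b"correct horse battery staple"))
    print("wiped on exit:", secret.is_wiped())
```

A failed lock is reported rather than treated as fatal, because the usual cause is a low RLIMIT_MEMLOCK, and the buffer is still the right place to keep the secret even when it is not pinned. The `equals` method is the only read path on purpose: returning the secret as a `bytes` object would hand the interpreter a copy that nothing here can wipe.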

#12 Skydiver

Re: Why would a security researcher keep track of GitHub repos?

Posted 22 February 2019 - 10:00 AM

I believe that Windows XP SP2 and higher also started randomizing loading addresses for processes to help cut down on predictable memory addresses for processes and/or DLLs. You could still override the randomization to force a load address.

As a quick aside, I believe the readme for Git for Windows has something regarding this -- if you decide to hand install Git instead of using the setup program, you need to run some special batch file for Bash to work correctly because Bash or one of the tools expects to load at a particular address.
