@CloudExpo Authors: Pat Romanski, Zakia Bouachraoui, Elizabeth White, Yeshim Deniz, William Schmarzo

Related Topics: @CloudExpo, Linux Containers, Open Source Cloud, Agile Computing, Cloud Security, @DXWorldExpo, @ThingsExpo

@CloudExpo: Article

Gitrob on the Network | @ThingsExpo #BigData #IoT #M2M #Security

Gitrob scans the github repositories & matches filenames against a range of patterns for files containing sensitive information

Gitrob on the Network

Developers generally like to share their code, and many of them do so by open sourcing it on GitHub, a social code hosting and collaboration service. Many companies also use GitHub as a convenient place to host both private and public code repositories by creating GitHub organizations where employees can be joined.  Sometimes Employee might publish things that might be sensitive in nature and these things might lead to compromise of a system.

Gitrob is a tool that Michael Henriksen developed that scans the github repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.

The first thing the tool does is to collect all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.

When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files.  This step might take a while if the organization is big or if the members have a lot of public repositories.

All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.

Okay we are going to start with installing Postgresql database on a default Kali linux.

# apt-get install postgresql-server-dev-9.1

# apt-get install ruby1.9.1-dev

# service postgresql start

# su postgres

$ createuser -s gitrob --pwprompt

Enter password for new role:

Enter it again.

$ createdb -O gitrob gitrob


# svn co https://github.com/michenriksen/gitrob

# cd gitrob/trunk

# gem install bundler

# gem install gitrob

log into your github account and grab the API key.  https://github.com/

# gitrob --configure

agree with the terms (y, n)

Enter Postgresql hostname: [localhost]

Enter Postgresql port: [5432]

Enter Postgresql username: gitrob

Enter Postgresql password for gitrob (masked): xxxxxx

Enter GitHub access tokens (blank line to stop): <this is the API key from your github account>

<enter again>

Now its installed and ready to go.

# gitrob -h

# gitrob -o apigee


Figure 1

Some findings that we have found with ruby and potential cryptographic keys.

Figure 2

Figure 3

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

CloudEXPO Stories
Organizations planning enterprise data center consolidation and modernization projects are faced with a challenging, costly reality. Requirements to deploy modern, cloud-native applications simultaneously with traditional client/server applications are almost impossible to achieve with hardware-centric enterprise infrastructure. Compute and network infrastructure are fast moving down a software-defined path, but storage has been a laggard. Until now.
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools have cloud orchestration plugins that can be leveraged, but there are also cloud-native tools that can dramatically improve the efficiency of managing your application lifecycle. In his session at 18th Cloud Expo, Alex Lovell-Troy, Director of Solutions Engineering at Pythian, presented a roadmap that can be leveraged by any organization to plan, analyze, evaluate, and execute on moving from configuration management tools to cloud orchestration tools. He also addressed the three major cloud vendors as well as some tools that will work with any cloud.
Extreme Computing is the ability to leverage highly performant infrastructure and software to accelerate Big Data, machine learning, HPC, and Enterprise applications. High IOPS Storage, low-latency networks, in-memory databases, GPUs and other parallel accelerators are being used to achieve faster results and help businesses make better decisions. In his session at 18th Cloud Expo, Michael O'Neill, Strategic Business Development at NVIDIA, focused on some of the unique ways extreme computing is being used on IBM Cloud, Amazon, and Microsoft Azure and how to gain access to these resources in the cloud... for FREE!
Digital transformation has increased the pace of business creating a productivity divide between the technology haves and have nots. Managing financial information on spreadsheets and piecing together insight from numerous disconnected systems is no longer an option. Rapid market changes and aggressive competition are motivating business leaders to reevaluate legacy technology investments in search of modern technologies to achieve greater agility, reduced costs and organizational efficiencies. In this session, learn how today's business leaders are managing finance in the cloud and the essential steps required to get on the right path to creating an agile, efficient and future-ready business.
CI/CD is conceptually straightforward, yet often technically intricate to implement since it requires time and opportunities to develop intimate understanding on not only DevOps processes and operations, but likely product integrations with multiple platforms. This session intends to bridge the gap by offering an intense learning experience while witnessing the processes and operations to build from zero to a simple, yet functional CI/CD pipeline integrated with Jenkins, Github, Docker and Azure.