Guy Binyamin
Cyber Security Specialist, Varonis
Tel Aviv, Israel
Guy Binyamin is a security specialist with the Varonis forensics team, contributing to DFIR, penetration testing, and attack simulations. He has spent his entire career in cybersecurity, working in both offensive and defensive roles at Comsec Global Consulting and Varonis.
From Code to Cloud: What We Accidently Share on GitHub
Millions of lines of code are publicly published on GitHub every day. This vast repository of code includes projects from developers worldwide, ranging from personal experiments to professional work. Most of this code is never reviewed by anyone other than the author. Sometimes, the author publishes old code without reviewing it, which could be something they wrote for personal use or during their job. These lines of code can occasionally contain sensitive information, such as passwords and secrets. When searching through a large amount of code, we will almost certainly find these secrets.
Cloud secrets are usually accompanied by the tenant ID. Using some Azure magic, we can find any tenant ID by the tenant’s name without authenticating. The tool I created takes advantage of this capability and uses the GitHub API to search for that tenant ID and extract all associated secrets and credentials. This process allows us to uncover potentially exposed secrets that could be exploited if not properly secured.
In this session, I will go over the use of the tool I created as both an offensive and defensive tool by tracking leaked secrets and credentials. On the offensive side, it can be used to identify credentials and potential points of entry to the targeted organization. On the defensive side, it helps organizations monitor and mitigate the risk of leaked credentials, ensuring their systems remain secure.
Playing the Adversary – Testing Cyber Resilience at the Enterprise Scale
Enterprise pen testing and cyber risk assessments are not as simple as scanning for open ports, buckets, and exposed credentials. To properly test an enterprise’s defenses requires putting them under realistic stress and conditions. To do so, your red team needs the right infrastructure, automation, and simulations to reveal vulnerabilities or gaps in resiliency at scale. Join our session to learn automation best practices for cloud-based C2 infrastructure design and deployment, how to create realistic adversary simulations, and see best practices on client-based threat simulations.