ACM.51 Generating a random value for batch job IDs
This is a continuation of my series on Automating Cybersecurity Metrics.
At the time of this writing we are at the point in our architecture where we want to trigger a batch job.
I could just run off and use some code online to implement a batch job on AWS. But my goal is not simply to get a batch job working on AWS. That would be simple. What I want to do is build a secure architecture that allows me to deploy and operate batch jobs in a way that minimizes the chances of a data breach or security incident.
One of the things I would like to do is require MFA to run batch jobs, as mentioned when I started this series. I’ve been thinking about how to do this and whether there are holes in my idea. I’m not sure yet, but we’ll just start building it and evaluate it as we go.
The first thing I want to do is create a unique batch job ID. In order to run a batch job, a batch job administrator will need a batch job ID and an MFA code. Those two items come from two separate sources, so that is part of true MFA as I explained in my book at the bottom of this post. We are potentially getting the code on the same phone if we use a virtual MFA device. I’ll revisit that in a later post.
SMS Code Security
We can text the batch job ID to the batch job administrator. How secure is that? Well, recently some security researchers explained how it is possible to foil MFA codes sent to your phone at BlackHat 2022:
Well, that’s not good. If we think through our threat model, there is a chance that someone could try to get the SMS code if we text it to a user. However, the SMS code is not the only thing the user will need. They will also need an MFA code. So we have a bit of protection there.
Since I am currently in development I’m going to stick with texting an administrator a job ID for the moment, because I am also planning to do other things to make it harder for someone other than my batch job administrators to use that code down the line. I could even build a whole mobile application to handle this part of the equation, but then I would have all the complexity that comes with building and securing a mobile app, so we’ll start with the SMS codes.
Session IDs and why cryptographically secure random values matter
One of the things to consider when generating a unique code is whether or not it is truly random. Many security vulnerabilities come from system implementations that do not use truly random values. What’s the problem with values that are not truly random? They may be easier for an attacker to guess. An attacker may be able to break encryption and access systems.
Consider a case where an organization has a website that uses Session IDs to identify a user currently active in the system and grant them access. In order to get that Session ID, the user had to log in and prove who they were, and then the web application handed them back a Session ID.
What can the attacker do if they get ahold of a Session ID? Anything that the user who initially obtained the session can do in the system. It’s as if the attacker is the user logged into the system because that’s how the user is identified when they submit an HTTP request.
Therefore Session IDs should generally only be valid for a short period of time and then expire, at which point the user has to re-authenticate. That way, if an attacker gets the Session ID, they can only use it for a limited period of time.
How could an attacker get the Session ID? There are so many ways, and that’s something I test for on penetration tests. But for the purposes of this blog post, the manner in which the attacker may be able to obtain the Session ID is by guessing it because it is not truly random. Perhaps the system generates a Session ID that is the first initial of the user’s first name and the last name of the user. An attacker logs in and sees this in the URL:
https://banksite.notsecure?sessionid=tradichel
Obviously, if I log in and see that, I can just try to guess who the other users might be, or I might even know some users. I can just change the session ID to get access to the system as if I were that user:
https://banksite.notsecure?sessionid=mjordan
Now let’s say that you decide instead to use Python’s random library:
You might get a Session ID that looks random, but it’s really not a cryptographically secure random number.
Random Number Generator Attack
If you want to dig into how attackers might try to exploit non-random number generators here are some links:
Cryptographically Secure Random Values
So if we can’t use Python’s random module, what can we use? There’s another module in Python, called secrets, that claims to generate cryptographically secure values.
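The contrast between the two modules, as an added example that is not the code from the original post: the function names are hypothetical, and the constant-time comparison is an addition the post does not discuss. It shows that IDs from the random module repeat exactly whenever the generator state is the same, while secrets draws from the operating system's CSPRNG.

```python
import random
import secrets


def weak_job_id(rng: random.Random) -> str:
    """Insecure: Mersenne Twister output is fully determined by its state."""
    return f"{rng.getrandbits(64):016x}"


def weak_ids_repeat(seed: int, count: int = 3) -> bool:
    """Two generators with the same seed emit the same ID sequence,
    so anyone who learns or guesses the state can predict every ID."""
    first = random.Random(seed)
    second = random.Random(seed)
    ids_a = [weak_job_id(first) for _ in range(count)]
    ids_b = [weak_job_id(second) for _ in range(count)]
    return ids_a == ids_b


def new_job_id(nbytes: int = 16) -> str:
    """Secure: nbytes from the OS CSPRNG, encoded as URL-safe text.
    16 bytes gives 128 bits of unpredictability."""
    return secrets.token_urlsafe(nbytes)


def job_id_matches(expected: str, supplied: str) -> bool:
    """Compare IDs in constant time so response timing does not
    reveal how many leading characters of a guess were correct."""
    return secrets.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    # The seed value is constructed for the demonstration.
    print("random module IDs repeat with same seed:", weak_ids_repeat(2022))
    job_id = new_job_id()
    print("job ID from secrets:", job_id)
    print("matches itself:", job_id_matches(job_id, job_id))
    print("matches a guess:", job_id_matches(job_id, "tradichel"))
```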

If we care about having job IDs that are truly unique, so someone can’t guess a job ID and start a job, then we can use the above. We will have a lot of other controls around running jobs in our system, so I’m not sure how much good a job ID alone would be to an attacker, but the difference in implementation time for me to use a more secure library is basically nothing. I’m going to use the most secure option whenever I can.
No matter what programming language you use you will want to ensure that you use a cryptographically secure random number generator, not a flawed library or module with known issues. Do your homework before you use some code you pulled off the Internet or grab the first library you come across when it comes to random number generation. Also inspect any code you use from open source libraries to ensure they are using a cryptographically secure random number generator.
We’ll be using the secrets Python module in a Lambda function to kick off our batch job process. Follow for updates.
Teri Radichel
© 2nd Sight Lab 2022
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon