• Home
  • About Us
  • Contact Us
  • Disclaimer
  • Privacy Policy
  • Terms & Conditions
Flyy Tech
  • Home
  • Apple
  • Applications
    • Computers
    • Laptop
    • Microsoft
  • Security
  • Smartphone
  • Gaming
  • Entertainment
    • Literature
    • Cooking
    • Fitness
    • lifestyle
    • Music
    • Nature
    • Podcasts
    • Travel
    • Vlogs
  • Camera
  • Audio
No Result
View All Result
  • Home
  • Apple
  • Applications
    • Computers
    • Laptop
    • Microsoft
  • Security
  • Smartphone
  • Gaming
  • Entertainment
    • Literature
    • Cooking
    • Fitness
    • lifestyle
    • Music
    • Nature
    • Podcasts
    • Travel
    • Vlogs
  • Camera
  • Audio
No Result
View All Result
Flyy Tech
No Result
View All Result

Cryptographically Secure Random. ACM.51 Generating a random value for… | by Teri Radichel | Cloud Security | Sep, 2022

flyytech by flyytech
September 15, 2022
Home Security
Share on FacebookShare on Twitter


ACM.51 Generating a random value for batch job IDs

This is a continuation of my series on Automating Cybersecurity Metrics.

At the time of this writing we are the point in our architecture where we want to trigger a batch job.

I could just run off and use some code online to implement a batch job on AWS. But my goal is not simply to get a batch job working on AWS. That would be simple. What I want to do is build a secure architecture that allows me to deploy and operate batch jobs in a way that minimizes the chances of a data breach or security incident.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Still waiting for Google’s legal team to remove a few sites listed here that are copying the contents of this blog without permission:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One of the things I would like to do is to require MFA to run batch jobs as mentioned when I started this series. I’ve been thinking about how to do this and whether there are holes in my idea and not sure yet but we’ll just start building it and evaluate it as we go.

The first thing I want to do is to create a unique batch job ID. In order to run a batch job, a batch job administrator will need a batch job ID and an MFA code. Both those two items come from two separate sources so that is is part of true MFA as I explained in my book at the bottom of this post. We are potentially getting the code on the same phone if we use a virtual MFA device. I’ll revisit that in a later post.

SMS Code Security

We can text the batch job ID to the batch job administrator. How secure is that? Well, recently some security researchers explained how it is possible to foil MFA codes sent to your phone at BlackHat 2022:

Well, that’s not good. If we think though our threat model, there is a chance that someone could try to get the SMS code if we text it to a user. However, the SMS code is not the only thing the user will need. They will also need an MFA code. So we have a bit of protection there.

Since I am currently in development I’m going to stick with texting an administrator a job ID for the moment, because I am also planning to do other things to make it harder for someone other than my batch job administrators to use that code down the line. I could even build a whole mobile application to handle this part of the equation, but then I would have all the complexity that comes with building a securing a mobile app, so we’ll start with the SMS codes.

Session IDs and why cryptographically secure random values matter

One of the things to consider when generating a unique code is whether or not it is truly random. Many security vulnerabilities come from system implementations that do not use truly random values. What’s the problem with values that are not truly random? They may be easier for an attacker to guess. They may be able to break encryption an access systems.

Consider a case where an organization has a website that uses Session IDs to identify a user currently active in the system and grant them access. In order to get that Session ID, the user had to login and prove who they were, and then the web application handed them back a Session ID.

What can the attacker do if they get ahold of a Session ID? Anything that user that initially obtained the session can do in the system. It’s as if the attacker is the user logged into the system because that’s how the user is identified when they submit an HTTP request.

Therefore Session IDs should generally only be valid for a short period of time and then expire, at which point the user has to re-authenticate. That way, if an attacker gets the Session ID, they can only use it for a limited period of time.

How could an attacker get the session ID? There are so may ways and that’s something I test for on penetration tests. But for the purposes of this blog post the manner in which the user may be able to obtain the Session ID is by guessing the session ID because it is not truly random. Perhaps the system generates a Session ID that is the first initial of the user’s first name and the last name of the user. An attacker logins in and sees this in the URL:

https://banksite.notsecure?sessionid=tradichel

Obviously, if I login and see that I can just try to guess who the other users might be or I might even know some users. I can just change the session ID to get access to the system as if I was that user:

https://banksite.notsecure?sessionid=mjordan

Now let’s say that you decide instead to use Python’s random library:

You might get a session that looks random, but it’s really not a cryptographically secure random number.

Random Number Generator Attack

If you want to dig into how attackers might try to exploit non-random number generators here are some links:

Cryptographically Secure Random Values

So if we can’t use python’s random module what can we use? There’s another module in Python that claims to generate cryptographically secure values called secrets.

If we care about having the job ids that are truly unique so someone can’t guess and start a job id then we can use the above. We will have a lot of other controls around running jobs in our system so I’m not sure how much good a job ID alone would be to an attacker, but the difference in implementation time for me to use a more secure library is basically nothing. I’m going to use the most secure option whenever I can.

No matter what programming language you use you will want to ensure that you use a cryptographically secure random number generator, not a flawed library or module with known issues. Do your homework before you use some code you pulled off the Internet or grab the first library you come across when it comes to random number generation. Also inspect any code you use from open source libraries to ensure they are using a cryptographically secure random number generator.

We’ll be using the secrets Python module in a Lambda function to kick off our batch job process. Follow for updates.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

All the posts in this series:

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts





Source_link

flyytech

flyytech

Next Post
“Fingerprints” of climate change are clear in Pakistan’s devastating floods

“Fingerprints” of climate change are clear in Pakistan’s devastating floods

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended.

X Doesn’t Mark The Spot, Ryzen 7600, 7700, And 7900 CPUs

X Doesn’t Mark The Spot, Ryzen 7600, 7700, And 7900 CPUs

January 10, 2023
Sony Xperia 10 IV review: Compact with a long-lasting battery

Sony Xperia 10 IV review: Compact with a long-lasting battery

November 27, 2022

Trending.

Elden Ring best spells 1.08: Tier lists, sorceries, incantations, and locations

Elden Ring best spells 1.08: Tier lists, sorceries, incantations, and locations

January 14, 2023
Image Creator now live in select countries for Microsoft Bing and coming soon in Microsoft Edge

Image Creator now live in select countries for Microsoft Bing and coming soon in Microsoft Edge

October 23, 2022
How to View Ring Doorbell on a Roku TV

How to View Ring Doorbell on a Roku TV

December 20, 2022
Review: Zoom ZPC-1

Review: Zoom ZPC-1

January 28, 2023
Allen Parr’s false teaching examined. Why you should unfollow him.

Allen Parr’s false teaching examined. Why you should unfollow him.

September 24, 2022

Flyy Tech

Welcome to Flyy Tech The goal of Flyy Tech is to give you the absolute best news sources for any topic! Our topics are carefully curated and constantly updated as we know the web moves fast so we try to as well.

Follow Us

Categories

  • Apple
  • Applications
  • Audio
  • Camera
  • Computers
  • Cooking
  • Entertainment
  • Fitness
  • Gaming
  • Laptop
  • lifestyle
  • Literature
  • Microsoft
  • Music
  • Podcasts
  • Review
  • Security
  • Smartphone
  • Travel
  • Uncategorized
  • Vlogs

Site Links

  • Home
  • About Us
  • Contact Us
  • Disclaimer
  • Privacy Policy
  • Terms & Conditions

Recent News

Google Pixel phones had a serious data leakage bug – here’s what to do! – Naked Security

Google Pixel phones had a serious data leakage bug – here’s what to do! – Naked Security

March 21, 2023
TikTok users are making fan edits of Butters from South Park

TikTok users are making fan edits of Butters from South Park

March 21, 2023

Copyright © 2022 Flyytech.com | All Rights Reserved.

No Result
View All Result
  • Home
  • Apple
  • Applications
    • Computers
    • Laptop
    • Microsoft
  • Security
  • Smartphone
  • Gaming
  • Entertainment
    • Literature
    • Cooking
    • Fitness
    • lifestyle
    • Music
    • Nature
    • Podcasts
    • Travel
    • Vlogs

Copyright © 2022 Flyytech.com | All Rights Reserved.

What Are Cookies
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
Cookie SettingsAccept All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT