
Cryptographically Secure Random

ACM.51 Generating a random value for batch job IDs

Part of my series on Automating Cybersecurity Metrics. Application Security. The Code.


In the last post, we considered our options for Lambda networking as we work through our architecture for this blog series.

Now we want to consider where we want to trigger a batch job and how that fits into our overall architecture.

I could just run off and use some code online to implement a batch job on AWS. But my goal is not simply to get a batch job working on AWS. That would be simple. What I want to do is build a secure architecture that allows me to deploy and operate batch jobs in a way that minimizes the chances of a data breach or security incident.


One of the things I would like to do is to require MFA to run batch jobs as mentioned when I started this series. I’ve been thinking about how to do this and whether there are holes in my idea, and I’m not sure yet, but we’ll just start building it and evaluate it as we go.

The first thing I want to do is to create a unique batch job ID. In order to run a batch job, a batch job administrator will need a batch job ID and an MFA code. Those two items come from two separate sources, so that is part of true MFA as I explained in my book at the bottom of this post. We are potentially getting the code on the same phone if we use a virtual MFA device. I’ll revisit that in a later post.

SMS Code Security

We can text the batch job ID to the batch job administrator. How secure is that? Well, recently some security researchers explained how it is possible to foil MFA codes sent to your phone at BlackHat 2022:

Well, that’s not good. If we think through our threat model, there is a chance that someone could try to get the SMS code if we text it to a user. However, the SMS code is not the only thing the user will need. They will also need an MFA code. So we have a bit of protection there.

Since I am currently in development I’m going to stick with texting an administrator a job ID for the moment, because I am also planning to do other things to make it harder for someone other than my batch job administrators to use that code down the line. I could even build a whole mobile application to handle this part of the equation, but then I would have all the complexity that comes with building and securing a mobile app, so we’ll start with the SMS codes.

Session IDs and why cryptographically secure random values matter

One of the things to consider when generating a unique code is whether or not it is truly random. Many security vulnerabilities come from system implementations that do not use truly random values. What’s the problem with values that are not truly random? They may be easier for an attacker to guess. The attacker may be able to break encryption and access systems.

Consider a case where an organization has a website that uses Session IDs to identify a user currently active in the system and grant them access. In order to get that Session ID, the user had to log in and prove who they were, and then the web application handed them back a Session ID.

What can the attacker do if they get ahold of a Session ID? Anything that the user who initially obtained the session can do in the system. It’s as if the attacker is the user logged into the system because that’s how the user is identified when they submit an HTTP request.

Therefore Session IDs should generally only be valid for a short period of time and then expire, at which point the user has to re-authenticate. That way, if an attacker gets the Session ID, they can only use it for a limited period of time.

How could an attacker get the session ID? There are so many ways and that’s something I test for on penetration tests. But for the purposes of this blog post the manner in which the attacker may be able to obtain the Session ID is by guessing it because it is not truly random. Perhaps the system generates a Session ID that is the first initial of the user’s first name and the last name of the user. An attacker logs in and sees this in the URL:

https://banksite.notsecure?sessionid=tradichel

Obviously, if I log in and see that, I can just try to guess who the other users might be, or I might even know some users. I can just change the session ID to get access to the system as if I were that user:

https://banksite.notsecure?sessionid=mjordan

Now let’s say that you decide instead to use Python’s random library (https://docs.python.org/3/library/random.html).

You might get a session ID that looks random, but it’s really not a cryptographically secure random number.

Random Number Generator Attack

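If you want to dig into how attackers might try to exploit non-random number generators here are some links:

Attacking a random number generator: https://www.schutzwerk.com/en/43/posts/attacking_a_random_number_generator/

Is python's random number generation easily reproducible?: https://stackoverflow.com/questions/31356466/is-pythons-random-number-generation-easily-reproducible

Random number generator attack - Wikipedia: https://en.wikipedia.org/wiki/Random_number_generator_attack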

Cryptographically Secure Random Values

So if we can’t use Python’s random module, what can we use? There’s another module in Python that claims to generate cryptographically secure values called secrets (https://docs.python.org/3/library/secrets.html).

If we care about having job IDs that are truly unique so someone can’t guess a job ID and start a job, then we can use the secrets module. We will have a lot of other controls around running jobs in our system so I’m not sure how much good a job ID alone would be to an attacker, but the difference in implementation time for me to use a more secure library is basically nothing. I’m going to use the most secure option whenever I can.
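An added example (not code from the original post) contrasting the two modules for job IDs: `weak_job_id` shows that output from `random` is fully reproducible from its seed, while `new_job_id` uses `secrets`. The `JobIdStore` class, the 128-bit ID size and the five-minute expiry are assumptions made for illustration; the expiry follows the short-lifetime advice given for Session IDs above.

```python
import hashlib
import random
import secrets
import time

JOB_ID_BYTES = 16          # assumption: 128 bits of entropy per job ID
JOB_ID_TTL_SECONDS = 300   # assumption: IDs expire after five minutes


def weak_job_id(seed):
    """Insecure: Mersenne Twister output is fully determined by its seed."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def new_job_id():
    """Secure: secrets draws from the operating system's CSPRNG."""
    return secrets.token_urlsafe(JOB_ID_BYTES)


class JobIdStore:
    """Hypothetical in-memory store that keeps only a hash of each issued ID."""

    def __init__(self, ttl=JOB_ID_TTL_SECONDS):
        self.ttl = ttl
        self._issued = {}  # sha256(job_id) -> expiry timestamp

    def issue(self, now=None):
        """Create a job ID, remember its hash and expiry, return the ID."""
        now = time.time() if now is None else now
        job_id = new_job_id()
        digest = hashlib.sha256(job_id.encode()).hexdigest()
        self._issued[digest] = now + self.ttl
        return job_id

    def redeem(self, job_id, now=None):
        """Return True once for an unexpired ID, False in every other case."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(job_id.encode()).hexdigest()
        expiry = self._issued.pop(digest, None)  # pop makes the ID single use
        return expiry is not None and now <= expiry
```

Anyone who learns or guesses the seed passed to `weak_job_id` can regenerate the same ID, which is why it is unsuitable for a value that gates access.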

No matter what programming language you use you will want to ensure that you use a cryptographically secure random number generator, not a flawed library or module with known issues. Do your homework before you use some code you pulled off the Internet or grab the first library you come across when it comes to random number generation. Also inspect any code you use from open source libraries to ensure they are using a cryptographically secure random number generator.

We’ll be using the secrets Python module in a Lambda function to kick off our batch job process. Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab