Teri Radichel


2023


Specifying the Roles an IAM Identity Can Assume

ACM.33 Limiting the Confused Deputy Attack in IAM Policies

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: IAM | AWS Security | Application Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post we used AWS CloudFormation conditions and mappings to overcome a security problem with trust policies — the confused deputy attack.

In the post on the confused deputy problem I referred to the IAM documentation that explains how to limit the ability for a user to assume a role with an IAM Policy like this:

Recall that an IAM Policy attached to an identity places restrictions on what that identity can do, as opposed to a resource policy (such as a role trust policy) that controls who can act on the resource, as I explained here:

Let’s review the policy for the IAM Admin user that we created earlier. Navigate to the IAM console, search for your IAM Admin user, and review its permissions. Notice that we have allowed the IAM user to assume a role that starts with the name BatchRole.

Question:

This is implemented without a condition like the example above. This policy instead allowlists the role resources the user can assume by restricting the Resource element to the role ARNs themselves. Does it work?

Run the script in the root directory one more time.

When the script asks me for a code to assume the role it does fail with an unauthorized message:

Why didn’t we get the unauthorized message when we tested the first time? Maybe I missed it. It also could be that the trust policy had not completely updated by the time the batch job test ran. As I mentioned, IAM is eventually consistent: a policy change is pushed out to all of AWS’s systems over a short period rather than locking users out while the change propagates, so the old policy may still be enforced for a brief window before the new one takes effect everywhere.

Let’s update our IAM policy to use the new prefix for IAM roles.

Our IAM administrator policy exists at:

iam/iam_admins/cfn/policy.yaml

Change this:

To this:

Deploy the change by executing the deploy script found here:

iam/iam_admins/deploy.sh

like this:

./deploy.sh

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice how easy it was to deploy one change compared to a huge monolithic CloudFormation template. You may have seen such templates elsewhere. Don’t do it. Think ahead and build your CloudFormation templates so you can change and test individual resources easily.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now if you were to try to test the script again you would still get an error.

./test.sh

That’s because the role BatchRoleDeployBatchJobCredentials no longer exists and that’s what we have configured the AWS CLI to use as explained in these two posts:

Head over to IAM and search for the role:

Now just search for Deploy:

Our role has been renamed to start with IAM as expected. Edit your AWS config file as explained in the posts above to use this role instead of the old batch job role.

Now I can assume the role.

This proves that our version of an IAM Policy works just as well as a policy with a condition. In fact, I think it’s a bit cleaner. Defining specific ARNs likely has stricter type checking than the logic used behind the scenes to parse conditions. If you’re wondering why that is, it’s explained in this series on secure code:
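To make the behaviour above concrete, here is an added example (not code from the post or from the 2nd Sight Lab repository) that models how an identity policy allowlisting role ARNs decides whether sts:AssumeRole is permitted. It follows IAM’s evaluation order (explicit Deny wins, an explicit Allow is required, everything else is implicitly denied) and IAM’s wildcard rules for the Resource element. The account id 111122223333, the renamed role name IAMDeployBatchJobCredentials, the role prefix "IAM", and the break-glass Deny statement are all constructed for the example; the post only says the renamed role starts with IAM.

```python
import re

ACCOUNT_ID = "111122223333"  # constructed sample account id, not from the post
ASSUME_ROLE = "sts:AssumeRole"


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    # IAM policy wildcards: '*' matches any sequence, '?' matches one character.
    # Everything else is literal (no character classes), so escape, then substitute.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + regex + "$")


def action_matches(pattern: str, action: str) -> bool:
    # Action names are matched case-insensitively in IAM.
    return _pattern_to_regex(pattern.lower()).match(action.lower()) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    # Resource ARNs (including the role name segment) are case-sensitive.
    return _pattern_to_regex(pattern).match(arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Identity-policy evaluation: an explicit Deny always wins, an explicit
    Allow is required, and anything that matches no statement is denied."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(resource_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def role_arn(role_name: str, account_id: str = ACCOUNT_ID) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def assume_role_policy(role_prefix: str, denied_roles=()) -> dict:
    """Allowlist every role in our account whose name starts with role_prefix.
    The wildcard sits only in the role-name segment, so partition and account
    id stay fixed. An optional explicit Deny covers roles that must never be
    assumed from this identity even though they match the prefix."""
    statements = [{
        "Effect": "Allow",
        "Action": ASSUME_ROLE,
        "Resource": role_arn(role_prefix + "*"),
    }]
    if denied_roles:
        statements.append({
            "Effect": "Deny",
            "Action": ASSUME_ROLE,
            "Resource": [role_arn(name) for name in denied_roles],
        })
    return {"Version": "2012-10-17", "Statement": statements}


# Before the rename the IAM admin could assume any role named BatchRole*.
OLD_POLICY = assume_role_policy("BatchRole")
OLD_ROLE = "BatchRoleDeployBatchJobCredentials"
# After the rename the roles start with "IAM"; the exact new name is not in
# the post, so this one is constructed for the example.
NEW_POLICY = assume_role_policy("IAM")
NEW_ROLE = "IAMDeployBatchJobCredentials"


def can_assume(policy: dict, role_name: str, account_id: str = ACCOUNT_ID) -> bool:
    return is_allowed(policy, ASSUME_ROLE, role_arn(role_name, account_id))


if __name__ == "__main__":
    print("old policy, old role:", can_assume(OLD_POLICY, OLD_ROLE))        # True
    print("old policy, renamed role:", can_assume(OLD_POLICY, NEW_ROLE))    # False: the failing test
    print("new policy, renamed role:", can_assume(NEW_POLICY, NEW_ROLE))    # True
    # Same role name in another account: the account id in the ARN does not match.
    print("other account:", can_assume(OLD_POLICY, OLD_ROLE, "999999999999"))  # False
    hardened = assume_role_policy("IAM", denied_roles=["IAMBreakGlassAdmin"])
    print("explicit deny wins:", can_assume(hardened, "IAMBreakGlassAdmin"))   # False
```

The second print reproduces the unauthorized result seen after the rename: the policy still says BatchRole*, so the renamed role matches no Allow statement and is implicitly denied. Note that a prefix as short as IAM* also covers any other role that happens to start with IAM, so in practice keep the prefix as specific as your naming convention allows, or list the exact ARNs.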

Next we’ll look at resource policies and the confused deputy attack.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Confused Deputy
Iam Policies
AWS
Cloudsecurity