Protecting Against Privilege Escalation

When we talk about system security, we are talking the main components of our environment. Our data and files reside on some systems. Because of that, security of those is important to be maintained. Threat and Vulnerability are inherent to all systems. They are everywhere. One of those is privilege escalation.

Privilege escalation is an exploitation of vulnerability when someone gain privileges other than what originally intended for him. This means that he is able to access the system using other accounts for his benefit. There are two types of it, vertical and horizontal.
 
Vertical Privilege Escalation
This happens when an attacker uses a vulnerability in the system to gain privileges above what is intended for him. This could be damaging the system or stealing information.
 
Horizontal Privilege Escalation
This happens when an attacker uses a vulnerability in the system to gain privileges of another user who has the same privilege as him. For example, John and Liz both are users under financial departments. Both have access to payment data. John may attempt to gain Liz access so that he can amend some payment data but the system logs Liz as the one who do it.
 
How to protect our system from Privilege Escalation
The most common vulnerabilities that can lead to this are Cross-site Scripting (XSS), Improper Cookie handling and weak passwords. These are protection we have to do:

Validate inputs

System creates, maintains, and destroys cookie properly

Avoid to use weak password

Implementing a rule to force user to use complex or strong password and set password age limits

Implementing separation of privilege principle. It is dividing a system into smaller parts and each of those parts has specific duties to perform.

Implementing least of privilege principle. This suggests that software modules or processes only have rights to perform the actions intended to be done by that module or process.

Design Authorization or Access Control System

Authorization and Authentication mostly come in pair. Layered upon authentication, authorization is a process to confirm that an authenticated entity has the needed rights and privileges to access and perform actions on resources. It is Access Control job to carry out authorization policy. There are three main access control model used today.

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

 
Each has its own advantages and disadvantages. Some organizations may choose and use multiple access control models that fits to their particular systems or environment.

Before we discuss more detail about those, we need to identify the Subject and Object first. Subject is an entity that is requesting access and Object is resource that Subject will act upon. Subject can be a human user or a system process.

Discretionary Access Control (DAC)

DAC restricts access to objects based on the identity of the subject and is distinctly characterized by the owner of the resource. He/She has right to decide who can access and what level of privileges or rights is given. Usually, it is implemented using Access Control Lists (ACL). The relationship between the individuals (subjects) and the resources (objects) is direct and the mapping of individuals to resources by the owner is what constitutes the ACLs. This method can be integrated with Role-Based Access Control. In this case, we map between user’s roles (as Subject) and resources.

This is an example for Access Control List from Windows.

 

Mandatory Access Control (MAC)

MAC is based on hierarchical model. Access to objects is restricted to subjects based on the sensitivity of the information contained in the objects. The sensitivity is represented by a level and label. All users are assigned a clearance level and all objects are assigned a security label. In this case, access is determined based on matching a subject’s clearance level with the object’s sensitivity level.

For example, we have data and its categories are top secret, secret, confidential, internal and public. We also have clearance levels are chief department, manager, supervisor and ordinary users. A manager has rights to access all data with secret category and below. Chief department has rights to access all available data. And ordinary users can only access internal and public data.

In this model, access is controlled by the administrator and it can be quite cumbersome to manage. An administrator can quickly become overwhelmed as the systems grow more complex. It is disadvantage to MAC model.

Role-Based Access Control (RBAC)

So far, it is common model I used in my systems. Access is given based on roles instead of individual user. And those role are managed by the administrator. The administrator determine all available roles within his organization and then map those to job functions and tasks.

What this mainly provides is that the resource is not directly mapped to the Subject but only to the role. Since individuals can change over time, while roles generally don’t, Subject can be easily assigned to or revoked from roles.

[Book Review] Windows Security Essentials

Every asset in an organization always has risk. That is my first mind set when starting to read this book. The challenge is to minimize the risk and maintain its level to a level where we can handle it. One way to minimize risk is implementing security controls. It should be applied as a holistic security. Holistic security covers people, processes and technology elements where our systems or applications are. It also include physical place where our hardware are placed.

If you have system(s) running on Windows, you can read this book, Windows Security Essentials. This book covers the basic of security in a Microsoft environment. Some interesting topics in this book are

Understanding how risk and threat impact security principles

Recognizing malware in all its forms

Defending against social engineering attacks

Identifying the three aspects of user authentication

Securing access using NTFS permissions

Protecting clients, servers, and networks

Understanding encryption, certificates and PKIs

The one thing I like from this book is about understanding risk and hardening our system. It explaining from the basic with explanation that is easy to understand. I get more knowledge about NTFS and how to secure it with permissions.

[Book Review] Visual Quickstart Guide – Unix and Linux

I need to refresh my knowledge about basic commands in Linux. I browse some reference books but I do not want to read detailed information. So, I try to find some linux pocket books. I get ‘Visual Quickstart Guide – Unix and Linux (Fifth Edition)‘ by Deborah S. Ray and Eric J. Ray.

Overall, yeah.. it is not for advanced users or one who is looking detailed information. It lists only common commands that we can use in daily administration tasks. Those are:

How to work with Directories and Files (e.g. ls, mkdir, find, touch, tar, gzip, etc)

How to manipulate files and control their ownership and permissions

How to write basic scripts

How to edit files using vim and nano

How to sending and reading emails

How to access internet (e.g. using ssh, telnet, ftp, etc)

How to get information about the system

 
Beyond that, this book also provides references about commands, flags and arguments. Those can be used as your handy utilities when you do your tasks.

Common Unix/Linux directories

Common Unix/Linux directories and their contents.

Directory	Contents
/bin	Essential programs and commands for use by all users
/boot	Files used in booting the operating system
/dev	Device folder, such as alarm, cdrom, cpu, cdrw, etc.
/etc	System configuration files and global settings
/etc/sysconfig	Files that control the system configuration
/etc/X11	Configuration files for X Window System
/lib	Shared libraries
/home	Home directories for users
/lost+found	Recovering files which are not properly closed due to many reason such as power failure
/misc	This directory is used for automatically mounting directories on removable devices and remote directories
/mnt	The mount points for file systems mounted after the system is booted
/opt	Optional application software packages
/proc	Location of virtual file system
/root	Home directory for root user
/sbin	Essential system binaries
/tmp	Temporary files
/usr/bin	Commands and programs that are less central to basic Unix system functionality than those in /bin but still useful and often important
/usr/include	Standard include file and header files for C programs
/usr/lib	Libraries for installed packages
/usr/local	Most files and data that were developed or customized on the system
/usr/share	Shared data file
/var	Changeable data, including system logs, temporary data from programs, and user main storage

Is your password strong enough?

I have a problem to memorize especially password. I have to memorize many passwords for applications in the Internet. However, I believe that I am not the only one with this problem 🙂

How to memorize passwords?

I see comic above and understand that the most important thing is hard to crack and easy to remember. Those combinations are our goal. Let’s open this site, https://howsecureismypassword.net/. You may compare both passwords and will find the second one takes more time to be cracked. I do not know how that site calculate the strength of password but we can use to compare each password we enter.

Rule #1 : Length is important. Some advices suggest at least 12 characters. If you can go till the length of password field, it is better 🙂

Rule #2 : Use mixture of upper-case and lower cases, numbers and symbols.

Rule #3 : Not a single word and it is common word in any language. Are you not sure about it? Please go to OWASP SecList Project. That project has millions single common words that can be used to crack your password.

Rule #4 : Change regularly (e.g. every 6 months)

Rule #5 : Do not using password that you have used recently.

Rule #6 : Not your telephone numbers, username, your spouse’s or kid’s name and their birthdate, mother’s maiden name or anything that someone might associate with you.

Rule #7 : Do not use common substitution (e.g. 4 for a or 5 for s)

Rule #8 : Do not use one password for all accounts although it is quite strong enough.
Once it has been cracked, all your accounts are compromised.. sad..

Rule #9 : You may have your application service in your password (read my example below).

Let’s we try to apply those rules. I want to create a strong password for my Facebook account. I like to hear song especially 70’s, 80’s and 90’s songs… I take a song with title If from Bread. I take this password

Facebook If A Picture Paints A Thousand Words

Rule #1 : Yeah.. there are 45 characters (including spaces).
Rule #2 : Done. I have spaces and combination of upper-case and lower-case.
Rule #3 : Of course it is not single word.
Rule #6 : Do not use common substitution (e.g. 4 for a or 5 for s)
Rule #9 : I put Facebook 🙂 It makes my password strong as well.

When I try to use https://howsecureismypassword.net, I get 603 unvigintillion years to crack it using a desktop PC.

Now… after read this.. how strong is your password? The choice is yours…..

Protect yourself from phishing

Phishing is a form of electronic communication that masquerade as a trustworthy entity. The goals are to acquire sensitive information such as password or credit card details. It is a psychological attack used by criminals to trick you. At the beginning, they used emails to do so. But now, it has evolved to become message-based attack (e.g. instant messaging or social media post).

Before they spread attacks, they have prepared the system to receive response from victims. They craft a convincing-looking message using “good” grammar as if a good or reputable company send email to its customer. Then, they send to millions of people around the world. Actually, they do not know who will fall victim. They just wait whoever clicking on a malicious link or opening an infected attachment or responding it.

There is another kind of phishing. It is spear phishing. Actually, it is same as phishing, except that instead of sending to random recipients, criminals send it to selected recipients. In this case, they have done a research to whom they are targeting. If you want to know more about spear phishing, you can read this incident (0xHACKED: Brown University Accounts Distributing Phishing Emails) that happened recently.

Let’s say you have been targeted by them. Perhaps, you wonder from where they get your email address. The answer is very simple. It can from social media such as Facebook, Twitter, Instagram, LinkedIn, etc. Or, you may put it on-line through public blogs or forums. Please be aware that they have tool to craw this kind of information. In cyber security, we call it as Email scavenger. It is a type of web crawler program that searches the Internet and collects all email addresses it finds posted on web pages.

Now, the big question is how to stop it? Only YOU can do that. These are phishing indicator

Is the email being sent by someone you do not know or do not work with?
Check “FROM”, “To” and “CC” addresses. Are those personal accounts and using public email service (e.g. @gmail.com, @yahoo.com, etc) ?

Check greetings. Does it being sent to you? Or, does it use “Dear Customer”? If a trusted organization has a need to contact you, they should know your name, right?

Be suspicious of grammar or spelling mistakes.

Be suspicious of any email that requires an immediate action.

If you do not know the sender, DO NOT OPEN its attachment(s). DO NOT CLICK any link(s). For hyper links, hover your mouse over that link and you will see its destination.

Be suspicious of any message that sounds to good to be true. Remember.. there is no free lunch

 
Hope it helps you…. 🙂

How to design Logging feature

Logging is an important feature and must be available in the system. It will be useful for auditing purpose. Some applications I ever developed do not have an interface for user to configure this feature. So, team who maintains it has a responsibility to get the records directly from its storages (e.g. database or files).

There are may benefit to have logs. It captures all information about what the user is doing in the system, e.g. adding a new record, etc. It also captures all exceptions or errors thrown either from application itself or the system environment.

Please take note that hacker is able to manipulate the logs. He usually amends or remove some entries/record in the logs to hide his action after he exploit the system. In this case, we need to think thoroughly when designing logging feature in a system.

Let us see what is a minimum requirement for logging feature.

There is an interface to configure setting for logging. User should be able to configure these settings:
a. Turning on/off logging feature in which environment(s) (e.g. development, test, production, etc)
b. What kind of information that can be logged (e.g. application events, operating system events, error/exception, etc)
c. The verbosity of the logs (e.g. info, error, warning, etc)

Only authorized users have access to change the configuration setting for logging.

Logs are never overwritten and can only be appended to. If you have an issue with capacity, the logging verbosity needs to planned carefully.

There is no delete function to delete any entries/records in logs.

 
Now, the choice is yours regarding how you will implement your logging feature in your system.

Secret Key Management Framework

If your application manages sensitive data, the main challenging task during design phase is choosing cryptographic techniques. First, we must understand your business requirement regarding how the system should process with those data. We have to think through not just how to store it but I mean the whole processes. It can be when data are transferred from one point to another point or during processing in server memory.

In Cyber Security, we know this term, Code Breaking. Have you ever watched Tom Cruise breaks secret code in his Mission Impossible movies? Or, You may have a dream to be James Bond, where secret messages is uncovered through some clever techniques. Wait a minute.. do you think that it is so easy? Sorry, the answer is NO.

Cryptanalysis is a knowledge of finding vulnerabilities in cryptographic. That techniques are used by hacker to try break secret code. We can also use it with the intention to uncovering and addressing any weakness in our cryptographic. It is useful that we have and implement the knowledge of it during design phase. What should we consider?

It is critical to put work factor as our consideration when choosing a cryptographic techniques. Work factor is an effort (with available resources) to break protection mechanism. Please take note that work faction is exponentially dependent on the key size or key length. It is measured in bits or bytes. And it contains a sequence of symbols that we use for encryption and decryption processes. So, it means that we have to keep our key secretly.

To break secret code, a hacker need time and computational power. All cryptographic algorithms (by right) can be broken, except for one-time-pad. So, how do we make sure that our key is kept securely? This is Key Management Framework that is taken from Official (ISC)2 Guide To the CSSLP CBK.

To protect the secrecy of our key, we extremely need a good key management. From CSSLP guideline, we can see that key management life cycle starting from generation, exchange, storage, rotation, archiving and destruction. Key must be random during generation. That is a main criteria. Then, it must be protected when it is shared so that it not disclosed to anyone who are not eligible to have it. We also need to prepare properly a place where we store that key. It can be a hardware security module (HSM) such as the Trusted Platform Modules (TPM) chip.

We also need to do rotation or change our key regularly with a new one. The change is also need to be done immediately upon key disclosure. Before we discard old key, we need to decide whether we have to archive it in another secure place. We do this because there are some data in our system are using it as key during encryption and description. If we want to keep our data as it is, that means we need to archive that old key. Otherwise, we have to decrypt our data and encrypt again using new key. If the key is destroyed without being archived, the corresponding key to decrypt the existing data will be unavailable. It is leading to a denial of service (DoS) should there be a need to retrieve the data for forensics or disaster recovery purposes.

Put security in mind when designing a software

When you develop a software, it can meet all quality requirements but it does not guarantee that it is secure. However, if we put security in mind during design phase, it become an added value to increase the quality of your software. Let’s see what benefit we get if we do this.

We can say that design phase is starting phase to implement all requirements stated in requirement specification. A good software does not come from good and secure code only. It also comes from good design. If we always implement or practice to put security concept when designing our software, it becomes less prone to errors. Anyone who maintains this software will be very happy because it is easy to be maintained. Again, this condition improves the quality of your software, right?

The other benefit is that we are able to detect every business flaw early. For example, there is a requirement for password recovery. Previously (or it may still be practiced nowdays), we encounter that some sites are using question and answer model to recover user’s password. The drawback of this model is that hacker’s has an ability to guess the answer because the number of answers are limited. Questions about mother name or when user born are easy to get from Facebook. That is the power of social media. Hackers can use social engineering techniques to retrieve all personal information of his target from social engineering. Another question that is easy to be guessed is what color user likes. The answers are limited to common colors that we know. In this case, we need to find other solution for this so that it is difficult for hacker to guess.

At the end, we can have time and cost saving since there is minimal-to-no disruption to business operation.