"If a person has control over any function, it can also be used to control the computer"(week 14)

 

"If a person has control over any function, it can also be used to control the computer"

img url:https://media.istockphoto.com/vectors/the-red-fishing-hook-is-stealing-password-on-a-laptop-vector-id1173707516?k=20&m=1173707516&s=170667a&w=0&h=XOJ7iaSoLUmupXMpm1r-PSGGEAUdAdBrzZ4-O29mvdI=


Last year, Laxman Muthiyah, a security researcher, found out that it was possible for any attacker to assign themselves admin privileges for any Facebook page they desired.[1] The operation was done through Broken Access Control, which happens when access permissions are misconfigured by the attacker allowing them to gain access to functions they are not supposed to have.[2] With this access they may delete, modify, or copy, different data, files, and account information amongst other things.

The opportunity of Broken Access Control to take place relies completely on how securely designed and coded the webpage or application is. In Facebook’s case, it was a flaw in their code which allowed Laxman to give himself admin privileges. Luckily, Laxman was merely bug-hunting, and his intentions were not malignant in nature. He proceeded to report the bug to Facebook and was rewarded with a monetary prize.

Here is the request Laxman used to gain admin privileges:

Request :-

POST /<page_id>/userpermissions HTTP/1.1

Host :  graph.facebook.com 

Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:-

true

 

Broken Access Control is one of the many instances in which attackers make use of gateways and functions to gain access and control. While Laxman’s case was inoffensive, it is a common occurrence for attackers to gain access and control through different techniques, such as Broken Access Control.

Other technique very commonly used by attackers is phishing. A phishing attack occurs when attackers trick you, by sending fake emails for example, into giving them valuable information, or in this case, control of the computer.[3] One example could be a fake email with a web link. This web link could install malware into the computer or give complete control to the attacker. Other instances of phishing have shown web links guiding to sites replicating bank or company portals, asking the victim to insert their personal data and passwords without knowing that the site is fake.


(An example of Phishing website)
img url:https://thehackernews.com/images/-_8BYD9vs4hs/TtHsJbhHQeI/AAAAAAAADss/CoMLPkj_LU8/s728-e100/Untitled.jpg 


Such happened in December last year in the United States, that an employee of a wireless communications manufacturer in New York was arrested in relation to a data breach. His name is Nickolas Sharp, and he is accused of “stealing gigabytes of confidential files.” After gaining access and stealing the files, he attempted to extort the firm for nearly two million dollars for their return and an explanation of how he managed to gain access and control.[4]

But how did he do it? Well, he worked as an Amazon Web Services cloud administrator. This position gave him enough access privileges, which he misused alongside a VPN, giving him access through what he called a “backdoor” which gave him complete access to download confidential data.

 

In cybersecurity there exists the principle, “if a person has control over any function, it can also be used to control the computer.” Whether it is by gaining admin privileges for a Facebook page through Broken Access Control, fishing valuable information through fake emails, or gaining access to confidential data misusing access privileges, a single function can compromise the entire computer, and even an entire organization or company.

 

Sources:

Comments

Post a Comment

Popular posts from this blog

A Review Of The Case For Copyright Reform (week 5)

Image
  Review Of The Case For Copyright Reform[1] Copyright law is the biggest pet peeve for any Youtuber who has taken YouTube seriously, or even aspiring musicians who completely transform the sounds that they sample. It is so bad that copyright claiming videos has been deemed a valid source of income for some ‘entrepreneurs’ who have dedicated bots scrambling around YouTube to find any form of copyrighted content no matter the context or situation the copyrighted content was used in, that is that there was no regard for the intent behind the usage or whether the footage/ sound byte even has any relevance to the content at hand. The situation has become so toxic that creators get copyright claimed just for saying the words of the song with no music or even humming the tune silently would be grounds enough for the bots to determine that you violated copyright law. This is all even though the Fair Use law states that it is the intent of the creator and the quantity used, that it is not ju
Read more

The Impact Of Copyleft On An Individual Project (week 6)

Image
  The Impact Of Copyleft On An Individual Project According to Wikipedia, copylefting is the practice of granting the right to freely distribute and modify intellectual property with the requirement that the same rights be preserved in derivative works created from that property[1]. The most popular iteration or form of copylefting can be found in the shape of the GNU General Public license which was written personally by the legendary programmer and member of the American Free Software Movement Mr Richard Matthew Stallman[2]. He decided to take this course of action when a rival company requested him to share his work on a LISP compiler, however when Mr Stallman requested for the modified version of his compiler from the company the company refused and refrained from sharing the software. Mr Stallman had been victim to this form of injustice many times in the past but he stated that this was the turning point in him deciding to developing the GNU General Public License.[4] img url:
Read more

Netiquette (week 7)

Image
  Adhere to the same standards of behaviour online that you follow in real life img src: https://media.istockphoto.com/vectors/comic-book-with-cloud-and-cursing-vector-id1065946200 I am of the opinion that the internet is a true reflection of what a human would be without the constraints of consequence or punishment. People express extreme depravity and commit horrible moral blunders just because their behaviour does not fall under constant scrutiny. A prime example of how far people can fall is the case of Christian Weston Chandler. An example of how a person was controlled and influenced for more than a decade by other horrible people online. He was not a sane person and clearly had a few mental diseases, he did not understand how to respond to trolls and kept responding to them. It is speculated that his autism led to him believing everything that his trolls told him, after a decade of being misled, he lost all sense of reality until he was coaxed by a horrible troll to violate hi
Read more