"If a person has control over any function, it can also be used to control the computer"(week 14)




Last year, Laxman Muthiyah, a security researcher, found that it was possible for any attacker to assign themselves admin privileges on any Facebook page they wanted.[1] The attack relied on Broken Access Control, which happens when access permissions are misconfigured by the application's developers, allowing an attacker to reach functions they are not supposed to have.[2] With this access they may delete, modify, or copy data, files, and account information, among other things.

Whether Broken Access Control can take place depends entirely on how securely the webpage or application is designed and coded. In Facebook's case, it was a flaw in their code that allowed Laxman to give himself admin privileges. Luckily, Laxman was merely bug-hunting, and his intentions were not malicious. He reported the bug to Facebook and was rewarded with a monetary prize.

Here is the request Laxman used to gain admin privileges:

Request:

POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:

true
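To make the flaw concrete, here is an added example (written for this post, not Facebook's code) that models a tiny "userpermissions" endpoint twice: once in the broken form, where any valid token can grant any role to any user, and once in the fixed form, where the server first checks that the caller already manages the page. The page, user and token values are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    page_id: str
    roles: dict = field(default_factory=dict)   # user_id -> role name

class Forbidden(Exception):
    """Raised when the server refuses the role change."""

def make_pages():
    # Constructed sample state: page "1001" is managed by user "alice" only.
    return {"1001": Page("1001", {"alice": "MANAGER"})}

# Constructed token table: which identity (if any) a token is bound to.
TOKENS = {
    "app-token":     {"kind": "application", "user": None},
    "alice-token":   {"kind": "user",        "user": "alice"},
    "mallory-token": {"kind": "user",        "user": "mallory"},
}

def assign_role_vulnerable(pages, page_id, params):
    """Broken: only checks that the token exists, then trusts the body.
    Nothing ties the caller to the page, so an application token is enough
    to make any 'user' a MANAGER of any 'page_id'."""
    if params["access_token"] not in TOKENS:
        raise Forbidden("invalid token")
    pages[page_id].roles[params["user"]] = params["role"]
    return True

def assign_role_fixed(pages, page_id, params):
    """Fixed: the token must identify a user, and that user must already be a
    MANAGER of this specific page before any role is written."""
    ident = TOKENS.get(params["access_token"])
    if ident is None or ident["kind"] != "user":
        raise Forbidden("a token bound to a user identity is required")
    page = pages[page_id]
    if page.roles.get(ident["user"]) != "MANAGER":
        raise Forbidden("caller does not manage this page")
    page.roles[params["user"]] = params["role"]
    return True

def denied(handler, pages, page_id, params):
    """True if the handler rejects the request (used to check outcomes)."""
    try:
        handler(pages, page_id, params)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    grant = {"role": "MANAGER", "user": "mallory", "access_token": "app-token"}
    print("vulnerable denies:", denied(assign_role_vulnerable, make_pages(), "1001", grant))
    print("fixed denies:     ", denied(assign_role_fixed, make_pages(), "1001", grant))
```

The defensive rule the fixed handler applies is the usual one for object-level authorization: decide based on who the caller is and what they already hold on *this* object, never on fields the client supplied in the request body.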


Broken Access Control is one of many ways in which attackers abuse gateways and functions to gain access and control. While Laxman's case was harmless, attackers commonly gain access and control through a range of techniques, Broken Access Control being only one of them.

Another technique very commonly used by attackers is phishing. A phishing attack occurs when attackers trick you, for example by sending fake emails, into giving them valuable information or, in this case, control of the computer.[3] One example is a fake email containing a web link. Following the link could install malware on the computer or hand complete control to the attacker. In other phishing cases the links lead to sites replicating bank or company portals, asking the victim to enter their personal data and passwords without knowing that the site is fake.
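One thing a mail filter can check for the lookalike-portal case above is an anchor whose visible text shows one domain while its href points somewhere else. The following is an added example written for this post (not from any cited source); the email body and the `.test` domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches visible link text that looks like a URL or bare domain.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _shown_host(text):
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None

def _real_host(href):
    return (urlparse(href).hostname or "").lower()

def suspicious_links(html):
    """Return (visible text, href) pairs where the text names a domain that
    the href does not actually go to (subdomains of the same site are allowed)."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = _shown_host(text), _real_host(href)
        if not shown or not real:
            continue            # text is plain wording, not a domain claim
        same_site = (shown == real or real.endswith("." + shown)
                     or shown.endswith("." + real))
        if not same_site:
            flagged.append((text, href))
    return flagged

# Constructed sample email body in the style of a fake bank notice.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please sign in at
<a href="http://examplebank.com.login-verify.test/">https://www.examplebank.com/login</a></p>
<p>Need help? Visit <a href="https://www.examplebank.com/help">www.examplebank.com</a></p>
<p><a href="https://www.examplebank.com/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"mismatch: text shows {text!r} but link goes to {href!r}")
```

Only the first anchor is reported: its text reads like the bank's own address while the href points to a different host. Plain wording such as "Contact us" is skipped, since it makes no domain claim.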


(Figure: an example of a phishing website)


Such a case occurred in December last year in the United States, when an employee of a wireless communications manufacturer in New York was arrested in connection with a data breach. His name is Nickolas Sharp, and he is accused of "stealing gigabytes of confidential files." After gaining access and stealing the files, he attempted to extort the firm for nearly two million dollars in exchange for their return and an explanation of how he had gained access and control.[4]

But how did he do it? He worked as an Amazon Web Services cloud administrator. That position gave him broad access privileges, which he misused together with a VPN, giving him access through what he called a "backdoor" that let him download confidential data.


In cybersecurity there exists the principle, "if a person has control over any function, it can also be used to control the computer." Whether it is by gaining admin privileges for a Facebook page through Broken Access Control, phishing valuable information through fake emails, or reaching confidential data by misusing access privileges, a single function can compromise the entire computer, and even an entire organization or company.


Sources:
