OSINT Techniques for Pwning FinTech

Transcript

1. OSINT Techniques for Pwning FinTech By Akash Mahajan, Director Appsecco

   Additional inputs by Abhisek Datta, Head Techie Appsecco 50p 2018 1

2. Introduction What is OSINT? And what is it that we

   can do with it? 50p 2018 2

3. Attackers go after Created by Iconicbestiary - Freepik.com 50p 2018

   3 People Machines

4. Usually 50p 2018 4 People manage servers, machines, applications

5. At the least till we have 50p 2018 5 Robot

   Uprising

6. Open Source INTelligence (OSINT) 101 • Person • Credentials •

   Usernames, Passwords, API Keys • Activities shared in public about • Tech they use, want to learn • Places they are at, photos • Machines • IP address • Domain/Host • TLS/SSL Certificates • Applications 50p 2018 6

7. If you would like to learn more 50p 2018 7

   https://blog.appsecco.com

8. What we will cover today • A “story” about when

   things do go wrong • A global sports body • Discovery of information • Information that could have potential domain takeover implications (Maybe) • Share our security checklist for you to take back and use • Explain threats and risks from OSINT using colourful diagrams 50p 2018 8

9. What we will cover today • We will share the

   work we did prior to this talk • Show you some statistics about the OSINT exposure of a few fintech companies in India • Our approach on how we did, what we did 50p 2018 9

10. What we will not cover today in the talk •

    Not going to talk about application security, network security at all • Because we assume that you have it covered using • PCI DSS, RBI guidelines • CERT empaneled companies doing 3rd party penetration testing for you • Any specifics of what we discovered • Attacks against your users as we focus on your infrastructure 50p 2018 10

11. A Fable Because storytelling is a powerful way to understand

    things we don’t believe concern us. And the fact that we prefer not to name any names ever. 50p 2018 11

12. Once upon a time… • There was a major sports

    authority • Their main website was the primary source of information about sports scores, videos etc. etc. • They had a bit of a management shuffle and two sides emerged • One side got bunch of things (not important to this story) • The other side got control of their primary domain name 50p 2018 12

13. Twist in the tale • So on the day of

    a major sporting achievement their site was listed for sale for a measly price of $249 • Good sense prevailed and they scrambled their resources to renew the domain once again • Phew! In terms of sporting metaphors I guess they dodged a bouncer! 50p 2018 13

14. Moral of this story is? • Make sure that you

    maintain control of what is important • Investing in a reminder application could save you from becoming the laughing stock of the entire world • Domains are precious. If some attacker had registered it, cloned the content of the main site and also added malware, unsuspecting users would have been infected and obviously not very happy 50p 2018 14

15. Invest in a calendar which has reminders 50p 2018 15

    calendar

16. The great sports twist • Remember this is still a

    story • The sports authority have an email address listed on their website • In our references for OSINT we mentioned how you can go through 1.4 billion leaked usernames and passwords • We found the same email in that dump 50p 2018 16

17. What we won’t know for sure ever • If the

    username on the site is the username used to login to their email • If the same username was used to register the domain • But this is a cool story because The Lady, or the Tiger? 50p 2018 17

18. OSINT on FinTech Sites What did we find? Our approach

    so that you can go back and try it at home 50p 2018 18

19. Domain Admin Email Exposed +40% 50p 2018 19 domains didn’t

    have whois privacy, exposing their admin email address So What? • Attackers can try and go after the admin email addresses to hijack domains

20. Domain Admin Email Exposed by .in +79% 50p 2018 20

    of the domains admin emails were exposed after looking at .in whois So What? • .in domain registrations don’t allow for any kind of data privacy as a requirement for registration

21. Domain Admin Email Password Exposed +46% 50p 2018 21 of

    the domain admin emails exposed have passwords in public dumps So What? • If the domain admin users have a habit of reusing passwords, attackers already know that password

22. Domain lockdown configuration in place 59% 50p 2018 22 of

    the domains had setup the lockdown configuration of ClientTransferProhibited So What? • Even if attackers get access to the domain registrar control panel and don’t have access to email inbox, they will not get their hands on the unlock code required to unlock the domain

23. What can I do about OSINT? Can I protect myself?

    Is the world coming to an end? And other poignant questions that you may have 50p 2018 23

24. Manage and understand risk 50p 2018 24

25. Understand risks with examples 50p 2018 25 Potential risk Can

    you do anything about it? Anyone on the internet can try my DNS records Nope People are able to see who my domain registrar is Nope My ISP/Hosting company/Government is insecure Nope My OS/Processor/Hardware company is insecure Nope Virat Kohli will score another century while scowling Nope

26. Does my registrar support 2FA? Yes q Understand how does

    the 2FA reset process works q Make a note of what will need to be done, in case 2FA needs to be disabled q Enable 2FA for login q Bonus Points – If authentication logs can be stored No q Change your provider 50p 2018 26

27. Does my registrar support whois privacy? Yes q Understand how

    to enable domain whois privacy q Enable domain whois privacy before configuring the domain to do anything No q Change your provider q If not an option, accept that as a potential risk factor 50p 2018 27

28. Does my exposed email support 2FA? Yes q Understand how

    does the 2FA reset process works q Make a note of what will need to be done, in case 2FA needs to be disabled q Enable 2FA for login q Bonus Points – If authentication logs can be stored No q Change your provider 50p 2018 28

29. Should I bother having a .in domain? Yes q If

    it is a legal compliance requirement? q If it is a business & brand requirement? q You worry about your users, employees and partners/vendors getting phished No q In any case get the domain q Use a non-domain email ID as domain admin 50p 2018 29

30. Protecting the domain admin email Dos q Enable 2FA q

    Ideally not SMS based but app based q Use a reputed 3rd party provider (like Gmail maybe) q Make sure your password is sufficiently random q Put in a process to change it after a fixed duration Don’ts q Use that email address for registering to other sites q Never reuse that password if you have to use the same email ID elsewhere 50p 2018 30

31. Eating our own dogfood 50p 2018 31 appsecco.in Whois snippet

    http://viewdns.info/whois/?domain=appsecco.in We use reputed 3rd party email provider Appsecco mention in big password dump Would you like to know if your org is in the public DB? Come find me later

32. Threat Models Sometimes colourful diagrams are a great way to

    understand risks 50p 2018 32

33. Domain Hijacking 50p 2018 33 Threats & risks o Domain

    hijacking o Registrar hacked o Email theft o User phishing o Customer malware

34. Password Reuse 50p 2018 34 Threats & risks o Unauthorised

    access o Lateral movement o Privilege escalation

35. About Appsecco Pragmatic, holistic, business-focused approach Specialist Application Security company

    Highly experienced and diverse team Def Con speakers Assigned multiple CVEs Certified hackers OWASP chapter leads

36. Security Questions? 50p 2018 36 We are at the conference

    on both the day, please feel free to stop us and ask us security questions. Appsecco Security Clinic at the conference [email protected] +91 99805 27812 @makash