OSINT Techniques for Pwning FinTech

Akash Mahajan
February 08, 2018

Attackers have been using OSINT techniques against companies successfully to identify and exploit information assets.
Unfortunately, conventional security assessment and guidance don’t address these exposures very well. This talk delves into some of the techniques FinTech companies should be using to build a complete picture of their Internet-exposed assets. Once this big picture is available, they can figure out ways of staying secure.

Based on the techniques described, we share some of our findings. We will present aggregates around the various security issues discovered and general mitigations for those as checklists that can be followed.

Transcript

  1. OSINT Techniques for Pwning FinTech

    By Akash Mahajan, Director Appsecco
    Additional inputs by Abhisek Datta, Head Techie Appsecco
    50p 2018
  2. Open Source INTelligence (OSINT) 101

    • Person
    • Credentials
    • Usernames, Passwords, API Keys
    • Activities shared in public about
    • Tech they use, want to learn
    • Places they are at, photos
    • Machines
    • IP address
    • Domain/Host
    • TLS/SSL Certificates
    • Applications
  3. If you would like to learn more

    https://blog.appsecco.com
  4. What we will cover today

    • A “story” about when things do go wrong
    • A global sports body
    • Discovery of information
    • Information that could have potential domain takeover implications (Maybe)
    • Share our security checklist for you to take back and use
    • Explain threats and risks from OSINT using colourful diagrams
  5. What we will cover today

    • We will share the work we did prior to this talk
    • Show you some statistics about the OSINT exposure of a few fintech companies in India
    • Our approach on how we did, what we did
  6. What we will not cover today in the talk

    • Not going to talk about application security, network security at all
    • Because we assume that you have it covered using
    • PCI DSS, RBI guidelines
    • CERT empaneled companies doing 3rd party penetration testing for you
    • Any specifics of what we discovered
    • Attacks against your users as we focus on your infrastructure
  7. A Fable

    Because storytelling is a powerful way to understand things we don’t believe concern us. And the fact that we prefer not to name any names ever.
  8. Once upon a time…

    • There was a major sports authority
    • Their main website was the primary source of information about sports scores, videos etc.
    • They had a bit of a management shuffle and two sides emerged
    • One side got a bunch of things (not important to this story)
    • The other side got control of their primary domain name
  9. Twist in the tale

    • So on the day of a major sporting achievement their site was listed for sale for a measly price of $249
    • Good sense prevailed and they scrambled their resources to renew the domain once again
    • Phew! In terms of sporting metaphors I guess they dodged a bouncer!
  10. Moral of this story is?

    • Make sure that you maintain control of what is important
    • Investing in a reminder application could save you from becoming the laughing stock of the entire world
    • Domains are precious. If some attacker had registered it, cloned the content of the main site and also added malware, unsuspecting users would have been infected and obviously not very happy
  11. The great sports twist

    • Remember this is still a story
    • The sports authority has an email address listed on its website
    • In our references for OSINT we mentioned how you can go through 1.4 billion leaked usernames and passwords
    • We found the same email in that dump
  12. What we won’t know for sure ever

    • If the username on the site is the username used to login to their email
    • If the same username was used to register the domain
    • But this is a cool story because The Lady, or the Tiger?
  13. OSINT on FinTech Sites

    What did we find? Our approach so that you can go back and try it at home
  14. Domain Admin Email Exposed

    +40% domains didn’t have whois privacy, exposing their admin email address
    So What?
    • Attackers can try and go after the admin email addresses to hijack domains
  15. Domain Admin Email Exposed by .in

    +79% of the domains admin emails were exposed after looking at .in whois
    So What?
    • .in domain registrations don’t allow for any kind of data privacy as a requirement for registration
  16. Domain Admin Email Password Exposed

    +46% of the domain admin emails exposed have passwords in public dumps
    So What?
    • If the domain admin users have a habit of reusing passwords, attackers already know that password
  17. Domain lockdown configuration in place

    59% of the domains had set up the lockdown configuration of ClientTransferProhibited
    So What?
    • Even if attackers get access to the domain registrar control panel and don’t have access to email inbox, they will not get their hands on the unlock code required to unlock the domain
  18. What can I do about OSINT?

    Can I protect myself? Is the world coming to an end? And other poignant questions that you may have
  19. Understand risks with examples

    Potential risk | Can you do anything about it?
    Anyone on the internet can try my DNS records | Nope
    People are able to see who my domain registrar is | Nope
    My ISP/Hosting company/Government is insecure | Nope
    My OS/Processor/Hardware company is insecure | Nope
    Virat Kohli will score another century while scowling | Nope
  20. Does my registrar support 2FA?

    Yes
    ☐ Understand how the 2FA reset process works
    ☐ Make a note of what will need to be done, in case 2FA needs to be disabled
    ☐ Enable 2FA for login
    ☐ Bonus Points – If authentication logs can be stored
    No
    ☐ Change your provider
  21. Does my registrar support whois privacy?

    Yes
    ☐ Understand how to enable domain whois privacy
    ☐ Enable domain whois privacy before configuring the domain to do anything
    No
    ☐ Change your provider
    ☐ If not an option, accept that as a potential risk factor
  22. Does my exposed email support 2FA?

    Yes
    ☐ Understand how the 2FA reset process works
    ☐ Make a note of what will need to be done, in case 2FA needs to be disabled
    ☐ Enable 2FA for login
    ☐ Bonus Points – If authentication logs can be stored
    No
    ☐ Change your provider
  23. Should I bother having a .in domain?

    Yes
    ☐ If it is a legal compliance requirement?
    ☐ If it is a business & brand requirement?
    ☐ You worry about your users, employees and partners/vendors getting phished
    No
    ☐ In any case get the domain
    ☐ Use a non-domain email ID as domain admin
  24. Protecting the domain admin email

    Dos
    ☐ Enable 2FA
    ☐ Ideally not SMS based but app based
    ☐ Use a reputed 3rd party provider (like Gmail maybe)
    ☐ Make sure your password is sufficiently random
    ☐ Put in a process to change it after a fixed duration
    Don’ts
    ☐ Use that email address for registering to other sites
    ☐ Never reuse that password if you have to use the same email ID elsewhere
  25. Eating our own dogfood

    appsecco.in Whois snippet: http://viewdns.info/whois/?domain=appsecco.in
    We use reputed 3rd party email provider
    Appsecco mention in big password dump
    Would you like to know if your org is in the public DB? Come find me later
  26. Domain Hijacking

    Threats & risks
    • Domain hijacking
    • Registrar hacked
    • Email theft
    • User phishing
    • Customer malware
  27. Password Reuse

    Threats & risks
    • Unauthorised access
    • Lateral movement
    • Privilege escalation
  28. About Appsecco

    Pragmatic, holistic, business-focused approach
    Specialist Application Security company
    Highly experienced and diverse team
    Def Con speakers
    Assigned multiple CVEs
    Certified hackers
    OWASP chapter leads
  29. Security Questions?

    We are at the conference on both days, please feel free to stop us and ask us security questions.
    Appsecco Security Clinic at the conference
    [email protected] +91 99805 27812 @makash
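
The WHOIS exposures measured in slides 14 to 17 and the renewal lapse from the fable (slides 9 and 10) can be checked against your own domain's record. This is an added example, not code from the talk: the WHOIS record is constructed, and the field names (`Registry Expiry Date`, `Domain Status`, `Admin Email`), the privacy-service hints and the 60-day threshold are assumptions that vary by registry and registrar.

```python
from datetime import datetime, timezone

# Constructed WHOIS record for a placeholder domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: example-fintech.in
Registrar: Example Registrar Pvt Ltd
Registry Expiry Date: 2018-03-01T10:00:00Z
Domain Status: ok
Admin Email: admin@example-fintech.in
"""

# Assumed substrings that indicate a privacy/proxy contact address.
PRIVACY_HINTS = ("privacy", "redacted", "whoisguard", "proxy", "protected")

def parse_whois(text):
    """Collect 'Key: value' lines; keys may repeat (e.g. Domain Status)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def audit(text, today, warn_days=60):
    """Return findings for the exposures the slides discuss."""
    f = parse_whois(text)
    findings = []
    # Slide 17: the registrar lock clientTransferProhibited should be set.
    statuses = [s.split()[0].lower() for s in f.get("domain status", [])]
    if "clienttransferprohibited" not in statuses:
        findings.append("no-transfer-lock")
    # Slides 14-15: admin email visible without a privacy/proxy service.
    for email in f.get("admin email", []):
        if not any(h in email.lower() for h in PRIVACY_HINTS):
            findings.append("admin-email-exposed:" + email)
    # Slide 10: renewal reminder before the domain lapses.
    for raw in f.get("registry expiry date", []):
        expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
        days = (expiry.replace(tzinfo=timezone.utc) - today).days
        if days < warn_days:
            findings.append("expires-in-days:%d" % days)
    return findings

if __name__ == "__main__":
    now = datetime(2018, 2, 8, tzinfo=timezone.utc)  # date of the talk
    for finding in audit(SAMPLE_WHOIS, now):
        print(finding)
```

An exposed admin address found this way is the one to move behind app-based 2FA and a unique password, per slide 24.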