So, what we are going to talk about is OSINT for owning or calling fintech. Frankly, this is a clickbait title, but you will get value from this talk; there are a bunch of cool takeaways in terms of a checklist, and we are around both the days. So, feel free to come talk to us about security that is covered here and otherwise. I am Akash, I will be doing the talk, but Abhishek, who is in the first row, has given his additional inputs, and there are two more of us wearing Appsecco t-shirts, with the lambda which looks like it is all in our face. We are around, please come, please talk to us.

So, obviously, how many of you are familiar with the term OSINT? Perfect. So, the introduction makes sense. I am going to assume that this track is meant for people who want to understand security issues at a level where you know their concepts, not just some fancy technical terms. Is that OK to make that assumption today? OK, cool. You are in a room listening to someone, but that does not stop you from saying yes, no, maybe, or go away. I understand there is a cryptocurrency talk happening in another track, so thank you so much for staying back.

So, I am going to talk about what OSINT is and what it is that we can do with it. There are many, many things you can do with many, many things, right? We will not confuse ourselves; we will stick to a couple of use cases and see how they are useful for us in this scenario. Attackers, and this is my assertion here, attackers tend to go after people and machines, right, at a very simplified level. These are the two things that get exploited: either there are computers, servers, laptops, desktops, apps, devices getting exploited through some code or, you know, social engineering or something, or people are getting exploited or hacked. Usually people manage these servers, machines and applications, OK? So, people are an important, a critical aspect of this, and this will stay true till we have any kind of a robot uprising or Skynet, right?

Yesterday I was in a discussion around AI and finance; it was a round table by CIS and 50p. It was extremely useful to get the point of view of lawyers and all, about how it worries them, how law will take over and how law will manage when there are decisions and intelligence provided by programs and, you know, we do not know what the outcome will be. So, till we reach there, people are important.

So, what is OSINT? The basic slide for you: you are a person, you have access to credentials. Credentials are your username, passwords, API keys, whatever allows you to say to a system that this is me and I have something that is not in the system, but the system understands that value, like a pre-shared value. When you enter the password, the server knows the password and is able to compare: yeah, this is the password that I expected, so this is who you are. That is how you are identifying yourself. People also share activities on social media; they go to Stack Overflow and tell people what they want to learn, and they go to a bunch of other places like a restaurant and say what they like to eat, or at least what they like to click a photo of what they like to eat, right? And all these things are available for attackers to figure out: can I make sense of this somehow, can I misuse it somehow? Machines typically have identifiers like an IP address, a domain or a host, right, and there are certificates, because now everyone says we should be end-to-end encrypted, and TLS, SSL, in the range of Let's Encrypt. There are many other things; like Michael Lee was saying, hey, why are we not talking about all the code that gets committed to GitHub, and a bunch of these things. I understand, right, there are many things, let us talk about this. What I am saying is attackers are able to make sense of this data and utilize it somehow, OK?

So, that is where we are at currently, and machines typically run applications which are written by people, and these are some of the places that attackers like to go and figure out, right? Why LinkedIn? Because LinkedIn is a place where your company might be posting job openings, right, or it will tell me who the people are, what their profile is, what they are good at. Maybe there is a senior Java architect and they work at company X, so maybe that company X has a use for a senior Java architect, right? And then there is a link to a professional blog of that person, and that person is talking about, you know what, this cool thing I use with Spring Boot, it is SSO, and I am deploying it to some Google Cloud or whatever, and you are like, OK, this is what they want to learn, or maybe they will learn this, they are senior, they will start using it in the company. OK, this is just to understand the overall scenario, right?

What can you do with Google? Google indexes everything. It indexes IP addresses, it indexes domains and hosts, and sometimes, even before you go to the actual website of company X, you will figure out that these are the different domains or subdomains this company X has. And sometimes Google is able to index things when the application is giving an error; the error does not exist anymore, but it is in the Google index, right? Google makes it really simple to create a custom search engine. A custom search engine is something where you just say, hey, these are the five websites, I will be searching only between these five websites, so give me an index which is more refreshed than the general Google search that is available, OK? So it is free for, I think, a thousand queries or something, and beyond that it is five dollars for up to a million; the pricing is just dirty. GitHub: you may be familiar that people try and search GitHub repositories for secrets being committed. Something happened to Zomato recently, last year I think; that is the company you were talking about with the leaky bucket, just my guess. Twitter, Facebook, Bing: all these allow you, as an attacker, if you were an attacker, to find out more about people and machines without actually interacting with those people and interacting with those machines. You see the basic premise here: we are doing data collection, but passively. We are finding out about something or someone, but they may not be aware that we are trying to find more things about them, right? So my wife, you know, is active on Instagram and Facebook, and sometimes I ask her, like, hey, who are these people on your Instagram feed? And like, you know, I knew this person in college, and whatever. I'm like, but who's this? And they're like, oh, this is the person they are working with. I'm like, what's your interest? And she's like, no, this is called social media stalking, right? So it's a thing.

If you'd like to learn more, I'm going to plug my blog here. It's completely nice and open and free; please feel free to look at things. The four references that I'm putting here are the ones that we're using today. So we have a blog about how we got a dump of passwords, billions of usernames and passwords. It doesn't matter where the username and password was leaked from, right, that is not what we're trying to find out, but what we're trying to find out is that there is a dump of usernames and passwords, and we needed cheap storage and we needed a place to quickly query it, right? So we did that with GCP. We have a guide to subdomain enumeration; we, I think, list nine different methods on passively figuring out all the possible subdomains for our company's online presence without actually going to the server or the DNS server of the company. We also have a nice getting started on OSINT, if this is an area of interest for you, and I would like to believe that after this talk you would be interested in finding out what your company or your organization is exposing online. We also have something about certificate transparency. I will not really go into what this is, but every certificate that is generated now, a TLS certificate, most people call it SSL, by most large providers who provide these certificates, these third-party trusted certificates, needs to go into a log so that anyone can verify who generated a certificate for a particular domain. These logs have streaming APIs, and you are able to find out interesting things like, hey, oh, this company has suddenly generated a certificate for an app which does not seem like it's outside, right? There is no A record for this domain, so the subdomain must be an internal app, right? They're doing TLS internally, which is a security requirement and a recommendation.

So what we will cover today: we will cover a story about when things do go wrong; we will talk about a global sports body, we're not naming names; we will talk about discovery of some information; we will talk about information that could have potential domain takeover implications. Domain takeover means that the attacker could potentially control the domain and obviously then whatever the mail server is, the A record and all that. We will share a security checklist for you to take back and use, and we will explain threats and risks using colorful diagrams; in boring terms they call them threat modeling diagrams. We will not explain how to build them, but we are around, come talk to us later. We will also share the work we did prior to this talk, when we decided that we are going to talk about OSINT in this particular space of payments and fintech. We will show you some stats about the exposure of a few fintech companies in India and the approach, very, very light; once you see that slide you are ready to try this out.

What we will not cover: we are not going to talk about application security, network security at all. I think Shadab did a really good job anyway, because we assume that you're already following some of the
guidelines, right? You're a payment company or you're interested in payments, you are aware of these things, people doing third-party pen testing for you. If you still have questions around that we will take it after the talk and talk about regular security stuff. We are obviously not naming names, we are not giving any raw data, we are not interested in sharing any of that at all; we are explaining how we did it. So we are not going to talk about, hey, how do I detect fraud by my users against my app, right, because there are many other ways of doing that. We're just going to talk about your infrastructure today, OK?

So we will start with a story. We will give you a simple story about what happened with a global sports body. Once upon a time there was a sports body. Their main website was a source of information for scores and other things. They had like a management shuffle at some point and two sides emerged, and one side got a bunch of things, not really important, but the other side got control of the primary domain. So the twist is, one of the days there was like a major win, some achievement, and the primary domain was listed for registration for $249. If you follow sports news you would know which one, but good sense prevailed. It would have been extremely embarrassing if the domain had been bought by an attacker and, you know, cloned the website to show sports scores but with maybe malware-filled ads or something. In sporting metaphors, I think they dodged the bouncer.

The moral of the story is: make sure you maintain control of what is important. What's important for you? The primary domain. Not many people think about the primary domain; it's the way they operate, you know, all their APIs, that's the base URL, and whatever it is, it could be the sales and marketing domain or it could be the one that all the API keys or API URLs point to, right? Whichever it is, you have to maintain control of this. You should invest in a reminder application so that you are not a laughing stock of the world, right? And it's not something that has happened only to an incompetent sports body; it can happen, it has happened to technical companies, tech companies. Domains are precious. If an attacker had registered it, cloned the contents, added malware, users would have been infected and not very happy about it, right? So that would have been a problem. So that's the main takeaway: invest in a calendar which has reminders. I think you can use Google Calendar, it's free.

I think I have an animation here. The twist in the twist is still a story, it did not happen in real life, right? In the story they have an about page which lists an email address. In our references we pointed out that there is this massive password dump, right, which you can store and query, and there is a password for that email address in that dump. That's the twist. And we won't know for sure, right, ever, if the username on the site and the username used to log in to the email is the same; we will not know, because we didn't try and log in. And if the same username was used to register the domain, right: if you have registered a domain, you go to a registrar's website, typically you have to provide an email ID, it's called the admin, domain admin, email. It's a cool story because we will never know. It's the story of "The Lady, or the Tiger?"; only the people born before, I think, 1990 would know the reference, but if you don't, it's okay, Google it after the story.

Let's talk about OSINT on fintech, right? What did we find, and what can you go back and try at home? The first thing that we did was we made a list of fintech websites to understand what's the exposure in India, what kind of websites are there, what are the companies doing in India. And like the global sports body, 40 percent of the total data did not enable WHOIS privacy. What is WHOIS privacy? WHOIS privacy enables you to mask the actual domain email ID; it will give you some kind of a surrogate, which you will receive the email in your inbox, but the person sending you the email will not know what the actual domain ID is. Attackers can try and go after the admin email ID address to hijack domains. Why will they try and hijack domains? Another story. This happened to a Bitcoin company around four years ago, when Bitcoin wasn't really this big a deal. The attackers managed to compromise a large VPS provider, a virtual private server provider; I'm pretty sure some of you will have servers on that, not naming names. The only reason they compromised the provider was because they wanted to gain access to this particular Bitcoin application and server, but the collateral damage was a lot of other people's management access to that VPS provider, you know, the place where you go and log in and say start server, stop server, start backup and all that, the control panel or whatever, right? Those credentials were also stolen by the attackers. The attackers had no need for that, so they just released it in public. And using that... are you familiar with this tool called Nmap, network mapper? So it's a CLI-based tool which allows you to figure out what the devices in your network are and get more information about them. The site which hosts Nmap (Nmap is a tool used across the world by security professionals, by IT professionals, a lot of people with critical things to take care of), that website itself got caught in this, and for a couple of hours the download available on that website for Nmap, if you wanted to download and compile it yourself, the source code in a tar.gz file, was backdoored, OK? So it can go to that; that's what attackers can do.

Now we have an interesting problem of being in India, using this registry for .in domains, which by law doesn't allow you to mask with WHOIS privacy. So 79% of the ones that were protected with domain WHOIS privacy, right, so in the last slide what we said was 40% were exposing, 60% were not; of the 60% people who had domain WHOIS privacy enabled, out of that we were able to get the domain email ID of 79%. Our assumption is that the same email ID was used to register the .com or the .io as was used to register the .in, because the .in registry does not allow you to have any kind of privacy. As per the requirement of the registry, .in doesn't allow any kind of data privacy, and that's a requirement; you can't register a .in without accepting that, and you have to make sure that it's up to date and all that. So now we have a larger number of people to look at. What were we trying to do with it? For 46% of the total domain email IDs that we discovered, for that email there are multiple passwords in that dump, and, sad to say, there are only, I think, two passwords out of the whole data set which use a special character, OK? It is the reality of the world that people who manage servers reuse credentials and do not believe in sufficiently random passwords, OK?

If the domain admin users have a habit of reusing passwords, and it's typically the case when people have simple and easy to remember passwords, attackers already know the password; they can go after the registrar website and try and log in, they can go after the primary email provider, it could be anything. Out of the total set that we looked at, 59% had set up the lockdown configuration of clientTransferProhibited. There are a bunch of these additional flags that registrars provide to you. With this flag enabled, what you get is: if the attacker does not have access to the email inbox of that particular admin, they will not get their hands on the unlock code, because the unlock code for disabling clientTransferProhibited will only reach the email inbox of the listed admin email, the domain contact, right? So the rest of the total had not even enabled this check. It does not cost anything, it's part of your registrar, right, you just have to go ahead and do it.

So what can I do about OSINT? Can I protect myself? Well, is the world coming to an end? We don't want to make it sound like it's a big bad thing. The dump has been there forever. I don't know if you know this: the Dropbox leak, 68 million passwords, around four years ago. So if you still have access to your files, maybe the attackers are not interested in your files, right? The thing to understand and work with is always to manage and understand risk. This is just a good picture; I am not going to explain each item here, it looks nice, you can do analyze and whatever. Anyone on the internet can query my DNS records, right? That's a risk; that's how DNS is created, there is nothing you can do about it, so accept it, OK? If you want something to be extremely safe, do like a split horizon DNS or run an internal DNS so that your people are able to use domains to reach something, but it's not in the public, whatever, right? Maybe people are able to see who my domain registrar is; can I do something about it? Absolutely nothing, it's okay. My ISP, hosting company, government is insecure; can I do something about it? Nope, accept that as a risk, it'll impact everyone, right? My OS, processor, hardware companies are insecure; I added that because of Meltdown and Spectre, you can't do much about it. And will Virat Kohli ever score a century without is calling? No, right? He does not smile. That's just a cricket metaphor because I like cricket, so nothing to do with the presentation otherwise.

So the checklist. Does my registrar support 2FA? Please understand how the 2FA reset process works. In our experience, the number one reason why people who understand the advantages and benefits of 2FA authentication do not enable it is because they are worried: what if I lose my device, right? Which is why you have to understand what the reset process is for that particular app or website. Make a note of what needs to be done if you lose your device or somehow you forget something; figure out what the process is, because if someone is providing that as a security
feature, they would have thought of usability. Is it good usability, is it useful? Useful is different, but they would have thought of it. You should do that first, and when you are clear about these two things, enable 2FA. In this day and age not doing this makes no sense; there is nothing that you are gaining from not enabling this. If the authentication logs every time you enable 2FA can be stored, bonus, right, if your registrar allows for it. Most will not, but most will give you a username and password; you can always scrape that data. If the answer is no, change your provider; that is the only recommendation here.

Does my registrar support WHOIS privacy? Yes? Great, understand how to enable it. Enable domain WHOIS privacy before configuring the domain to do anything. Don't allow bots and scrapers to get data about your WHOIS details and put it on some random website, and then you remember to enable it; that defeats the purpose, because historical data is easy to find. And if your registrar does not support it, change your provider. If that's not an option, accept that there is a potential risk, because you are exposed. Email provider supports 2FA? Understand how it works, enable 2FA. If logs can be stored, great. I think with the G Suite apps now you are able to get logs; you can offload the logs, you can add some alerting on that if you want. Change your provider if your email provider does not support 2FA; there is no reason to have an email provider not supporting 2FA, I mean, unless you're like with the government or something.

Should I bother having a .in domain? Interesting question. Yes, if it's a legal compliance requirement; I'm not sure if it is. If it's a business or a brand requirement: you are in India, you want to be known for doing stuff in India, maybe you want a .in domain. You worry about users, employees and partner vendors getting phished. Just imagine you do not register the .in, you only have the .com or the .io, and the attacker registers the .in, makes a page which looks similar, with a login, and starts sending mails to people they know are your users, customers and all that. It'll be a problem, right? I would recommend, in any case, get the domain.

Use a non-domain email ID as domain admin. OK, this is going to be a controversial thing, but that's what I believe should happen. You should protect the domain email ID by doing some do's: enable 2FA, not SMS-based, ideally app-based; use a reputed third-party provider like Gmail, I personally think that they are likely to be far more safe and secure than most of us in the room; make sure your password is sufficiently random; put in a process to change it after a fixed duration, I know this is the painful part but you should try; don't use that email address for registering to other websites, just don't do that, email IDs are free, they give you free space, don't do that; never reuse that password. If you have the same email ID elsewhere, for some reason you need to, maybe you do for whatever reason, right, do not reuse the password. I am not saying don't do password reuse, I am not saying change your entire lifestyle, right; if that's a problem, at least do it for one particular case. Every process can have exceptions, right? We do the same for our .in. We have a .in; I work for a company called Appsecco, so I am the registrant, and there is a third-party email provider. You can follow this URL, we will upload the slides as well after the talk; you can follow this URL and see if your email, sorry, your domain is leaking this information. We went through the big bad password dump to see if there was a mention of our domain somewhere; it wasn't, so a win for us, which basically tells us that we are too small and our employees have had some discipline. We are a security company, right, so they had the good sense to not use the Appsecco email ID everywhere, so that was good. If you would like to know if your org is in the public DB, come see me later, right? The dump is ready, you just have to run a query, right? I promise we will not look at the password, we will just look at the usernames; you just want to know if it's there, right, we don't really care about the password.

Colorful diagrams are a great way to understand risks and security. If you have questions about this we will take them later, because of time. The first diagram is to explain domain hijacking, right? I said domain hijacking is bad, attackers can do a bunch of things; let's see what the diagram tells us. What the diagram tells us is that you have an admin to manage the domain. Using that domain management process you can do things like set up mail records; you tell the domain that, hey, my mail is handled by Rackspace, by Google, by Microsoft, or I run my own mail server, whatever, right? Those records are managed by the domain management, and any other domain record, for example to use a bunch of third-party services. Those services use pre-verification before you can add your domain to utilize that service; they say, can you add this file to your website, or can you add this TXT record to your domain records, right? You could lose access to your domain on a third party if you lose access to the domain management. Does that make sense? Like, for example, we use an issue tracking, task management software in our office, and to be able to use the single sign-on feature offered by them (single sign-on meant that when we go to the login of that third-party task management software, we put in our corporate email ID, it sends us to the place where we authenticate with our provider and then come back to the site; I am sure you have seen that workflow somewhere, yes? Yes, OK, we have nodding), for them to enable it for the appsecco.com domain, that is our primary domain, right, we had to verify that we are in control of the domain; in customer support language, we are the owners of the domain, right? The reality is whoever is in control of creating that record can add that domain. Now do not ask me what they will do by misusing a third party by adding a domain; maybe they have a use case, I do not know, right, just saying. Employees typically look at mail records, domain records and do things with that, right? An employee says, you know what, I built this fancy new app which is supposed to go on my Kubernetes cluster, it is called cluster101.whatever-domain, hey, can you add the A record, right? So the IT person in the company will be like, give me the external IP of your cluster, the public IP or the node IP or whatever, and I will add it, right? So they do some editing here, but they may not be able to remove stuff and all that. And obviously, customers: online, the domain becomes the way the customer identifies you, the same way you know it is an ICICI or HDFC or whatever bank branch by seeing the board outside. You understand, if you are a customer, the only way you know that there is a branch is because you can see a board outside. If you're paranoid you're like, I will go to the official website of my bank and check if a branch is supposed to exist in this locality or not. You understand, online the domain is doing that for you; that's how we have translated what's an offline security construct online, so it's important.

What are the threats and risks? Hijacking: sometimes registrars get hacked. This has happened to a bunch of security companies, this has happened to large internet providers, where the provider they had registered the domain with was hacked, which enabled changing of records, and domain hijacking was possible. Email theft, a simple one: people change the MX record, right, the mail exchange record, and now the emails which are meant for your mail server are going to the server which the domain is saying is configured, and it's not yours. User phishing, obviously: if the email is no longer in your control, phishing is perfect; your client will not be able to tell the difference. Customer malware, right: people want to go after your users and do some malware stuff. Password reuse. I promise this is the last colorful diagram; we have fun slides after this. Users: do I need to explain this one? How many of you reuse passwords? No names, no names. Everyone in my team does the same; it's just easy, right? In my personal case, the first time I started using a password manager was when I realized that I end up signing up on so many websites that I don't remember where I've signed up. It is very frustrating: like, I know I got a sign-up confirmation email in my inbox, but what is this keyword I should search for? So the solution I came up with was that, yeah, you know what, I will use a password manager, because one of the things it will store is the URL where I signed up, right? I did not even think of a security use case, so whatever works for you. I'm really glad you're all young, you can remember all the websites you sign up at in your head, but you know what, everyone gets older, everyone gets older; there's nothing even about that risk. So threats and risks are unauthorized access, lateral movement, privilege escalation. Oh, you're done? You just started? Three?

This is obviously a slide about my company. We offer pragmatic security advice, we do cool things, we are a very technical company, so feel free to ask all your technical questions to us outside. These are the four of us at the conference today and tomorrow. I'm wearing the Appsecco t-shirt; I don't have another one, so I'm not going to wear this one tomorrow, but you see my face. And, oh yeah, we're running a clinic; I'm not sure what time, they will let us know, but we are around, it'll be somewhere in the vicinity. We will again take questions on security; all application security, network security questions are fine, OSINT security questions are fine, we will answer those. For the presentation we were being a little
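The domain-registration checklist the speaker walks through (transfer lock, WHOIS privacy, a non-domain admin mailbox, an expiry reminder, and a username-only lookup against a credential dump) as a runnable self-check over one registrar record. This is an added example, not the speaker's or Appsecco's code; the WHOIS text, the dump usernames and the `Key: Value` field names are constructed, and the privacy-marker list is an illustrative heuristic.

```python
"""Self-check of a domain's registrar record against the talk's checklist.

Example code added here; input is constructed WHOIS-style text. Field names
(Domain Name, Domain Status, Admin Email, Registry Expiry Date) follow the
common 'Key: Value' layout but real registrars vary (assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime

# EPP status codes that block unauthorised changes at the registrar. The talk
# names clientTransferProhibited; the other two are its companion locks.
LOCK_STATUSES = {"clientTransferProhibited", "clientUpdateProhibited",
                 "clientDeleteProhibited"}

# Substrings that suggest a privacy/proxy surrogate rather than a real
# mailbox (illustrative heuristic, not an exhaustive list).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "protect")

# Constructed stand-in for the "big bad password dump": usernames only,
# never passwords, matching what the speaker says they query.
DUMP_USERNAMES = {"ops@examplepay.test", "someone@mail.test"}

SAMPLE_WHOIS = """\
Domain Name: EXAMPLEPAY.TEST
Registrar: Example Registrar Ltd
Registry Expiry Date: 2019-04-15T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Email: ops@examplepay.test
Admin Email: ops@examplepay.test
Name Server: NS1.EXAMPLEPAY.TEST
"""
SAMPLE_TODAY = date(2019, 3, 1)  # fixed "today" so the example is repeatable


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: Value' lines; repeated keys (Domain Status) accumulate."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def _first(fields: dict[str, list[str]], key: str) -> str | None:
    vals = fields.get(key.lower())
    return vals[0] if vals else None


def check_domain(whois_text: str, today: date, reminder_days: int = 60) -> list[Finding]:
    f = parse_whois(whois_text)
    domain = (_first(f, "Domain Name") or "").lower()
    out: list[Finding] = []

    # 1. Registrar lock: the unlock code only reaches the admin inbox, so a
    #    stolen registrar password alone cannot move the domain.
    statuses = {s.split()[0] for s in f.get("domain status", [])}
    missing = sorted(LOCK_STATUSES - statuses)
    out.append(Finding("registrar lock", "clientTransferProhibited" in statuses,
                       "missing: " + ", ".join(missing) if missing else "all lock statuses set"))

    # 2. WHOIS privacy: is the published contact a surrogate or a real mailbox?
    admin = (_first(f, "Admin Email") or _first(f, "Registrant Email") or "").lower()
    masked = any(marker in admin for marker in PRIVACY_MARKERS)
    out.append(Finding("whois privacy", masked,
                       "admin email masked" if masked else f"admin email exposed: {admin}"))

    # 3. Admin mailbox must not live on the domain it administers: whoever
    #    changes the MX record would also receive the recovery mail.
    same_domain = bool(admin) and admin.rsplit("@", 1)[-1] == domain
    out.append(Finding("non-domain admin email", not same_domain,
                       "admin mailbox is on the registered domain" if same_domain else "ok"))

    # 4. Expiry reminder: the sports-body story is a registration that lapsed.
    exp_raw = _first(f, "Registry Expiry Date") or ""
    try:
        days = (datetime.strptime(exp_raw[:10], "%Y-%m-%d").date() - today).days
        out.append(Finding("expiry reminder", days > reminder_days, f"{days} days to expiry"))
    except ValueError:
        out.append(Finding("expiry reminder", False, "expiry date unparseable"))

    # 5. Exposed admin username present in the dump (no password is consulted).
    in_dump = (not masked) and admin in DUMP_USERNAMES
    out.append(Finding("admin email in dump", not in_dump,
                       "username present in dump" if in_dump else "not found"))
    return out


def checklist(whois_text: str, today: date, reminder_days: int = 60) -> dict[str, bool]:
    """Condensed pass/fail view of check_domain, keyed by check name."""
    return {x.check: x.ok for x in check_domain(whois_text, today, reminder_days)}


if __name__ == "__main__":
    for item in check_domain(SAMPLE_WHOIS, SAMPLE_TODAY):
        print(f"[{'PASS' if item.ok else 'FAIL'}] {item.check}: {item.detail}")
```

On the constructed record only the transfer lock passes; the four failures are exactly the exposures the talk's statistics describe.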