OSINT Techniques for Pwning FinTech By Akash Mahajan, Director Appsecco Additional inputs by Abhisek Datta, Head Techie Appsecco 50p 2018 1

Introduction What is OSINT? And what is it that we can do with it? 50p 2018 2

Attackers go after Created by Iconicbestiary - Freepik.com 50p 2018 3 People Machines

Usually 50p 2018 4 People manage servers, machines, applications

At the least till we have 50p 2018 5 Robot Uprising

Open Source INTelligence (OSINT) 101 • Person • Credentials • Usernames, Passwords, API Keys • Activities shared in public about • Tech they use, want to learn • Places they are at, photos • Machines • IP address • Domain/Host • TLS/SSL Certificates • Applications 50p 2018 6

If you would like to learn more 50p 2018 7 https://blog.appsecco.com

What we will cover today • A “story” about when things do go wrong • A global sports body • Discovery of information • Information that could have potential domain takeover implications (Maybe) • Share our security checklist for you to take back and use • Explain threats and risks from OSINT using colourful diagrams 50p 2018 8

What we will cover today • We will share the work we did prior to this talk • Show you some statistics about the OSINT exposure of a few fintech companies in India • Our approach on how we did, what we did 50p 2018 9

What we will not cover today in the talk • Not going to talk about application security, network security at all • Because we assume that you have it covered using • PCI DSS, RBI guidelines • CERT empaneled companies doing 3rd party penetration testing for you • Any specifics of what we discovered • Attacks against your users as we focus on your infrastructure 50p 2018 10

A Fable Because storytelling is a powerful way to understand things we don’t believe concern us. And the fact that we prefer not to name any names ever. 50p 2018 11

Once upon a time… • There was a major sports authority • Their main website was the primary source of information about sports scores, videos etc. etc. • They had a bit of a management shuffle and two sides emerged • One side got bunch of things (not important to this story) • The other side got control of their primary domain name 50p 2018 12

Twist in the tale • So on the day of a major sporting achievement their site was listed for sale for a measly price of $249 • Good sense prevailed and they scrambled their resources to renew the domain once again • Phew! In terms of sporting metaphors I guess they dodged a bouncer! 50p 2018 13

Moral of this story is? • Make sure that you maintain control of what is important • Investing in a reminder application could save you from becoming the laughing stock of the entire world • Domains are precious. If some attacker had registered it, cloned the content of the main site and also added malware, unsuspecting users would have been infected and obviously not very happy 50p 2018 14

Invest in a calendar which has reminders 50p 2018 15 calendar

The great sports twist • Remember this is still a story • The sports authority have an email address listed on their website • In our references for OSINT we mentioned how you can go through 1.4 billion leaked usernames and passwords • We found the same email in that dump 50p 2018 16

What we won’t know for sure ever • If the username on the site is the username used to login to their email • If the same username was used to register the domain • But this is a cool story because The Lady, or the Tiger? 50p 2018 17

OSINT on FinTech Sites What did we find? Our approach so that you can go back and try it at home 50p 2018 18

Domain Admin Email Exposed +40% 50p 2018 19 domains didn’t have whois privacy, exposing their admin email address So What? • Attackers can try and go after the admin email addresses to hijack domains

Domain Admin Email Exposed by .in +79% 50p 2018 20 of the domains admin emails were exposed after looking at .in whois So What? • .in domain registrations don’t allow for any kind of data privacy as a requirement for registration

Domain Admin Email Password Exposed +46% 50p 2018 21 of the domain admin emails exposed have passwords in public dumps So What? • If the domain admin users have a habit of reusing passwords, attackers already know that password

Domain lockdown configuration in place 59% 50p 2018 22 of the domains had setup the lockdown configuration of ClientTransferProhibited So What? • Even if attackers get access to the domain registrar control panel and don’t have access to email inbox, they will not get their hands on the unlock code required to unlock the domain

What can I do about OSINT? Can I protect myself? Is the world coming to an end? And other poignant questions that you may have 50p 2018 23

Manage and understand risk 50p 2018 24

Understand risks with examples 50p 2018 25 Potential risk Can you do anything about it? Anyone on the internet can try my DNS records Nope People are able to see who my domain registrar is Nope My ISP/Hosting company/Government is insecure Nope My OS/Processor/Hardware company is insecure Nope Virat Kohli will score another century while scowling Nope

Does my registrar support 2FA? Yes q Understand how does the 2FA reset process works q Make a note of what will need to be done, in case 2FA needs to be disabled q Enable 2FA for login q Bonus Points – If authentication logs can be stored No q Change your provider 50p 2018 26

Does my registrar support whois privacy? Yes q Understand how to enable domain whois privacy q Enable domain whois privacy before configuring the domain to do anything No q Change your provider q If not an option, accept that as a potential risk factor 50p 2018 27

Does my exposed email support 2FA? Yes q Understand how does the 2FA reset process works q Make a note of what will need to be done, in case 2FA needs to be disabled q Enable 2FA for login q Bonus Points – If authentication logs can be stored No q Change your provider 50p 2018 28

Should I bother having a .in domain? Yes q If it is a legal compliance requirement? q If it is a business & brand requirement? q You worry about your users, employees and partners/vendors getting phished No q In any case get the domain q Use a non-domain email ID as domain admin 50p 2018 29

Protecting the domain admin email Dos q Enable 2FA q Ideally not SMS based but app based q Use a reputed 3rd party provider (like Gmail maybe) q Make sure your password is sufficiently random q Put in a process to change it after a fixed duration Don’ts q Use that email address for registering to other sites q Never reuse that password if you have to use the same email ID elsewhere 50p 2018 30

Eating our own dogfood 50p 2018 31 appsecco.in Whois snippet http://viewdns.info/whois/?domain=appsecco.in We use reputed 3rd party email provider Appsecco mention in big password dump Would you like to know if your org is in the public DB? Come find me later

Threat Models Sometimes colourful diagrams are a great way to understand risks 50p 2018 32

Domain Hijacking 50p 2018 33 Threats & risks o Domain hijacking o Registrar hacked o Email theft o User phishing o Customer malware

Password Reuse 50p 2018 34 Threats & risks o Unauthorised access o Lateral movement o Privilege escalation

About Appsecco Pragmatic, holistic, business-focused approach Specialist Application Security company Highly experienced and diverse team Def Con speakers Assigned multiple CVEs Certified hackers OWASP chapter leads

Security Questions? 50p 2018 36 We are at the conference on both the day, please feel free to stop us and ask us security questions. Appsecco Security Clinic at the conference [email protected] +91 99805 27812 @makash