Author Archives: Prasanna

The Art Of Shaving Your Head!


The lockdown has forced people to look and feel different. While beards still rule the fashion scene, ponytails and long hair are not so much in vogue these days. Quite a few people have asked me how I manage to shave my head. Yes, I do it myself, and what started off in 2015 is now a monthly or weekly routine.

I hope this helps all of you who are on the fence about giving your head a cleanup, whether with the help of a barber, a partner or all by yourself.

Shaving the head is not for the faint-hearted, and very few people understand the change a bald head brings about. It’s a process, a journey of losing one’s identity. No wonder the first thing many criminals do after a crime is shave their head 🙂 or at least that’s what I have read and understood from newspaper reports.

Jokes apart, it’s a tedious process to get rid of the hair on your head, especially if you are going to do it yourself. The first time I decided to let go of the hair, I did it by myself. There were lots of thoughts about what others would say, especially family, friends and colleagues, who will pose a zillion questions! More importantly, what would you say to yourself? The moment I found the courage and calmness to accept it, the rest of the process was just technical.

Here are few things that you should know before embarking on this journey:

  • It’s a time-consuming process; you need to be patient and willing to spend some time
  • You must invest in the right tools
  • Be ready to clean up the mess!
  • Face the consequences (including funny faces from young and old, and being questioned on why)

Prerequisites:

  • A good trimmer
  • Good razor
  • Shaving foam & an aftershave
  • Towel
  • Mirror(s)
  • Old newspaper/waste papers

Preparation:

Shaving your head takes a good amount of time, and it’s not something you can do on a daily basis. It can take anywhere between 20–60 minutes depending on where you are on the learning curve. It’s best done when you are relaxed and have sufficient time in hand. I prefer weekends, when I don’t have to rush into any meetings. And this is the time you will need to invest every time you want to shave your head.

You do not start off by trying to shave with a razor directly. That would be a disaster in the making. Buy yourself a good hair trimmer. I used a Panasonic trimmer for close to 10 years until the battery died. I even dismantled it and got it working with a standalone battery, but I screwed up while putting the covers back and broke a tiny hinge.

Old trimmer, whose yellow hinge I broke

A trimmer is an engineering marvel, so many tiny parts working in such harmony. Unfortunately, here in India it is not easy to get original replacement blades, and you might as well pick up a new trimmer instead of trying to source the replacement parts for the same price!

The choice of trimmer is yours: corded or battery operated, each with its own pros and cons. Corded ones are usually more powerful and trim hair faster and better. But if you live in a household with frequent power cuts, I suggest buying a trimmer that also runs on battery.

I currently use this one, which supports both corded and cordless operation; it has a battery backup as well.

A big, good mirror is beneficial; bonus points if you have a smaller hand-held mirror, which will come in handy to see the back of your head.

pic courtesy: https://bit.ly/3A2jzO5

You can move the trimmer as shown above.

I would advise putting a newspaper on top of the sink (make sure there are no traces of water and it is dry) and dropping all the cut hair directly onto it. There’s a trick to how you do it. Using the trimmer, start from the back of the head (as shown in the pic) and move it slowly till it reaches the forehead. After every stroke, clean the blades with a brush. You can bend over and drop the cut hair directly onto the newspaper. Repeat the process multiple times to shave off all the hair. Be careful when you trim the hair behind your ears as you move the trimmer; chances are you might get a cut.

Once you have trimmed fully, it is good enough for a stubbly look, or you can proceed further and shave with a razor for a smooth finish. If you intend to shave, I strongly suggest using a shaving foam instead of a gel or cream, as it is easier. Buy a good brand of foam; after all, it’s your head.

For the razor I used Schick till the blades ran out and have now settled on the Gillette Mach 3. I have never bothered with the ProGlide or razors with n number of blades 🙂 I also tried a foil shaver, but it’s not good for the head.

Spread the foam all over your head, give it a minute to settle, and then, as with the trimmer, start from the back of the head and go all the way to the forehead. Rinse the blades generously; I use a mug of water with a few drops of Dettol. Be careful and slow when shaving behind the ears, otherwise the sharp blades can leave small cuts on them. Once done with the shaving I use an aftershave or balm. No preference, use the one you are comfortable with, but do dab a few drops on and don’t take a shower directly after the shave.

Now comes the hard part. If you love a hot shower like I do, lower the temperature or keep it lukewarm, as your head no longer has the cushion of hair and the heat will hit you.

Take a look at your bald head in the mirror and savour it. You will find a new you.

pic courtesy: https://thebaldbrothers.com/20-bald-quotes/

You are vulnerable

All seasons are harsh on a bald head. In summer the sunlight is intense, while in winter the chill hits your head. I had a tough time at the office sitting in an air-conditioned environment; you will find it colder than usual, so much so that you may catch a sinus infection. Invest in good hats, caps, scarves, balaclavas or even neck warmers. The same applies if you commute on metro trains, where the temperature is much colder (especially the Bengaluru Metro).

I now have close to 5 caps and an equal number of scarves. Go on and show off the fashionista in you. Nights are harsher than days, and I usually wrap my head in a scarf while sleeping for at least the first 1–2 nights, otherwise the next morning brings a runny nose. If you exercise regularly, buy a few headbands or scarves, as there is no hair to hold off the sweat.

Be ready to be the centre of attraction and of some puns, especially when surrounded by kids. India is not kind to bald men. People make fun of you and stereotype you as motte, taklu, boda and what not. There are even some religious restrictions on shaving heads…

Anyway, now that you have let go of your hair, enjoy everything that comes with it. I no longer have to worry about carrying a comb, or about shampoo or conditioner; I take a head bath only twice a week, etc.

Smile when you bump into a bald head, next time.

Responding to AWS Abuse Alerts

If you have never received the dreaded AWS Abuse notification about your cloud instances, then you need not read the rest of this article 🙂

However, if you recently adopted AWS and have received such a notice, the following tips might come in handy.

  • Do not panic
  • To ensure you are NOT falling for a phishing campaign, pay close attention to the sending email address. AWS sends abuse notices from the following address:

Amazon EC2 Abuse <ec2-abuse@amazon.com>

  • The abuse notices are usually sent to the email address associated with the root account and to the email addresses explicitly added as alternate contacts on the settings page. Make sure emails going to these addresses are monitored. If multiple people need to be alerted, create a distribution list and add it to the alternate contacts in AWS Settings. The abuse report clearly mentions the following details:
      • Instance IDs
      • Public IP address of the instances involved in the malicious behaviour
      • Ports and protocols
      • Destination IPs, ports and URLs
      • Start time and end time (if it has indeed ended)
      • Type of malicious activity, such as port scan, crypto mining or bot behaviour
  • Read through the notice carefully; from it you can figure out the type of incident your instances are involved in
  • Note that AWS does not provide any technical support on these issues
  • The first thing to do is block inbound and outbound public connections to the reported host. You can use the host’s Security Group for this. There will definitely be downtime for this host, so know the repercussions
  • You might want to leave access open only to whitelisted IP addresses so that you can examine the host
  • If multiple hosts are involved, it is better to use a Network ACL, as it is applied at the subnet level
  • Go through the logs, bash history, and running services and processes. You can use the netstat or lsof commands
  • You might have to preserve the instance for forensic purposes. Use shutdown (stop) rather than terminate. This article has good points on forensics in AWS
  • Once you have taken the necessary remediation steps, do not forget to reply to the AWS team with the actions you have taken (this is important)
  • A very important prerequisite for any incident response is a solid logging setup. Make sure it is in place for all hosts. CloudTrail provides valuable insight into the API calls made.
  • Some challenges exist in a microservice architecture where hosts are transient; make sure all nodes are configured properly for logging.
  • Leverage open source or commercial software for logging.
  • It is highly recommended to run a network- or host-based IDS. There are lots of open source solutions you can deploy if cost is a concern, e.g. OSSEC and Wazuh (an OSSEC fork).

I have collated some of the notices that I handled first-hand as part of my consulting, and some sourced through friends. Typical notices are as follows:

Example 1:

Dear Amazon EC2 Customer,

We’ve received a report that your instance(s):

Instance Id: xxxxx

IP Address: xx.xx.xx.xx

has been placing spam (unsolicited messages, typically advertisements) on websites hosting online discussions, such as Internet forums; check the information provided below by the abuse reporter.

This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please confirm that all necessary steps to cease this activity have been taken on your side and reply this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It’s possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233 provides some suggestions for securing your instances.

Case number: xxxxxxxxxxxx

Additional abuse report information provided by original abuse reporter:

* Destination IPs:

* Destination Ports:

* Destination URLs:

* Abuse Time: Wed Sep 30 14:39:00 UTC

* Log Extract:

<<<

Reported-From:

Category: abuse

Report-Type: regbot

Service: regbot

>>>

* Comments:

Probable Cause & Response:

Improper configuration of the Apache web server. Someone had left ProxyRequests On, turning the server into an open proxy that random people connected through to send spam. It required us to dig through the logs and check running services and processes.

Remember, it only takes a small window of time for a malicious user to discover and exploit a misconfiguration. I strongly recommend having a host-based IDS like OSSEC on each of your servers, even if they are not publicly exposed.

Example 2:

Hello,

We’ve received a report(s) that your AWS resource(s)

EC2 Instance Id: i-0xxxxxxxxx

[IP Address]

has been implicated in activity which resembles scanning remote hosts on the internet for security vulnerabilities. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We’ve included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you’re unaware of this activity, it’s possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.

We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,

AWS Abuse

Abuse Case Number: xxxxxxxx

---Beginning of forwarded report(s)---

* Log Extract:

<<<

----------------------------

AWS Account: xxxxxxxxx

Report begin time: 29-Apr-2016 08:11:37 UTC

Report end time: 29-Apr-2016 08:12:35 UTC

Protocol: TCP

Remote IP: xx.xxx.xx.xx

Remote port(s): multiple ports (1505 ports in total)

Total bytes sent: 61200

Total packets sent: 1530

Total bytes received: 0

Total packets received: 0

>>>

* Comments:

<<<

>>>

Probable Cause & Response:

In this case, someone indeed forgot to take prior approval before carrying out port scanning. This could also occur if a malicious user or malware was scanning public servers as part of reconnaissance.

NOTE: A few days back AWS waived the earlier requirement of taking approval from AWS before pentesting.
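The "read the notice carefully and work out the incident type" step from the tips above can be scripted against the Log Extract format shown in Example 2. This is an added example, not code from the original post or from AWS: the notice text is a constructed sample with placeholder account, instance and IP values, and the port and byte thresholds in classify() are my own heuristic.

```python
import re

# Constructed sample in the shape of the Example 2 notice above;
# the instance id and IP are placeholders, not real ones.
SAMPLE_NOTICE = """\
EC2 Instance Id: i-0123456789abcdef0
* Log Extract:
<<<
Report begin time: 29-Apr-2016 08:11:37 UTC
Report end time: 29-Apr-2016 08:12:35 UTC
Remote IP: 203.0.113.10
Remote port(s): multiple ports (1505 ports in total)
Total bytes sent: 61200
Total bytes received: 0
>>>
"""

def parse_log_extract(notice: str) -> dict:
    """Return the 'Key: value' pairs found between the <<< and >>> markers."""
    block = re.search(r"<<<\s*(.*?)\s*>>>", notice, re.S)
    if not block:
        return {}
    fields = {}
    for line in block.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def port_count(fields: dict) -> int:
    """'multiple ports (1505 ports in total)' -> 1505; a single port -> 1."""
    text = fields.get("Remote port(s)", "")
    m = re.search(r"(\d+) ports in total", text)
    return int(m.group(1)) if m else (1 if text else 0)

def classify(fields: dict) -> str:
    """Heuristic (my own thresholds): many distinct ports with nothing
    received back is the signature of an outbound port scan."""
    received = int(fields.get("Total bytes received", "0") or 0)
    ports = port_count(fields)
    if ports >= 100 and received == 0:
        return "outbound port scan"
    return "outbound connection attempts" if ports else "unknown"

def triage(notice: str) -> dict:
    """Summarise a notice into the facts needed to isolate the right host."""
    fields = parse_log_extract(notice)
    inst = re.search(r"Instance Id:\s*(i-[0-9a-f]+)", notice)
    return {
        "instance": inst.group(1) if inst else None,
        "remote_ip": fields.get("Remote IP"),
        "window": (fields.get("Report begin time"), fields.get("Report end time")),
        "ports": port_count(fields),
        "verdict": classify(fields),
    }
```

The instance id and time window from triage() are what you need to pick the right Security Group to lock down and the right log range to pull before stopping the host.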

Example 3:

This was not an AWS Abuse report 🙂 but I have added it to create some awareness.

A friend of mine called up saying that his company’s AWS account had been hacked. Though he mentioned that they had changed the root account password, there was a spike in the number of instances being spun up, and his boss’s credit card was charged INR 1.5 lakh (about $2000).

Apparently they were using the root account for operations and had not created separate user accounts, let alone IAM roles!

As soon as I instructed them to revoke the AWS API keys, the spike in usage dropped; meanwhile they were busy talking to the credit card company about a refund/chargeback. Of course, it was a costly lesson for not following best practices such as MFA, separate accounts, roles, etc.

A good practice is to list all your assets by region in a simple spreadsheet. This comes in handy when responding to notices, especially if you use multiple AWS regions. There are some good open source as well as commercial tools that help you manage the security posture of your AWS environment. I will probably write a detailed article on using some of these, but in the meantime check out the following tools:

  • Scout Suite
  • Trusted Advisor reports (you get an exhaustive report with Business Support)
  • Nessus (cloud configuration audits)

A couple of months back AWS also released steps for automating responses to abuse alerts. I haven’t tried this yet and will share my experience once done. You can read about it here:


Tuning OSSEC Email Notifications

One of the common complaints you will hear while working with Intrusion Detection Systems (IDSs) is about false positives and continuous notifications. OSSEC is no different: despite a global minimum severity level for email notifications, it continues to bombard you with emails for events of lower severity.

Although the OSSEC documentation states this explicitly, it does not mention which exact rules can trigger these email notifications:

“Some rules have an option set to force OSSEC into sending an alert email. This option is <options>alert_by_email</options>. One of these rules is 1002. To ignore these rules you will have to create a rule to specifically ignore it, or overwrite the rule without the alert_by_email option.”

I sifted through the OSSEC configuration files to list the rules that generate email notifications below the threshold (which is level 7 by default):

If you want to disable the email alerts, you will need to edit one or more of the above rules. I have provided the line numbers so that you can quickly refer to them. I had difficulty embedding the table above, so it is a screenshot (I did try Airtable, but didn’t quite like using it here). You can download the .csv files for reference from here:

https://github.com/gravityfuel/ossec-tuning

Let’s take rule 1002 in syslog_rules.xml as an example. As per the configuration, this is a level 2 rule, implying that it should not trigger any email notifications if the global email notification level is set to 7 and above. But in reality, this particular rule triggers a lot of notifications if the server is public facing and the corresponding syslog entry contains any of the preconfigured keywords:

Rule:

    <rule id="1002" level="2">
      <match>$BAD_WORDS</match>
      <options>alert_by_email</options>
      <description>Unknown problem somewhere in the system.</description>
    </rule>

Trigger Condition:

    <var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>

Based on your environment, you can tune this further either by deleting some of the bad words or by preventing this rule from triggering email alerts, by adding the no_email_alert option

    <options>no_email_alert</options>

or by commenting out the default option

    <!-- <options>alert_by_email</options> -->

Once modified, the rule would look something like this:

    <rule id="1002" level="2">
      <match>$BAD_WORDS</match>
      <options>no_email_alert</options>
      <description>Unknown problem somewhere in the system.</description>
    </rule>

Of course, the above is only one of many ways of minimizing notifications. Do comment on how you deal with incessant and false-positive notifications.
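The two manual steps in this post, sifting the rule files for rules that force email below the threshold and then overwriting such a rule without alert_by_email, can be automated. This is an added example and not code from the original post or from the OSSEC project: the rule text is a constructed sample modelled on syslog_rules.xml (rule 1002 is the one quoted above; the 9000xx rules are made up), and it assumes OSSEC's overwrite="yes" rule attribute, which replaces the whole rule and so needs the match conditions copied across.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on syslog_rules.xml: rule 1002 is the one
# quoted above; the two 9000xx rules are made up to show the filter at work.
SAMPLE_RULES = """\
<var name="BAD_WORDS">core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted</var>
<group name="syslog,">
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <options>alert_by_email</options>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
  <rule id="900001" level="4">
    <match>constructed low-level event</match>
    <description>Low level, no forced email: stays below the threshold.</description>
  </rule>
  <rule id="900002" level="10">
    <match>constructed high-level event</match>
    <options>alert_by_email</options>
    <description>Already above the threshold, so not noisy.</description>
  </rule>
</group>
"""

def forced_email_rules(rules_xml: str, threshold: int = 7) -> list:
    """Return (id, level) of rules that set alert_by_email at a level below
    the global email threshold; these are the ones that bypass it."""
    # OSSEC rule files have several top-level elements, so wrap them in one root.
    root = ET.fromstring(f"<root>{rules_xml}</root>")
    noisy = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        opts = {(o.text or "").strip() for o in rule.findall("options")}
        if level < threshold and "alert_by_email" in opts:
            noisy.append((rule.get("id"), level))
    return noisy

def override_rule(rules_xml: str, rule_id: str) -> str:
    """Emit a local_rules.xml entry that overwrites rule_id, keeping its match
    conditions and description but swapping alert_by_email for no_email_alert."""
    root = ET.fromstring(f"<root>{rules_xml}</root>")
    rule = next(r for r in root.iter("rule") if r.get("id") == rule_id)
    out = [f'<rule id="{rule_id}" level="{rule.get("level")}" overwrite="yes">']
    for child in rule:
        if child.tag == "options" and (child.text or "").strip() == "alert_by_email":
            continue  # the option that forces email regardless of level
        attrs = "".join(f' {k}="{v}"' for k, v in child.attrib.items())
        out.append(f"  <{child.tag}{attrs}>{(child.text or '').strip()}</{child.tag}>")
    out.append("  <options>no_email_alert</options>")
    out.append("</rule>")
    return "\n".join(out)
```

Run forced_email_rules() over each file under rules/ to rebuild the table from this post for your own OSSEC version, then paste the override_rule() output for the rules you want silenced into local_rules.xml.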