Category Archives: security

Protecting Your Brand’s Online Identity: Safeguarding Your Social Media Accounts from Hacking and Misuse

An organisation's social media handles are tied to the company's brand and identity itself. If someone else gains control of a handle, they can damage the company's reputation by posting inappropriate or misleading content.

It is said that nearly 20% of small and medium businesses have had their social media accounts hacked.

Social Media Checklist and Security

Here are some interesting incidents from the past: 

  • Concerned about fake news and hate speech, Sweden's public radio closed its Twitter accounts
  • Prime Minister Narendra Modi's Twitter account was hijacked in 2021
  • Popular gaming company PUBG's official YouTube account was hacked
  • The Union Ministry of Information and Broadcasting's Twitter account was hacked last year
  • Elon Musk's Twitter account has been hijacked repeatedly in the past to push Bitcoin scams

Recent incidents targeting the accounts of brands and large organisations have prompted regulators to call for additional safeguards for social media accounts.

In India, for instance, the Reserve Bank of India (RBI) explicitly calls for such safeguards in its Master Directions for NBFCs:

RBI Master Directive on Social Media 

What should you do to safeguard your Organisation’s Social Media Accounts ?

If you manage your company's social accounts, here is a checklist to ensure they are secure:

  1. Use official company email IDs to register and manage social accounts. I have seen personal email accounts used for managing brands. This causes problems once the employee quits, and because these non-company email IDs are unmanaged, it is difficult to enforce security controls around them.
  2. Enable multi-factor authentication (MFA) so that a password alone is not enough to log in. Even if the password is leaked or stolen, the attacker still needs the second factor. Where the platform allows it, prefer an authenticator app or hardware key over SMS codes, which are exposed to SIM swapping.
  3. Do not reuse passwords across accounts. Attackers routinely try credentials found in one leak against other services (credential stuffing).
  4. Get the company's official accounts verified for assurance and credibility. Prioritise this: fake listings impersonating brands are causing real losses to customers.
  5. If your company uses third-party tools or plugins, routinely review them for vulnerabilities. A common phenomenon I have encountered during web security audits is that websites hosted on a CMS like WordPress or Drupal use plugins for social sharing, marketing, analytics, etc. If these plugins are not kept updated, they can be exploited to gain entry into the website. If your corporate website is hosted separately from your web applications, the damage is limited; if not, this can lead to a much more serious data breach.
  6. If you engage third-party agencies or consultants, review their security practices and ensure they are in line with all regulatory requirements. Regulators like RBI and SEBI mandate that even third parties follow the same security practices outlined for regulated entities.
  7. Regularly monitor accounts for suspicious activity or unauthorised access (unknown login locations or devices, new connected apps, posts nobody on the team published).
  8. Back up all social media account data regularly to minimise the impact of a security incident or data loss.
  9. Limit access to social media accounts to authorised personnel and use the platform's role-based access controls (for example, separate admin and publisher roles). Managing multiple email accounts for social media channels can be challenging; you can register the account on a distribution list so that notifications reach everyone who needs them, while individual access is granted through roles rather than one shared password.
  10. Consider using social media management tools to help manage and secure accounts more effectively.
  11. If you are the CISO or a security professional for your company, spend some time with the Marketing and Customer Support teams on how they handle these channels with regard to logging in and content review. Pay attention to how they handle sensitive information shared by customers over these channels as well.
  12. Create a crisis communication plan to prepare for potential security incidents, including whom to contact, what to do, and how to respond to the public. Write Standard Operating Procedures for these and share them internally so that it is easier to act in the event of a breach.

Brand verification

Brand verification is essential to confirm that social accounts truly represent your company. The major platforms offer brands an option to verify their accounts as official. Verification provides multiple benefits:

  • Assures customers that they are interacting with official company accounts
  • Adds credibility to information shared through verified accounts
  • Prevents rogue accounts from creating channels using your company name
  • Makes it easier to take down spam and unauthorised accounts

Verification process links for popular social media platforms are listed here:

If you found this useful, please like and reshare.

About Me: I help fast-growing startups, fintechs and other companies in the areas of cyber security. If you need pragmatic guidance or help in this regard, do not hesitate to get in touch with me: email@vprasanna.com

Podcasts and Audiobooks for Commute

pic courtesy: unsplash

The traffic is back! That is what you hear from friends and colleagues who have resumed commuting to the office, and my opinion is no different. I shuffle between driving, cabs and public transport and can feel the noticeable increase in traffic between the covid days and the present. Cycling is ruled out due to the distance 🙂

The usual options during the commute used to be the radio or songs on a CD (in case you remember those) or USB drive, but I rarely listen to these nowadays. I remember reading somewhere that many FM radio stations are closing due to low patronage. A couple of ways I have managed to deal with the boredom or stress of commuting are podcasts and audiobooks. Podcasts are among the best things to have happened in the recent past, and I think they are a win-win for both content creators and listeners. Bear with the podcaster talking about their sponsors at the beginning and the end and you get uninterrupted content. Don't like something? Skip it; you are in total control of what you listen to.

As I work in InfoSec, I started off with podcasts on this topic to keep myself up to date, but later added other areas once the routine set in. I have found some of these podcasts very enriching and hence thought of sharing them. Commute or not, it is worth setting aside some time in the day for audiobooks or podcasts:

The Darknet Diaries


If you work in the security field, or are just an enthusiast, this is a great one. Jack Rhysider interviews people from a wide spectrum of the security industry: hackers, CxOs, hacktivists, self-proclaimed vigilantes, rappers, social engineers, regime survivors and more. My favourite episode was the one about the investigation into the LinkedIn incident, which actually led to breaches in other companies. If you are on the defensive side of security, you can use this as a benchmark for enhancing security in your own company. The TTPs unravel as you listen and you can connect the dots. What I also like about this podcast is the music by Breakmaster Cylinder (fancy name, eh!), which is pleasant to hear, unlike the opening and closing notes of many podcasts.

Work Life by Adam Grant


This one is not related to InfoSec, but do not miss it, as it touches various aspects of professional and personal life skills. Some of the episodes I have found very helpful include "The 4 Deadly Sins of Work Culture", "How to Rethink a Bad Decision" and "Networking for People Who Hate Networking".

Some of the pointers in the podcast talk about identifying the traits of an organisation's culture before joining, using a method called culture audits. That episode in itself deserves a separate write-up and I will share some thoughts on it in future.

Huberman Lab Podcast


Andrew Huberman is a neurobiologist. What the heck does a neurobiologist have to do with security for me to be recommending this? Well, there are a couple of changes I made based on this podcast that are helping me in my journey of physical and mental fitness, including sleeping well! Huberman's podcasts are usually long (~1.5 hours on average) and very detailed. Topics include managing stress, sleeping well and improving gut health. Handy tip: make sure you are not actually driving while listening to Huberman's podcast, as any lapse in attention will require listening from scratch 🙂

CISO Series Podcast


If you work in the field of information security you will enjoy this show, as the speakers talk from a corporate angle: dealing with vendors, the board, management and peer teams. The episodes are short, most of them 10-20 minutes, and the show is hosted by David Spark. A few topics I liked include "A Look Back at the Foolish Security Policies of Past and Present", "After a Breach It's Really Easy to Calculate Risk" and "Finding the Perfect Time to Quit Your Job".

When audiobooks launched I was sceptical initially, but soon one book led to another and currently there are more than 20 audiobooks in my library, some of which I have listened to again. I listen to them not just during the commute but also during workouts, walks and even as a break from work. Most of the podcasts I listen to are themed around information security, with a few exceptions. Here are some of the books I have been listening to or reading (mostly in audiobook format); the list includes both fiction and non-fiction.

Cult of the Dead Cow
Fascinating book on the journey of hacker culture, the origins of DEF CON and Black Hat, hacktivism, the legal side of cyber and a lot more

Why I Am an Atheist and Other Works
A collection of writings the Indian revolutionary Bhagat Singh produced while he was imprisoned

Permanent Record
Edward Snowden's memoir, with great insights into the inner workings of the NSA's surveillance programmes

The Phoenix Project
The book that made the concept of DevOps popular

Ikigai
Self-help / motivational

Talking to Strangers
Non-fiction; a book about our inherent biases and how they affect our judgement

Zero to One
From the startup guru Peter Thiel; it is actually notes from his lecture classes which a student compiled

The Essential Calvin and Hobbes
Calvin fan, hence 🙂 PS: This one is a Kindle ebook

An Astronaut's Guide to Life on Earth, by Chris Hadfield
Fan of space and astronauts, hence

The Goal
More like a precursor to The Phoenix Project; you can draw parallels to modern-day monoliths

Outliers
The name says it all

The Order of Time
A good read on the history of how time has been measured. It felt philosophical as well while listening to the audiobook; I will probably listen to it again.

Atomic Habits (still listening)

The Almanack of Naval Ravikant (still reading)

What are your tips to beat the commuting boredom ? Feel free to share through comments:

Fintech Security & Compliance — Part 1


image created using wordclouds

Fintech is one of the most happening sectors in India and worldwide, with a wide array of services being delivered in lending, insurance, payments, stocks and mutual funds. While founders, product and engineering managers are busy building products and delivering them to people in a rapid and scalable way, there is one huge challenge they must overcome: the cyber security aspect of it. I have had the opportunity to architect and implement controls around these requirements over the last few years and would like to share some thoughts here.

In India, Fintech regulators are:

  • Securities & Exchange Board of India (SEBI)
  • Reserve Bank of India (RBI)
  • Insurance Regulatory and Development Authority of India (IRDAI)

Each of these regulators has its own cybersecurity requirements, spanning multiple domains such as IT governance, information security audits (IS audits), IT outsourcing, IT risk management, business continuity management (good luck with the single region currently offered by the leading cloud vendor in India 🙂), policies, physical and environmental security, etc.

Apart from these, compliance with PCI DSS (and PA-DSS for payment applications) is a common requirement for all fintechs handling card transactions. With PCI DSS, the weight of the requirements varies with transaction volume. There are four merchant levels: at Level 4 (fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions overall) compliance means filling in a Self-Assessment Questionnaire (SAQ), while Level 1 (more than 6 million transactions a year) requires an annual on-site assessment by a Qualified Security Assessor and a Report on Compliance. The levels in between self-assess, though acquirers and card brands can impose stricter requirements.

Not all fintechs hold a licence to operate independently; many rely on agreements with banks or financial institutions to offer their services. It may come as a surprise that banks themselves can offer most of the services fintechs do. The key differentiator is technology, which perhaps banks are yet to come to terms with. When it comes to security requirements and compliance, banks pass these on to their partner fintechs, so multiple audits in a year are not unheard of in the fintech space.

RBI has Master Directions for entities operating in the banking/non-banking space covering Lending, Loans, Prepaid Payment Instruments, Non-Banking Finance Company (NBFC), Peer to Peer Lending companies, Full fledged banks, Payments Banks and so on.

IRDAI has two major cyber security requirements; one of them applies exclusively to insurance sold over e-commerce channels (web, mobile, apps) and is called ISNP, the Insurance Self-Network Platform guidelines. As most new-age insurance companies are e-commerce based, they are forced to comply with both (there is some overhead here).

IRDAI's requirement comes with a cybersecurity checklist of 307 controls and also mandates that the insurance company appoint a Chief Information Security Officer (CISO)! While these may be easier to implement for a legacy company with a monolithic architecture, startups usually find them difficult, and herein lies the challenge.

SEBI's framework for Stock Brokers and Depository Participants is published here. What I found cool about SEBI's cyber security directives, in comparison to RBI and IRDAI, is their forward-looking approach, in sync with current demands and realities. For example, they suggest using bcrypt or PBKDF2 for hashing passwords, and passphrases instead of complex passwords.
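As a worked example of that first suggestion, here is stdlib-only PBKDF2-HMAC-SHA256 password storage. This is added here and is not code from SEBI's circular or from the author's systems; the record format pbkdf2_sha256$iterations$salt$hash, the 600,000-iteration default and the function names are this example's own choices (bcrypt would need a third-party package, so it is left out).

```python
"""PBKDF2-HMAC-SHA256 password hashing, standard library only.

Added example for this post, not code from SEBI or the author's systems. The
storage format (pbkdf2_sha256$iterations$salt$hash) and the parameters below
are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt.

    A per-user salt means two users with the same passphrase get different
    records, and precomputed tables are useless against the whole database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash format: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    # compare_digest does not short-circuit on the first differing byte,
    # so timing does not leak how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Call after a successful login and re-hash with the plaintext the user
    just supplied; old records get upgraded without forcing a reset.
    """
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Because the iteration count travels with the record, the work factor can be raised later without a migration: `needs_rehash` flags old records at login time.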

It also has a reference to crypto shredding; I must confess I did not know such a term existed.
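Crypto shredding means encrypting each customer's records under their own key and erasing that key when the data must go, so every copy of the ciphertext, including backups you can no longer reach, becomes unreadable at once. The following is an added example of the pattern, not from SEBI's document or the author's systems. It is standard library only, so a PRF-in-counter-mode stream cipher with an HMAC tag stands in for AES-GCM; the RecordStore class and its field names are assumptions for the example.

```python
"""Crypto shredding: make data unrecoverable by destroying its key.

Added example for this post; not from SEBI's circular or the author's code.
Stdlib only, so `encrypt`/`decrypt` below are an HMAC-SHA256 keystream with
an encrypt-then-MAC tag, standing in for a real AEAD. In production swap them
for AES-GCM (e.g. the `cryptography` package); the key-management logic in
RecordStore is what this example is about and stays the same.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_BYTES = 16
TAG_BYTES = 32


def _subkeys(dek: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one data-encryption key."""
    enc = hmac.new(dek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(dek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce = os.urandom(NONCE_BYTES)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(dek)
    nonce, body, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed (wrong key or tampered ciphertext)")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class RecordStore:
    """One DEK per customer; every field of that customer is encrypted under it.

    `records` stands for the database and all its backups (never touched on
    erasure); `deks` stands for the key store (an HSM or KMS in real life).
    """

    def __init__(self) -> None:
        self.deks: Dict[str, bytes] = {}
        self.records: Dict[str, Dict[str, bytes]] = {}

    def put(self, customer_id: str, field: str, value: bytes) -> None:
        dek = self.deks.setdefault(customer_id, os.urandom(32))
        self.records.setdefault(customer_id, {})[field] = encrypt(dek, value)

    def get(self, customer_id: str, field: str) -> bytes:
        # KeyError here is the whole point: no key, no plaintext, even though
        # self.records still holds every ciphertext.
        return decrypt(self.deks[customer_id], self.records[customer_id][field])

    def shred(self, customer_id: str) -> int:
        """Erase the customer's DEK. Returns how many ciphertexts became unreadable."""
        del self.deks[customer_id]
        return len(self.records.get(customer_id, {}))
```

The erasure is a single key deletion regardless of how many copies of the data exist, which is what makes the technique attractive for retention and right-to-erasure requirements where backups cannot be selectively edited.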

It makes me wonder if the major innovations in the Indian fintech space are happening in the segment regulated by SEBI for reasons like these.

I am thinking of writing in detail about the challenges in complying with the security directives by the regulators in coming writeups but for now will focus on what this augurs for cybersecurity professionals in startups/fintechs.

There is going to be huge demand not just for developers, product managers, architects and data scientists, but also for cyber security professionals. And by cyber security I do not mean only pentesters and AppSec, network or cloud security professionals. I see demand for data privacy, compliance and legal folks who can understand and interpret the complex regulations from regulators like RBI, SEBI and IRDAI and help implement them in a creative, scalable and rapid way. I am currently working for an emerging fintech company, and a good chunk of my time is spent with the legal team, apart from the engineering folks, interpreting regulations and helping fit newer technologies and controls around them, working on contracts, assessments, third-party risk management, etc.

As a cyber security professional, I wouldn’t have expected to work this closely with the legal team, but no complaints and am beginning to see things from multiple perspectives! Remember that most startups live by the mantra:

“It is better to ask for forgiveness than permission”

At the end of the day, it’s all about solving problems.

If you have any questions, comments, feel free to post them here and I will try to answer them.

#fintech #cybersecurity #fintechsecurity #RBI #SEBI #IRDA #PCIDSS

Responding to AWS Abuse Alerts

If you have never received the dreaded AWS Abuse notifications on your cloud instances then you need not read the rest of the article 🙂

However, if you recently adopted AWS and received such a notice, then the following tips might come in handy.

  • Do not panic
  • To make sure you are not falling for a phishing campaign, pay close attention to the sending email address. AWS sends abuse notices from the following address:

Amazon EC2 Abuse <ec2-abuse@amazon.com>

  • The abuse notices are usually sent to the email address associated with the root account and to the addresses explicitly added as alternate contacts on the account settings page. Make sure mail to these addresses is monitored; if several people need to be alerted, create a distribution list and add it as an alternate contact in the AWS account settings. The abuse reports clearly mention the following details:
      • Instance IDs
      • Public IP address of the instances involved in the malicious behaviour
      • Ports and protocols
      • Destination IP, ports and URLs
      • Start time and end time (if the activity has indeed ended)
      • Type of malicious activity, e.g. port scan, crypto mining, bot behaviour
  • Read through the notice carefully, based on the notice you can figure out the type of the incident your instances are involved in
  • Note that AWS does not provide any technical support on these issues
  • First, block all inbound and outbound public connections to the reported host. The host's Security Group is the quickest way: swap it for a quarantine group with no inbound and no outbound rules (the default group allows all outbound traffic, so removing inbound rules alone is not enough). This takes the host down, so know the repercussions before you do it
  • You may want to leave access open only from allow-listed IP addresses so that you can examine the host
  • If multiple hosts are involved, a Network ACL is easier, as it applies at the subnet level
  • Go through the logs, bash history, and running services and processes (netstat, ss or lsof). Do this before stopping the instance, since in-memory state is lost on shutdown
  • You may have to preserve the instance for forensics. Snapshot its EBS volumes, enable termination protection, and stop rather than terminate (terminating deletes the root volume by default). This article has good points on forensics in AWS
  • Once you have taken the necessary remediation steps, do not forget to reply to the AWS abuse team with the actions you have taken (this is important)
  • A solid logging setup is a prerequisite for any incident response. Make sure it is in place for all hosts. CloudTrail gives valuable insight into the API calls made against your account
  • Microservice architectures, where hosts are transient, pose a challenge: make sure every node ships its logs off-box before it disappears
  • Use open source or commercial software for centralised logging
  • Running a network- or host-based IDS is highly recommended. There are plenty of open source options if cost is a concern, e.g. OSSEC and Wazuh (an OSSEC fork)

I have collated some of the notices that I handled first-hand as part of my consulting and some sourced through friends. Typical notices look like this:

Example 1:

“Dear Amazon EC2 Customer,

We’ve received a report that your instance(s):

Instance Id: xxxxx

IP Address: xx.xx.xx.xx

has been placing spam (unsolicited messages, typically advertisements) on websites hosting online discussions, such as Internet forums; check the information provided below by the abuse reporter.

This is specifically forbidden in our User Agreement: http://aws.amazon.com/agreement/

Please confirm that all necessary steps to cease this activity have been taken on your side and reply to this email to send your reply of action to the original abuse reporter. This will activate a flag in our ticketing system, letting us know that you have acknowledged receipt of this email.

It’s possible that your environment has been compromised by an external attacker. It remains your responsibility to ensure that your instances and all applications are secured. The link http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233

provides some suggestions for securing your instances.

Case number: xxxxxxxxxxxx

Additional abuse report information provided by original abuse reporter:

* Destination IPs:

* Destination Ports:

* Destination URLs:

* Abuse Time: Wed Sep 30 14:39:00 UTC

* Log Extract:

<<<

Reported-From:

Category: abuse

Report-Type: regbot

Service: regbot

>>>

* Comments:

Probable Cause & Response:

Improper configuration of the Apache web server: it had been left with ProxyRequests On, which turns it into an open forward proxy, so random people on the internet were relaying forum spam through it. Finding this required us to dig through the logs and check running services and processes.

Remember that it only takes a small window of time for a malicious user to discover and exploit a misconfiguration like this. I strongly recommend having a host-based IDS like OSSEC on each server, even those that are not publicly exposed.
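Here is an added example (not part of the original post) that checks an Apache configuration for the open-proxy pattern behind this notice: the weak configuration beside the hardened one, a scanner that flags ProxyRequests On together with a permissive <Proxy "*"> block, and a live probe that asks the server to fetch a third-party URL the way a proxy client would. Both configurations are constructed for the example.

```python
"""Detect the Apache misconfiguration behind Example 1: ProxyRequests On.

Added example for this post, not from the original article. It scans an
httpd.conf (concatenate any Include'd fragments before calling) for a
forward-proxy configuration that lets anyone relay traffic through the host.
Both configurations below are constructed for this example.
"""
import http.client
import re
from typing import List

# Weak: mod_proxy turned into an open forward proxy for the whole internet.
VULNERABLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
<Proxy "*">
    Require all granted
</Proxy>
"""

# Hardened: forward proxying off, only explicit reverse-proxy routes, and the
# catch-all <Proxy "*"> container denies everything else.
HARDENED_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
ProxyPass        "/app/" "http://127.0.0.1:8080/app/"
ProxyPassReverse "/app/" "http://127.0.0.1:8080/app/"
<Proxy "*">
    Require all denied
</Proxy>
"""

_DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")


def find_open_proxy_risks(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means no open-proxy pattern."""
    findings: List[str] = []
    proxy_requests_on = False
    saw_proxy_star = False
    in_proxy_star = False
    proxy_star_open = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        low = line.lower()
        if re.fullmatch(r'<proxy\s+"?\*"?\s*>', low):
            saw_proxy_star = in_proxy_star = True
            continue
        if low == "</proxy>":
            in_proxy_star = False
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), " ".join(m.group(2).lower().split())
        if name == "proxyrequests":
            proxy_requests_on = value == "on"   # last occurrence wins, as in Apache
        elif in_proxy_star and (name, value) in (("require", "all granted"), ("allow", "from all")):
            proxy_star_open = True
    if proxy_requests_on:
        findings.append("ProxyRequests On: the server forwards requests for arbitrary hosts (open forward proxy)")
        if proxy_star_open:
            findings.append('<Proxy "*"> grants access to all clients, so anyone on the internet can relay through it')
        elif not saw_proxy_star:
            findings.append('no <Proxy "*"> block limits who may use the forward proxy')
    return findings


def probe_open_proxy(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Live check (network call, not exercised by the tests).

    Sends a proxy-style request with an absolute URI for a third-party host.
    A correctly configured origin server answers 400/403/404 because the Host
    is not one of its own; an open forward proxy fetches the page and returns 200.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "http://example.com/", headers={"Host": "example.com"})
        status = conn.getresponse().status
    finally:
        conn.close()
    return status == 200
```

Run the scanner over the merged configuration of every internet-facing Apache host and fail the build on any finding; the probe is the same check an abuse reporter's bot performs from outside, so it is worth running against your own public IPs after a deployment.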

Example 2:

Hello,

We’ve received a report(s) that your AWS resource(s)

EC2 Instance Id: i-0xxxxxxxxx

[IP Address]

has been implicated in activity which resembles scanning remote hosts on the internet for security vulnerabilities. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We’ve included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you’re unaware of this activity, it’s possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.

We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,

AWS Abuse

Abuse Case Number: xxxxxxxx

---Beginning of forwarded report(s)---

* Log Extract:

<<<

----------------------------

AWS Account: xxxxxxxxx

Report begin time: 29-Apr-2016 08:11:37 UTC

Report end time: 29-Apr-2016 08:12:35 UTC

Protocol: TCP

Remote IP: xx.xxx.xx.xx

Remote port(s): multiple ports (1505 ports in total)

Total bytes sent: 61200

Total packets sent: 1530

Total bytes received: 0

Total packets received: 0

>>>

* Comments:

<<<

>>>

Probable Cause & Response:

In this case, someone indeed forgot to take prior approval before carrying out port scanning. The same report could also result from a malicious user or malware on the host scanning public servers as part of reconnaissance.

NOTE: A few days back AWS waived the requirement to obtain prior approval for penetration testing against the services listed in its penetration testing policy. Scanning or testing hosts you do not own or have permission for is still prohibited by the Acceptable Use Policy.
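The following added example (not an AWS tool or the author's script) parses the forwarded "Log Extract" block from Example 2 above into structured fields, pads the reported interval into a log-search window, and emits the AWS CLI commands for the containment steps in the checklist above. The sample notice and every identifier in it are constructed, and a quarantine security group with no inbound or outbound rules is assumed to exist already.

```python
"""Turn an AWS abuse notice into a triage plan.

Added example for this post, not an AWS tool and not the author's script. It
parses the key/value "Log Extract" block AWS forwards from the reporter (the
format in Example 2), derives the time window to search in CloudTrail and host
logs, and emits the AWS CLI commands for the containment steps in the
checklist. The sample notice and all identifiers in it are constructed; the
quarantine security group is assumed to exist with no inbound/outbound rules.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of Example 2 (not a real report).
SAMPLE_NOTICE = """\
EC2 Instance Id: i-0123456789abcdef0
[IP Address]
<<<
AWS Account: 123456789012
Report begin time: 29-Apr-2016 08:11:37 UTC
Report end time: 29-Apr-2016 08:12:35 UTC
Protocol: TCP
Remote IP: 198.51.100.23
Remote port(s): multiple ports (1505 ports in total)
Total bytes sent: 61200
Total packets sent: 1530
Total bytes received: 0
Total packets received: 0
>>>
"""

_TIME_FMT = "%d-%b-%Y %H:%M:%S UTC"
# "Key: value" lines; the key is everything up to the first colon.
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?):\s*(.+?)\s*$")


def parse_abuse_report(text: str) -> Dict[str, object]:
    """Extract the structured fields from the forwarded report."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)

    def as_int(key: str) -> Optional[int]:
        value = fields.get(key)
        return int(value) if value is not None and value.isdigit() else None

    ports = fields.get("remote port(s)", "")
    m = re.search(r"\((\d+) ports in total\)", ports)
    port_count = int(m.group(1)) if m else (len(ports.split(",")) if ports else None)

    return {
        "instance_id": fields.get("ec2 instance id"),
        "account": fields.get("aws account"),
        "begin": datetime.strptime(fields["report begin time"], _TIME_FMT).replace(tzinfo=timezone.utc),
        "end": datetime.strptime(fields["report end time"], _TIME_FMT).replace(tzinfo=timezone.utc),
        "protocol": fields.get("protocol"),
        "remote_ip": fields.get("remote ip"),
        "port_count": port_count,
        "bytes_sent": as_int("total bytes sent"),
        "bytes_received": as_int("total bytes received"),
    }


def classify(report: Dict[str, object]) -> str:
    """Rough read of the traffic pattern, as a hint for where to look first."""
    if (report["port_count"] or 0) > 100 and not report["bytes_received"]:
        return "outbound port scan (many ports, nothing received back)"
    if report["bytes_sent"] and report["bytes_received"]:
        return "bidirectional traffic (bot/C2 or abused service; check processes and egress)"
    return "unclassified; read the reporter's comments"


def log_search_window(report: Dict[str, object], pad_minutes: int = 15) -> Tuple[str, str]:
    """Pad the reported interval: the reporter's clock and sampling are not yours."""
    pad = timedelta(minutes=pad_minutes)
    return (report["begin"] - pad).isoformat(), (report["end"] + pad).isoformat()


def containment_commands(report: Dict[str, object], quarantine_sg: str, region: str) -> List[List[str]]:
    """AWS CLI steps: isolate, protect the evidence, stop (not terminate), pull API history.

    Capture volatile state (processes, connections, bash history) over the
    allow-listed admin path before step 3; stopping discards memory.
    """
    iid = str(report["instance_id"])
    start, end = log_search_window(report)
    ec2 = ["aws", "--region", region, "ec2"]
    return [
        # 1. Replace every security group with the empty quarantine group.
        ec2 + ["modify-instance-attribute", "--instance-id", iid, "--groups", quarantine_sg],
        # 2. Nobody gets to "clean up" the evidence by terminating the instance.
        ec2 + ["modify-instance-attribute", "--instance-id", iid, "--disable-api-termination"],
        # 3. Stop, do not terminate: the EBS volumes survive for snapshots and forensics.
        ec2 + ["stop-instances", "--instance-ids", iid],
        # 4. Who did what to this instance around the reported window?
        ["aws", "--region", region, "cloudtrail", "lookup-events",
         "--lookup-attributes", f"AttributeKey=ResourceName,AttributeValue={iid}",
         "--start-time", start, "--end-time", end],
    ]
```

The commands are returned rather than executed so they can be reviewed (or pasted into a runbook) before anything is touched; the padded window is also the range to query in the host's own logs and in VPC Flow Logs for the remote IP.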

Example 3:

This was not an AWS abuse report 🙂 but I have added it to create some awareness.

A friend of mine called up saying that his company's AWS account had been hacked. Though he mentioned that they had changed the root account password, there was a spike in the number of instances being spun up, and his boss's credit card had been charged INR 1.5 lakh (about $2,000).

Apparently they were using the root account for operations and had not created separate user accounts, let alone IAM roles!

As soon as I instructed them to revoke the AWS access keys, the spike in usage dropped; meanwhile they were busy talking to the credit card company for a refund/chargeback. Of course it was a costly lesson for them in not following best practices: MFA, separate accounts, roles, etc.

A good practice is to list all your assets by region in a simple spreadsheet. This comes in handy when responding to notices, especially if you use multiple AWS regions. There are some good open source as well as commercial tools that will help you manage the security posture of your AWS environment. I will probably write a detailed article on using some of these, but for now check out the following tools:

  • Scout Suite
  • Trusted Advisor Reports (You get exhaustive report with Business Support)
  • Nessus — Cloud configuration audits

A couple of months back AWS also released steps on automating responses to abuse alerts. I haven't tried them yet and will share my experience once done. You can read about it here:

Found this useful? buymeacoffee.com/prax