Author: Kanti Kalyan Arumilli

AWS – Discouraging the use of CLI!

Post author By Kanti Kalyan Arumilli
Post date 21 June 2022

After much thought and consideration, I think the use of AWS CLI should be discouraged unless a very very strong VPN authentication and pro-active monitoring are in place.

The reason is, more and more workforce are working remote, accessing the cloud remotely. If VPN connections are not properly secured and monitored, with today’s advanced spying equipment being used by spies for espionage (unfortunately in my case, identity thief R&AW spies are hacking me (Indian citizen) for cover-up of identity theft), it becomes extremely easy for them to log into VPN. And even with restrictions in place, stealing Access Key and Secret Key would be much easier.

Remember the advanced spying equipment has very advanced capabilities: viewing, recording video, screenshotting, listening, recording audio, whispering and even mind-reading capabilities. Lookup https://www.alightservices.com, Corrupted R&AW online – not associated – ALight Technology And Services Limited (alightservices.com),

https://www.simplepro.site/

And the female R&AW agent needs to frame someone as a “ok” or “okay” or “oray” or whatever because the female with the first name of “Kanti” is an identity thief and needs to frame someone or make some absurd claims.

Some of the greedy/criminal people have accepted to act as the so-called non-existent “ok” or “okay” for getting access to the advanced spying equipment – peeping toms, because the female controls the spying equipment. – Simple and striaghtforward logic.

Another most important consideration must be no sensitive information should be displayed on the screen.

Accessing AWS services by using properly tested and secure applications that have proper audit and logging should not be a problem in most scenarios.

Hypothetically, let’s say some sensitive data is stored in some dynamodb table and even if read-only permission is provided for access via CLI by using Secret Key and Access Key, there is a possibility of the data getting stolen. But in a proper well-tested application, the sensitive data might not be even displayed or even if displayed may be only masked data would be displayed. Or may even in some very rare cases, the actual data and masked data might be stored separately and maybe the applications just reads the masked data.

For example, irrespective of whether the data is stored in RDBMS or NoSQL database, in a hypothetical situation if some data like credit card number is being stored in a database and some page has to show 100 masked credit card numbers. It would be risky and even cpu consuming to decrypt 100 credit card numbers, and then calculate the masked values. Worst case scenario, if searching millions of encrypted credit card numbers based on last 4 digits. It’s safer to store the last 4 digits.

At least in ALight Technology And Services Limited, I would personally discourage the usage of CLI in most scenarios.

AWS – Discouraging the use of CLI!

Tags AWS, Security

Architecture Security SimplePass

An Architecture for Secure communication between two clients!

Post author By Kanti Kalyan Arumilli
Post date 12 June 2022

In the world of computing, we are familiar with and understand the need for secure communications and secure data transfer. When using public-private keypairs, the public key is provided and the data is encrypted using the public key, transmitted and then the private key is used for decryption.

In this article, we will discuss an approach for securely pairing two clients that can’t communicate directly and for securely communicating with the clients using a server. In this example, let’s say we have a web server, two instances of an application that has some offline data (data not stored on the server), the two clients have to pair anonymously without providing much information to the server and need to transfer some sensitive data.

This is a sample tech implementation that can be implemented in SimplePass for synchronization between devices, without exporting file, copying file and importing. Remember, SimplePass does not need any account creation, so what the application server knows about you is absolutely nothing. SimplePass does not even collect emails. Assuming complete safety, privacy are needed for applications, this blog post suggests a way to get this accomplished. This approach requires minimal server processing and memory needs and no information is stored on the server. This feature is not implemented in SimplePass yet and I don’t have any plans of implementing in the near term, but thought of sharing the idea.

For this example, we will say the first instance of the client application that needs to send data as “sender”, the client application that needs to receive data as “receiver”, a web server capable of sending push notifications or being able to hold some key-value pairs in memory.

The tasks that need to be accomplished are:

Securely pair the sender and receiver without giving away too much information to the server but with the server’s help.
Securely communicate data from sender to helper with the server’s help.

When the user of “sender” needs to send data, they need to pair with the target “receiver”. They would open a section of the client application, generate a random code – for example “abcd1234” and synch with the server.
A request to the server is sent with the client ID, and the generated random code. The server would hold a unique ID for this transaction and a data structure with the client ID, unique ID as properties and some kind of a time-out let’s say 15 minutes. If the random code exists in the server’s dictionary, the request would be rejected.
The user would use the second device -“receiver” and enter the unique ID from the “sender” device, generates another “receiver” specific random code And synchs with the server. For example let’s say “zxcv0987” is the “receiver” random code.
The “receiver” would also generate a public/private key-pair, and uploads the public key-pair to the server.
The server looks up its internal data dictionary for the “sender” requested random code, the “sender” random code has to exist and there can be multiple “receiver” random codes, but the “receiver” random codes need to be unique. The server holds each “receiver”‘s random code and public key in memory.
The “sender” application displays the list pairing request “receivers” random code, here in this case – “zxcv0987”. The “sender” would approve the “receiver” random code. If an unknown “receiver” random code gets visible, the user can safely assume his communications and activities are being monitored by hackers such as Uttam, Thota Veera, Thota Bandhavi, Cuban Michael or Ray, Karan/Diwakar/Karunakar and whoever is an “is”, “already”, “ek”, “es” or any other hacker or any other spy, and the user can deny the unrecognized codes.
Steps 3 – 5 can be done when trying to synchronize with multiple devices and the same level of security and privacy can be applied.
Now the “sender” would click something like export. The “sender” application receives the list of public keys for each approved “receiver”. The “sender” encrypts data using the public key for each “receiver” and sends the data to the server, the “receiver” receives the data and decrypts using its own private key for the session.
The “receiver” after decrypting data, tells the server to clean up and all related resources for the “receiver” can be cleaned up.
All of the above steps need to be performed within the set time-out, to minimize the resource usage on the server.

In the above scenario, the server is holding some data that it can’t even read because the server does not have a private key. The only processing happening on the server are some key lookups – very minimal computing. Even the memory requirements for holding the ID, random codes and public key are minimal. In the approach described above complete privacy, security, and hacker-proof are maintained with minimal memory and CPU usage.

There is a flaw in today’s OTP/Authentication codes i.e if server side apps are not checking for one time usage and even if there s one time use checking what if the hackers or spies enter the OTP / Authetication code before the actual user? More and more implementations should become hacker-proof and thwart the onLINE hacking/spying/hate/propaganda group.

If the data being transferred is being held in memory, the memory load cannot be predicted.

I think this is a very simple and nice approach for synchronizing data among applications like SimplePass that maintain the privacy of users and don’t need any kind of accounts and can still synchronize data across devices in a secure way.

Tags Architecture, Privacy, Security, SimplePass

Welcome

Classic example of corruption in India!

Post author By Kanti Kalyan Arumilli
Post date 31 March 2022

Bofors scandal was a major scandal where 64 crores INR was misused in a arms deal. India’s investigation agency CBI investigated for several years and cleared all the names and said 250 crores INR was spent. After few years the truth is only 4.77 crores INR were spent in the investigation. It’s like making claims of spending 4 times the scandal amount for investigation but in reality, very less was spent. So what happened to the remaining 245.23 crores INR? Would the CBI investigate CBI?

References:

Bofors Scandal – Wikipedia

CBI misled Delhi High Court that Rs 250 crore spent on Bofors probe: Supreme Court told

AWS C# Github

New accompanying Github repository!

Post author By Kanti Kalyan Arumilli
Post date 29 March 2022

A new Github repository has been created at https://github.com/ALightTechnologyAndServicesLimited/Internal for holding code samples for all the future content of ALight Technology And Services Limited‘s technical blog or technical videos.

Youtube Channels:

www.youtube.com/channel/UCfWg1fhujnIf6b621UZ_SGg

www.youtube.com/channel/UCBuu5ksejp5uPIJmPuReSTA

Happy development. 🙂

Tags AWS, C#, Github

AWS

How to secure AWS account using MFA

Post author By Kanti Kalyan Arumilli
Post date 28 March 2022

Tags AWS, MFA

Security Wordpress

WordPress Security And MFA!

Post author By Kanti Kalyan Arumilli
Post date 7 March 2022

WordPress Security And MFA!

After updating the website in December 2021 month-end to use WordPress, several internal updates and plugins were done for securing the website, improving the performance of the website. Over the past 30 days over 2,605 malicious requests were blocked using some security plugins. MFA was activated tying into Google Single-SignOn and Duo MFA. In other words logging into WordPress as admin requires Biometric authentication – YubiKey Bio. The useful plugins were Duo Two-Factor Authentication, Social Login, Social Sharing by miniOrange, Shield Security. Currently, the free versions of these plugins have enough functionality. The pro versions have many more excellent features. Sometime in the future, I might consider the pro versions. But I would highly recommend anyone using WordPress to secure your WordPress websites using these plugins. Even if you don’t have a YubiKey Bio, I would still suggest securing your installations using Duo push notifications. The installation of the plugins and configuring are very easy and stright-forward.

WordPress Security And MFA!

Tags Security, Wordpress

C# Cloudwatch

Read Cloudwatch Logs Programatically using C#

Post author By Kanti Kalyan Arumilli
Post date 22 February 2022

In AWS, Cloudwatch is an extremely useful service for ingesting and retrieving logs, metrics, alarms etc… This particular blog post is about how to retrieve logs from cloudwatch.

Cloudwatch logs are organized in the following hierarchy: Region -> LogGroup -> Streams. Inside each stream are log messages which have 3 attributes: Message, Timestamp, Ingestion Time. Currently, I am using Cloudwatch for various logs such as Linux syslogs, web server logs, Cloudtrail events etc… How to programmatically ingest logs of .Net applications directly or using NLog or using Cloudwatch agent would be topics of future blog posts. This blog post assumes that the .Net code is running under an appropriate role that has appropriate permissions.

Install AWSSDK.CloudwatchLogs nuget package.

// Instantiating a Cloudwatch client
AmazonCloudWatchLogsClient client = new AmazonCloudWatchLogsClient(RegionEndpoint.EUWest2);


// Getting Log Groups - Code snippet
var logGroupsresponse = await client.DescribeLogGroupsAsync();

if(logGroupsresponse.HttpStatusCode == HttpStatusCode.OK)
{
   foreach(var logGroup in logGroupsresponse.LogGroups)
   {
         // Process
   }
}


// Getting Streams - Code snippet
var streamResponse = await client.DescribeLogStreamsAsync(
    new DescribeLogStreamsRequest
    {
        LogGroupName = "LogGroupName"
    });

if(streamResponse.HttpStatusCode == HttpStatusCode.OK)
{
   foreach(var stream in streamResponse.LogStreams)
   {
         // Process
   }
}


// Getting Log Messages - Code snippet
var logEventsresponse = await client.GetLogEventsAsync(
    new GetLogEventsRequest
    {
        LogGroupName = "Log Group Name",

        LogStreamName = "Log Stream Name"
    });

if(logEventsresponse.HttpStatusCode == HttpStatusCode.OK)
{
   foreach(var logMessage in logEventsresponse.Events)
   {
         // Process
   }
}

The above code snippets show instantiating, retrieving list of Log Groups, Streams within a particular log group, events within a specified Log Group and Stream.

There are additional parameters that can be specified in the requests. The most important being StartTime, StartFromHead for GetLogEventsRequest, NextToken, LogStreamNamePrefix, OrderBy for DescribeLogStreamsRequest.

Once all the important logs are ingested, an application can be built for monitoring threats or for viewing logs etc… As mentioned above, there will be more posts regarding Cloudwatch, logs, monitoring etc…

Welcome

Welcome!

Post author By Kanti Kalyan Arumilli
Post date 22 February 2022

This blog is for technical related information. As a one-person company, recently, I have been doing a lot of development and some system administration. This blog is to share code snippets – primarily C#, ASP.Net MVC, Javascript, HTML and some server administration, AWS / Azure cloud administration related knowledge. Once in a while, I might post some R and Python code snippets on a necessary basis, I did dabble with R and Python a few years ago to learn Data Analysis, Machine Learning and A.I. But I did not take up Data Analysis, Machine Learning and A.I as a career, but have some knowledge. This blog serves as a reference for myself and for other .Net developers. In other words, like millions of other people, this blog helps for sharing knowledge. My 2 cents to the blogosphere.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.