I think the CyberSecurity market is going to increase multi-fold, because I know the capabilities of the anonymous spies/hackers/mafia’s invisible drone equipment. They would put the blame on “five eyes” etc… But why would “five eyes” help for infiltrating their own countries? Does not make sense. I.T industry under threat by the equipment mafia/spies. Mafia = organized crime! The equipment has been mis-used for organized crime, they can be and should be considered mafia, although rogue R&AW spies. They have even stole money from bank account.
I think Operating Systems should be secure. For example, normal people don’t run servers etc… block incoming connections. Everyone don’t have printers / other laptops in the network. Remote access / admin shares are not needed. When necessary, I.T professionals know what to do.
Create secure filesystem areas for sensitive info for special apps such as VPNs etc…
Password based logins are no longer secure. Enable bio-metric or hardware keys based login and provide the ability to disable password based login. Even mobiles should do this.
Don’t show sensitive information in alerts such as SMS – the invisible drone equipments guys did several OTP thefts on several occassions, They even stole money from my own bank accounts.
Websites should not show config keys etc… in plain text. I think Azure and AWS should allow the ability to export keys directly into KeyVault or SecretsManager etc… For example some blob storage key or IAM role keys – allow specifying the name for storage and directly store.
Seriously the world of computing is under threat from the mafia psychopath’s equipment. They did steal money, they did organized crime, murder attempts, they did try to put the blame on others, they did shadow, stalk, harass, blackmail, threaten etc… Probably signature forgeries, money laundering etc…
This blog post is specifically for AWS EC2 but the same concepts can be used in any Ubuntu based environments.
This is part of my personal effort in enhancing the cyber-security of my own startup – ALight Technology And Services Limited and ALight Technologies USA Inc. I am using multi-cloud environment for additional security. I have workloads in Azure, AWS! Azure has more important workloads. I am trying to come up with a plan where if an attacker hacks one of the accounts, the critical workload in Azure should not be accessible. This is pretty much like creating multiple layers of security. In other words this is like multi-MFA accounts security with various multi-factor authentication methods.
At least during locked-down period, the multi-MFA accounts security level would enhance the security. During maintenance window this level of security wouldn’t be possible and I am planning some monitoring, alerts and automatic mitigations if abnormal activity gets detected during maintenance windows based on logs, metrics. And even automatic terminations for any higher abnormal activity. Almost like a self-developed, zero trust system, intrusion detection and prevention system.
Here are several related blog posts:
The spy-attackers-toes (I think extremist division of R&AW, spying organization of my own country, India) = terrorist odour can utmost do screenshots but cannot directly access the servers. This is one man’s effort against an army of anonymous spy-hackers. Shame on the bribery/extortion/ransom takers. sugarified word – taking – harsh reality = extortion/ransom, instead they could have opted to asking for help.
In AWS configure a SNS topic to send alerts to emails / SMS to phone. Add the emails and phone numbers, subscribe and validate the emails and phones.
Create a role for use with EC2 instances and give permission for publish to the SNS topic.
When launching the SNS use associate the IAM role with permission for publishing.
Install aws cli.
> sudo apt install awscli
Create a script for example / var/LoginAlert/LoginAlert.sh
Replace the ARN and Region with your own ARN and Region of the SNS topic.
Instead of “aws sns publish”, we can use any other executable such as writing some customcode and writing into some database for audit purposes, send alert via various other methods such as Slack etc… Or may be even a curl request to Slack.
In my startup – ALight Technology And Services Limited, I don’t have any employees. I do everything myself. I know .Net web development. These other activities are something new for me.
Most of you know, I have been looking for secure, efficient way of accessing servers hosted in my AWS and Azure accounts. This effort is part of productionizing WebVeta and securing the servers.
I have written some blog articles about OpenVPN in the past and how-to automate changing keys using some C# code at random for higher security.
This blog post is about few other alternatives and some tips.
WireGuard is another free VPN software! But the problem 256-bit key. i.e less secure but high throughput. One possible way is by rotating the key on a timely basis. There is another software known as Pro Custodibus, that helps in rotating keys and managing keys + MFA!
OpenVPN is very highly configurable and can support 2048 bit keys and above.
The above blog post talks about how to install and use some C# code for re-generating server and client side keys. The above blog post allows keys + password protection for the ovpn file i.e 2 layers of higher security.
OpenVPN has the following interesting options for further security / monitoring and alerting:
Using some of these options and commands, alerts can be generated by either using scripts or programs. I would use C#, but any programming language or even shell scripts can be used.
Using –auth-user-pass-verify 3rd level of security can be added i.e an additional username + password security can be added.
–single-session allows one and only one session, no session re-negotiation – Probably perfect for my scenario.
TailScale is a very nice VPN management software and has a very generous free-tier of upto 100 devices and 3 users. With a little bit of custom programming and using TailScale the security can be increased and can be easily managed. However, one of the biggest problems I saw was registering servers. TailGate displays a URL in plain-text, the URL needs to be entered in browser and authenticated for registering a server in TailGate. If anyone knows the URL and if they authenticate before you, they can try to take-over the server and of-course you can immediately terminate server etc…
I think re-gistering servers should be 2 way i.e
In the website allow copying some random GUID (don’t show the GUID in plain text).
In the server after tailscale up, prompt for the GUID, treat the GUID like password, allow pasting but don’t echo the GUID.
Generate another unique GUID on the server and display.
User copies the server-side GUID and pastes in the website.
Now pair the servers
Even if someone somehow steals the first GUID and pastes in their server, the second GUID generated by their server would be different and can’t be paired.
If someone steals the second guid, their browser-side first guid associated with their account would be different and can’t be paired.
The feature would be very simple, instead of displaying the URL, the URL would be encrypted, use the client-mode part of tool for decrypting, copy and paste in small-sized browser window and approve.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-advertisement
1 year
Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.