How to protect website username/passwords from RAM scraping malware - passwords

I have recently read http://www.scmagazine.com.au/News/345109,memory-gaffe-leaves-aussie-bank-accounts-open-to-theft.aspx and I am very keen to learn how to protect my website users from this type of attack.
Can anyone provide more information on this attack and more specifically how to protect against it?

At the end of that article he writes "Westpac and NAB were the only banks tested to have encrypted the data." Seems like you would just need to encrypt it and not send anything in plain text.

Related

WhatsApp - How WhatsApp server stops/detects requests from unauthorized apps?

Every application that generates dynamic content must have a server whose address is embedded inside the application to enable communication with the server.
Now in the case of WhatsApp they have definitely also embedded the server's address inside the WhatsApp application. For example, someone reverse engineers the WhatsApp apk and finds the address of the server, and also finds the parameters and all the stuff that the application sends to the server (i.e. session, token, authentication key etc.) for successful communication. So does that mean he can use the same parameter structure and the server address in a different third-party app to play/communicate with the WhatsApp server? Because the server is just an electronic device that works on digital signals and that's it. The server doesn't know whether these parameters are coming from the authorized WhatsApp apk or from a third-party apk.
If yes, then don't you guys think that there should be a solution to that problem?
If no, then what are the techniques and algorithms they are using to stop requests from unauthorized/fake apps?
I believe no employee from WhatsApp will answer here to share the algorithm, but I know SOF is full of geeks; if someone knows how WhatsApp stops these kinds of issues please share, otherwise I will still be glad to know about the advice and ideas you guys have in mind for the best security practices.
How do banking, PayPal etc. and messaging apps including WhatsApp work in that scenario, and how do they stop the issue that I described above?
Important:
I am not going to reverse engineer WhatsApp; I am just creating a server and fighting with this issue, to secure my server so that it only accepts requests from my app and stops requests from unauthorized/fake apps.
Thanks & respect to all in advance who will contribute.
There is no way to prevent malicious reverse-engineering, resulting in a fake app pretending to be the real thing. While you are working on your server, you need to do defensive programming, that is, your server shouldn't assume that the request was sent via the app. So, if you protect your server against all kinds of malicious and deliberate misuses, then your server is safe.
However, that's easier said than done, because your project is developed by a finite amount of people and - if it becomes successful then - the audience contains a swarm of smart bad people.
You will therefore need to detect a subset of features that you need to absolutely protect against misuses and prioritize testing and improving those, by thinking with the mind of a fictional hacker, who would like to either gain unearned profits or do harm to your project. Schizophrenic, I know, but you need to do that on the server. You also need to improve the security of less than critical features, but at a lower priority and log the requests you get, so if SHTF, then you will have at least a chance to deduce what caused it and how.
If the phone app is in your hands as well, then you might implement some additional authentication for each version, like generating a version token for each user that downloads your app. Since the version token generator algorithm would not be in the hands of hackers, they would have to solve that on a per-user basis, which is extremely laborious for several users if done by hand, and if they work out a way to make it automatic, their solution would be viable only for a version.
So, there is no 100% accuracy in this area, but you can make life very hard and miserable for people paid to hack through your application.
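One way to realise the answer's two points (a server that validates every request as if it came from anywhere, plus a per-user, per-version token minted server-side) is shown below. This is an added illustration, not code from the answer or from any real messaging service; the secret, version list, request fields and the "amount" business rule are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed example: the secret lives only on the server, so the token
# generator never ships inside the app; the app only ever holds its token.
SERVER_SECRET = secrets.token_bytes(32)   # in practice loaded from a secret store
TOKEN_HEX_LEN = 32
# Versions the server still accepts. Dropping a version invalidates every
# token minted for it, which is the "viable only for a version" property.
SUPPORTED_VERSIONS = {"2.1.0", "2.1.1"}


def issue_version_token(user_id, app_version, secret=SERVER_SECRET):
    """Mint the token handed to one user for one app version (server-side, at registration)."""
    msg = f"{user_id}\x00{app_version}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def verify_request(user_id, app_version, token, secret=SERVER_SECRET):
    """True only if the token matches this user and a still-supported version."""
    if app_version not in SUPPORTED_VERSIONS:
        return False
    expected = issue_version_token(user_id, app_version, secret)
    return hmac.compare_digest(expected, str(token))


def handle_request(req):
    """Defensive handler: never assumes the request came from the real app.

    Returns (http_status, message). Hypothetical request shape:
    {"user": ..., "version": ..., "token": ..., "amount": ...}.
    """
    try:
        user_id = str(req["user"])
        app_version = str(req["version"])
        token = str(req["token"])
        amount = int(req["amount"])
    except (KeyError, TypeError, ValueError):
        return 400, "malformed request"
    # Business rules are enforced here, never trusted from the client.
    if not 1 <= amount <= 1000:
        return 400, "amount out of range"
    if not verify_request(user_id, app_version, token):
        return 403, "unknown app/user token"
    return 200, f"accepted {amount} for {user_id}"
```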

Mamba Ransomware

I need to find more information related to Mamba ransomware to reverse it. I am specifically looking out for IOCs in form of SHA values, IPs, URLs etc. Any related information will be very appreciated.
Thanks in advance
This ransomware propagated mostly through spearphishing campaigns. Once downloaded, the malicious code starts its work by encrypting system drives. Then comes a ransom page threatening the victim with deletion of all the encrypted files unless a ransom, mostly in the form of bitcoin, is paid to the attacker.
I think this is what you are looking for:
https://www.talentcookie.com/2017/08/mamba-ransomware-back/

Passing Classes as parameter to Windows Azure Cloud Service

I am writing an application in vb.net, to send data to an API in a cloud service hosted in Azure. Is there any benefit / harm in wrapping the data up in a class before sending it, as opposed to parameterised data? Is the data still vulnerable to being stolen in transit? How could I protect that data?
It makes no difference whether you collect your data into a single class or send each bit as a single parameter over the wire; your relevant information can still be extracted very easily.
If you are sending sensitive data over the internet you need to protect it in some way. You should at the very least make sure that you are connecting over an SSL connection. So you would need to purchase a certificate for your domain name and add it to Azure.
You also want to make sure that the API is using authentication, ideally written by someone who understands the implications of authentication design decisions (it is often surprisingly counter-intuitive).
If the data is particularly sensitive you should encrypt it with your own key before sending it and let the receiving server decrypt and process it if needs be, or if possible only store the encrypted data and decrypt on the client when you receive it again.
The most important thing though is to spend time researching, computer security is a big topic, having unsecured data can become an easy target for hackers and those looking to ransom your data.
An exceptionally good place to start is https://security.stackexchange.com/; there are some hugely knowledgeable people there. (But you probably want to understand a little of what you're talking about before asking questions; infosec people aren't known for their helpful natures ;) )

How to offer extended RSS feed to premium users?

I would like to provide extended RSS content (extended with unmoderated comments, for example) to premium users (moderators).
Would it be possible to somehow authenticate readers of feeds other than attaching a personal token string to the RSS URL?
Granted, this way a curious person only needs to steal an RSS link like this (much like one could steal a session id), but a password could be acquired just as easily, right?
How could I make this a bit more secure especially against PEBKAC issues?
Would you consider this an idea worth pursuing or should I just discard it and find some alternative? Could you suggest such an alternative?
You can use http authentication, like this java example.
It, and your url idea, are in the open, so https is needed to prevent user/pass/session theft.
You would then also need user and session code, and password recovery code. You could try advertising before doing the work. Create a link, "Click here to pay X dollars for premium rss", and see if anyone uses it. I think there was a stack overflow podcast that mentioned this, anyone remember which one?
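The answer's suggestion, HTTP authentication over HTTPS instead of a token in the feed URL, as an added example that is not part of the answer or of any particular feed software: a request handler that serves the public (moderated) feed to anonymous readers, the extended feed only to a moderator who authenticates with Basic auth, and refuses credentials offered over plain HTTP. The user store, password and feed names are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # constructed choice; tune for your hardware


def make_record(password):
    """Store only a salt and a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample moderator account; in production this lives in the user database.
MODERATORS = {"alice": make_record("correct horse battery staple")}


def basic_header(user, password):
    """What a feed reader configured with HTTP auth sends (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_password(user, password):
    record = MODERATORS.get(user)
    if record is None:
        # Burn a hash anyway so unknown and known users take the same time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def feed_for_request(scheme, headers):
    """Decide which feed a reader gets; returns (http_status, feed_kind)."""
    auth = headers.get("Authorization")
    if auth is None:
        return 200, "public"            # anonymous readers get the moderated feed
    if scheme != "https":
        return 403, "https required"    # credentials over HTTP would be sniffable
    creds = parse_basic_auth(auth)
    if creds is None or not check_password(*creds):
        return 401, "public"
    return 200, "extended"
```

Nothing secret ever appears in the feed URL, so it cannot leak through server logs, browser history or Referer headers the way a personal token string would.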

How would you go about making an application that automatically retrieves your bank account balance twice a day?

I'm building a utility that will hopefully keep my wife in tune with how much money we have available.
I need a simple secure way of logging into my bank account and retrieving the balance.
Something like mechanize is the only method I can think of. I'm not even sure if that would work given the properly authenticated https that banks use.
Any ideas?
Write a perl script using LWP::UserAgent. It supports HTTPS connections. The only issue might be if the site requires javascript.
Web Client Programming with Perl has a few examples to get you started if you're not too familiar with perl.
If you really want to go there, get these extensions for Firefox: Live HTTP Headers, Firebug, FireCookie, and HttpFox. Also download cURL and a scripting language that can run cURL command-line tasks (or a scripting language like PHP or Perl that has access to cURL libraries directly).
I've started down this road for some idempotent GET tasks like getting PDFs of the S&P reports (of the stocks I track) from my online brokerage, and downloading the check images for my bank account. Both tasks are repetitive and slow ways of downloading data to my computer, and the financial institutions don't provide any way of making it easier.
Here's why you shouldn't: (as a shortcut I'm going to call the archetypal large bank, brokerage, or other financial institution "BloatBank")
BloatBank is not likely to make public their API for accessing this kind of information. So it can change any time and all your hard work will be for naught. Whenever they change their mechanism, you'll have to adapt.
If BloatBank finds out you've been using automatic scripting to try to access your account information, they may ban you because you've violated their terms of service.
You might screw up, and the interaction between the hodgepodge of scripts on BloatBank's server, and your scripts that access your account, might cause a Bad Thing like closing your account. Testing this kind of script is tremendously difficult because you don't have any documentation about how their online service works, and you don't have a test account you can mess with.
(a variant of the above) You think you're safe because you're issuing GET requests. But BloatBank is just a crazy bank that doesn't know anything about REST, so there are some GET requests that can mess up your account.
If someone else does use your script to maliciously sniff your online password or mess with your account, any liability coverage from BloatBank may disappear because you've opened a security hole.
Why don't you teach your wife how to login to the bank herself? Or use Quicken (or Mint, etc) and teach her how to use the auto-download feature?
Have you checked out Watir? It is fantastic for automating web-browser actions. And since it's written in Ruby, you can take the results and store them in a DB (or email them to yourself) if needed.
If you are open to AIR, I'd say build an AIR app. I have worked with mechanize and I think it's cool. AIR gives you similar features with a richer GUI (see HTMLLoader and DOM manipulation of webpage).
If I were you, I'd simply pull the page and manipulate the DOM to suit my visual needs.
Please, if you find this easy to do for your bank please post your bank's name. If I have the same one I'll be closing my account.
More to your question. The process of loading a web page inside of your code rather than in a browser can be a black art, especially if there is any javascript involved. Your best bet would probably be embedding the IE Web Browser control in your app and then simulating key strokes and mouse clicks to arrive at your balance page. Then scrape the HTML for the balance.
I could try paying for Quicken and letting it do the balance downloading. Then I'd just need to find a way to get the number out of the software automatically.
This way I'm not violating any terms of service and I'm also reducing security risk since all "hacking" goes on locally.