This document summarizes Micha Borrmann's presentation at PHDays 2012 about credit card security. It discusses how, through penetration testing, Borrmann was able to guess credit card CVV numbers by brute forcing combinations. Over time, fraud detection systems improved and made it harder to directly guess CVVs. However, Borrmann found ways to bypass these systems, such as changing IP addresses after multiple failed attempts. The document also examines how credit card payments work through third party providers and how the browser communication could be manipulated.
The Internet of Things is rising fast, but how to run it safely and efficiently using standards?
OMA Lightweight M2M is the brand new IoT protocol for managing smart objects. It provides answers to the typical IoT needs: monitoring, configuring, securing and upgrading devices.
It’s bandwidth efficient and fits in constrained embedded environments while providing friendly and discoverable RESTful API.
This tutorial aims at giving you a hands-on experience with Lightweight M2M by showing you the power and simplicity of the Eclipse Leshan library for managing real world IoT application.
Agenda:
- Introduction to CoAP and Lightweight M2M
- Demo and live discovery of a connected smartwatch
- Presentation of Eclipse Leshan, a lightweight M2M implementation for Java
- Code your own Java server, and start managing fleet of smartwatches!
- Presentation of more advanced lightweight M2M topic: firmware upgrade, security, bootstrap, Wakaama and Tinydtls
- Code a smartwatch application using Lightweight M2M
In this talk, I will be covering the story of my team's adoption of Postman—from QA to development to customer-facing documentation. I will cover how PingIdentity's use of convenience methods in tests make working with our REST API more convenient. I will also cover advanced use of imported Node modules to manually step through the OAuth/OIDC process and how Postman Environment usage helps us manage credentials and tokens and standardize service collections to build out automated tests.
The Transmission Control Protocol (TCP) is used by the vast majority of applications to transport their data reliably across the Internet and in the cloud. TCP was designed in the 1970s and has slowly evolved since then. Today's networks are multipath: mobile devices have multiple wireless interfaces, datacenters have many redundant paths between servers, and multihoming has become the norm for big server farms. Meanwhile, TCP is essentially a single-path protocol: when a TCP connection is established, the connection is bound to the IP addresses of the two communicating hosts and these cannot change. Multipath TCP (MPTCP) is a major modification to TCP that allows multiple paths to be used simultaneously by a single transport connection. Multipath TCP circumvents the issues mentioned above and several others that affect TCP. The IETF is currently finalising the Multipath TCP RFC and an implementation in the Linux kernel is available today.
This tutorial will present in details the design of Multipath TCP and the role that it could play in cloud environments. We will start with a presentation of the current Internet landscape and explain how various types of middleboxes have influenced the design of Multipath TCP. Second we will describe in details the connection establishment and release procedures as well as the data transfer mechanisms that are specific to Multipath TCP. We will then discuss several use cases for the deployment of Multipath TCP including improving the performance of datacenters and
mobile WiFi offloading on smartphones. All these use cases are key when both accessing cloud-based services or when providing them. We will end the tutorial with some open research issues.
This tutorial was given at the IEEE Cloud'Net 2012 conference in novembrer 2012.
The pptx version containing animations that are not shown here is available from http://www.multipath-tcp.org
EMV is a standard for smart payment cards and terminals. EMV stands for – EuroPay, MasterCard and Visa, the three companies who were the founder of the standard. This standard is maintained by EMVCo – a consortium with payment brands like Visa, MasterCard, JCB, American Express, China UnionPay, Discover as members.
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptGirish Chandra
Introducing TPA(Third Party Auditor) to the cloud.It sends the information about the data stored in the cloud.It informs the user when any unauthorized user tries to steal his data from the cloud.
Wi-Fi Protected Setup - Pixie Dust Attack. An offline bruteforce attack that leaves certain routers vulnerable. Works for Boardcom and Ralink chipset based Wi-Fi routers.
The Internet of Things is rising fast, but how to run it safely and efficiently using standards?
OMA Lightweight M2M is the brand new IoT protocol for managing smart objects. It provides answers to the typical IoT needs: monitoring, configuring, securing and upgrading devices.
It’s bandwidth efficient and fits in constrained embedded environments while providing friendly and discoverable RESTful API.
This tutorial aims at giving you a hands-on experience with Lightweight M2M by showing you the power and simplicity of the Eclipse Leshan library for managing real world IoT application.
Agenda:
- Introduction to CoAP and Lightweight M2M
- Demo and live discovery of a connected smartwatch
- Presentation of Eclipse Leshan, a lightweight M2M implementation for Java
- Code your own Java server, and start managing fleet of smartwatches!
- Presentation of more advanced lightweight M2M topic: firmware upgrade, security, bootstrap, Wakaama and Tinydtls
- Code a smartwatch application using Lightweight M2M
In this talk, I will be covering the story of my team's adoption of Postman—from QA to development to customer-facing documentation. I will cover how PingIdentity's use of convenience methods in tests make working with our REST API more convenient. I will also cover advanced use of imported Node modules to manually step through the OAuth/OIDC process and how Postman Environment usage helps us manage credentials and tokens and standardize service collections to build out automated tests.
The Transmission Control Protocol (TCP) is used by the vast majority of applications to transport their data reliably across the Internet and in the cloud. TCP was designed in the 1970s and has slowly evolved since then. Today's networks are multipath: mobile devices have multiple wireless interfaces, datacenters have many redundant paths between servers, and multihoming has become the norm for big server farms. Meanwhile, TCP is essentially a single-path protocol: when a TCP connection is established, the connection is bound to the IP addresses of the two communicating hosts and these cannot change. Multipath TCP (MPTCP) is a major modification to TCP that allows multiple paths to be used simultaneously by a single transport connection. Multipath TCP circumvents the issues mentioned above and several others that affect TCP. The IETF is currently finalising the Multipath TCP RFC and an implementation in the Linux kernel is available today.
This tutorial will present in details the design of Multipath TCP and the role that it could play in cloud environments. We will start with a presentation of the current Internet landscape and explain how various types of middleboxes have influenced the design of Multipath TCP. Second we will describe in details the connection establishment and release procedures as well as the data transfer mechanisms that are specific to Multipath TCP. We will then discuss several use cases for the deployment of Multipath TCP including improving the performance of datacenters and
mobile WiFi offloading on smartphones. All these use cases are key when both accessing cloud-based services or when providing them. We will end the tutorial with some open research issues.
This tutorial was given at the IEEE Cloud'Net 2012 conference in novembrer 2012.
The pptx version containing animations that are not shown here is available from http://www.multipath-tcp.org
EMV is a standard for smart payment cards and terminals. EMV stands for – EuroPay, MasterCard and Visa, the three companies who were the founder of the standard. This standard is maintained by EMVCo – a consortium with payment brands like Visa, MasterCard, JCB, American Express, China UnionPay, Discover as members.
Privacy Preserving Public Auditing for Data Storage Security in Cloud.pptGirish Chandra
Introducing TPA(Third Party Auditor) to the cloud.It sends the information about the data stored in the cloud.It informs the user when any unauthorized user tries to steal his data from the cloud.
Wi-Fi Protected Setup - Pixie Dust Attack. An offline bruteforce attack that leaves certain routers vulnerable. Works for Boardcom and Ralink chipset based Wi-Fi routers.
What does PSD2 and SCA mean? How will this change the customer journey? How can 3DS2 help enhance the CX and boost acceptance rates? And how are Worldpay leading the way to help our customers plan for this fundamental shift?
Document de présentation projeté le 11 Juin 2016 pour la formation en monétique, sur le thème: Comment créer de la richesse et de la valeur ajoutée par le biais de la monétique?
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
La carta de crédito comercial es mucho más ágil que el crédito documentario, puesto que no requiere el uso de un banco corresponsal, otorgándole al banco emisor la facultad de
enviarla directamente al exportador. Al mismo tiempo que brinda al exportador la capacidad de presentarla para su pago al banco que considere más conveniente.
Some of the examples to show you how google dorks can be dangerous for the website which do not care about their security. Only for Education purpose. For more Details http://www.kartnap.com/wp/
What does PSD2 and SCA mean? How will this change the customer journey? How can 3DS2 help enhance the CX and boost acceptance rates? And how are Worldpay leading the way to help our customers plan for this fundamental shift?
Document de présentation projeté le 11 Juin 2016 pour la formation en monétique, sur le thème: Comment créer de la richesse et de la valeur ajoutée par le biais de la monétique?
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
La carta de crédito comercial es mucho más ágil que el crédito documentario, puesto que no requiere el uso de un banco corresponsal, otorgándole al banco emisor la facultad de
enviarla directamente al exportador. Al mismo tiempo que brinda al exportador la capacidad de presentarla para su pago al banco que considere más conveniente.
Some of the examples to show you how google dorks can be dangerous for the website which do not care about their security. Only for Education purpose. For more Details http://www.kartnap.com/wp/
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Rob Ragan
Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning…
This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are:
BaiduDiggity:first ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu.
DroidDiggity:fully functional GoogleDiggity and BingDiggity application for Android phones.
GoogleCodeSearchDiggity:identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
FlashDiggity:automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures.
SHODAN Hacking Alerts:new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine.
MalwareDiggity and MalwareDiggity Alerts:leveraging Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?"
AlertDiggity:Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belong to them.
DiggityDLP:Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks.
That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again.
http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
A Survey of Online Credit Card Fraud Detection using Data Mining TechniquesIJSRD
Nowadays the use of credit card has increased, because the amount of online transaction is growing. With the day to day use of credit card for payment online as well as regular purchase, case of fraud associated with it is also rising. To reduce the huge financial loss caused by frauds, a number of modern techniques have been developed for fraud detection which is based on data mining, neural network, genetic algorithm etc. Here a survey of techniques for online credit card fraud detection using Hidden Markov Model, Genetic Algorithm and Hybrid Model, and comparison between them has been shown.
The recent batch of mega retailers that have been compromised, including Target, Neiman Marcus and Michaels, has revealed just how vulnerable payment systems are. Even with sophisticated tools, strong security policies, updated regulatory requirements such as PCI v3 and other measures to mitigate these attacks, hackers are still able to compromise the systems by taking advantage of inherent vulnerabilities in payment systems.
In this webcast, payment systems expert Slava Gomzin, author of Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions, will show us how retailers such as Target were compromised, what went wrong, failures in PCI to address all vulnerabilities and how these types of breaches can be prevented in the future.
Webcast participants will also receive a free sample chapter of Slava’s book on “Payment Application Architecture,” which provides a detailed overview of how payment systems work, protocols and their weaknesses.
Verizon 2014 data breach investigation report and the target breachUlf Mattsson
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
KEY TOPICS INCLUDE:
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques
Presentation by Kurt Schmid, Managing Director Digital Payment at Netcetera, at the Swiss Payment Forum, November 2018.
- Where we are coming from?
- Wallets, OEM Pays versus Issuer Pays?
- Proximity and eCommerce payment trends
- The business case and strategic value for issuers?
Self-sovereign identity (SSI) is a new identity model that gives the user control and ownership over her data.
To dive into what this means and the benefits it offers, Evernym's Andy Tobin gave a webinar on October 17, 2019 introducing the topic of self-sovereign identity and its role in transforming customer experiences and unlocking competitive advantage.
In this webinar you will learn:
• Which benefits you gain from 3D-Secure 2.2 adaptations?
• Tips and tricks on how to make a seamless transition to 3DS 2.2 version!
• How to increase the security level and improve the user experience?
• Get an overview of 3D Secure from the expert perspective.
For more information contact us at https://3dsecure.asseco.com/
MTBiz is for you if you are looking for contemporary information on business, economy and especially on banking industry of Bangladesh. You would also find periodical information on Global Economy and Commodity Markets.
Excellent Presentation done by Chris West, CDGcommerce owner. In this presentation Chris will educate you on how to better protect your business against fraudulent transactions using AVS scrubbing, VbV/MSC, among several others tools provided by CDGcommerce.
www.cdgcommerce.com
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
1. Основные понятия и определения: продукт, пакет, связи между ними.
2. Как узнать, какие изменения произошли в продукте?
3. Проблемы changelog и release note.
4. Решение: инструмент ChangelogBuilder для автоматической подготовки Release Notes
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
1. Обзор Windows Docker (кратко)
2. Как мы построили систему билда приложений в Docker (Visual Studio\Mongo\Posgresql\etc)
3. Примеры Dockerfile (выложенные на github)
4. Отличия процессов DockerWindows от DockerLinux (Долгий билд, баги, remote-регистр.)
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
1. Проблемы в построении CI процессов в компании
2. Структура типовой сборки
3. Пример реализации типовой сборки
4. Плюсы и минусы от использования типовой сборки
1. Что такое BI. Зачем он нужен.
2. Что такое Qlik View / Sense
3. Способ интеграции. Как это работает.
4. Метрики, KPI, планирование ресурсов команд, ретроспектива релиза продукта, тренды.
5. Подключение внешних источников данных (Excel, БД СКУД, переговорные комнаты).
Approof — статический анализатор кода для проверки веб-приложений на наличие уязвимых компонентов. В своей работе анализатор основывается на правилах, хранящих сигнатуры искомых компонентов. В докладе рассматривается базовая структура правила для Approof и процесс автоматизации его создания.
Задумывались ли вы когда-нибудь о том, как устроены современные механизмы защиты приложений? Какая теория стоит за реализацией WAF и SAST? Каковы пределы их возможностей? Насколько их можно подвинуть за счет более широкого взгляда на проблематику безопасности приложений?
На мастер-классе будут рассмотрены основные методы и алгоритмы двух основополагающих технологий защиты приложений — межсетевого экранирования уровня приложения и статического анализа кода. На примерах конкретных инструментов с открытым исходным кодом, разработанных специально для этого мастер-класса, будут рассмотрены проблемы, возникающие на пути у разработчиков средств защиты приложений, и возможные пути их решения, а также даны ответы на все упомянутые вопросы.
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
Разработка наукоемкого программного обеспечения отличается тем, что нет ни четкой постановки задачи, ни понимания, что получится в результате. Однако даже этом надо программировать то, что надо, и как надо. Докладчик расскажет о том, как ее команда успешно разработала и вывела в промышленную эксплуатацию несколько наукоемких продуктов, пройдя непростой путь от эксперимента, результатом которого был прототип, до промышленных версий, которые успешно продаются как на российском, так и на зарубежном рынках. Этот путь был насыщен сложностями и качественными управленческими решениями, которыми поделится докладчик
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
Немногие разработчики закладывают безопасность в архитектуру приложения на этапе проектирования. Часто для этого нет ни денег, ни времени. Еще меньше — понимания моделей нарушителя и моделей угроз. Защита приложения выходит на передний план, когда уязвимости начинают стоить денег. К этому времени приложение уже работает и внесение существенных изменений в код становится нелегкой задачей.
К счастью, разработчики тоже люди, и в коде разных приложений можно встретить однотипные недостатки. В докладе речь пойдет об опасных ошибках, которые чаще всего допускают разработчики Android-приложений. Затрагиваются особенности ОС Android, приводятся примеры реальных приложений и уязвимостей в них, описываются способы устранения.
Разработка любого софта так или иначе базируется на требованиях. Полный перечень составляют бизнес-цели приложения, различные ограничения и ожидания по качеству (их еще называют NFR). Требования к безопасности ПО относятся к последнему пункту. В ходе доклада будут рассматриваться появление этих требований, управление ими и выбор наиболее важных.
Отдельно будут освещены принципы построения архитектуры приложения, при наличии таких требований и без, и продемонстрировано, как современные (и хорошо известные) подходы к проектированию приложения помогают лучше строить архитектуру приложения для минимизации ландшафта угроз.
Доклад посвящен разработке корректного программного обеспечения с применением одного из видов статического анализа кода. Будут освещены вопросы применения подобных методов, их слабые стороны и ограничения, а также рассмотрены результаты, которые они могут дать. На конкретных примерах будет продемонстрировано, как выглядят разработка спецификаций для кода на языке Си и доказательство соответствия кода спецификациям.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Guessing CVV, Spoofing Payment and Experiences with Fraud Detection Systems
1. PHDays 2012 (May 30 / May 31 / 2012 / Moscow)
Credit Cards:
Guessing CVV, Spoofing Payment and Experiences
with Fraud Detection Systems
Micha Borrmann
SySS GmbH
May 31, 2012
2. About my Point of View
In most cases I run black box tests against systems and
applications
I’m employed at a company which is offering professional
penetration tests exclusively
My point of view is from the attacking perspective; I do neither
know the application source code nor detailed network maps
All descriptions were found in the course of real professional
penetration tests (with strong NDAs): no company names will be
published
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 2 / 22
3. First Project
Long time ago (2007), a popular website ordered a professional
penetration test
However, they represented a minority of analyzed sites, as I found
no SQL injection and only few of the typical issues
But there was a possibility at the website for account verification,
which could be used with a valid credit card
It means, a valid credit card number had to be typed into the web
site to verify an account
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 3 / 22
4. Using a Credit Card on the Web
Card Holder Name
Credit card number
Expiration date
Card Security Code (CVV)
Card security code
The card security code (CSC), sometimes called Card Verification
Data (CVD), Card Verification Value (CVV or CVV2), Card Verification
Value Code (CVVC), Card Verification Code (CVC or CVC2),
Verification Code (V-Code or V Code), or Card Code Verification (CCV)
are different terms for security features for credit or debit card
transactions, providing increased protection against credit card fraud.
http://en.wikipedia.org/wiki/Card_security_code
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 4 / 22
5. CVV
Generation of card security codes
CVC1, CVV1, CVC2 and CVV2 values are generated when the card is
issued. The values are calculated by encrypting the bank card number
(also known as the primary account number or PAN), expiration date
and service code with encryption keys (often called Card Verification
Key or CVK) known only to the issuing bank, and decimalising the
result.
http://en.wikipedia.org/wiki/Card_security_code#Generation_
of_card_security_codes
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 5 / 22
6. PCI (Payment Card Industry)
https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 6 / 22
7. PCI (Payment Card Industry)
Sensitive
authentication
data must not
be stored after
authorization
(even if
encrypted).
https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 6 / 22
8. Guessing CVV?
Client
Not our business
There are a lot of fraud detection systems bank-side and your
check will fail
You can check it if you want (yeah!)
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 7 / 22
9. Guessing CVV?
Client
Not our business
There are a lot of fraud detection systems bank-side and your
check will fail
You can check it if you want (yeah!)
Result (using the MasterCard of my boss)
A script which can easily be written runs all possible CVV (000 to
999) for a given credit card number (needs around some hours)
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 7 / 22
10. Guessing CVV?
Client
Not our business
There are a lot of fraud detection systems bank-side and your
check will fail
You can check it if you want (yeah!)
Result (using the MasterCard of my boss)
A script which can easily be written runs all possible CVV (000 to
999) for a given credit card number (needs around some hours)
999 error messages were received and 1 success message
The CVV to a given credit card number was successfully guessed
Where was the fraud prevention system?
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 7 / 22
11. Brave CVV Guessing
Only expiration date, credit card number and CVV had to be put in
(no card holder name)
CVV is not possible to know
What happens if the expiration date is not known either?
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 8 / 22
12. Brave CVV Guessing
Only expiration date, credit card number and CVV had to be put in
(no card holder name)
CVV is not possible to know
What happens if the expiration date is not known either?
Check
36 parallel scripts were run (for the next 36 months as expiration date)
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 8 / 22
13. Brave CVV Guessing
Only expiration date, credit card number and CVV had to be put in
(no card holder name)
CVV is not possible to know
What happens if the expiration date is not known either?
Check
36 parallel scripts were run (for the next 36 months as expiration date)
Result
The issuing bank called my boss as they detected strange activities on
his MasterCard and the card was revoked immediately.
Fraud detection systems do exist!
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 8 / 22
14. Expiration Date
It is not absolutely neccessary to guess it because it is not tagged
as secure
Written on a lot of receipts, sometimes also with the entire credit
card number
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 9 / 22
15. Expiration Date
It is not absolutely neccessary to guess it because it is not tagged
as secure
Written on a lot of receipts, sometimes also with the entire credit
card number
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 9 / 22
16. Expiration Date
It is not absolutely neccessary to guess it because it is not tagged
as secure
Written on a lot of receipts, sometimes also with the entire credit
card number
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 9 / 22
17. The Never Ending Story Starts
In November 2007 a hack into a big German website was in the
media
The website used to sell tickets for self-print out
The stolen data also included CVV data
A German TV team asked: What do you know about credit card
security?
The answer was: We can guess the CVV of your credit cards
The TV guys asked for a demonstration
Used another website (not my customer’s website), as the attack
was not against a website but against a credit card number
I had checked my script one day before the appointment with the
TV guys successfully (with the new credit card of my boss)
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 10 / 22
18. First CVV Guessing in the Media
The website changed their setup and behaviour on that day, when
the TV guys were in my office
More live demonstration than I expected before
They xeroxed a front side of a VISA and a MasterCard and this
sheet of paper was given to me
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 11 / 22
19. First CVV Guessing in the Media
The website changed their setup and behaviour on that day, when
the TV guys were in my office
More live demonstration than I expected before
They xeroxed a front side of a VISA and a MasterCard and this
sheet of paper was given to me
Well, after waiting less than two hours, I got the current CVV
values!
No fraud detection system could be detected
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 11 / 22
20. First CVV Guessing in the Media
The website changed their setup and behaviour on that day, when
the TV guys were in my office
More live demonstration than I expected before
They xeroxed a front side of a VISA and a MasterCard and this
sheet of paper was given to me
Well, after waiting less than two hours, I got the current CVV
values!
No fraud detection system could be detected
Statement from Credit Card Industry
VISA: Additional measurements enforce, that stolen credit card data
are only minimally useable by criminals
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 11 / 22
21. The Story Goes On
In May 2011 a journalist of the German magazine DIE ZEIT was
investigating about insecurity and he detected the formerly
published attack of CVV guessing.
He asked me, is it still possible?
Well, let’s try!
I also got two credit card data (credit card number and expiration
date): 1 MasterCard and 1 VISA (both represent more than 90%
of the market in Germany)
It was not possible for me to simple increase the numbers for the
CVV as there was an automatic fraud detection system. Wow!
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 12 / 22
22. Analyzing the Detected Anti Fraud System
After 3 invalid CVV within 15 minutes a message came back
indicating that such a solution seems to be active:
Payment declined by AFDS (AFDS-HFC)
AFDS sounds like Automatic Fraud Detection System, isn’t?!
You can wait for 15 minutes after 3 invalid attempts, but it takes
too much time
Need for speed?
Change the source IP number!
It can be scripted with open proxies, Tor Project ...
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 13 / 22
23. Strange Results
Result
4 years after the first public demonstration, an automatic fraud
detection system simply to be bypassed was detected
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 14 / 22
24. Strange Results
Result
4 years after the first public demonstration, an automatic fraud
detection system simply to be bypassed was detected
VISA
Two valid useable CVV for the given VISA card were detected. One
was printed on the backside the other one is an additional value.
Maybe, there is a collision attack within the generating algorithm.
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 14 / 22
25. Entertainment
The article in the magazine DIE ZEIT was read by a radio
journalist
He did not believe that this was a true story (in summer 2011)
He interviewed me for a radio station and he sent me two credit
card numbers and the expiration dates via text message (but of
course, no CVV and no cardholders name)
I used the name “Joe Smith” as cardholder’s name but you can
expect the result
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 15 / 22
26. Entertainment
The article in the magazine DIE ZEIT was read by a radio
journalist
He did not believe that this was a true story (in summer 2011)
He interviewed me for a radio station and he sent me two credit
card numbers and the expiration dates via text message (but of
course, no CVV and no cardholders name)
I used the name “Joe Smith” as cardholder’s name but you can
expect the result
I successfully detected the CVV
This radio interview was also heared by Ukrainian people
There was another interview and the first non-German notice
about it: http://www.dw.de/dw/article/0,,15295808,00.html
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 15 / 22
27. Bypassing Credit Card Payment, First Minds
Do you remember the first little film with the increasing numbers
on my laptop screen?
The numbers on the screen were mostly for the TV guys
However, during the time the cameraman was behind me, I
detected a strange behaviour:
an invalid CVV was responded with a redirect to
https://webshop.com/error.php
but the valid CVV was responded with a redirect to
https://webshop.com/success.php
Big question
What happens if I go to https://webshop.com/success.php directly?
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 16 / 22
28. Using a Payment Provider
These providers are popular because the web shops do not store
credit card data and do not need a PCI certificate
How does the communication between the web shop and the
payment provider work?
directly
via the browser of the user (this is useful for manipulations, yeah)
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 17 / 22
29. Using a Payment Provider (via the User’s Browser)
webshop.com paymentprovider.com
user
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 18 / 22
30. Using a Payment Provider (via the User’s Browser)
webshop.com paymentprovider.com
ifr
am
e
at
pa
ym
en
tp
ro
vi
de
r.
co
m
user
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 18 / 22
31. Using a Payment Provider (via the User’s Browser)
webshop.com paymentprovider.com
ifr )
am VV
e C
at g
pa d in
ym clu
en ( in
tp a
ro
D at
vi
de ard
r. tC
co
m edi
Cr
user
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 18 / 22
32. Using a Payment Provider (via the User’s Browser)
webshop.com paymentprovider.com
ifr hp )
am 2 ror.p VV
e 3 0 r C
at e /e g
pa C od com d in
ym P op. clu
en TT sh
H eb ( in
tp a
ro s ://
w
D at
vi tp d
de ht ar
r. C
co it
m ed
Cr
user
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 18 / 22
33. Using a Payment Provider (via the User’s Browser)
webshop.comht paymentprovider.com
ifr tp
am s: hp )
e
//w
eb 2 ror.p
0 r C VV
3
at sh e /e g
pa op
.c C od com d in
ym om P op. clu
en /s TT sh
H eb ( in
tp uc
a
ro ce
ss s ://
w
D at
vi .p tp d
de hp ht ar
r. C
co it
m ed
Cr
user
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 18 / 22
34. Using a Payment Provider (via the User’s Browser)
Result
If you get a message like “thank
you for your order” than it
seems that your payment was
webshop.comht paymentprovider.com
ifr tp successfully spoofed
am s: hp )
e
//w
eb 2 ror.p
0 r C VV
3
at sh e /e g
pa op
.c C od com d in
ym om P op. clu
en /s TT sh
H eb ( in
tp uc
a
ro ce
ss s ://
w
D at
vi .p tp d
de hp ht ar
r. C
co it
m ed
Cr
user
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 18 / 22
35. Successfully Bypassing Credit Card Payment
Successfully tested against a friendly shop in January 2008
On some payment providers, the web shop can enable an optional
(!!!) security feature: a hash is calculated over a string which
includes a password and the total to be paid and this hash is
additionally transferred
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 19 / 22
36. Successfully Bypassing Credit Card Payment
Successfully tested against a friendly shop in January 2008
On some payment providers, the web shop can enable an optional
(!!!) security feature: a hash is calculated over a string which
includes a password and the total to be paid and this hash is
additionally transferred
Has anybody ever heard of a replay attack?
An article for a German computer magazine (c’t) was held back
until the trade fair CeBIT 2008
This kind of attack was described and presented at the CeBIT
(March 2008)
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 19 / 22
37. Successfully Bypassing Credit Card Payment
Successfully tested against a friendly shop in January 2008
On some payment providers, the web shop can enable an optional
(!!!) security feature: a hash is calculated over a string which
includes a password and the total to be paid and this hash is
additionally transferred
Has anybody ever heard of a replay attack?
An article for a German computer magazine (c’t) was held back
until the trade fair CeBIT 2008
This kind of attack was described and presented at the CeBIT
(March 2008)
In summer 2008 I was penetration testing a foreign web shop
It was possible for me to successfully spoof a valid credit card
payment for the first time; the box with the product was shipped to
Germany
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 19 / 22
38. Other topics with payment providers
Parameter fraud_detection=yes
Not only related to payment with credit cards
Thibault Koechlin from NBS System talked about Naxsi
(http://code.google.com/p/naxsi/) this morning
NBS System has written an advisory for a similar attack:
http://www.nbs-system.co.uk/blog-2/security/
magento-paypal-vulnerability.html
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 20 / 22
39. Other topics with payment providers
Parameter fraud_detection=yes
Not only related to payment with credit cards
Thibault Koechlin from NBS System talked about Naxsi
(http://code.google.com/p/naxsi/) this morning
NBS System has written an advisory for a similar attack:
http://www.nbs-system.co.uk/blog-2/security/
magento-paypal-vulnerability.html
Attention
This kind of bypassing payment is not only related to credit card
payment (see advisory related to Paypal) and can not be secured with a
web application firewall
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 20 / 22
40. Summary and Hints
Be careful with credit card receipts
Check your credit card balance
Do not expect fraud detection systems for CVV guessing
Do not trust automatic fraud detection systems for CVV guessing
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 21 / 22
41. Summary and Hints
Be careful with credit card receipts
Check your credit card balance
Do not expect fraud detection systems for CVV guessing
Do not trust automatic fraud detection systems for CVV guessing
Do not call CVV a security feature
Do not expect IT security awareness from your payment provider if
you are in charge for a web shop
Do not trust data from the web shops if you are a payment provider
Think about the unthought issues if you are a web programmer
M. Borrmann (SySS GmbH) PHDays 2012 May 31, 2012 21 / 22