[SecurityRatty] tag: notification

Check if Your Gmail is Hacked with Activity Monitor

Thu, 02 Oct 2008 03:30:02 +0000

This time I want to go over one new Gmail feature. It watches your account and displays a notification when someone else logs into your account. Basically a nice little feature from Gmail team that lets you check if someone has hacked into your Gmail account.

PSS World Medical applicants affected by job boards breach

Tue, 30 Sep 2008 18:41:20 +0000

In a breach notification letter sent to the New Hampshire State Attorney General, PSS World Medical states that the company “recently became aware of an incident involving unauthorized access” to company’s career board website. The unauthorized access resulted in the exposure of personal information belonging to job applicants and others that may have posted their [...]

Visa to develop e-payment applications for Android, Nokia phones

Fri, 26 Sep 2008 00:00:00 +0000

Consumers will receive what Visa calls 'near real-time' notification of purchase activity, based on parameters they set up.

QuickTime Crashing Zero-day Attack Code Published, Malicious Code Execution Possible

Thu, 18 Sep 2008 10:57:04 +0000

According to Aaron Adams, a Symantec Corp.’s DeepSight threat notification network researcher, new attack code that exploits an unpatched vulnerability in Apple Inc.’s QuickTime was published on milw0rm.com in Tuesday, just a week after the company updated the media player to plug nine other serious vulnerabilities. The exploit takes advantage of a flaw in the “<? [...]

Web 2.0 Attacks Revealed

Sun, 14 Sep 2008 20:00:00 +0000

This paper details various security concerns and risks associated with web 2.0 technologies such as Asynchronous Java script and XML (AJAX), Syndication, aggregation and notification of data in RSS or Atom feeds, mashups created by merging content from different sources. This paper also describes the security implications leading with the usage of web 2.0 technologies such as AJAX, RSS, and Mashups.

Emergency notification displays to bolster Virginia Tech alert systems

Wed, 20 Aug 2008 09:00:00 +0000

Virginia Tech, the scene of April 2007 campus killings, is adding 220 message displays to convey emergency alerts to students who are in classrooms where cell phones are not supposed to be used.

Technology Tales from Thailand: KBank Fraud Management

Wed, 20 Aug 2008 03:16:51 +0000

In The Magical ATM Card and SMS Message in Thailand we talked about booking flights and securely paying using a SMS PayCode and ATM transfer, avoiding the possibility of on-line credit card fraud; and in Keyloggers: Why Banks Need Two-Factor Authentication I described how KBank uses SMS-based one-time-passwords (OTP) to authenticate transactions.

In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card. I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction. The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature. (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).

As the story goes, I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit dard. Why?

My US-based VISA debit card was cloned sometime on or before August 8th. I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant. The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.

This would not have happened with KBank SMS-based transaction notification services.

The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water”). If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai. I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.

In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc). You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.

I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US. I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.

Virginia Tech intros another emergency notification system

Tue, 19 Aug 2008 20:00:00 +0000

When Virginia Tech's 28,000 students return to classes for the fall on Monday, they will benefit from another emergency mass notification system added over the summer in response to the April 2007 campus killings of 32 people by a lone gunman.

Unauthorized Well Fargo Transactions Endanger Private Details Of 7000 Clinets

Fri, 08 Aug 2008 17:35:58 +0000

According to New Hampshire State Attorney General breach notification, a significant number of unauthorized transactions had been made using Well Fargo’s access codes. Wells Fargo Bank, N.A. has been advised by a reseller of consumer data, including consumer credit bureau data, of suspicious transactions made using Wells Fargo access codes. The investigation confirmed that a significant [...]

Simulating Email in .NET

Fri, 01 Aug 2008 09:59:01 +0000

I use email as a notification mechanism a lot, and often in class I'll demo sending email via a technique that I use frequently when developing code. It allows you to simulate sending an email message.

The trick to doing this is not to hardcode things like host, port, etc. for your SMTP server when you use System.Net.Mail to send mail. Instead, use the default ctor for SmtpClient as I've done in the code below.

static void Main(string[] args)
{
    // note the use of the MailAddress class
    // this allows me to specify display names as well as email addresses
    MailAddress from = new MailAddress("admin@fabrikam.com", "Fabrikam Website");
    MailAddress to = new MailAddress("mari@fabrikam.com", "Mari Joyce");

    MailMessage msg = new MailMessage(from, to);
    msg.Subject  = "Testing 123";
    msg.Body = "This is only a test!";

    // note use of default ctor
    // this looks in config to figure out how to send mail
    new SmtpClient().Send(msg);
}

.csharpcode, .csharpcode pre { font-size: small; color: black; font-family: consolas, "Courier New", courier, monospace; background-color: #ffffff; /*white-space: pre;*/ } .csharpcode pre { margin: 0em; } .csharpcode .rem { color: #008000; } .csharpcode .kwrd { color: #0000ff; } .csharpcode .str { color: #006080; } .csharpcode .op { color: #0000c0; } .csharpcode .preproc { color: #cc6633; } .csharpcode .asp { background-color: #ffff00; } .csharpcode .html { color: #800000; } .csharpcode .attr { color: #ff0000; } .csharpcode .alt { background-color: #f4f4f4; width: 100%; margin: 0em; } .csharpcode .lnum { color: #606060; }

What you're telling .NET by using the default ctor for SmtpClient is, "please use my config file to figure out how to send mail". Now you can use the system.net/mailSettings/smtp section in config to specify the details of your mail server, and all of the code in your app that is written to use the default SmtpClient ctor will inherit these settings. Here's an example of what the config on a production server might look like (if you put passwords in your config files, be sure to encrypt those sections):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network">
        <network host="mail.fabrikam.com"
                 port="25"
                 userName="WebsiteMailAccount"
                 password="whatever"/>
      smtp>
    mailSettings>
  system.net>
configuration>

During development, I use different settings because I don't usually want to deal with the hassle of installing an SMTP server on my development box. Instead, I want email messages delivered as individual files in a directory on my hard drive (I always have a c:\mail directory on my development box for just this purpose):

<configuration>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="SpecifiedPickupDirectory">
        <specifiedPickupDirectory pickupDirectoryLocation="c:\mail"/>
      smtp>
    mailSettings>
  system.net>
configuration>

Now when I run the program above, I get a .EML file in my c:\mail directory:

Outlook Express is normally registered as the viewer for .EML files, so double-click the file to view it:

If you've never seen this method of simulating email before, I hope you find it as useful as I have. Happy coding!