Re: fraud detection software for a bank

[Jeffrey Walton <noloader () gmail com>]

On Wed, Oct 24, 2012 at 2:22 AM, Kiran Karnad <kiran.karnad () mimos my> wrote:
> But how do we test if the tokens are from before this 
> (http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all&_r=0) or after?
That's an interesting question. The tokens were replaced because of
the potential for private key extraction due to PKCS padding
(http://blog.cryptographyengineering.com/2012/06/bad-couple-of-years-for-cryptographic.html).

I'm not sure its possible to check for an updated token, unless the
token API includes a version number and the version was incremented.
Perhaps you could try the attack and see if the token leaks timing
information due to padding oracles. And I'm not sure what you would do
remotely, either.

Jeff

> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ric Hdz
> Sent: Tuesday, 23 October, 2012 2:39 PM
> To: zero9zero () gmail com
> Cc: gold flake; listbounce () securityfocus com; marco cohen; security-basics () securityfocus com
> Subject: Re: fraud detection software for a bank
>
> Falcon software anti-fraud system
>
> Ricardo
>
> Gretings
>
> Sent from my iPad
>
> On 23/10/2012, at 01:23, "Burhan Muhammad" <zero9zero () gmail com> wrote:
>
> > I believe that this is not a matter of proprietary or open source. As mentioned by gold flake it is about trust.
> >
> > So what makes you think going open source? If reducing cost is your motives you might want to re-calculate again the 
> > TOTAL operation cost not just the software but including everything from software, developments to training.
> >
> > Open source will be more flexible (usually) but it needs time before you can achieve certain desired performance. 
> > Development may cost more than going for proprietary software.
> >
> > Hope this give you some insight.
> >
> > Regards,
> > Burhan Muhammad
> > Master of Business Information Technology Royal Melbourne Institute of
> > Technology
> >
> > -----Original Message-----
> > From: gold flake <ptinstructor () gmail com>
> > Sender: listbounce () securityfocus com
> > Date: Mon, 22 Oct 2012 15:58:28
> > To: marco cohen<marcocohen2 () gmail com>
> > Cc: <security-basics () securityfocus com>
> > Subject: Re: fraud detection software for a bank
> >
> > This is a fairly complicated issue and I am not sure an open source
> > solution is suitable, much less available.  Please talk to some market
> > leaders in this field or companies selling DLP solutions.  And for
> > god's sake be willing to spend some money on this.  As a bank, you are
> > not just protecting your customers' money but earning their trust.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------