Bitcoin Forum
November 06, 2024, 05:23:51 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: ❎Need web/Php and penetration testers❎  (Read 1749 times)
NyeFe (OP)
Hero Member
*****
Offline Offline

Activity: 699
Merit: 501


View Profile
February 22, 2015, 09:54:04 PM
Last edit: February 22, 2015, 10:08:33 PM by NyeFe
 #1

We're working on NyeFe, which is similar to bitpesa and robocoin, however cheaper, allows the use of Visa, debt card, includes user stores (similar to eBay) and additional payment methods.

We need extra web developers to push the project, so it can be release in less than 4 months. Penetration testers are need to exhaust our security, so we can identify security breaches, sooner, rather than later.


MicroDApp.com—Smart Contract developers. Lets build a decentralized future!
icanscript
Hero Member
*****
Offline Offline

Activity: 686
Merit: 502



View Profile
February 22, 2015, 10:07:53 PM
 #2

I'm always willing to help out where I can, I have quite a bit of security background and php experience.
XinXan
Hero Member
*****
Offline Offline

Activity: 1064
Merit: 505


View Profile
February 23, 2015, 05:07:47 AM
 #3

You want us to hack your web?
funtotry
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


Ever wanted to run your own casino? PM me for info


View Profile
February 23, 2015, 05:10:03 AM
 #4

General things to keep in mind with your DB. Make sure no MYSQL injection is possible, secure ALL user input. Any most importantly encrypt passwords and maybe even emails with SHA256. This means if the hacker gets in your database he wont know the users real passwords and emails which he could use to log into other sites if they use the same password for multiple sites. Please spend the money on a quality tester so that your site and money is safe, you should not cheap out on security.

NyeFe (OP)
Hero Member
*****
Offline Offline

Activity: 699
Merit: 501


View Profile
February 23, 2015, 05:48:30 AM
 #5

General things to keep in mind with your DB. Make sure no MYSQL injection is possible, secure ALL user input. Any most importantly encrypt passwords and maybe even emails with SHA256. This means if the hacker gets in your database he wont know the users real passwords and emails which he could use to log into other sites if they use the same password for multiple sites. Please spend the money on a quality tester so that your site and money is safe, you should not cheap out on security.

The security is bigger than that. Everything except names are encrypted or hashed (AES 196bit, sha1, sha256) on a different database separate from the server, and another client, connected via client-server model to backup data which cannot be encrypted. In this day and age where every business is getting hacked, you can never be too secure.

MicroDApp.com—Smart Contract developers. Lets build a decentralized future!
doof
Hero Member
*****
Offline Offline

Activity: 765
Merit: 503


View Profile WWW
February 23, 2015, 06:34:03 AM
 #6

General things to keep in mind with your DB. Make sure no MYSQL injection is possible, secure ALL user input. Any most importantly encrypt passwords and maybe even emails with SHA256. This means if the hacker gets in your database he wont know the users real passwords and emails which he could use to log into other sites if they use the same password for multiple sites. Please

Hash an email and you wont be able to email your customers!
hoop
Legendary
*
Offline Offline

Activity: 1524
Merit: 1001


NOBT - WNOBT your saving bank◕◡◕


View Profile WWW
May 31, 2015, 10:12:16 AM
 #7

I would suggest you read up on server security in general, rather than hoping 'encryption' by itself will magically solve all your problems for you.

            ██████████  ██████████▄▄
         █████████████  ██████████████▄▄
   ▄███  █████▄                  ▀▀███████▄
  ██████   ▀█████▄          ████     ▀▀█████
 █████        ▀█████▄       ████        █████
 ████            ▀████      ████         ████
 ████         ██▄   ▀█  ██▄ ████         ████
 ████▌        █████▄    ████████        ▐████
 ▐████        ████████    ▀█████        ████▌
  █████       ████ ▀██  █▄   ▀██       █████
   █████      ████      ████▄         █████
    █████▄    ████       ▀█████▄    ▄█████
     ▀█████▄  ████          ▀█████▄   ██▀
       ▀█████▄                 ▀█████
         ▀██████▄▄          ▄▄██████▀
            ▀▀████████  ████████▀▀
                ▀▀████  ████▀▀
Take care of your financial privacy
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
A blockchain loyalty scheme and more
██
██
██
██
██
██
██
██
██
██
██
██


███████████████
███          ██████████████████
████████████████████████████████
███                          ███
███                          ███
███             ██           ███
███       ██   ██   ██       ███
███      ██    ██    ██      ███
███       ██  ██    ██       ███
███                          ███
███                          ███
████████████████████████████████


           ████    ████
       █████████ ████████
                           
████████████████████████████
█████████████████████████████
██████████████████
██████████████████ ███████████
██████████████████ ██    █████
██████████████████ ███████████
██████████████████
█████████████████████████████
████████████████████████████


        ▄█████▄
      ▄█████████
     ████    ███▌
    ███       ██▌
   ▐██ ███  ████
   ▄███████████
  ███████████▀
 ████  ███ ██▌
▐██       ███
▐███    ████
 █████████▀
  ▀█████▀
██
██
██
██
██
██
██
██
██
██
██
██
ANN         Discord
Twitter    Telegram
Nobt-plataform
altcoinhosting
Hero Member
*****
Offline Offline

Activity: 896
Merit: 1006


View Profile
May 31, 2015, 10:28:27 AM
 #8

My servers have been compromised numerous times in the last 16 years... What i've learnt (the hard way)

95% of my security breaches happened because of unpatched scripts (commercial, open source or homebrewn).
To have some basic security you need to:

- chose a secure OS, i would personally recommand suse or RHEL if you're actually working with money. I would personally stay away from windows server (altough they've become pretty secure over the last couple of years)
- harden your OS... an example for RHEL5: https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
- make sure you don't install any software that isn't strictly necessary, always chose for the most secure option (for example, i like to use postgresql instead of mysql if my script is properly written and allows me to chose)
- make sure your OS, installed binarys and installed scripts are always up-to-date
- if you do your own scripting, make sure what you're doing. One of the most used techniques (SQL injection) was already mentioned, but there are numerous other errors a scripter can make
- if possible, find somebody to do a decent penetration test (i guess that's what you're trying to do here)...
- spend some time thinking about rules and procedures for your staff, it wouldn't be the first time a business is compromised by social engineering instead of "real" hacking

I probably forgot some extra points of attention. And don't forget: the only service that can't be compromised is the service you never put online. Everything can be compromised, even the most secure and well-written systems.

My main point is: don't put all your eggs into one basket, make sure your whole concept is as secure as possible instead of just checking if all your scripts follow security standards...





NyeFe (OP)
Hero Member
*****
Offline Offline

Activity: 699
Merit: 501


View Profile
May 31, 2015, 10:45:00 AM
Last edit: May 31, 2015, 11:40:34 AM by NyeFe
 #9

@altcoinhosting Thank you very much for taking the time to inform us about the threats you faced. The information provided has been very helpful indeed.

Sorry for not informing everyone, but this topic has been closely for some time now. We completed the test successfully. Thank you for your support  Kiss


                                We've publicly released one of many lists of features, for testing

                                                


MicroDApp.com—Smart Contract developers. Lets build a decentralized future!
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!