Students practicing writing a program with post-it notes before jumping on to the computers

Hour of Code @ PayPal

On Dec 12th, as part of the Hour Of Code initiative, I taught programming to a room full of 5-11 year old children of PayPal employees. I have to say, I’m completely blown away by them. I thought I’d have to do a lot of teaching. However, once I showed them how the basic structures work and how to put a program together, they took off! I taught them about concurrent programming and debugging, disguised as a session on doing a dance animation. We started with post-it notes and a whiteboard to show them that computers are really dumb, and…

Lessons Learned from the Java Deserialization Bug

(with input from security researcher Mark Litchfield)

Introduction

At PayPal, the Secure Product LifeCycle (SPLC) is the assurance process to reduce and eliminate security vulnerabilities in our products over time by building repeatable, sustainable, proactive security practices and embedding them within our product development process. A key tenet of the SPLC is incorporating the lessons learned from remediating security vulnerabilities back into our processes, tools, and training to keep us on a continuous improvement cycle.

The story behind the Java deserialization vulnerability

The security community has known about deserialization vulnerabilities for a few years, but they were considered to be theoretical and…
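The core of the Java deserialization problem is that a plain `ObjectInputStream.readObject()` lets whoever produced the bytes choose which classes on the classpath get instantiated. The following is an added illustration, not code from the post or from PayPal: an unsafe reader beside one that restricts `resolveClass()` to an allowlist of the types the endpoint actually expects, so any other class is rejected before its deserialization logic runs. The `Greeting` class and the allowlist are assumptions made up for the example; the `ArrayList` payload is only a stand-in for an unexpected class, not a real gadget chain.

```java
import java.io.*;
import java.util.*;

/*
 * Added example (not PayPal's code). Deserializing attacker-supplied bytes
 * with a plain ObjectInputStream lets the sender pick which classes are
 * instantiated. Overriding resolveClass() with an allowlist rejects every
 * class the endpoint does not expect before its readObject() logic runs.
 */
public class SafeDeserialization {

    /** The only type this (hypothetical) endpoint expects to receive. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /** Unsafe: any Serializable class on the classpath may be instantiated. */
    public static Object readUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Hardened: only classes whose names are on the allowlist are resolved. */
    public static Object readAllowlisted(byte[] untrusted, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    // Reject before any class is loaded or instantiated.
                    throw new InvalidClassException(desc.getName(),
                            "class not on deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    /** Helper used only to build the constructed sample inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Collections.singletonList(Greeting.class.getName()));

        // Constructed input 1: the type the endpoint expects.
        byte[] expected = serialize(new Greeting("hello"));
        System.out.println("allowlisted: " + ((Greeting) readAllowlisted(expected, allowed)).text);

        // Constructed input 2: any class the endpoint does not expect (stand-in for a gadget payload).
        byte[] unexpected = serialize(new ArrayList<>(Collections.singletonList("x")));
        System.out.println("unsafe read instantiated: " + readUnsafe(unexpected).getClass().getName());
        try {
            readAllowlisted(unexpected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JDK 9 and later (and JDK 8u121 and later) the same policy can be expressed with `ObjectInputFilter` and applied per stream with `ObjectInputStream.setObjectInputFilter(...)`, or process-wide with the `jdk.serialFilter` system property; the `resolveClass()` override above is shown because it works on every JDK version and makes the allowlist explicit in code.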

Enterprise Overhaul: Resolving DNS

Everyone assumes all software engineers are great with numbers. If only they knew the truth. How many people’s phone numbers can you recite? No peeking and emergency numbers don’t count! Don’t worry if you couldn’t name that many. Here’s the real embarrassing test of the day: How many sites’ IP addresses can you name? No pinging and local subnets don’t count!

Most telephones still looked like this when DNS was invented. Not pictured: the phonebook.

Back in the mid-1980s, the first Domain Name System (DNS) implementations started putting our IP addresses into server-based contact lists and the Internet has never…

Secure Authentication Proposal Accepted by W3C

Today the World Wide Web Consortium (W3C) accepted a submission of proposed technical work from W3C members PayPal, Google, Microsoft, and NokNok Labs. This submission consists of three initial draft specifications developed by the FIDO Alliance to facilitate browser support for replacing passwords as a means of authentication on the Web with something more secure. It is expected that the W3C will take these draft documents as a starting point and, through its standard process, evaluate, enhance, and publish them as W3C Recommendations. The goal is for the final specification to be implemented by Web browsers. With…

Recycle, Reuse, Reharm: How hackers use variants of known malware to victimize companies and what PayPal is doing to eradicate that capability

“No need to reinvent the wheel.” We’ve heard it. We’ve used it. Is it a mark of laziness, or of leaving something as is because it’s effective? In the case of malware, it’s most certainly the latter. Several high profile hacks have received extensive news coverage in recent years. Seeing these attacks happen repeatedly leads cybersecurity experts to look for common threads in attack vectors and execution modes. Through years of data analysis, one trend is clear: while attacks vary, many elements of the malware source code are identical and are successfully reused. Below are some examples of attacks you may…

Key Pinning in Mobile Applications

On Tuesday, October 13, 2015, Hubert Le Van Gong of the PayPal Ecosystem Security team gave a presentation to our developer community on SSL key pinning as it applies to mobile application development. I had a chance to interview him before the presentation to discuss the value and proper methods for incorporating key pinning in Android and iOS app development. Highlights of the interview along with Hubert’s recommended approach for key pinning on each platform are below. For follow up questions please contact Hubert Le Van Gong. What is key pinning and how does it fit into the overall mobile…
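Hubert’s platform-specific recommendations are not reproduced in this excerpt, so the following is an added illustration of the mechanism itself, written for this page and not taken from the interview or from PayPal’s apps. It pins the SHA-256 of a certificate’s SubjectPublicKeyInfo (the usual `sha256/<base64>` form) rather than the whole certificate, and layers that check on top of, never instead of, the platform’s normal chain validation. The wrapped trust manager, the pin set and the generated RSA key are assumptions made up for the example.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not the interview's recommended approach and not PayPal code).
 * Pinning the SubjectPublicKeyInfo hash means a certificate renewed with the
 * same key pair keeps working; pinning the whole certificate would not.
 */
public final class SpkiPinning {

    /** "sha256/<base64>" pin over the DER-encoded SubjectPublicKeyInfo of a key. */
    public static String pinOf(PublicKey key) throws Exception {
        byte[] spki = key.getEncoded();            // X.509 SubjectPublicKeyInfo, DER
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    /**
     * Wraps the platform trust manager: the chain must pass normal PKI validation
     * AND at least one certificate in it must carry a pinned public key.
     */
    public static X509TrustManager pinned(X509TrustManager platform, Set<String> pins) {
        return new X509TrustManager() {
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);   // standard validation first
                try {
                    for (X509Certificate cert : chain) {
                        if (pins.contains(pinOf(cert.getPublicKey()))) {
                            return;                              // pin matched: accept
                        }
                    }
                } catch (Exception e) {
                    throw new CertificateException("pin computation failed", e);
                }
                throw new CertificateException("no certificate in chain matches a pinned SPKI");
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return platform.getAcceptedIssuers();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the server's key. A real pin set should hold
        // the production key plus at least one backup key, so a rotation cannot lock out
        // every installed copy of the app.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey serverKey = kpg.generateKeyPair().getPublic();
        System.out.println("pin to ship in the app: " + pinOf(serverKey));
    }
}
```

The `main` above only shows how the pin value is derived; in an app, `pinned(...)` is installed into an `SSLContext` via `SSLContext.init(null, new TrustManager[]{ ... }, null)` and that context is handed to the HTTP client, so every connection runs the platform check followed by the pin check.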

PayPal’s Brad Wardman Named General Chair of the Anti-Phishing Working Group’s Symposium on Electronic Crime Research

The PayPal Information Security team is proud to announce that Brad Wardman has been named the General Chair for the Anti-Phishing Working Group’s (APWG) annual Symposium on Electronic Crime (eCrime) Research. Brad is a data scientist within the security intelligence group where he actively researches and develops mitigation strategies for attacks against PayPal’s customers and infrastructure. Before joining PayPal, Brad completed his Ph.D. at the University of Alabama at Birmingham. His research interests include anti-phishing, open source intelligence strategies, automated attack neutralization, and crimeware. The 2016 symposium will be held June 1st-3rd in Toronto, Canada and has had an interesting…

TLS Version and Cipher Suites Order Matter: Here’s Why.

As with a great many things, when it comes to internet security, the only constant is change. While the framework for secure web communication has been around since the development of SSL in 1994, the specific protocols and ciphers continue to evolve. In order to keep up with the changes, the InfoSec community must continually evaluate new potential threats in the context of security and ongoing usability of older systems. Just as system patches and OS upgrades are regularly released to fix known issues, new and improved protocols and cipher suites are developed that correct inherent flaws and mitigate new…
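The title’s two points, which protocol versions are enabled and in what order the server prefers its cipher suites, both come down to configuration. The following is an added example written for this page, not PayPal’s configuration and not code from the post: a JSSE server policy that enables only TLS 1.2 and 1.3 and tells the runtime to honour the server’s own suite order, because by default JSSE picks from the client’s preference list. The suite list is an assumed policy (forward-secret AEAD suites only); the filtering step keeps the example from failing on a JDK that lacks one of the names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/*
 * Added example (not PayPal's configuration). The protocol list drops SSLv3,
 * TLS 1.0 and TLS 1.1; setUseCipherSuitesOrder(true) makes the server's order
 * below win over the client's advertised order.
 */
public class TlsServerPolicy {

    /** Protocols allowed; older versions are deliberately absent. */
    static final String[] PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    /** Assumed policy: preferred-first, forward-secret AEAD suites only. */
    static final String[] CIPHER_SUITES = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    /** Keeps only the names this runtime supports, preserving our preference order. */
    static String[] keepInOrder(String[] wanted, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String name : wanted) {
            if (available.contains(name)) {
                out.add(name);
            }
        }
        return out.toArray(new String[0]);
    }

    /** Builds parameters that restrict versions and enforce server-side suite preference. */
    public static SSLParameters hardenedParameters(SSLContext ctx) {
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(keepInOrder(PROTOCOLS, supported.getProtocols()));
        p.setCipherSuites(keepInOrder(CIPHER_SUITES, supported.getCipherSuites()));
        // Without this, JSSE selects the first suite in the *client's* order that both sides support.
        p.setUseCipherSuitesOrder(true);
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters p = hardenedParameters(ctx);
        System.out.println("enabled protocols: " + Arrays.toString(p.getProtocols()));
        System.out.println("suites, server order: " + Arrays.toString(p.getCipherSuites()));

        // Apply to a listening socket. Port 0 picks a free port; serving real handshakes
        // additionally needs a key store (javax.net.ssl.keyStore) holding the server key.
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setSSLParameters(p);
            System.out.println("socket enabled protocols: "
                    + Arrays.toString(server.getEnabledProtocols()));
        }
    }
}
```

Running `main` prints what the runtime actually accepted; a quick check that the policy holds is that no `TLSv1` or `TLSv1.1` entry and no CBC or RSA-key-exchange suite appears in the output.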

PayPal Sponsors First of Its Kind Intel Capture the Flag Contest at DEFCON 23

DEFCON routinely presents the coolest and most thought provoking topics in the hacking community and this year did not disappoint, partially due to the first PayPal-sponsored Intel Capture the Flag (CTF) virtual manhunt contest. IntelCTF events challenge players to utilize their open source intelligence (OSINT) forensic skills in order to identify malicious actors intent on Internet mayhem. Players find strategically placed “flags” that are planted across the Internet as breadcrumbs, allowing them to solve the e-case of whodunit by simply connecting the virtual dots. This contest (rated Beginner/Intermediate), which is the first of several that are scheduled for release in…

From Require.js to Webpack – Part 2 (The How)

This is the follow up to a post I wrote recently called From Require.js to Webpack – Part 1 (the why), which was published on my personal blog. In that post I talked about the 3 main reasons my team decided to move from require.js to webpack: CommonJS support, NPM support, and a healthy loader/plugin ecosystem. Despite the clear benefits in developer experience (DX), the setup was fairly difficult and I’d like to cover some of the challenges we faced to make the transition a bit easier.

From paths to alias to NPM

The first thing you do when you’re converting from require.js to…