Categories
Support Corner

Remove Log4J calls with DashO’s Method Call Removal

Reading Time: 3 minutes

As we all know Log4j is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer facing products and services. The discovery of the recent vulnerability in the Java logging package (CVE-2021-4428) This risk posed a severe threat to millions of consumer products from enterprise software to web applications. It presents risk of loss, or breach of personal information, financial loss and irreversible reputation harm. Currently, the FTC is taking action to require organizations to settle any associated risk caused by the known vulnerabilities. The FTC is now noted as using its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposures. 

A recent example of this negligence came on the back of a complaint in regards to Equifax’s failure to patch a known vulnerability which irreversibly exposed the personal identifiable information of 147 million consumers. This resulted in Equifax paying $700 million to settle the actions taken by the FTC and the consumer financial protection bureau. The risk for businesses is therefore clear, take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputation damage.

In this guide, we will walk you through how you can use Method Call Removal to mitigate this vulnerability.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release.  It is mostly used for removing logging statements, but it can be used to strip any method calls we’d prefer not to have in our production release.  The only caveat is that the method definition must also be in DashO’s input.

Let’s assume Log4j is used for our application’s logging.  We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed.  Or, we might want to remove Info, Warn, and Debug messages, but retain Error or Fatal message in our production build.  This can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4J configuration has been organized into a global logging class:

In our DashO project, I’ll select the “LogInfo” method for method call removal:

Graphical user interface, text, application
Description automatically generated

After doing so, the application runs normally, but informational messages are no longer logged to console or written to log file.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.


If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Categories
101

Dotfuscator 101

Reading Time: 4 minutes

In this blog we will dive into Dotfuscator  as part of our 101 series – we walk you through what Dofuscator for .NET does and how this can help protect your projects. 

For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:

What is Dotfuscator for .NET?

Dotfuscator – by definition is a multi-functional tool that combines obfuscation, optimization while shrinking your source code, on .NET, Xamarin and Windows Platform Apps. Basically this jumbles, encrypts your code, hardening it to prevent theft. 

How does Dotfuscator work?

PreEmptive Dotfuscator for .Net provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.

  • First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the variables and methods making it difficult to read or scan over to gain access to the certain parts of your source code. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing one variable one by one. To say this least – this is what makes the “bread” harden at surface level.
  • Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically it destroys the code patterns that decompilers use to recreate source code resulting in spaghetti logic to confuse anyone who tries to crack the code. Adding the tomato to this (String Encryption), hides all the strings that are present in the user’s assembly. To better explain, the typical hacker will locate string references inside the binary. Usually if the application is time sensitive, a message will pop up when time has expired – this is exactly what hackers search for inside the decompiled output indicating that they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable part of the source code. 
  • Now comes the choice of meat (Watermarking, Pruning, Linking-Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from a MSIL file all while processing. Dotfuscator Linking-Assembly Merger combines multiple input assemblies into one or more output assemblies – meaning it shrinks your application down alongside pruning and renaming. 
  • Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity during runtime and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese! 
  • Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into the .NET apps. This allows your app to detect any unauthorized uses such as debugging or tampering of any sort. Don’t be fooled, checks can do more than just the average scanning, they can react too, for example – exiting the app when tampering is found. 
  • For those who like a little extra to the sandwich, (Shelf Life) is the pickle! Shelf Life is an inventory management function that allows you to embed an expiration date, de-activation, and notification logic to your code! Now this is what we call the ultimate sandwich! 

When should you use Dotfuscator?

Whether you’re a start-up company, freelancer or an organization developing projects using .NET software, you should be using this in the development process – preferably in the beginning stages even after launches. Data breaches are no longer part of the “new normal” they are part of everyday scenarios. If you don’t protect your code from the beginning…you will likely become another data breach statistic.

Where does Dotfuscator work?

Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.  

Why should you use PreEmptive Dotfuscator?

PreEmptive Dotfuscator has paved the way in In-App security since 2003, that’s 19 years in the biz! Our clients range from small to large enterprises including many Fortune 500 companies of different industries from medical to government agencies. But if you still need a little more convincing, check out our client list here

For more information on how to get started, download our free trial or need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!


Categories
Press Releases

New Release: PreEmptive DashO 11.2.1

Reading Time: < 1 minute

Professional-grade Application protection With PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.

In the latest update, our development team has rolled out some new enhancements, changes and bug fixes. What’s New?

Version 11.2.1 includes:

  • Enhancements
  • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
  • New option for Properties with filesystem path values that opens a system browse dialog
  • A new dropdown for Android mode projects allowing easy switching from configured build variants and their associated inputs in the Config Editor.
  • Changes
  • The Config Editor now opens the last project on startup by default
  • Bug Fixes
  • Fixed an issue where input Jars with the same name could overwrite each other, if “Merge Inputs” was unchecked.
  • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects.

Ready to learn more about DashO? Request a quote: Request A Qoute

Categories
101

Top 3 Reasons to Use PreEmptive

Reading Time: 3 minutes

Cyber attacks are part of our everyday discussions and most likely will continue to be present throughout the next 12-18 months. With the rise in nation state attacks, and consistent expansion of IOT tools developers have to stay focused on the prescience of cyber threats. For those who followed our #DataPrivacyWeek on our social platforms, we explained that our personal lives are very much intertwined with our work lives, with many folks working remotely, we are more likely to be part of those data breaches we read in the news, as a side effect of network security risks. In this article we will dive into the primary reasons your team can benefit from PreEmptive to protect your applications. 

While we were focused on supply chain attacks, ransomware threats, we overlooked another but equally prominent risk – mobile app breaches. There were over 200 BILLION mobile application downloads in 2021 and that number will most likely increase as we progress through 2022. This means, if you’re a programmer developing an app or creating a program that consists of custom code, securing your work is more important than ever. Here are the top 3 reasons why you should use PreEmptive to add a security layer to your applications:

Reason 3: Protecting Your Hard Work

We understand the countless hours that go into coding, whether that was spent on debugging, creating or troubleshooting your code’s infrastructure, it takes hard work. Many developers have projects that have been in the works for lengths at a time and have firm deadlines to meet. So when a project is complete it feels like gold! We tend to concentrate on completing our projects and ensuring that functionality/usability is up to standard. But, security is often an afterthought. PreEmptive In-App security features have been helping programmers prevent, detect, and respond to attacks without breaking or slowing down your applications – giving you a peace of mind throughout development. Sure, we all want to complete our projects on time or earlier than expected, but if we treat our projects like we treat our phones by putting a lock on it, then that finish line will look even sweeter. 

Reason 2: Knowing the Functionality of Your Security

Data breaches are a hot topic, so searching for the right security platform has become even more of a priority. One of the factors when searching for the right security toolset – how does it actually work? PreEmptive has a layered approach when it comes to protecting your data. Think of it as building your perfect sandwich starting with the bread (obfuscation), adding the meat (renaming code), then the veggies – lettuce (string encryption), tomato (control flow) and more, topping it off with the condiments (active runtime checks) that monitors tampering, debugs, and more. Now that you know what’s in the perfect “security sandwich,” it’s imperative that you continue to test and secure after each build. This will allow you to have the confidence in your security application.

Reason 1: Becoming another Data Breach Statistic

Every month there is another data breach that is brought to our attention. Which makes you really think, are you choosing the right security platform? How do you know this platform is the right one? Assessing the needs of your company/organization or projects is the first step, next researching security options. Some promise to be “the leading” security platform or the “number one,” but PreEmptive has been in the biz since 1996. That’s over 20 years of securing your applications! Not only do we have the experience, we have hundreds of fortune 500 companies who use PreEmptive, Charles Schwab, FedEx, Census Bureau, Microsoft to name a few. If these companies trust our software, we guarantee that by using us, you won’t become another data breach victim.

In case you still need more information, we encourage everyone to read our case studies to find out how other companies found success in protecting their companies with PreEmptive. We hope this blog has eased your worries, but if you’re not sold try us with a FREE Trial


Categories
Dotfuscator Support Corner

Protecting Windows Forms Applications with Data Bound GUI Controls

Reading Time: 3 minutes

Today we will focus on data binding, but first let’s define this. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to modify source code for the control itself. 

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed to determine if they will be impacted by code obfuscation.  If the controls bind to a collection of objects, original property names of that object must be preserved to correctly populate “DisplayMember” and “ValueMember” properties of the control.  When binding controls to an Enum, the original names of its members must be preserved, or the GUI control might show obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), we don’t need any custom configurations because Dotfuscator does not mangle table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and ComboBox binds to an Enum called DaysOfWeek:  

If I obfuscate with project defaults, I experience a runtime error at app startup:

This occurs because original property names of the Employee object are used in “DisplayMember” and “ValueMember” ListBox properties:

            listBox1.DataSource = employeeList;

            listBox1.DisplayMember = “Name”;

            listBox1.ValueMember = “Department”;

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object:

After configuring this Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names:

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.

Conclusion

There are several different ways to use data binding in Windows Forms applications.  We’ve seen a few ways that data bound controls can be impacted by obfuscation.  If you experienced a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue. 

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime which makes the protected code of our customers much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links

Categories
Support Corner

Support Corner: Protecting React Native Apps

Reading Time: 3 minutesWe’ve recently worked with a handful of customers in the process of creating React Native apps. As with other mobile development frameworks, it is relatively easy to reverse engineer and tamper with React Native apps. For this reason, it’s essential to secure your organization’s IP and data before publishing. In the following article, we’ll discuss how to do so using PreEmptive.

React Native apps are primarily written in JavaScript, then packaged as an APK, AAB, or IPA file for deployment. Once the app is installed on a device, the end user can extract an APK and see the bundled JavaScript file within the “assets” directory. The bundle will be minified during the build, but this can easily be unminified and formatted by a text editor such as Nodepad++ with JSTool. Doing so would reveal API calls, keys, and sensitive strings:

JavaScript can also interface with Native Java modules. Java is compiled and embedded in the APK as one or more classes.dex file(s). A tool such as ByteCode viewer can decompile the classes.dex to reveal sensitive IP within Java source:

Leaving code exposed in such a way is quite dangerous. A hacker could clone the app, infiltrate back-end systems, initiate a data breach, and more. Luckily, PreEmptive can protect the code embedded in the APK. JSDefender for JavaScript can protect the JavaScript bundle. DashO Java obfuscator can protect the Java code.

JSDefender’s Metro plugin and DashO’s Gradle plugin integrate protection directly into our build.

metro.config:

build.gradle:

When building the React Native project

>npx react-native run-android 

or 

>gradlew clean assembleRelease or bundleRelease


PreEmptive can be seen running in the build output:

After this build, binary is hardened against decompilation, reverse engineering, and tampering:

The full source code sample can be downloaded here.

In order to run the sample:

  • Download the JSDefender (trial or commercial) Core and Metro npm packages. 
  • Configure the JSDefender license key in jsdefender.config.json. 
  • Install and register PreEmptive DashO (trial or commercial) on your machine.
  • Run npm install within the directory. 

If you have feedback on this topic or any other topics you would like us to discuss in the Support Corner, please contact us.

 

 

 

 

Categories
Risk Management

Holiday Hacking — What Are the Trends?

Reading Time: 3 minutesThe holidays are here and many of us are taking time off work. But do you know who doesn’t go on vacation? Hackers. In fact, security breaches and attempted attacks go up this time of year. Ecommerce sales increase, so there’s more opportunity to steal financial information. And a lot of people take time off work, leaving organizations less able to respond quickly to security alerts as they happen.

Here, we’ll look at the characteristics and trends of hacks and attacks that happen during the holiday season, including what threats are most prevalent, how they happen, and the consequences of overlooking cybersecurity measures. And we’ll also provide a few tips for reducing your risks so that your holidays stay merry and bright.

 

Teams Are Understaffed

During the holidays, businesses and organizations are especially susceptible to cybersecurity attacks. Security firm Cybereason wrote in a 2021 report that ransomware attacks occur more frequently on weekends and holidays. One of the primary reasons is the human element — many people take time off work leaving fewer team members present to detect and respond to threats.

When people are out of the office, response times go up, or are paused altogether. Responsibilities may be handled by others who are less experienced and unable to respond with the same speed and thoroughness. And when you consider that many large organizations use third-party vendors to monitor technology infrastructure, it’s one added level for a diffusion of responsibility to creep in.

 

Ransomware Threats Are Increased

Ransomware attacks are happening with accelerating frequency, affecting both individual consumers and major corporations alike. Even states aren’t safe, with Montenegro’s government recently finding itself on the receiving end of an attack. And, for hackers, a long holiday weekend is a great time for a ransomware attack. Why? See the above — teams are running on skeleton crews, and ransomware attacks often need time to spread throughout a network. And there’s no better time than when resources are spread thin.


Phishing Goes Way Up

With Black Friday just around the corner, it is expected to hit $158 billion in sales this year in the United States. In addition to intercepting or otherwise stealing payment information, attackers have gotten creative in other ways by impersonating shipping companies such as DHL, FedEx, and UPS and sending emails or text messages about a problem with a package. Since many people are sending or receiving packages this time of year, many employees fall victim and may end up providing personal information, such as login and password credentials or bank information in an attempt to remedy the fake problem.

 

How You Can Prepare & Respond

Before you slow down for the holidays, take a moment to make sure you’re prepared. All businesses and organizations should have incident response plans and review them before the holidays to ensure protocols and contact information are all current. If there are gaps, they can be addressed. Don’t allow yourself to get in a situation where you find out late in the evening that the server is down and only Bob can fix it, but nobody has Bob’s current cell phone number.

Additionally, even though the holidays are a time when many people relax, security teams should stay vigilant about vulnerabilities by assigning specific personnel to monitor security alerts as they’re announced and apply all necessary patches without delay.

Finally, one of the most important steps organizations can take is to conduct phishing simulation training so employees can identify malicious attachments and links. Hackers have become quite sophisticated in their phishing attempts and it’s not simply about being easily fooled. Advocate or implement, depending on your position, company-wide training about phishing.


Stay Secure With PreEmptive

When you secure your applications with PreEmptive, you’re locking hackers out. They can try — and they do — but they fail. And then they move on to easier targets. It’s why over 300,000 users and 5,000 corporate clients spanning virtually every industry in over 100 countries trust PreEmptive for software security that reduces the risks of hacks and data breaches.

  • The largest mobile carriers in the world utilize our mobile protection solutions
  • We’ve been the industry leader in obfuscation and in-app security for 20+ years
  • PreEmptive is the only third-party technology embedded into Visual Studio, which makes it subject to Microsoft’s regression tests, code audits and security reviews.

 

Want to see how you can hit the sweet spot between cost, convenience, and functionality with PreEmptive? Schedule a fast-and-free, no-obligation demo to see how PreEmptive integrates seamlessly with your development process to maximize data security while saving time and money.


 

Categories
Risk Management

A Review on JavaScript Security in 2022

Reading Time: 4 minutesAmong developers, JavaScript is a popular programming language for web application development due to its flexibility, interactivity, and user experience. A Stack Overflow survey shows that over 67% of developers use JavaScript. Also, more than 95% of websites use this language.

But from a security point of view, JavaScript is the fourth most vulnerable programming language, just behind Java, PHP, and C. Much can go wrong with JavaScript, from malicious attacks to insecure user inputs. 

The potential risks include stealing a user’s session, redirecting a session, modifying data, and tricking users into performing unintended actions. JavaScript’s source code vulnerabilities also allow for data exploitation. How can you address these JavaScript vulnerabilities and make your web applications secure in 2022 and next year?

Common JavaScript Vulnerabilities and How They Manipulate Data

Below is the list of common Javascript vulnerabilities and how they can steal or manipulate your data:

→ Vulnerabilities in Source Code

As JavaScript is an interpreted programming language and not a compiled one, a single obfuscation method won’t protect your application against hackers

Other vulnerabilities include developers’ widespread use of libraries and software packages in the application code. There can be potential hidden vulnerabilities in the packages, which hackers can use to exploit the code later on.

→ Cross-Site Scripting (XSS) Vulnerability

How JavaScript interacts with the Document Object Model (DOM) on the web page can become a potential security concern, allowing for script embedding and execution on client computers across the internet. 

XSS attacks allow web applications to accept unintended or untrusted scripts on a webpage without proper validation.

The XSS attack involves the hacker interacting with the user through reverse engineering or requesting them to visit a particular page. Next, the browser executes the untrusted script, and the attack completes successfully.

Server-Side Injection Vulnerability

On the server side, injection attacks are more common. They exploit query parameters in SQL databases to execute arbitrary JavaScript instructions on an application. 

The applications that usually pass string functions like setTimeout(), eval(), and setInterval() are more vulnerable to injection attacks. An attacker can create an id string parameter to retrieve all tables from the database or write in the database.

Hijacking Session Data

The client-side JavaScript on a browser accepts all content that a web application returns to a browser. This also includes cookies containing sensitive data, such as users’ session IDs. A common way for an XSS attack is intercepting the session ID and sending it to the hacker. In this way, the hacker is able to hijack the session.

How to Improve JavaScript Security During Development

There are certain preventative measures you can take to avoid vulnerabilities and increase your JavaScript application security:

 

1. Conduct Regular Scans on Your Code

Audit your application code regularly to find potential vulnerabilities. In addition, write test units to ensure your code behaves as you want it to and executes securely. 

Also, use scanning tools to regularly scan your application code and identify potential vulnerabilities in third-party libraries and packages. So, you can remove them before they can be exploited. Do a regular patch and update your libraries.

2. Perform Proper Input Validation

To prevent XSS attacks, perform proper validation and sanitization of user input to ensure it only consists of acceptable characters. For example, you can allow the phone number field to include only numbers and a dash or parentheses. 

Don’t allow unexpected character input. Use methods such as innerText, a secure way to manipulate DOM. This method escapes malicious content, thus preventing DOM-based XSS attacks.

To prevent malicious SQL injections, you must also perform input validation. If it fails the test, the SQL query won’t be executed. Another way to deter potential injection attacks is to replace concatenations with prepared statements or parameterized queries. 

Basically, the parameterized queries can extract the SQL syntax from the input parameters. 

An excellent way to enhance server-side security is to use server application protection. It will integrate seamlessly with your JavaScript application build to prevent both active and passive attacks.

3. Escape or Encode Insecure Data

Any XSS attack relies on input data containing special characters in underlying JavaScript. The browser views these characters as part of the web page code rather than as a value to display during execution. 

This enables the hacker to get out of the text field and provide extra browser-side code for execution. To prevent this type of attack, any time your browser-supplied user input returns a response, replace the special characters with an escape code. 

For instance, replaced the < and > characters to delimit HTML entities with &lt; and &gt;. This will prevent the browser from interpreting these characters as HTML entities, forcing it to display them.

4. Secure Cookie Transmission

It is a bad security practice to expose session IDs in logs, error messages, or URLs. This causes issues like session hijacking, fixation, and cross-site request forgery (CSRF). The CSRF attack tricks the browser to execute malicious requests to other websites in the background by using the clients’ session cookies.

A technique to prevent this kind of attack is to introduce tokenization for client-server interaction. Upon establishing a session, a token must be generated for each form on the site and sent with each request while the user is present on the website.

Another way to secure cookie transmission is to use HTTP-only cookies. This attribute won’t allow the browser to provide access to cookies through DOM. It will also prevent client-side script attacks from accessing session IDs from the cookies.


Wrapping Up

JavaScript is a popular programming language, but its source code is visible to anyone with a browser. It has other potential pitfalls as well. The recommended best security practice to prevent hackers from exploiting JavaScript vulnerabilities is to keep both the client and server sides secure. 

This approach prevents the risk of malicious content while validating the client to improve end-user results. The client-side validation will inform users of issues with their input, while server-side validation ensures that only trusted data makes its way to the JavaScript application.

A good security practice is to obfuscate your JavaScript code to prevent hackers from reverse engineering, finding vulnerabilities, and debugging. 

PreEmptive JSDefender can help you obfuscate your code, making it difficult for malicious attacks to exploit JavaScript security and modify or steal your code. Register today to get a free trial!


 

Categories
Risk Management

3 Ways Financial Service Organizations Can Improve Mobile App Security

Reading Time: 5 minutesFinance mobile apps usage is rapidly accelerating, with the number of user sessions increasing by 49% in 2020. VMware reports that cyberattacks on financial apps also rose by 118% during the same year. 

Another report by Intertrust reveals that 77% of financial services apps include at least one security vulnerability that could lead to a data breach. Recently a new Trojan virus called SOVA has been found targeting financial banking apps by encrypting the Android phone and asking for a ransom to decrypt afterward. 

Cybercriminals look for maximum impact and profit, making financial apps a potential target. Therefore, it is imperative to adopt certain measures to improve mobile app security during the development process. 

Challenges to Financial App Security and How To Avoid Them

 

Making financial applications resilient to cyberattacks is a must security practice. During app development, you can improve security by avoiding the following mistakes:

→ Not Validating Data

 

Not validating user input can make your financial app an easy target for hackers. They can easily enter harmful codes or malicious commands that can cause a data breach. 

Therefore, you must validate data by checking its format, length, permissible characters, minimum and maximum value, etc. This way, the app will only accept the user data you want. 

Weak or No Encryption

 

If you are storing or sending data with weak or no encryption, hackers can easily access and use it for nefarious means. Therefore encrypt all data that you transmit or store so even if hackers download it, they won’t be able to access it. 

Most developers focus on the client side of app security and don’t pay much attention to the server side. This can compromise confidential data, such as credit card information stored on the server. 

The solution is to include a reliable secure sockets layer (SSL) and high-level encryption in your app security practices. This will boost server-side security.

A tool like DashO can provide layered protection for your financial Android and Java apps. Layering makes it impossible for hackers to gain access to sensitive information. 

Another excellent app security practice is to use encryption protocols like SHA256 and AES. Also, never store the encryption keys on the application. 

Not Validating User Authentication 

 

Permitting users to set any password they want is risky because hackers try different combinations of characters to gain access to passwords by brute force. 

You can avoid this by including validation for setting passwords and locking users out of their accounts after a few incorrect login attempts. Also, set up multi-factor authentication for the app. 

Cached Confidential Information 

 

Caching confidential information saves time for users as it allows them to log in instantly without entering data. However, it also puts them at risk of breach. If the device gets stolen, anyone can log into the app.

The solution is to include conditions to prevent confidential information from getting cached automatically.

→ Skipping Penetration Testing

 

Penetration testing allows you to know about security vulnerabilities in real-time. Research by Informa Tech conducted on companies with 3000 or more employees shows that 69% of organizations perform penetration testing to prevent data breaches.

Due to deadlines, shortages, or other reasons, developers usually skip this step and release the app, which puts users at risk. No matter how short the delivery deadline is, perform many penetration tests on your app. This will help you find security flaws and fix them during the development process.

3 Ways to Improve Financial App Security During the Development Process

Following these best security practices will improve app security during the development process:

1.  Using Multi-Tiered Authentication

 

A token is a security unit that authenticates a user’s identity by storing personal information transmitted between applications and websites. Financial app developers should use tokens to monitor user sessions. 

These tokens can be approved or withdrawn. Also, design the app to accept medium-to-strong passwords containing alphanumeric characters. These passwords should be renewed regularly, let’s say after every six months. 

Adding a one-time password (OTP) system for each login session will make sign-ups more secure. A multi-factor authentication (MFA) system, including a combination of a retina scan and biometric print, will level up your app security. While hackers can crack passwords through brute force, the biometric factor will foil their attack.

Many security regulations also call for implementing MFA, so you’ll also have a better posture at compliance. Moreover, the user login process can be simplified by using MFA. Once you authenticate users, you can reward them with Single Sign-On (SSO), where they can use multiple services on a single login.

2. Use of Authorized API

 

Always use an authorized application programming interface (API) in your financial app code. To gain maximum security in the app development process, you must have centralized authorization for the whole API. As apps are installed on mobile phones, they are less secure. 

Hackers can install their own app on a device they control and easily manipulate the financial app to take advantage of its security vulnerabilities. API calls are usually protected by an API key and user credentials as an access token. 

You can secure your APIs when they access third-party platforms by using digital signatures, encrypting data, quotas, API gateways, and throttling. 

3. Real-Time Threat Detection

 

In the past, organizations would get to know about a security lapse in their apps after a considerable time. Now they are increasingly focusing on building real-time threat detection capabilities.

The reasons are that early detection can help retrieve stolen information promptly, and regulations require businesses to report a breach quickly. A company‘s reputation suffers if it takes a long time to detect and respond to a security violation.

Therefore, if you develop a real-time threat detection system for your app, you can take preventative measures against developing ransomware and patch vulnerabilities. Moreover, you can use a tool like Dotfuscator for .NET that provides app security in real-time by updating its protection regularly to counter cyberattacks.


Bottom Line

App hardening

Given the sophistication of cyberattacks on financial apps, the financial industry cannot solely rely on a single security practice. When developing an app, it is crucial to ensure that it complies with data privacy regulations and is not susceptible to cyberattacks. 

Adopting a solution consisting of real-time intelligence, multi-user authentication, database security, and authorized API is vital for mobile app security. But remember following the best security practices for financial apps requires considerable expertise. 

Tools like PreEmeptive can assist you with app security by offering a smart app protection solution against reverse engineering, unauthorized debugging, and snooping. 

We use a layered approach, including encryption, root detection, obfuscation, shielding, and tamper-proofing to prevent hackers from exploiting your data. Learn more on our product page.


 

Categories
JSDefender Change Log

JSDefender Change Log V2.6 Build 0 – Release Date Nov 01, 2022

Reading Time: < 1 minute

Change Log – Version 2.6.0 – Release Date Nov 01, 2022

Features

  • upgrade webpack support to version 5.74.0
Categories
101

Hacker Horror Stories to Frighten Dev Teams This Halloween

Reading Time: 4 minutesHalloween is a time for ghosts, ghouls, and other frightening things. But ask any cybersecurity professional if they’re more scared of hockey masks and chainsaws or hackers and malware, and most will take their chances with the slashers. Truly, few things are more terrifying than when data security is compromised. 

Customer information, reputation, credibility, the outlook for the future — all of those things come into question when hackers and attackers infiltrate. It’s the thing of nightmares and, unfortunately, it happens more often than you think.

In fact, some estimates place the total at 109 million accounts that were breached in the third quarter of 2022 alone. That’s a 70% jump over the previous quarter. Yikes! And while no breach is minor, sometimes the magnitude of the breach, who it affects, and the costs and outcomes are especially jaw-dropping.

So to finish out Cybersecurity Awareness Month, let’s look at a few especially terrifying hacker horror stories that are sure to spook you!

 

Hackers Breach the Red Cross

It’s bad enough when hackers target businesses, but something about going after the charitable organizations that help people seems especially egregious. That happened in January of this year when hackers attacked servers operated by the Red Cross, which contained data about Restoring Family Links services, which works to reconnect people separated by war, migration, and violence. The personal information of a half million people was exposed.

 

 

Disgruntled Employee Goes After Cash App

It’s one thing when hacks and attacks come from the outside – those are to be expected. But when a person within an organization betrays their position to compromise security? That type of inside job is hard to protect against. Cash App found out the hard way in April this year when a former employee breached data containing customer names, stock information, account numbers, and portfolio information, along with a lot of other sensitive financial information. Eight million customers had to be notified about the occurrence!

Russia’s Warfare Has Cyber Element

Few things are more horrific than war. And the conflict that’s on everyone’s mind is what’s going on in Ukraine. The violence on the ground is bad enough, but Russian hackers have also taken to launching cyber attacks against the power grid in Ukraine, nuclear facilities, and a lot more.

 

Personal Health Information Leaked

Australia has had an especially difficult 2022 when it comes to cyber attacks, and many organizations have found themselves in compromising situations. Among the worst was when the personal health information of almost a quarter million people was leaked. In this case, not only were clients put at risk, but the company itself, Australian Clinical Labs Ltd., saw its share price fall as a result.

Hackers Hit the Bar

Having a glass of wine (in moderation) is a commonly practiced way to temporarily forget about problems like data breaches and security leaks. Well, not for customers of iDealwine. The online wine merchant just recently reported that they’d been the victim of a data breach that has potentially exposed the information of every single one of their customers.

Former Uber Exec Covered Up Data Breach

Imagine facing nearly a decade in federal prison for a hack you didn’t even commit. That’s what happened when former Uber Chief Security Officer Joseph Sullivan was found guilty in federal court of not disclosing a 2016 breach of customer and driver records to regulators and attempting to cover up the incident. He is looking at a possible maximum of five years in prison for the obstruction charge, and a maximum of three years for the other charge. It doesn’t get much worse than that.

 


PreEmptive Protects Applications From Hackers

 

Maintaining data security in today’s world requires a comprehensive approach and constant vigilance. No single habit does it all, nor is sometimes often enough. Whether it’s simply regularly changing your passwords and practicing good password hygiene, or implementing a full-fledged, enterprise-level security program.

When it comes to helping software developers create secure products, PreEmptive is a trusted global leader of protection tools for Desktop, Mobile, Cloud, and Internet of Things (IoT) applications. We help organizations make their applications more resistant and resilient to hacking and tampering so that protecting intellectual property, sensitive data, and revenue is achievable.

Want to learn more about our products and if they’re right for you? Contact us for a complimentary security consultation.

 


 

Categories
Risk Management

Cybersecurity Awareness Month: Changing Your Passwords

Reading Time: 4 minutesOctober is Cybersecurity Awareness Month, a month-long effort to raise awareness about the importance of practicing good habits to keep ourselves and our data safe. This year’s theme is “See Yourself in Cyber,” which is intended to communicate that cybersecurity isn’t complex; it’s all about people. And one of the most important things people can do to stay safe online is to practice good password hygiene. And what better time to start than by updating your passwords for Cybersecurity Awareness month.

 

Why You Should Practice Good Password Hygiene

Passwords are how we verify our identity. Whether it’s online banking, email, applications, or the countless other things in our daily lives that require a password, using sound practices to manage them is a must to keep your data safe and secure from prying eyes. Hackers look for situations with weak passwords; unfortunately, many people make it easy.

When was the last time you changed your email and social media passwords? What about your bank and household accounts? Experts say you should do it at least every three months. Do you use the same passwords for any accounts? If you’re shy about sharing your answers, you’re not alone. Many organizations have poor behavior around password management, and weak passwords cause at least 30% of security breaches. 

The 2021 Verizon Breach Investigations Report found that 80% of hacking-related breaches involved stolen or brute-forced credentials. But such aggressive approaches usually aren’t even required. For example, did you know that “Password” is the second most-used password in the United States? We can do a lot better than that.

How to Change & Manage Your Passwords for Cybersecurity Awareness Month

Each of us has over 80 passwords, and there are better ways to manage them than saving them in browsers, writing them on post-it notes, or reusing them for multiple accounts. In honor of Cybersecurity Awareness Month, we’re encouraging everyone to update their credentials. Below are strategies and habits that can ensure your passwords are secure.

Use a Password Manager

A password manager like LastPass or KeePass eliminates the need to memorize credentials or store them in a browser. With just one password you can can create and save passwords for all your accounts.

 

Create a Strong Password

Creating a strong password is a critical step to protecting yourself online. Using long, complex passwords is one of the easiest ways to defend yourself from data breaches and hacks.

 

Get Goofy

If you must create your passwords instead of using randomly generated examples, get creative. Phonetic replacements (“kc” instead of “k”), deliberate misspellings, and substituting letters with numbers and punctuation marks or symbols (such as @ instead of the letter “A”) can maintain security while allowing you to remember your password more easily.

 

Make It Hard to Guess

The National Institute of Standards and Technology provides several suggestions to promote password security, including not using personal information in your passwords. Kids’ names? Pets names? Address? Forget it. All of that information is easy for criminals to guess.

 

Don’t Tell Anyone Your Passwords

Never tell anyone your passwords. If someone calls you on the phone or emails you and says they’re with a service provider and need your passwords, hang up — it’s a scam. Additionally, do not keep written passwords out in plain sight.

 

Each Account Gets Its Own Password

 

Using the same password across multiple accounts is like giving attackers a master key that unlocks every door in your life. Do you really want to do that? Mix things up and use a distinctly unique password for each account. Password managers — which you should use — make it easy.

 

Double Your Protection With Two-Factor or Multi-Factor Authentication

 

Whenever an application allows you to use multi-factor authentication (MFA), do it. It’s another way to ensure that the only person with access to your account is you.

 

Other Strategies to Stay Safe Online

 

Practicing good password hygiene all the time is something every one of us needs to do. But it’s also just one component of cybersecurity. You can arm yourself with multiple layers of protection by following these other practices promoted during Cybersecurity Awareness Month.

 

  • Think before you click. If a link looks off, don’t click. It could be an attempt to steal information or install malware. 
  • Update your software. Got a software update notification? Install it immediately. Even better, turn on automatic updates.
  • Get more information. Want to see everything you can do? Get all the tips about cybersecurity at the official website.

PreEmptive Is Security

PreEmptive helps organizations make applications more resistant and resilient to hacking and tampering. We are a global leader in obfuscation tools for Desktop, Mobile, Cloud, and Internet of Things (IoT) applications. Our products balance ease of use, strength of protection, quality of output, ROI, and security.

Learn more about our products.

 


 

Categories
Risk Management

Friendly Reminder Why Source Control Matters

Reading Time: 4 minutesAll work — physical or digital — requires a specialized toolset to master the task at hand. One of the most helpful tools for program developers is source control management software. Now that the end of the year is approaching, projects will be coming to a close. However, many programmers forsake the implementation of source control management because they don’t understand the benefits of establishing standout coding practices and habits.

Whether the work is an individual project or a large team effort, source control helps track, manage, protect, and improve code in order to meet those end-of-year deadlines. Read further as we define it, highlight the challenges and emphasize the importance of Source Control. 

What Is Source Control?

In essence, source control is the process of storing and tracking changes and edits to a coding project from start to finish. To accomplish this, programmers often use source management systems, services designed to help coders save a detailed log of backups for each iteration of code. They also allow multiple DevOps team members to work and edit within a single version and make changes without getting in the way of others’ progress.

Selecting a source control management system isn’t easy. An abundance of tools are available, making it crucial for developers to research which ones best fit their needs.

Source Control Challenges

Remember: The absence of source control is an approach to source control. It’s also the worst approach. Failing to conduct source control methodically with the proper tools can be disastrous.

For example, trying to conduct a project without a systematized backup of previous versions makes it incredibly difficult to backtrack and identify errors. Additionally, without a proper source code management system, different coders won’t be able to work simultaneously within the codebase. This lack of collaboration increases the chances of miscommunication, errors, and frustration throughout each project. 

Although getting an entire team initiated with a new process and management system is often labor-intensive, it’s worth the commitment. Finding the right source control management system for a team’s work style is vital to long-term success. 

Reasons to Implement Source Control

From a birds-eye view, implementing a source control strategy is vital to a functioning and productive coding organization. Not only does it increase productivity, but it also increases safety and fosters collaboration. 

Increase Code Security

All DevOps teams know that the source code requires as much protection as possible. Therefore, instituting proper source control is crucial because it boosts security measures. 

All data is stored in a repository through the source control management system. The repository, which can be either a public or a private server, keeps each version in a safe and centralized cloud-based system.

Additionally, many systems also come with encryption protocols and application hardening. 

Track Changes and Defects

With source code construction, keeping an eye on every change is absolutely necessary for a project’s success. Management tools provide developers with dynamic ways to track and monitor all tweaks and edits. 

Many source control management solutions automatically alert users to a code’s detected vulnerabilities and defects. Because of this, coding teams prefer these systems — such as PreEmptive’s source control solution — because they analyze and identify issues throughout each version.

Foster Collaborative Code Building

Especially in team environments, synchronizing all collaborators within one version is an immense step to success. Source code management allows developers to work within one codebase and merge all of their changes in one central repository instead of pulling together multiple versions.

Working on the shared code allows the whole team to review, edit, and leave comments in the same place. The improved collaboration accelerates the code-building process and keeps everyone in the loop on the team’s progress. 

Store Backup Code

Source control management is also sometimes referred to as “version control.” This alternative title highlights the ability for programmers to go back and look at previous versions. 

This ability to store every version and go back in time is critical to productivity, as it can save hours, days, and even weeks of work when someone is trying to track down errors. 

Best Practices for Source Control Management

When a company is figuring out which source control management system best serves its needs, there are a handful of habits it can get the team into early to ensure a more successful transition. 

Find a System That Suits the Project’s Needs

Not all source control systems offer the same features. Because of this, it’s worthwhile to put in extra effort up front and nitpick over which solution best fits the necessities of the project. 

It’s important to investigate the competing security features, different access controls, and storage methods. 

Knowing the fine details up front helps avoid stress later on. Check out PreEmptive’s source control solutions to see whether the wide range of features can meet all of the project’s source management needs.

Maintain the Latest Version

Every code revision ensures the new code is pulled and stored within the system. Keeping versions of each code iteration may seem tedious, but tracking even the slightest changes can be extremely helpful. 

It’s recommended to save commits as often as possible, as storing many versions eliminates the need to second-guess the timing of changes and edits. 

Keep a Detailed Note Log

When saving and creating new versions of code, it’s wise to note every change — large or small. There’s nothing too insignificant to be tallied; promoting an organized source control process saves teams time when issues arise. 

Review All Changes

Every time a new code version is committed, the team should run a detailed review of all changes. Doing so reduces the likelihood of building on faulty code. 

If the source control management system offers automatic error detection, the team should address any issues that arise immediately. Quick action saves incorrect code from slipping through the cracks. 

Implement Source Control as Soon as Possible

There’s little reason any programming team should be without a sound system for managing its coding projects. As is evident, implementing the best source control management service brings immense benefits to the team’s productivity and the safety of the source code. 

Happy Coding everybody!

 


 

Categories
Support Corner

Protecting C# Applications That Use Friend Assemblies

Reading Time: 2 minutesThe internal keyword in C# restricts access of types and members to callers in the same assembly. The InternalsVisibleTo attribute is a special way to grant internals access to a “Friend” assembly. Friend assemblies are used when unit testing, as internal members must be directly invoked by a test DLL. So it is quite common to have several friend assemblies in our project.

 

Dotfuscator takes friend assemblies into consideration when applying protection settings. It follows a specific process to preserve runtime behavior while performing as much obfuscation as possible. It also notifies us of any potential issues with friend assemblies during the build.

 

Please consider the following example, a DLL has InternalsVisibleTo an EXE file:

 

 

The EXE file directly references an internal class, made possible only by adding the InternalsVisibleTo attribute in the DLL: 

When obfuscating only the DLL, one of the following warnings would be shown, depending on the Dotfuscator configuration:

 

WARNING: MyAssembly has non-input Friend Assemblies and is in Library Mode; internal members will not be renamed or pruned. Consider adding Friend Assemblies as input for increased obfuscation.

OR 

WARNING: MyAssembly has non-input Friend Assemblies and is not in Library Mode; internal members may be renamed or pruned. References from non-input Friend Assemblies to the internal members of MyAssembly may no longer be valid.

 

The first message occurs when Dotfuscator is run in Library Mode. In Library Mode, Dotfuscator will not rename public and protected members for reusability of obfuscated components (as with APIs). Because of the InternalsVisibleTo attribute, Dotfuscator will also skip the renaming of internals. This will result in less Rename obfuscation than we may have anticipated, but it also will not break any runtime behavior. 

 

The second message warns that Dotfuscator may rename internals in a way that could break calls from the friend assembly.  If the friend assembly is deployed with this obfuscated DLL, this could cause a runtime error. If the friend assembly is not deployed (as with a unit testing DLL) then this warning will have no runtime impact and can be disregarded.

 

In general, obfuscation works best when more parts of the application are obfuscated together. The above warnings will completely disappear if the friend assembly is included as Dotfuscator input. If this is not feasible, we can still process the assemblies in Library mode but with less obfuscation.

 

The full example can be downloaded here.


Be on the look out for our next Support Corner blog!

 

Categories
Risk Management

Be Aware of Frauds and Scams in the Wake of Hurricane Ian

Reading Time: 5 minutesIf natural disasters weren’t bad enough all by themselves, unfortunately, they also bring on frauds and scams. Here are some of the most common.

 

As we write this, Hurricane Ian slams the southeastern United States with category-four hurricane force. Not only are natural disasters and severe weather events devastating for the people most affected, but they also create a perfect storm, so to speak, for scammers and fraudsters to prey on both vulnerable and giving people.

 

We’re advocates for data security — all data. Electronic or otherwise. And we don’t want people in our community to be victimized by both the storm and con artists, so we compiled a list of common scams that appear during natural disasters so survivors of Hurricane Ian can identify suspicious behavior, avoid being a victim, and ideally, report it to the authorities.

 

Common Scams During Hurricane Season

Whenever a natural disaster strikes, many people need help, and just as many people want to help. But there are also unsavory types who try to profit off others’ misery and misfortune, especially during a crisis like a hurricane when things are chaotic and everything is thrown upside down — literally.. Whether you’re affected by Hurricane Ian or want to help people who are, below are scams to watch out for.

 

Disaster Relief Charity Scams

 

Unfortunately, fake charities seeking donations for disaster relief is one of the most common scams after a natural disaster. It’s incredibly easy for scammers to use phone number spoofing and social engineering to create a compelling story. If there is a charity to which you want to donate, do it through their official website after you verify their authenticity with the Better Business Bureau’s Wise Giving Alliance, Charity Navigator, Charity Watch, or GuideStar. The National Association of State Charity Officials can also tell you what charities are registered in your state.

 

Fake Representatives

 

After a disaster, some people pose as official disaster aid workers trying claiming to help survivors complete applications while asking for fees or claiming to need insurance information. Be aware that federal and state workers never ask for or accept money for federal disaster assistance and they always have proper identification and provide it readily. If any of these are amiss, it’s likely a scam.

 

Insurance Scams

 

If someone contacts you claiming to represent your insurance company, and asks for account numbers or any other personal information, hang up immediately and call your insurance company on the number provided on your monthly statement. You can continue your business if the call is legitimate (highly unlikely). If not, let them know that you received a scam call.

 

And if you’re a policyholder with the National Flood Insurance Program (NFIP), reach them directly at 800-638-6620. Never give any personal information to anyone who calls you and claims to be with the NFIP.

 

Contractors and Home Improvement Scams

 

Many people’s homes need repairs after a hurricane. That’s when the fraudulent contractors come out hoping to take money without doing any work. Be cautious if a contractor promises fast repairs or asks for full or sizable payment before work is complete. Never give insurance policy numbers or coverage details to anyone you don’t have a contract with. If you’re considering a contractor, ask for licensing and insurance information. Many states have online services to verify licensing. And watch out for a FEMA ”endorsement.” The Federal Emergency Management Agency does not certify contractors.

 

If possible, use a contractor you’ve had a good experience with in the past, or get a recommendation from someone you trust. 

 

Housing Scams

 

If you need temporary or replacement housing, be vigilant about online scams promising a rental only if you act immediately. Never agree to rent a home without seeing it first. Do not disclose bank information, credit card numbers, or other personal information over the phone or internet to hold or reserve anything you have not physically seen and verified.

 

Social Media Misinformation

 

Social media can be beneficial during a hurricane or natural disaster to keep up to date on news and know if loved ones are okay. It can also be a vehicle for fake charities soliciting donations with heart-felt messaging and imagery during natural disasters like Hurricane Ian when people need help. Remember that not everything on social media is true, including charity requests. Double-check any social media solicitations for charitable donations before you give. And be aware that crowd-funding websites do not always vet the people who post campaigns.

 

Other Tips to Protect Yourself

You’ve probably noticed the common theme in many scams that are out in full swing after a hurricane — scammers make up a lie and, unfortunately, an unsuspecting person believes it and provides information that the scammer then uses to steal money, information, or otherwise take advantage. Hurricane or not, there are a few habits to keep you, your data, and your financial assets safe in these situations.

 

  • Beware of unsolicited calls. If someone contacts you out of the blue claiming to represent an organization and asks for your account, financial, or other personal information, hang up immediately.

 

  • Only donate to charities, disaster relief organizations, and insurance companies directly through their public numbers or official website donation portal.

 

  • Delete unexpected or suspicious-looking email messages requesting donations, do not click any links or open any attachments. Scammers use email for phishing and malware attacks.

 

  • Stay connected with the news to keep abreast of recovery efforts. The local news will report if official representatives are in the area. 

 

  • FEMA recommends watching your credit report for unauthorized changes and filing necessary complaints with the Federal Trade Commission through its website IdentityTheft.gov.

 

How to Report Fraud

If you suspect fraud, say something. Speaking up and reporting it helps others from being victims of this type of heartless ugliness. There are several ways to report fraud:

 

 

Stay Safe!

 

Unfortunately, some people take advantage during times of struggle. Whether you’ve been affected or are trying to help those who were, staying aware and vigilant is a good way to help ensure you aren’t taken advantage of. Take care of yourself and each other! 

 

This month we acknowledge Cybersecurity Awareness Month! Follow us on social for more tips/tricks to keep your information and data safe!