Most Popular
1500 questions
136 votes, 8 answers
How hard is it to intercept SMS (two-factor authentication)?
A lot of two-factor authentication mechanisms use SMS to deliver a single-use passphrase to the user. So how secure is it? Is it hard to intercept the SMS message containing the passphrase? Do mobile networks use any kind of encryption on SMS?
I found…
Paul Podlipensky
135 votes, 9 answers
Is Google spying on all of us?
I am curious because I experienced something bizarre recently. About a month ago, someone asked me to find out a price for a T-shirt printing machine, and probably for the first time, I pressed these keys and started searching, searching, for long…
samayo
135 votes, 7 answers
How did Google know I looked something up?
Yesterday I was searching DuckDuckGo for booking a vacation. I ended up reading a lot on one specific website. Today multiple websites show me Google banners from this specific website. Normally, I never look up websites for booking a vacation. I…
P.Yntema
135 votes, 8 answers
Why are programs written in C and C++ so frequently vulnerable to overflow attacks?
When I look at the exploits from the past few years related to implementations, I see that quite a lot of them are from C or C++, and a lot of them are overflow attacks.
Heartbleed was a buffer overflow in OpenSSL;
Recently, a bug in glibc was…
Nzall
135 votes, 16 answers
What should I do when my boss asks me to fabricate audit log data?
My boss just asked me to create a fictitious log entry to say that a user's account was updated before it was, to win a dispute.
I feel this is not right because I am trying to start a career in working with data technology. Whether or not I get…
computer_nurd
134 votes, 19 answers
Is it common to allow local desktop and/or active directory admin access and rights for developers in organizations?
I work at a company with a staff of about 1000+. We currently have programming development staff that work on web-based projects (approx. 50 people).
Recently, due to security concerns, our IT and Security department implemented a restriction no…
TroySteven
133 votes, 6 answers
How secure are the FIDO U2F tokens?
Google and Yubico just announced the availability of cryptographic security tokens following the FIDO U2F specification. Is this just another 2FA option, or is this significantly better than solutions such as SecureID and TOTP?
Specifically:
In…
tylerl
133 votes, 4 answers
How does the authentication in the new UK £1 coin work?
The UK is getting a new £1 coin. Its designers, the Royal Mint, claim that unlike current coins, it includes built-in technology for high-speed authentication and verification everywhere from ATMs to vending machines and point-of-sale.
How does…
Colin Pickard
133 votes, 2 answers
Why is "fhepfcelehfcepfffacacacacacacabn" a top DNS query from my devices?
I recently set up NextDNS on my personal devices to further reduce the amount of tracking and ads I'm exposed to. The service comes with built-in analytics that shows a brief overview of your network activity.
Most of the top hits are…
Etheryte
133 votes, 3 answers
Is HostGator storing my password in plaintext?
I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.
I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all…
Marquizzo
133 votes, 5 answers
Is momentary physical access dangerous?
I’m asking the question with these conditions:
The device (computer or mobile phone) is in a running state.
“Momentary” refers to a reasonably short period of time, such as 5 to 10 seconds.
The system may not be in a “locked” state (e.g. showing a…
tonychow0929
133 votes, 14 answers
Is a Windows installer that doesn't require admin rights dangerous?
I use Atlassian SourceTree on Windows, and one thing I like about it is that it doesn't require admin privileges to install or update. I happened to mention this to our ISSO (Information System Security Officer), and he was not a fan. He said that…
David K
133 votes, 8 answers
Why would someone trust DuckDuckGo or other providers with a similar privacy policy?
DuckDuckGo is a search engine that claims it will not share your results with others. Many of my skeptical coworkers think it may be a scam.
Is there any proof that any web search engine will protect your privacy as it advertises?
makerofthings7
132 votes, 2 answers
What to do if caught in a physical pentest?
I've seen a lot of people talk about how to pentest and how NOT to get caught during engagements but have a hard time finding "How to behave when caught during a Red Team engagement".
Red Teams are to simulate adversaries attacking systems. Many…
ChocolateOverflow
132 votes, 11 answers
Is it completely safe to publish an ssh public key?
I use an RSA key to log into remote servers with ssh. And I keep my dot files under version control in a publicly accessible place so that I can quickly set up new servers to work the way I like.
Right now I don't have my .ssh directory under version…
Brian