Most Popular
1500 questions
125 votes, 6 answers
How to find out what programming language a website is built in?
I think that it's fundamental for security testers to gather information about how a web application works and eventually what language it's written in.
I know that URL extensions, HTTP headers, session cookies, HTML comments and style-sheets may…
storm
124 votes, 5 answers
Why do phishing e-mails use faked e-mail addresses instead of the real one?
I read that you can write anything into the From: field of an e-mail.
If that is true, then why are phishing e-mails trying to trick me with look-alike addresses like service@amaz0n.com instead of just using the actual service@amazon.com itself?
JFB
124 votes, 4 answers
What is the website checking about my browser to protect the website from a DDoS?
Some sites I visit take me to a page that says roughly, "Checking your browser before accessing example.com. DDoS attack protection by CloudFlare".
What exactly about my browser is being checked and how will that help protect against a DDoS attack?
user133587
123 votes, 12 answers
Is there a legitimate reason I should be required to use my company's computer? (BYOD prohibited)
I just got a new job at a medium-sized (~100 employees) company and one of the first things I was told is that I cannot use my own computer, because I need to be able to connect to their network, access files, etc. I didn't think that made much…
Marcus McLean
122 votes, 5 answers
How much can I trust Tor?
How much can I depend on Tor for anonymity? Is it completely secure? My usage is limited to accessing Twitter and WordPress.
I am a political activist from India and I do not enjoy the freedom of press like the Western countries do. In the event my…
Freedom
121 votes, 8 answers
Is it acceptable that a skilled professional pentester deletes or modifies sensitive data in production unintentionally during a pentest?
Today I experienced a situation where a person responsible for the security of a company required a pentesting company to withdraw a clause in the contract that says that:
"during the pentest there exist the possibility to delete or modify…
kinunt
121 votes, 8 answers
Attacking an office printer?
I did an nmap scan on an advanced office printer that has a domain name and is accessible from outside the corporate network. Surprisingly I found many open ports like http:80, https:443, and svrloc:427 and some others. The OS fingerprint says…
hsnm
120 votes, 11 answers
Password rules: Should I disallow "leetspeak" dictionary passwords like XKCD's Tr0ub4dor&3
TLDR: We already require two-factor authentication for some users. I'm hashing, salting, and doing things to encourage long passphrases. I'm not interested in the merits of password complexity rules in general. Some of this is required by law, and…
Jason Coyne
120 votes, 11 answers
What's to stop someone from 3D print cloning a key?
My friend just posted a picture of her key to Instagram and it occurred to me that with such a high-res photo, the dimensions of the key could easily be worked out.
Therefore the key could be duplicated.
What's to stop someone malicious from abusing…
personjerry
120 votes, 11 answers
Hacker used picture upload to get PHP code into my site
I'm working on a website — right now it's in early stages of testing, not yet launched and just has test data - thank goodness.
First of all, a hacker figured out the password to log onto the website's 'administration' pages*. I think they used a key…
Williamz902
119 votes, 2 answers
How difficult is it to crack a KeePass master password?
How easily could someone crack my KeePass .kdbx file if that person steals the file but never obtains the Master Password?
Is this a serious threat, or would a brute force attack require massive computing time?
Assume a password more than 10…
steampowered
119 votes, 9 answers
Is it dangerous to post my MAC address publicly?
When posting questions, it is often quite useful to include debug output. However, it sometimes includes the MAC address of my laptop, router, or both.
What are the possible dangers of releasing these MAC addresses publicly?
Shelvacu
119 votes, 12 answers
How can I punish a hacker?
I am a small business owner. My website was recently hacked, although no damage was done; non-sensitive data was stolen and some backdoor shells were uploaded. Since then, I have deleted the shells, fixed the vulnerability and blocked the IP address…
Elmo
119 votes, 3 answers
Why wasn't the KRACK exploit discovered sooner?
From what I've read, the issue is as simple as performing step 3 of a 4-step handshake and the consequences of performing that step more than once. Considering the complexity of these kinds of algorithms, I'm somewhat surprised that it is so…
Dave Cousineau
118 votes, 5 answers
Why do phishing emails have spelling and grammar mistakes?
Are the spelling and grammar mistakes in phishing emails made on purpose? Is there some wisdom behind it? Or are they simply indicative of the fact that they've been written by someone who does not natively speak English?
Muhammad Hasan Khan