Most Popular
1500 questions
115
votes
9 answers
Why is Steam so insistent on security?
Is there any particular reason why the Steam application attempts to be so secure? It seems to force you to take more security measures (two-factor authentication, emails confirming all trades, etc) than most banks do.
Is this due to the fact that…
Jojodmo
115
votes
4 answers
What certificates are needed for multi-level subdomains?
I'm working on a web site with several levels of subdomains. I need to secure all of them with SSL, and I'm trying to determine the correct certificate strategy.
Here's what I need to secure:
foo.com
www.foo.com
Any combination of…
Nathan Long
114
votes
6 answers
What would one need to do in order to hijack a satellite?
I realise this borders on sci-fi, but there have been some interesting demonstrations regarding the security of various satellites.
What would be required to hack a satellite (in general terms, any hack really)? Are they all basically connected in the…
Incognito
114
votes
5 answers
What should a website operator do about the Heartbleed OpenSSL exploit?
CVE-2014-0160
http://heartbleed.com
This is supposed to be a canonical question on dealing with the Heartbeat exploit.
I run an Apache web server with OpenSSL, as well as a few other utilities relying on OpenSSL (as client). What should I do to…
Deer Hunter
114
votes
6 answers
Roles to play when tailgating into a residential building
Following people into a large RFID-protected residential building is ridiculously easy, as not everyone knows everyone else. Just the other day I was let in with a rifle (an airgun, but how could they have known).
But standing helplessly in front of…
Vorac
114
votes
7 answers
Someone is using my (or has the same) email
I just got a letter from court saying I made 49 threats to someone I had a problem with three years ago. This person presents "my emails" as evidence. I went through all my emails, and I haven't found a single one. The mail presented as evidence all…
Leah G
114
votes
15 answers
How can mom monitor my internet history from a distance?
This might sound like a funny question from a twelve-year-old. The less funny part is that I am 21 and currently studying at university (I don't live at University, although I am 15 minutes away. I do not use university network). You might or…
Azerty
113
votes
4 answers
Is using 'dot' and 'at' in email addresses in public text still useful?
When entering your email address publicly, a practice is to replace "." with the text "dot" and "@" with the text "at". I assume that the reasoning is that this way automatic email-collector robots won't match your address so easily. I still see updated websites…
n611x007
112
votes
9 answers
Why can we still crack snapchat photos in 12 lines of Ruby?
Just came across this bit of Ruby that can be used to decrypt Snapchat photos taken out of the cache on a phone, apparently adapted from here. To my surprise, it worked without a problem, considering the problems around Snapchat's security which…
Dmitri DB
112
votes
4 answers
Do I need CSRF token if I'm using Bearer JWT?
Context: the Angular site is hosted on S3 behind CloudFront, separate from the Express server that is used as the API, and almost all requests are XMLHttpRequests. All requests are sent without cookies (withCredentials = false by default) and I use JWT Bearer…
Igor Pomogai
112
votes
6 answers
Why should I offer HTTP in addition to HTTPS?
I am setting up a new webserver. In addition to TLS/HTTPS, I'm considering implementing Strict-Transport-Security and other HTTPS-enforcement mechanisms.
These all seem to be based on the assumption that I am serving http://www.example.com in…
lofidevops
111
votes
9 answers
Is it safe to send clear usernames/passwords on a https connection to authenticate users?
I'm setting up a home HTTP server which can send and receive JSON data to/from different clients (Android and iPhone apps).
I'd like to allow access only to certain users and I'm considering using a simple username/password mechanism, as setting up…
Emiliano
111
votes
13 answers
Why do sites implement locking after three failed password attempts?
I know the reasoning behind not allowing infinite password attempts - brute force attempts are not a meatspace weakness, but a problem with computer security - but where did they get the number three from?
Isn't denial of service a concern when…
Bradley Kreider
111
votes
11 answers
Is `sudo` almost useless?
Once an attacker has a shell as your sudoer user (or has just compromised a local process enough), he/she can use one of the many privilege escalation tools to even automatically insert themselves, for example, as apt or some other process called by root to…
Wernight
111
votes
13 answers
Secure way to log in to a website on someone else's computer
Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke…
today