Most Popular
1500 questions
101
votes
8 answers
Why do ATMs accept any PIN?
The other day I tried to withdraw some cash from an ATM in a hurry and punched in a wrong PIN. I realized that only when I hit the "ok" button, but to my surprise the ATM did not complain. It showed the usual menu, asking me to select an operation.…
Andrew Savinykh
- 1,640
- 3
- 14
- 23
101
votes
4 answers
How does SSLstrip work?
I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works.
A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing…
Scott Helme
- 3,198
- 3
- 22
- 32
101
votes
3 answers
Why is Sojdlg123aljg a common password?
I was going through the list of top 100K passwords and found Sojdlg123aljg near the top of the list. Does anyone have any idea why this is such a common password?
azoundria
- 743
- 2
- 5
- 7
101
votes
5 answers
Someone is trying to brute-force(?) my private mail server... very... slowly... and with changing IPs
This has been going on for about 1-2 days now:
heinzi@guybrush:~$ less /var/log/mail.log | grep '^Nov 27 .* postfix/submission.* warning'
[...]
Nov 27 03:36:16 guybrush postfix/submission/smtpd[7523]: warning: hostname bd676a3d.virtua.com.br does…
Heinzi
- 2,954
- 2
- 21
- 25
101
votes
5 answers
How to address bad password security policy from a large company?
I just went to reset my Western Digital password and they emailed me my plaintext password, instead of providing an online form to let me change it. This is really concerning to me as the site accepts/processes payments for their drives, and I have…
Douglas Gaskell
- 1,219
- 3
- 10
- 15
100
votes
1 answer
How are private keys kept private?
This may sound like a stupid question but seriously how are private keys kept private?
If you're someone like Google you have some huge number of servers to which the public can establish secure connections.
The *.google.com private key is required…
George Hawkins
- 1,155
- 1
- 8
- 11
100
votes
4 answers
What aspects of image preparation workflows can lead to accidents like Boris Johnson's No. 10 tweet's 'hidden message'?
The BBC reports that the image Boris Johnson posted on Twitter to congratulate Joe Biden contains traces of the text "Trump" in the background. The BBC article links to a Guido Fawkes' article, and when I download the tweet's JPEG, convert to PNG…
uhoh
- 1,415
- 2
- 11
- 21
100
votes
12 answers
How do very big companies manage their most important passwords / keys?
Third-party password managers such as 1password, etc. are useful for people, businesses, etc. to store passwords. But I bet Facebook, Google, Twitter and other super big tech companies don't use such third-party services for their internal passwords…
Basj
- 951
- 2
- 8
- 16
100
votes
10 answers
Does it improve security to use obscure port numbers?
I recently started a job at a small company where the CTO prefers to host SSH services at obscure, high numbered ports on our servers rather than the well known port 22. His rationale is that "it prevents 99% of script kiddy attacks." I'm curious…
William Rosenbloom
- 1,516
- 2
- 6
- 12
100
votes
7 answers
Why do some GDPR emails require me to opt-out and some to opt-in?
I've noticed a trend in emails I've received as a result of GDPR, some of them are sort of 'opt-out' (or pseudo-opt-out where you just need to stop using their service) like so:
Our updated Privacy Policy explains your rights under this new law and…
AncientSwordRage
- 1,925
- 4
- 17
- 19
100
votes
3 answers
What's the advantage of using PBKDF2 vs SHA256 to generate an AES encryption key from a passphrase?
I'm looking at two comparable pieces of software which encrypt data on disk using a passphrase. One uses PBKDF2 to generate the encryption key from a passphrase, while the other uses two rounds of SHA256. What's the difference? Is one preferred over…
Andrey Fedorov
- 1,323
- 2
- 10
- 12
100
votes
4 answers
What is ECDHE-RSA?
What is the difference between ECDHE-RSA and DHE-RSA?
I know that DHE-RSA is (in one sentence) Diffie Hellman signed using RSA keys. Where DH is used for forward secrecy and RSA guards against MITM, but where do the elliptic curves in ECDHE-RSA are…
Hubert Kario
- 3,748
- 4
- 27
- 35
100
votes
4 answers
What is the difference between an X.509 "client certificate" and a normal SSL certificate?
I am setting up a web service through which my company will talk to a number of business customers' services. We will be exchanging information using SOAP. I would like to handle authentication with SSL certificates provided by both parties, but…
Brandon Yarbrough
- 1,103
- 2
- 8
- 7
100
votes
11 answers
DDoS: Why not block originating IP addresses?
I'm a moderator of a major bulletin board. When a baddie shows up, we block their IP address; it works, at least until they find a new one. Why can't a protocol be developed for the world's routers to combat DDoS, whether by IP addresses or message…
vonlost
- 1,155
- 2
- 8
- 5
100
votes
10 answers
How to create a company culture that cares about information security?
Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided.
I already tried to instruct them but they simply don't care, they cannot see…
RF03
- 1,063
- 1
- 8
- 12