Most Popular

1500 questions
98 votes, 7 answers

Why would an attacker ever want to sit on a zero-day exploit?

I am trying to understand why an attacker would want to wait to use a zero-day exploit. I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to…
jonem
98 votes, 5 answers

What is the specific reason to prefer bcrypt or PBKDF2 over SHA256-crypt in password hashes?

We know that to slow down password cracking in case of a password database leak, passwords should be saved only in a hashed format. And not only that, but hashed with a strong and slow function with a possibility to vary the number of rounds. Often…
ilkkachu
98 votes, 7 answers

Does FTPS (FTP+S) offer better security than SFTP on the server side?

I had an exchange with some third party sysadmin yesterday regarding the setup of a file transfer interface between our servers. I suggested using SFTP because our application has good support for it. My interlocutor absolutely wants FTP+S (FTP+TLS)…
Stéphane C.
98 votes, 6 answers

How do you destroy an old hard drive?

How do you destroy an old hard drive? To be clear, unlike questions Secure hard drive disposal: How to erase confidential information and How can I reliably erase all information on a hard drive? I do not want to erase the data and keep the hard…
Xonatron
98 votes, 10 answers

If a provider sees the last 4 characters of my password, can they see it in full?

I have some domains/websites as well as emails with Bluehost. Every time I need support, they need the last 4 characters of my main password for the account. They cannot tell me how they store the password, so I am intrigued in how they could…
97 votes, 9 answers

Can my company see what HTTPS sites I went to?

At work my company uses internet monitoring software (Websense). I know if I visit an https ssl-encrypted site (such as https://secure.example.com) they can't see what I'm doing on the site since all the traffic is encrypted. But do they see that I…
IAmARegisteredUser
97 votes, 3 answers

Stack Overflows - Defeating Canaries, ASLR, DEP, NX

To prevent buffer overflows, there are several protections available such as using Canary values, ASLR, DEP, NX. But, where there is a will, there is a way. I am researching the various methods an attacker could possibly use to bypass these protection…
sudhacker
97 votes, 6 answers

Is it safe to let a user type a regex as a search input?

I was in a mall a few days ago and I searched for a shop on an indication panel. Out of curiosity, I tried a search with (.+) and was a bit surprised to get the list of all the shops in the mall. I've read a bit about evil regexes but it seems that…
Xavier59
97 votes, 10 answers

How would disabling IPv6 make a server any more secure?

I was reading this article about hardening security on Linux servers, and in point #23, the article says: #23: Turn Off IPv6 Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet…
vakus
97 votes, 13 answers

Company computers for competent developers, how can you deal with them?

This is a follow up on Is there a legitimate reason I should be required to use my company’s computer. Mostly, because I see a huge issue in a couple of specific situations. Had I been in a position of the security engineer for an organization I…
grochmal
97 votes, 6 answers

Should passwords be automatically reset when the underlying method changes?

I'm currently an engineer on a project in development phase. One 'module' on this project gives the ability for user authentication/authorization. However it's come to our concern that the password hashing algorithm may not be up to cop (aka not…
Crazy Dino
97 votes, 7 answers

How does hacking work?

I am specifically talking about web servers, running Unix. I have always been curious about how hackers get the entry point. I mean I don't see how a hacker can hack into the webpage when the only entry method they have into the server is a URL. I must…
user7360
96 votes, 5 answers

Are there any downsides to using Let's Encrypt for a website's SSL certificates?

On the advantages side, I see several benefits to using the Let's Encrypt service (e.g., the service is free, easy to set up, and easy to maintain). I'm wondering what, if any, are the disadvantages to using Let's Encrypt? Any reasons why website…
96 votes, 3 answers

What is the purpose of the rotating plate in front of the lock?

I am now in Poland and see these everywhere: The plate can rotate freely; when you insert the key, matching the groove, you rotate the key so it is aligned with the lock and then insert the key. What is the purpose of this?
Thomas