Most Popular (1500 questions)
89 votes, 9 answers
Secure USB cable for charging in untrusted environments
On a long haul flight, I imagine that charging a phone (in flight mode) with the inbuilt USB port on the head rest would be a security risk.
Could I mitigate that risk by taking a regular USB cable and cutting the data (but not the power) cables? Or…
DarcyThomas
89 votes, 3 answers
Why OpenSSH deprecated DSA keys
There was a question RSA vs. DSA for SSH authentication keys asking which key is better. Basically all answers were more in favour of RSA over DSA but didn't really say that DSA would be somehow insecure.
Now however DSA was deprecated by OpenSSH…
Petr
89 votes, 11 answers
Why didn't OSes securely delete files right from the beginning? And why do they still not do this?
After decades of hearing that "delete" does not really make the data impossible to recover, I have to ask WHY the OS was not corrected long ago to do what it should have been doing all along? What is the big deal? Can't the system just trundle along…
user82913
89 votes, 16 answers
How to tell users that they shouldn't disclose their password over the phone to our help desk?
I work for a help desk, and we recently launched an online service where our members can log in.
A problem we are having is that users who are calling us often ask us to confirm that the password handed in to them is correct. By doing so, they…
Terry
89 votes, 15 answers
How to store passwords written on a physical notebook?
Answers to the question "How safe are password managers like LastPass?" suggest that storing personal passwords on a physical notebook might be a reasonable option:
I know someone who won't use Password Safe and instead has a physical notebook…
tmh
89 votes, 9 answers
Why should you redirect the user to a login page after a password reset?
The OWASP Forgot Password Cheat Sheet suggests:
Whenever a successful password reset occurs, the session should be invalidated and the user redirected to the login page
I'm failing to understand why this is so important. Is there a security basis…
Adam Parkin
88 votes, 12 answers
What is different about being targeted by a professional attacker?
It is often said that security tools such as firewalls, antivirus programs, etc. are only effective against random, untargeted attacks. If you are specifically targeted by an intentional, professional attacker (e.g. state sponsored, NSA, Chinese…
user2174870
88 votes, 3 answers
Is TrueCrypt not secure now and should I stop using it?
The official TrueCrypt webpage now states:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in…
user11153
88 votes, 2 answers
What is the difference between serial number and thumbprint?
I have problems understanding the difference between the serial number of a certificate and its SHA1 hash.
The MSDN says:
Serial number: A number that uniquely identifies the certificate and is issued by the certification…
reox
88 votes, 12 answers
When is phishing education going too far?
I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware…
Anthony
88 votes, 5 answers
Can "Accept cookie" button in a website be malicious?
I don't remember when this "accept/cancel cookie" button started to be used in websites. Why do they insist on getting users to click on this button?
Can it do any harm to the user's PC or collect any private and sensitive data? Their reason for…
0_o
88 votes, 7 answers
Does a CSRF cookie need to be HttpOnly?
We were recently handed a security report containing the following:
Cookie(s) without HttpOnly flag set
vulnerability, which we apparently had in one of our internal applications.
The applied fix was as simple as setting Django's…
alecxe
88 votes, 2 answers
Why would I choose SHA-256 over SHA-512 for an SSL/TLS certificate?
I'm looking to renew an SSL (okay, TLS) wildcard certificate with a well-known service. I need to provide a CSR, which I have created using a 2048-bit key. I also need to choose a signature hash. The service offers three choices: SHA-256, SHA-384,…
Joel Coehoorn
88 votes, 1 answer
Isn't the BBC being extremely irresponsible in describing how to authenticate an account-related email?
On this webpage, the BBC says:
I’ve received a ‘Changes to your BBC account’ email claiming to be from the BBC – is this a genuine email?
At the end of September 2016, we upgraded our ‘BBC iD’ sign-in system to ‘BBC Account’, and as a result we had…
Lightness Races in Orbit
88 votes, 7 answers
Why are password boxes always blanked out when other sensitive data isn't?
So far as I know, password boxes and PINs are always obscured in some way in order to prevent people from looking over your shoulder when you enter it. However, other important information that I type into a web form (credit card number, social…
GGMG-he-him