Most Popular
1500 questions
88 votes, 10 answers
How secure is RDP?
I have a sort of a conflict with my company's Security Lead Engineer. He says that Remote Desktop Protocol (RDP) is not secure enough and we should be using TeamViewer instead. We use RDP not only to access local resources inside our corporate…

prot (991 reputation; 1 gold, 6 silver, 7 bronze badges)
88 votes, 3 answers
What is the difference between a Hash Function and a Cryptographic Hash Function?
I mean, is it just a matter of "how difficult is it to reverse the function with the current technology"?
Or is there a mathematical concept or property that makes them different?
If it is a matter of "how difficult is it to reverse the function",…

Mr.Eddart (983 reputation; 1 gold, 7 silver, 6 bronze badges)
88 votes, 4 answers
What prevents me from buying an SSL certificate for a domain I don't control?
Can I simply build a webserver, make its hostname "google.com", create a CSR off that server, and send that to a Certificate Authority for signing? Let's say I pick the cheapest and dodgiest outfit I can find.
Will that work? What mechanisms are in…

Flamer (859 reputation; 1 gold, 7 silver, 5 bronze badges)
87 votes, 9 answers
Why do people use IP address bans when IP addresses often change?
Why do people use IP address bans (e.g. to block a malicious user from an internet service) when IP addresses change often?
For example, we turn our router off every night so our IP address often changes in the morning. Furthermore, often a simple…

micheal65536 (1,746 reputation; 1 gold, 10 silver, 14 bronze badges)
87 votes, 11 answers
What to do about websites that store plain text passwords
I recently received an email from a popular graduate job website (prospects.ac.uk) that I haven't used in a while suggesting I use a new feature. It contained both my username and password in plain text. I presume this means that they have stored my…

jamesj (1,093 reputation; 1 gold, 8 silver, 10 bronze badges)
87 votes, 6 answers
How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me?
I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm just stating what I personally use for the sake…

Paranoid Android (711 reputation; 1 gold, 5 silver, 4 bronze badges)
87 votes, 2 answers
Should I use AntiForgeryToken in all forms, even login and registration?
I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms, that modify protected data etc.
Some other forms, like…

Artiom Chilaru (973 reputation; 1 gold, 9 silver, 7 bronze badges)
87 votes, 2 answers
How did someone log in to my Gmail account from Kenya?
While on holiday in France in May I received an email from Google "New sign-in".
Your Google Account was just used to sign in:
Nairobi, Kenya. Tuesday, 26 May 2015 22:10 (East Africa Time).
I hastily changed my password. I've never been to…

Colonel Panic (2,134 reputation; 2 gold, 22 silver, 24 bronze badges)
86 votes, 10 answers
New Gmail login system—going against conventional wisdom?
I noticed that the new gmail login asks for username first, and then confirms if such username exists, before asking for password input.
Does this not go against conventional security wisdom to not divulge information about whether a username…

ataftoti (945 reputation; 1 gold, 7 silver, 5 bronze badges)
86 votes, 9 answers
Comparison Between AppArmor and SELinux
I was reviewing several different comparisons of AppArmor and SELinux which include:
Why I Like AppArmor More Than SELinux
SELinux and AppArmor: An Introductory Comparison
From these articles I conclude that AppArmor is better than SELinux based…

Ali Ahmad (4,814 reputation; 8 gold, 35 silver, 61 bronze badges)
86 votes, 3 answers
Does CVE-2021-44228 impact Log4j ports?
Log4j has been ported to other languages, such as log4perl, log4php, log4net, and log4r. Are these ports vulnerable to CVE-2021-44228 as well? I believe that they aren't because the vulnerability uses JNDI (Java Naming and Directory Interface),…

Fire Quacker (2,442 reputation; 1 gold, 21 silver, 29 bronze badges)
86 votes, 2 answers
ssltest: Chain issues - Contains anchor
I've run ssltest on a web application and it found "Chain issues - Contains anchor" (section "Additional Certificates (if supplied)").
What does it mean? Should it be fixed? Can it be exploited?

Andrei Botalov (5,317 reputation; 10 gold, 46 silver, 73 bronze badges)
86 votes, 3 answers
What information about me do stores get via my credit card?
Let's say I buy something at some (physical) store and pay using a credit card on one of these electronic terminals. What information do the owners of this store get about me (or my credit card) from this transaction?
Can they find out whether…

flawr (701 reputation; 1 gold, 5 silver, 7 bronze badges)
86 votes, 8 answers
What attacks are made possible by public release of my web history?
Assume that my Internet history is made public (accidentally or on purpose). And this release is over 24 hours since the visits were made.
Also, assume that there aren't embarrassing sites on there: there isn't any blackmail potential.
(My most…

Joe (823 reputation; 1 gold, 6 silver, 9 bronze badges)
86 votes, 1 answer
Why are files that are not assigned to a user considered a security risk?
From the Linux Bible, edition 9:
Files that are not assigned to any username are considered to be a security risk.
How is this possible and how could this be exploited?
Edit: My question isn't a duplicate of the mentioned question because my…

AXANO (899 reputation; 7 silver, 23 bronze badges)