Most Popular (1500 questions)

65 votes, 5 answers

Do 2FA sites leak info by confirming a correct password guess?

Here's my relatively layman's view of the issue. Many websites tout multifactor authentication (MFA) as an enormous boost to the security of users' accounts, and it can be if implemented properly. However, it seems that some sites will only prompt…
64 votes, 4 answers

How can common users defend against the StageFright vulnerability?

I was just informed of the StageFright vulnerability in Android devices. A specially crafted MMS message can gain access to data on the phone; so presumably it's a buffer overflow with subsequent privilege escalation. Details have not yet been…
S.L. Barth (5,504 rep, badges 8/39/47)
64 votes, 11 answers

Why does the user pick the password?

Almost every web service I can imagine has the user pick the password. Why is this? Couldn't the system choose a better password? It doesn't have to be some complicated mess; see this answer. Do users just find their own choices more convenient?…
PyRulez (2,937 rep, badges 4/16/29)
64 votes, 8 answers

Popular Security "Cargo Cults"

In Information and IT Security there is a nasty tendency for specific "best practices" to become inviolable golden rules, which then leads to people recommending that they are applied regardless of whether they are appropriate for a given situation…
Rory McCune (61,541 rep, badges 14/140/221)
64 votes, 1 answer

Why don't video conferencing web applications ask permission for screen sharing?

I am using Chrome 87 with Jitsi Meet 2.0, but I have noticed this behavior too with other setups. When I first enter a room, Chrome asks for the following permissions: Even if I click "Block" to deny these permissions, Jitsi still appears to have…
Jaap Joris Vens (605 rep, badges 4/13)
64 votes, 5 answers

What are the risks of just clearing cookies instead of logging off?

A typical web authentication workflow looks like this: User provides their credentials. Server validates credentials. If credentials are valid Server generates a token. Server keeps this token. Server responds to the login with this…
Joseph (741 rep, badges 1/5/8)
64 votes, 6 answers

Employer makes me use what I believe to be an insecure website for HR functions. What to do?

At my job, to be able to view my paychecks, vacation hours and HR data on myself I need to log into a 3rd party website. I'm by no means a security expert or expert programmer but I could tell (simply by trying) that I could continue to try…
A. Nony-Mous (615 rep, badges 1/5/4)
64 votes, 5 answers

Can Beehive detect a Snowden-like actor?

In a seminar, one of the Authors of Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks said that this system can prevent actions like Snowden did. From their articles' conclusions; Beehive improves on…
kelalaka (5,474 rep, badges 4/24/47)
64 votes, 2 answers

Are EU cookie consent forms safe?

Does the EU consent form system pose a new security risk? Today we have to click OK on about 20 cookie consent forms every week, where previously we could mostly dismiss internet forms as being invasive and risky. There are so many EU consent forms,…
bandybabboon (849 rep, badges 1/7/13)
64 votes, 2 answers

Does removing a GUI from a server make it less vulnerable?

Lately, I was watching an online video about Microsoft Certified Solutions Associate (MCSA) and in one of the videos it says "removing GUI from Windows server makes it less vulnerable." Is that true? If so, how does removing the GUI have that…
R1W (1,617 rep, badges 3/15/30)
64 votes, 4 answers

Why aren't application downloads routinely done over HTTPS?

We all know we should be using SSL whenever we collect passwords or other sensitive information. SSL provides two main benefits: Encryption: The data can't be read by a middle-man while in transit. Protection against MITM attacks: A man in the…
Tom Marthenal (3,302 rep, badges 4/23/26)
64 votes, 11 answers

Why don't websites and devices offer fake logins for hackers?

I was thinking about this earlier this morning and was wondering why websites and devices don't offer fake logins for hackers? What I mean by that is that if a hacker finds out some of your details and tries to log in to a website (for example) the…
Cromulent (1,103 rep, badges 1/9/13)
64 votes, 4 answers

Is posting from HTTP to HTTPS a bad practice?

Working on the assumption that SSL serves both to encrypt data and to provide assurance as to the identity and legitimacy of the website, should the practice of providing a logon form on a page requested over HTTP be avoided, even when it posts to…
Troy Hunt (3,930 rep, badges 4/20/21)
64 votes, 8 answers

Why do people still use/recommend MD5 if it has been proven weak since 1996?

It's still a commonly recommended way of hashing passwords, even if its insecurity had been proven in 1996: Therefore we suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a…
Marek Sebera (2,223 rep, badges 3/21/27)
64 votes, 3 answers

Are staggered roll outs of security patches bad?

Many Android devices, including the Google Nexus line, are now receiving monthly security patches via OTA updates, accompanied by the Android Security Bulletins. However, these updates are often released in what is known as "staggered roll outs,"…
tonytan (698 rep, badges 5/8)