Most Popular

1500 questions
64 votes, 2 answers

Whatsapp encryption keys

Today I woke up and checked my Whatsapp and got the message that communications are encrypted end-to-end from now on. However, how can I know whether Whatsapp can be trusted? I did not generate my private/public keys, nor can I change them. Isn't…
Quora Feans
64 votes, 12 answers

How would two people with burner phones communicate?

According to Edward Snowden in this tweet... Phones used in real-world ops are disposed on a per-action, or per-call basis. Lifetimes of minutes, hours. Not days. Let's imagine for a moment that I'm Jason Bourne. I've stopped by the kiosk in…
Roger Lipscombe
64 votes, 3 answers

Why aren't IMSI catchers rendered ineffective by standard MITM defenses?

There's been a lot of reporting in the past few years about law enforcement agencies using IMSI catchers (also known as Stingrays after a popular brand of them) to intercept cellular communications. If I understand correctly, what IMSI catchers do…
HighCommander4
64 votes, 2 answers

Why has the NSA had a hand in deciding on encryption standards?

The NSA has had a large hand in the design of at least two significant encryption standards: the Digital Encryption Standard, and its successor, the Advanced Encryption Standard. Because of their involvement, there is much speculation of backdoors.…
IQAndreas
63 votes, 8 answers

How do you explain to experts that a database server should not reside in the DMZ?

Our security experts, database administrators, network team and infrastructure team are all saying it's OK to have the database server located in the DMZ along with the HTTP server and middle-ware server. Their reason: If the database server is…
bruce bana
63 votes, 6 answers

Unix execute permission can be easily bypassed. Is it superfluous, or what's the intention behind it?

The Unix read permission is actually the same as the execute permission, so if e.g. one process has write access it's also able to execute the same file. This can be done pretty easily: First this process has to load the content of the file, which…
Martin Erhardt
63 votes, 4 answers

Disclose to user if account exists?

Someone told me it shouldn't be possible for someone to detect if a certain email address is used by a registered user on a website. So, for instance, when the user asks to reset his password, you should say "Password sent" whether the email exists…
forthrin
63 votes, 3 answers

How does the Windows "Secure Desktop" mode work?

Can anyone explain (or provide a link to a simple explanation) of what the Windows "Secure Desktop" mode is and how it works? I just heard about it in the KeePass documentation (KeePass - Enter Master Key on a Secure Desktop) and would like to…
snth
63 votes, 16 answers

What tools are available to assess the security of a web application?

What tools are available to assess the security of a web application? Please provide a small description of what the tool does. Update: More specifically, I'm looking for tools that assume no access to the source code (black box).
63 votes, 6 answers

Is 2FA via mobile phone still a good idea when phones are the most exposed device?

Everyone knows that two factors are better than one. My problem is that often the only second factor allowed is text messages sent to your mobile phone. This creates two concerns: I travel frequently overseas and lose access to 2FA accounts any…
63 votes, 1 answer

I found a password with hashcat, but it doesn't work

My assignment required me to find the password for a PowerPoint file (97 - 2003, v. 8.0 - v. 11.0). I used office2john.py to retrieve the hash, and I removed the file name. The hash…
Fabius
63 votes, 2 answers

How are one-time password generators like Google Authenticator different from having two passwords?

Google Authenticator uses the TOTP algorithm to generate your One-Time Password (OTP). TOTP works like this: The server generates a secret key and shares with the client (you) when the client registers with the server. Using the shared key and the…
Ashwin
63 votes, 1 answer

Who "brands" vulnerabilities?

It appears that every time there's a vulnerability discovered major enough to hit the news, it's been assigned a brand name and often even a logo. Heartbleed, Spectre, Meltdown, Foreshadow, etc. Who decides and produces these? Is it typically the…
Kai
63 votes, 7 answers

Is exposing the server time a security risk?

If I create a servlet that would return the server time publicly (no need for authentication), would this be a security issue? I couldn't think of any issue with this, but somehow something tells me I could be wrong. To explain more, this end-point…
Manny
63 votes, 5 answers

Is it common practice to log rejected passwords?

While selecting unique passwords for each purpose is a great idea, in practice this rarely happens. Therefore many select passwords from a personal pool of passwords that are easily remembered. When authenticating into systems that are used…
Drew Lex