Most Popular (1500 questions)
59 votes, 9 answers

Can malware be attached to an image?

I have a small number of employees who use a company computer but these people aren't very tech-savvy. They use an email client and a messaging client. I'm pretty sure they wouldn't click on a .exe or .zip file in an email without thinking, and I…
user2143356
59 votes, 2 answers

Can I restrict a Certification Authority to signing certain domains only?

Is it possible to create a CA certificate (even unsigned), which is only allowed to sign certificates for specific limited domain(s), so that it can't be misused for other domains?
59 votes, 2 answers

Why does this attack check the location of the server?

Recently (just now) the npm package ua-parser-js was found to be hijacked. The hijack installs a crypto miner on preinstall but I noticed the following passage in the preinstall script: IP=$(curl -k https://freegeoip.app/xml/ | grep…
Calin Leafshade
59 votes, 12 answers

How do you log in from an unsecured computer?

Suppose that you are in a cybercafe, at a friend's home or at your work office, and you need to log in on a site, but you feel that the computer cannot be trusted (e.g. your friend isn't tech-savvy and doesn't know how to protect his machine…
naw
59 votes, 11 answers

How to safely view a malicious PDF?

I have a PDF with important information that may contain malware. What would be the best way to view it?
user11101
59 votes, 5 answers

Is it secure to use MD5 to verify the integrity of small files (less than 15kb)?

I know that collisions for MD5 have been documented since the 90s and that digital certificates based off of MD5 were demonstrated to be completely compromised back in 2010, but how effective is MD5 in ensuring that small amounts of data have not…
thebunnyrules
59 votes, 14 answers

Is it a good idea to use the entire Unicode range to generate a random password rather than limited ranges?

I know for a fact that some sites/apps with low security restrict passwords to alphanumeric characters only, and some allow a slightly broader ASCII range. Some sites/apps also support Unicode. Passwords are usually meant to be typable on any…
person of entropy
59 votes, 13 answers

Why not use a national ID as username for every website?

Every day we visit many websites, including our university's website, maybe Google, Yahoo, etc. But on each of them, we have a unique username, while each person in a country can have a "national code" such that no two persons share a code. So, they…
Arman Malekzadeh
59 votes, 8 answers

How can I securely develop a local webapp at a coffee shop?

When I'm developing a webapp, let's say a Django site, I run it locally and typically access it at http://localhost. I thought this was inherently secure because I assumed that localhost can only be accessed locally. However, I discovered that even…
lofidevops
59 votes, 1 answer

What's the Impact of the CloudFlare Reverse Proxy Bug? ("#CloudBleed")

In Project Zero #1139, it was disclosed that CloudFlare had a bug which disclosed uninitialized memory, leaking private data sent through them via SSL. What's the real impact?
59 votes, 6 answers

Anonymous surveys that aren't so anonymous

In the past I have completed an 'anonymous' survey at work only to find that my employer was able to garner a lot of not-anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. …
iShaymus
59 votes, 6 answers

Why is leaving a passworded SSH over the internet so bad?

I've heard multiple times to never leave SSH with a password open over the internet. Why is this so bad? I understand the password can be bruteforced, but what if it is a very strong password that would take eons to crack? Are there more…
Ethereal
58 votes, 4 answers

Why are MD5 and SHA-1 still used for checksums and certificates if they are called broken?

I was just reading about SSL/TLS stuff, and according to this site (which is rated as A by Qualys SSL Labs), MD5 is totally broken, and SHA-1 is cryptographically weak since 2005. And yet, I noticed that a lot of programmers and even Microsoft only…
Freedo
58 votes, 38 answers

What is your way to create good passwords that can actually be remembered?

What are the methodologies which can be used to generate "human" good-quality passwords? They have to ensure good strength and also be easy to remember for a human being.
gbr
58 votes, 3 answers

SSH: benefits of using hashed known_hosts

What are the benefits of storing known_hosts in a hashed form? From what I read, it is supposed to protect the list of servers I am connecting to, presumably in a scenario where my account has been compromised (and the known_hosts file stolen). If my…
Martin Vegter