Most Popular
1500 questions
57 votes, 3 answers
eBay web site tries to connect to wss://localhost:xxxxx - is this legit, or do they have some malware JS running?
In helping a corporate user log on to eBay, I noticed that when on the login page, a stream of errors were coming up in the Firefox JS Console about not being able to connect to wss://localhost. This is a bit concerning, obviously. Why would a web…

ETL
- 631
- 5
- 8
57 votes, 10 answers
Does the saying "physical access = game over" apply to smartphones, too?
I was surprised to read in the responses to this popular question that it's considered nigh impossible to secure a computer system if intruders have physical access.
Does this apply to smartphones as well? Let's suppose I have done the most I can…

Max
- 715
- 1
- 4
- 7
57 votes, 2 answers
Why does SSL Labs now consider CBC suites weak?
Why does SSL Labs now mark CBC 256 suites as weak, although equivalent GCM and ChaCha20 are considered strong? Until a few months ago, it was unmarked in reports (neither explicitly weak nor strong), and it is still unmarked in their client…

Martin Horský
- 563
- 1
- 4
- 10
57 votes, 8 answers
How are passwords stolen from companies if they only store hashes?
Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?

W2a
- 663
- 1
- 5
- 6
57 votes, 6 answers
Should we release the security issues we found in our product as CVEs, or can we just note them in the weekly release notes?
We are a vendor providing a product that is used in enterprises. We know that those companies run periodic CVE scans on the products they use as part of their vulnerability management process. My question is, do we have to raise a CVE if our…

Filipon
- 1,224
- 11
- 22
57 votes, 7 answers
Does it make sense to consider a triggerable server software crash a DOS attack?
I've found a little vulnerability in a web application running on Node.js server.
It works by sending some crafted payload to the application server, which makes the application server code throw an error, and due to lack of error handling - It…

Matías
- 507
- 1
- 4
- 4
57 votes, 5 answers
Preventing deauthentication attacks
I am helpless against some kiddy with BackTrack who repeatedly uses aireplay-ng to deauthenticate legitimate users on my Wi-Fi work network.
I captured and analyzed the network traffic on my Wi-Fi work network, and I noticed a remarkable amount of…

Tawfik Khalifeh
- 2,542
- 6
- 22
- 27
57 votes, 2 answers
If a container is compromised does that mean host also compromised?
Recently, I have heard of a new virtualization tech called containers. Suppose the container has been compromised, does this mean the host is also compromised (since the container is a process on a host)? In terms of security, is a VM (virtual…

Akhil Surapuram
- 561
- 4
- 7
57 votes, 8 answers
Brutalized VPS recovery data now available. Considerations?
Backstory
My sites and VPS were stolen from me. The hosting company and I were locked out and unable to access it. They weren't able to create a temp password for access because the attacker blocked it.
The last time I was logged into WHM, root…

Preston Bennett
- 613
- 1
- 5
- 10
57 votes, 3 answers
My Android phone is vulnerable, but there are no updates?
I bought a brand new HTC Desire 526G with operating system 4.4.2 (KitKat); everything is as it should be (not rooted), so it is still on factory settings.
But now I haven't received any security updates for a long time. I have checked manually in system…

user134969
- 1,328
- 4
- 16
- 24
57 votes, 9 answers
How does Google Maps know where I am, when I'm using a VPN?
How does Google Maps determine my location?
I've gotten some understanding of Google Maps' geolocation methods from here:
http://friendlybit.com/js/geolocation-and-google-maps/
In the newer browsers (all but IE6, IE7, or IE8) may ask you for your
…

user10732
- 673
- 1
- 6
- 4
57 votes, 13 answers
Is WhatsApp or Facebook Messenger secret conversation a reasonable method for transferring passwords?
I have the Netflix account in our family, meaning I have the password.
It's a secure password, with 16 characters, including symbols, numbers and uppercase, for example 3?TeJ)6RK]4Z_a>c, which has around 80 bits of entropy.
However, I have to share…

Tim
- 950
- 1
- 7
- 16
57 votes, 10 answers
Does the local network need to be hacked first for IoT devices to be accessible?
I completely understand how IoT devices were used in the massive DDoS attacks because they are easily manipulated due to lack of firewalls, default passwords, etc.
What I don't understand is although easily hacked, most IoT devices are connected to…

Chad Caldwell
- 623
- 1
- 5
- 6
57 votes, 11 answers
Can a DDoS attack yield any information?
Can a DDoS attack reveal any information or be used to mount a hack? My understanding is that the whole point of DDoS or DoS is to consume all of the resources/overload the server, causing it to crash, and that this is the only reason to do a DDoS.
I…

KosugiNinja
- 689
- 1
- 5
- 6
57 votes, 8 answers
Why are self-signed certificates not trusted, and is there a way to make them trusted?
I have locally made a Root CA certificate. I used the CA cert to sign the IA cert and used the IA cert to sign the server certificate. When I try to access the local server which uses the server certificate, it gives me a security risk warning. Is…

Praz
- 595
- 1
- 4
- 3