Most Popular

53 votes, 7 answers

How are GPUs used in brute force attacks?

I have read that GPUs can be used in brute-force attacks. But how can this be done, and is there a need for any other hardware devices (hard disks, for instance)? Note: I'm more interested in web application security, but I don't want to put on…
53 votes, 4 answers

Old OS memory space protection - was it really that bad?

In his book Security Engineering, Anderson really focuses on how in the 90s and early 2000s programs would need to access memory that wasn't their own, and programmers programmed with the assumption the program would be run with administrative…
Celeritas
52 votes, 2 answers

Digital Certificate deployment: using two certs for each user?

At a large enterprise environment I have come across a deployment approach for Digital Certificates where each user is issued two (2) key pairs: One for signing documents, emails, etc. that is completely "personal" (perhaps kept only by him in an…
George
52 votes, 4 answers

How to inject executable, malicious code into PDF, JPEG, MP3, etc.?

I wanted to know if it's generally possible to inject executable code into files like PDFs or JPEGs etc., or must there be some kind of security hole in the application? And if so, how would one do that? I often hear that people get infected by…
JohnnyFromBF
52 votes, 6 answers

Phones broadcast the SSIDs of all networks they have ever connected to. How can these be obtained by an attacker?

I just watched an interesting talk from Glenn Wilkinson titled: The Machines that Betrayed their Masters. He said that your phone is constantly broadcasting all the SSIDs it has ever connected to. How would an attacker be able to capture these…
that guy
52 votes, 4 answers

Are salted SHA-256/512 hashes still safe if the hashes and their salts are exposed?

Scenario: a database of hashed and salted passwords, including salts for each password, is stolen by a malicious user. Passwords are 6-10 chars long and chosen by non-technical users. Can this malicious user crack these passwords? My…
Seppo Erviälä
52 votes, 2 answers

What is the difference between SSL and X.509 Certificates?

I used openssl to create an X.509 certificate but I don't quite understand the relationship between an X.509 and an SSL certificate. Are they the same? Is an SSL certificate just an X.509 certificate that is used for SSL?
vernomcrp
52 votes, 7 answers

What are the cons of stateless password generators?

Does anybody have hands-on experience with stateless password generators (managers) like Getpass? It seems like it does most of the work of cloud password managers, but leans more to the security side as there are no servers with passwords to…
Cookiecutter
52 votes, 10 answers

Is using haveibeenpwned to validate password strength rational?

I have been hearing more and more that the haveibeenpwned password list is a good way to check if a password is strong enough to use or not. I am confused by this. My understanding is that the haveibeenpwned list comes from accounts which have been…
Nacht
52 votes, 7 answers

Invalid users trying to log in to my server

I'm seeing a lot of log entries that appear to be failed login attempts from unknown IP addresses. I am using private and public keys to log in with SSH but I have noticed that even with private and public keys set I am able to log in to my server…
mk_89
52 votes, 10 answers

Replacing Windows 7 security updates with anti-virus?

Microsoft has announced Windows 7 will no longer be receiving updates after January 14, 2020: Here. I hate Windows 10's forced updates and telemetry so I have always stuck with Windows 7, but it may be as good as dead after the lack of security…
TritiumCat
52 votes, 2 answers

Is this Paypal Github SDK reference really a dangerous site?

I'm working on integrating a payment system with PayPal in C#, and I installed the official PayPal NuGet package. Then I went to the PayPal GitHub site. And linked to this below site (SDK Reference). At this point both Chrome and Firefox warned me…
user230910
52 votes, 4 answers

How to verify the checksum of a downloaded file (pgp, sha, etc.)?

Maybe I have been negligent towards the verification of software I download over the Internet, but I (or anybody I ever met) have never tried to verify the checksum of the contents I download. And because of this, I have no idea about how to verify…
ThankYouSRT
52 votes, 5 answers

What actions should I, as an end user, take in response to EFAIL?

There's a lot of talk about EFAIL: The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded…
Anders
52 votes, 10 answers

Why use usernames and not just email addresses to identify users?

Why use usernames, and not just email addresses, to identify users? - What is the main concern or the main case when a security expert (which I'm not) should recommend inserting another layer of usernames, for example, when a native/web application…
user9303970