IT Security Stack Exchange
IT Security Stack Exchange

Most Popular

more tags
1500 questions
50
votes
7 answers

What is a satisfactory result of penetration testing assessment?

I'd like to ask you what should be satisfactory result of pen-testing job? My main concern is that pen-testing is hard and it won't always result in gaining remote shells or roots. However, it is much easier to list potential vulnerabilities. For…
Aria
  • 2,706
  • 11
  • 19
50
votes
4 answers

Why aren't sessions exclusive to an IP address?

Given the appropriate XSS vulnerability, an attacker can hijack somebody's session with the data that's passed to and from the server. Why aren't sessions always exclusive to the IP they were started on? i.e., when would a website/service need to…
user81147
50
votes
3 answers

Why would a password requirement prohibit a number in the last character?

In configuring a new system today (Juniper Space, Linux-based Network Management platform), I came across a bizarre password requirement that I'm curious about. Upon logging into the web UI with the default credentials, I was prompted to change the…
HopelessN00b
  • 3,385
  • 1
  • 19
  • 27
50
votes
5 answers

Why is end-to-end encryption still not default in mails?

I am not a cryptographer. Maybe that is why I don't see the issues with integrating PGP into SMTP. In my head: Lea requests the server of Luke's domain jedi.com to tell her the public key of luke@jedi.com (The request includes an encryption method…
Chris Pillen
  • 619
  • 5
  • 6
50
votes
4 answers

Isn't OS X's Single-User Mode a bad idea?

Recently, I had a Mac which fried its video logic board. Luckily, Apple had concluded that this was a design flaw and was fixing the affected models for free (see more here). However, I did not find this page for a while, and during that time had to…
Toastrackenigma
  • 621
  • 1
  • 5
  • 10
50
votes
2 answers

Will same-site cookies be sufficient protection against CSRF and XSS?

I must say, that I like this idea and it seems that it will bring a new form of protection against CSRF and XSS or at least it will reduce those attacks. So, how effective will this protection be? SameSite-cookies is a mechanism for defining how…
Mirsad
  • 10,075
  • 8
  • 33
  • 54
50
votes
14 answers

How to learn penetration testing at home?

I am interested in learning ethical hacking or penetration testing to head towards a career in that direction. I have a strong knowledge of linux and unix, basic computer theory and practice and basic programming knowledge (arrays, methods,…
Cyrus
  • 501
  • 2
  • 5
  • 3
50
votes
4 answers

What's the common pragmatic strategy for managing key pairs?

I have a small number of different workstations (plus client devices like iPhone) that I use for to connecting to numerous servers using SSH. Originally when I learned about PKI, I created a single key pair on my workstation, which I promptly…
Andrew Vit
  • 825
  • 1
  • 6
  • 9
50
votes
9 answers

Writing my own encryption algorithm

I am currently studying IT at college (UK college aka not University) and the coursework is boring me to death. I have been coding for quite a while now mainly in OO languages such as C# and Java but often get bored and give up quickly because the…
Confuto
  • 637
  • 1
  • 6
  • 6
49
votes
4 answers

Can I use a private key as a public key and vice versa?

I have code to encrypt data using a public key and decrypt it using a private key. This is useful when a client wants to send data to a server and know that only the server can decrypt it. But say I want the server to encrypt data using the private…
Graeme Perrow
  • 592
  • 1
  • 4
  • 7
49
votes
6 answers

Is a website published in an obscure directory comparably secure to being placed behind a login?

Let's say I create a microsite for a client that contains confidential business information. We need to place this in a location the client can access, in order for them to approve for launch. If we place this microsite behind a login, we have a…
CodeMoose
  • 601
  • 5
  • 10
49
votes
4 answers

What vulnerabilities could be caused by a wildcard SSL cert?

In a comment on this answer, AviD says: "There are numerous security issues with wildcard SSL certs." So, what are the problems? I understand that the same private key is being used in multiple contexts, but given that I could host all of my…
user185
49
votes
5 answers

Should I take over a compromised website from another hacker?

A website (www.blue*****art.com) is trying to attack my server using the Shellshock vulnerability. After doing an Nmap scan on the attacking IP address, I found many open ports. It looks like the website is running Exim, which is vulnerable to…
user67281
  • 531
  • 1
  • 4
  • 3
49
votes
8 answers

What prevents web shop owners from misusing credit card data?

I don't own a credit card but read much about fraud with stolen credit cards. Since I don't own one, I don't know how you exactly buy online using your credit card, so please correct me, if I am wrong (and I hope so). Customer choses articles in…
sweet home
  • 593
  • 5
  • 7
49
votes
9 answers

Is making a clean install enough to remove potential malware?

Is formatting the disk and reinstalling the system from scratch (to Ubuntu) enough to remove any potential hidden software spyware, keyloggers etc.? Or can something still persist installed in the bios or something like that? What to do then? To be…
Strapakowsky
  • 3,049
  • 8
  • 26
  • 31
1 2 3
99 100