40 votes, 4 answers
Have computer criminals been known to exploit easily-edited websites like Wikipedia to embed malicious scripts?
When I was reading a page on Wikipedia several months ago (December 2014) I saw what looked like a pop-up window from BT, but I soon realized that when I closed the page the pop-up disappeared. I then opened Firebug and inspected the box and saw…
Alexander Kalian
40 votes, 8 answers
Is "different usernames" as good as "different passwords"?
The answers to this question, and the associated xkcd got me wondering: if I use different account names in every service, then can I use the same hard-to-crack password in each?
I'm thinking that cross-site password hacking, a-la-xkcd, is done by a…
GreenAsJade
40 votes, 5 answers
Why do you need to close your browser window after logging out of a website?
I might be wrong, but I believe the request to close the browser window after logging out is common, though it's completely unclear what the risks might be of failing to close a browser window (assuming the browser is completely up-to-date) and why…
blunders
40 votes, 9 answers
How does SSL/TLS PKI work?
We have lots of questions that address portions of SSL/TLS as it relates to PKI, but none of them seem to bring everything together. A canonical answer that we can point people to I think would be quite helpful.
We have How Does SSL/TLS Work?…
RoraΖ
40 votes, 3 answers
Predicting Math.random() numbers?
I was reading up on the documentation for Math.random() and I found the note:
Math.random() does not provide cryptographically secure random
numbers. Do not use them for anything related to security. Use the Web
Crypto API instead, and more…
Abe Miessler
40 votes, 3 answers
How to detect if I am vulnerable to "Superfish," and how to remove it?
The site already has a discussion of the security risks of "Superfish". It seems to me that anything that tampers with the bits of one's connection is bad. If it tampers with TLS connections, it is evil.
How can I determine if I am vulnerable to…
Bob Brown
40 votes, 9 answers
Is it bad to have cameras using a static IP address?
I am about to move into a new house, and I would like to install some security cameras.
The contractor told me that in order for me to check the videos recorded by the cameras in real time when I am away I'll need to have a static IP address.
Are…
Ant
40 votes, 6 answers
Is SQL injection possible with LIMIT?
A friend of mine built a web application that I'm testing for fun. I noticed that he allows a user to set the limit of a certain query, and that limit is not sanitized.
For example, I can choose any number or string I like as a limit. I realize…
Ali
40 votes, 6 answers
What is the simplest safe way to convey a password to another person?
What is the easiest way for two people – neither of whom is a computer specialist, and who cannot meet in person – to send a password for an encrypted file that is attached to an email?
The two simplest methods are these: telephone the other person and…
Peter
40 votes, 3 answers
What is an SSL certificate intended to prove, and how does it do it?
If I get an SSL certificate from a well-known provider, what does that prove about my site and how?
Here's what I know:
Assume Alice and Bob both have public and private keys
If Alice encrypts something with Bob's public key, she ensures that only…
Nathan Long
40 votes, 6 answers
Can malware be dangerous even when quarantined?
I am reading a book on network security and when talking about user confusion it writes:
"It is not uncommon for a user to be asked security questions such as
Is it safe to quarantine this attachment? With little or no direction, users are…
Peter Horniak
40 votes, 4 answers
How to know if firmware is stealing my information?
The recent news item Chinese Star N9500 Android smartphone contains factory-installed Trojan, says security firm has prompted me to think about firmware security. The news mentions the spyware is part of the device's firmware.
This makes me worry:…
Just a HK developer
40 votes, 3 answers
Is the HTTP TRACE method a security vulnerability?
I saw many posts here on this site dishing out advice on disabling the HTTP TRACE method to prevent cross-site tracing. I sought to do the same thing. But when I read the Apache documentation, it gives the opposite advice:
Note
Despite claims to the…
Question Overflow
40 votes, 15 answers
Why do people think that this is a bad way to hash passwords?
What's wrong with this code?
$password = "hello";
$password = md5($password);
for ($i = 1; $i < 20; $i++) {
    $password = md5($password); // re-hash the previous digest, 20 rounds of MD5 in total
}
I don't think an attacker with access to the hashes storage would be able to decrypt any password using more…
genesis
40 votes, 1 answer
Should I publish my public SSH key with user@hostname at the end?
In ~/.ssh/id_rsa.pub my public key is stored as:
ssh-rsa magicmagicmagicmagic...magicmagic username@hostname
When publishing my public key, should I include the username@hostname bit? Can I replace it with something else? My concerns are that:
I…
lofidevops