Most Popular
1500 questions
40
votes
4 answers
Have computer criminals been known to exploit easily-edited websites like Wikipedia to embed malicious scripts?
When I was reading a page on Wikipedia several months ago (December 2014) I saw what looked like a pop-up window from BT, but I soon realized that when I closed the page the pop-up disappeared. I then opened Firebug and inspected the box and saw…

Alexander Kalian
- 553
- 4
- 10
40
votes
2 answers
Is it safe to send SSL certificates via email?
I just ordered a cheap Comodo PositiveSSL Certificate via a UK reseller, and I was rather surprised to find that the following files were emailed to me automatically, in a zip file:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA…

halfer
- 831
- 1
- 7
- 12
40
votes
8 answers
Is "different usernames" as good as "different passwords"?
The answers to this question, and the associated xkcd got me wondering: if I use different account names in every service, then can I use the same hard-to-crack password in each?
I'm thinking that cross-site password hacking, a-la-xkcd, is done by a…

GreenAsJade
- 1,021
- 1
- 9
- 10
40
votes
5 answers
Why do you need to close your browser window after logging out of a website?
I might be wrong, but I believe the request to close the browser window after logging out is common, though it's completely unclear what the risks might be of failing to close a browser window (assuming the browser is completely up-to-date) and why…

blunders
- 5,072
- 4
- 30
- 45
40
votes
9 answers
How does SSL/TLS PKI work?
We have lots of questions that address portions of SSL/TLS as it relates to PKI, but none of them seem to bring everything together. A canonical answer that we can point people to I think would be quite helpful.
We have How Does SSL/TLS Work?…

RoraΖ
- 12,457
- 4
- 52
- 84
40
votes
3 answers
How to detect if I am vulnerable to "Superfish," and how to remove it?
The site already has a discussion of the security risks of "Superfish". It seems to me that anything that tampers with the bits of one's connection is bad. If it tampers with TLS connections, it is evil.
How can I determine if I am vulnerable to…

Bob Brown
- 5,323
- 1
- 20
- 29
40
votes
9 answers
Is it bad to have cameras using a static IP address?
I am about to move into a new house, and I would like to install some security cameras.
The contractor told me that in order for me to check the videos recorded by the cameras in real time when I am away I'll need to have a static IP address.
Are…

Ant
- 673
- 1
- 5
- 12
40
votes
6 answers
Is SQL injection possible with LIMIT?
A friend of mine built a web application that I'm testing for fun. I noticed that he allows a user to set the limit of a certain query, and that limit is not sanitized.
For example, I can choose any number or string I like as a limit. I realize…

Ali
- 519
- 1
- 4
- 8
40
votes
8 answers
Who is responsible for the strength of users' passwords?
Who is responsible for a user's password's strength? Is it us (developers, architects, etc.) or the user?
As a web developer, I've frequently wondered whether I should enforce a minimal password strength on my websites'/applications' users.
I…

Michal M
- 549
- 4
- 7
40
votes
6 answers
Can malware be dangerous even when quarantined?
I am reading a book on network security and when talking about user confusion it writes:
"It is not uncommon for a user to be asked security questions such as
Is it safe to quarantine this attachment? With little or no direction, users are…

Peter Horniak
- 503
- 1
- 4
- 5
40
votes
15 answers
Why do people think that this is a bad way to hash passwords?
What's wrong with this code?
$password = "hello";
$password = md5($password);
// Re-hash the hex digest 19 more times (the loop runs for $i = 1..19)
for ($i = 1; $i < 20; $i++) {
    $password = md5($password);
}
I don't think an attacker with access to the hashes storage would be able to decrypt any password using more…

genesis
- 718
- 6
- 15
40
votes
1 answer
Should I publish my public SSH key with user@hostname at the end?
In ~/.ssh/id_rsa.pub my public key is stored as:
ssh-rsa magicmagicmagicmagic...magicmagic username@hostname
When publishing my public key, should I include the username@hostname bit? Can I replace it with something else? My concerns are that:
I…

lofidevops
- 3,630
- 7
- 26
- 32
40
votes
2 answers
Why does Google cripple the 2FA Google Authenticator PAM module?
If you enable 2FA for Google Apps the shared secret is 160 bits. The google_authenticator PAM module on the other hand seems to use 80 bits for the shared secret.
According to RFC 4226:
R6 - The algorithm MUST use a strong shared secret. The…

Akshay Kumar
- 502
- 4
- 7
40
votes
4 answers
Cracking a linear congruential generator
I was recently listening to the Security Now podcast, and they mentioned in passing that the linear congruential generator (LCG) is trivial to crack. I use the LCG in a first year stats computing class and thought that cracking it would make a nice…

csgillespie
- 1,007
- 2
- 10
- 15
40
votes
4 answers
Is generating random numbers using a smartphone camera a good idea?
Forgive my ignorance on the subject, but I wish to know more and asking (stupid) questions is one way. I was reading http://www.random.org/randomness/ and this idea popped into my head (before the bit about lava-lamps)
Considering the…

ian
- 1,302
- 11
- 21