Questions tagged [exposure]

25 questions
21 votes, 3 answers

Is exposing exception information in web service a security risk?

It is a known fact that exposing the exception information to the end user provides security risks since an adversary can use that to figure out how things work internally and attack it. But what about a web service, where that information might be…
Ilya Chernomordik
15 votes, 3 answers

Bruteforce attack on my FTP server

I recently set up VSFTPD on my personal server for sharing files over FTP. In the vsftpd.log file, I see hundreds of failed attempts to log in with usernames like "adminitrator", "adminitrator1", "adminitrator2", "adminitrator123" etc. I am surprised…
18bytes
9 votes, 2 answers

Does http.sys vulnerability affect Windows not running any webservers?

The Windows kernel-level HTTP driver http.sys is affected by a remote code execution vulnerability (MS15-034). This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker …
vartec
9 votes, 1 answer

Employer stores plain text personal data in a 'data warehouse'

I'm unsure if I have posted this in the correct community but the organisation I am currently working for currently uses an SQL 'data warehouse' which contains a bunch of tables from various sources, for various purposes. This data warehouse (as far…
8 votes, 1 answer

Is exposing website performance data a security risk?

I am currently adding a subsite to some websites that allows me to monitor performance data live as the server software perceives it. The data is mostly stuff like amount of memory used, memory allocated, memory freed during last garbage collection,…
MarLinn
6 votes, 2 answers

Annual Rate of Occurrence (ARO) and Exposure Factor (EF) Data

I'm calculating loss expectancy (SLE/ALE) but where or how does one get data on annual rates of occurrences for various things? From simple hard-drive failure rates to something complex like the exploitation of client browsers? Or how about the…
jvff
4 votes, 4 answers

Safari downloaded my php source once. Should I worry?

I uploaded via ftp, then typed in the URL of the script to Safari; Safari downloaded the source!! This hosting site has never done that before - .php scripts have always executed. I can't duplicate it. The page loads as php should now. Maybe I just…
4 votes, 1 answer

Can I safely post the output of lspci, lsusb, lshw?

I'm having trouble with my SD card, and have been asked to inspect the output of tail -f /var/log/syslog, sudo lspci -v -nn, sudo lsusb, and sudo lshw. tail shows nothing when I insert the card, so there's nothing to post - no worries there.…
lofidevops
3 votes, 1 answer

Is a newly installed server with no services running (but connected to the web) at risk?

A new server has just been installed but literally has nothing else running on it, no services set up to SSH in or anything yet (it's a Linux server). However, it is hooked up to the web so I can start pulling software down and installing it. So…
Arlix
3 votes, 0 answers

What is the Meow Attack and how can I guard my databases against it?

Recently, there have been some news articles about unsolicited attacks on unsecured public-facing Elastic and Mongo databases. These are commonly being called "Meow" attacks, resulting in entire databases being deleted without ransom or warning. My…
3
votes
1 answer

How do applications such as password managers check leaked credentials and how can I get more results?

I have been using LastPass for a while and I have just seen an option to generate an exposure report. By its output, I assume it checks various sources containing credentials dumps from hacked web applications for matches to my username / e-mail.…
Alexei
3 votes, 2 answers

Securely expose WebService from Enterprise Network to Internet Client

(coming from stackoverflow) Are there any standards (or certified solutions) to expose a (Web-)Service to the internet from a very security-sensitive network (e.g. Banking/Finance)? I am not specifically talking about WS-* or any other…
hotzen
2 votes, 4 answers

Anonymity through Tor over VPN

I want to do some research on network anonymity. Assume that I am careful enough not to disclose any personal information while connected to an anonymous network. If I run a system that uses Tor over a VPN that I paid for with Bitcoins (free VPNs…
2 votes, 1 answer

Big insurance website exposing StackTrace of Java JSON Parser

Recently I have coincidentally discovered that an API endpoint of an insurance company is sending a StackTrace of a JSON parser as the response to an HTTP POST message with badly formatted JSON in the content field. The URL of the endpoint is indicating…
2 votes, 1 answer

How likely is an attack for a known OTA ring 0 vulnerability in mobile devices?

Following on from this question about a WiFi OTA vulnerability: assume a popular computing platform has a known vulnerability that would allow creation of a worm with access to ring 0 (kernel). Then, how likely is it / how long would it take before…
z0r