Questions tagged [exposure]
25 questions
21 votes, 3 answers
Is exposing exception information in web service a security risk?
It is a known fact that exposing the exception information to the end user provides security risks since an adversary can use that to figure out how things work internally and attack it. But what about a web service, where that information might be…
Ilya Chernomordik
15 votes, 3 answers
Bruteforce attack on my FTP server
I recently set up VSFTPD on my personal server for sharing files over FTP. In the vsftpd.log file, I see hundreds of failed attempts to log in with usernames like "adminitrator", "adminitrator1", "adminitrator2", "adminitrator123" etc.
I am surprised…
18bytes
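The pattern in that log (one client, many failed logins, sequential username variants) is a password-guessing run, and the useful first step is to count failures per source address and per distinct username. The following is an added example, not code from the question or from vsftpd: it parses constructed lines in vsftpd.log's `[pid N] [user] FAIL LOGIN: Client "ip"` style and flags sources over a threshold. The addresses and usernames are made up (TEST-NET ranges); the regex and threshold are assumptions for the demo.

```python
"""Count failed FTP logins per source in vsftpd.log and flag brute-force sources."""
import re
from collections import Counter, defaultdict

# Constructed sample in vsftpd.log style; addresses are from documentation ranges.
SAMPLE_LOG = """\
Tue Feb  4 10:13:05 2020 [pid 4021] [adminitrator] FAIL LOGIN: Client "203.0.113.5"
Tue Feb  4 10:13:06 2020 [pid 4023] [adminitrator1] FAIL LOGIN: Client "203.0.113.5"
Tue Feb  4 10:13:07 2020 [pid 4025] [adminitrator2] FAIL LOGIN: Client "203.0.113.5"
Tue Feb  4 10:13:08 2020 [pid 4027] [adminitrator123] FAIL LOGIN: Client "203.0.113.5"
Tue Feb  4 10:13:09 2020 [pid 4029] [admin] FAIL LOGIN: Client "203.0.113.5"
Tue Feb  4 10:14:00 2020 [pid 4031] [alice] FAIL LOGIN: Client "198.51.100.7"
Tue Feb  4 10:14:20 2020 [pid 4033] [alice] OK LOGIN: Client "198.51.100.7"
"""

# Assumed line shape: "<ctime> [pid N] [user] OK|FAIL LOGIN: Client "<ip>""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse(log_text):
    """Yield one dict per login event; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failed_logins_by_ip(log_text):
    """Return (failures per ip, set of usernames tried per ip)."""
    fails = Counter()
    users = defaultdict(set)
    for ev in parse(log_text):
        if ev["result"] == "FAIL":
            fails[ev["ip"]] += 1
            users[ev["ip"]].add(ev["user"])
    return fails, users


def bruteforce_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures.

    The distinct-user count is the second signal: a real user mistyping a
    password retries one name, a scanner walks a wordlist.
    """
    fails, users = failed_logins_by_ip(log_text)
    return {
        ip: {"failures": n, "distinct_users": len(users[ip])}
        for ip, n in fails.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in bruteforce_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at the real file with `bruteforce_sources(open("/var/log/vsftpd.log").read())`. In production the same logic is what a fail2ban jail with its vsftpd filter does continuously, with a ban action attached; the script is only for seeing what is in the log now.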
9 votes, 2 answers
Does http.sys vulnerability affect Windows not running any webservers?
Windows kernel level HTTP driver http.sys is affected by remote code execution vulnerability (MS15-034).
This security update resolves a vulnerability in Microsoft Windows.
The vulnerability could allow remote code execution if an attacker
…
vartec
9 votes, 1 answer
Employer stores plain text personal data in a 'data warehouse'
I'm unsure if I have posted this in the correct community but the organisation I am currently working for currently uses an SQL 'data warehouse' which contains a bunch of tables from various sources, for various purposes. This data warehouse (as far…
nopassport1
8 votes, 1 answer
Is exposing website performance data a security risk?
I am currently adding a subsite to some websites that allows me to monitor performance data live as the server software perceives it. The data is mostly stuff like amount of memory used, memory allocated, memory freed during last garbage collection,…
MarLinn
6 votes, 2 answers
Annual Rate of Occurrence (ARO) and Exposure Factor (EF) Data
I'm calculating loss expectancy (SLE/ALE) but where or how does one get data on annual rates of occurrences for various things? From simple hard-drive failure rates to something complex like the exploitation of client browsers? Or how about the…
jvff
4 votes, 4 answers
Safari downloaded my php source once. Should I worry?
I uploaded via ftp, then typed in the URL of the script to Safari; Safari downloaded the source!!
This hosting site has never done that before - .php scripts have always executed.
I can't duplicate it. The page loads as php should now.
Maybe I just…
Bobbi Bennett
4 votes, 1 answer
Can I safely post the output of lspci, lsusb, lshw?
I'm having trouble with my SD card, and have been asked to inspect the output of tail -f /var/log/syslog, sudo lspci -v -nn, sudo lsusb, and sudo lshw. tail shows nothing when I insert the card, so there's nothing to post - no worries there.…
lofidevops
3 votes, 1 answer
Is a newly installed server with no services running (but connected to the web) at risk?
A new server has just been installed but literally has nothing else running on it, no services setup to SSH in or anything yet (it's a Linux server).
However, it is hooked up to the web so I can start pulling software down and installing it.
So…
Arlix
3 votes, 0 answers
What is the Meow Attack and how can I guard my databases against it?
Recently, there have been some news articles about unsolicited attacks on unsecured public facing Elastic and Mongo databases. These are commonly being called "Meow" attacks, resulting in entire databases being deleted without ransom or warning.
My…
MDMoore313
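The instances hit in those reports shared two settings: the database listened on a public interface and required no credentials. An added example (not from the question, nor from MongoDB or Elasticsearch) that reads the relevant keys out of mongod.conf and elasticsearch.yml and reports the exposed combination next to a corrected one. The config texts are constructed, the flattening is a deliberately crude line scanner rather than a YAML parser, and the default values assumed in the comments (mongod binding to localhost since 3.6, Elasticsearch defaulting to loopback) are the documented defaults, not something the question states.

```python
"""Flag the bind-everywhere, no-auth combination in MongoDB / Elasticsearch configs."""

# Constructed mongod.conf fragments: exposed (left as the Meow victims ran it)
# and corrected (loopback only, authorization on).
MONGOD_CONF_EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
MONGOD_CONF_OK = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Constructed elasticsearch.yml fragments, same idea.
ES_YML_EXPOSED = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
ES_YML_OK = "network.host: 127.0.0.1\nxpack.security.enabled: true\n"


def flat_kv(text):
    """Crude flattening: every 'key: value' line becomes an entry, indentation
    ignored, comments stripped. Enough for the scalar bind/auth keys checked
    below; it is not a YAML parser and will confuse keys that repeat at
    different nesting levels.
    """
    kv = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            if value:
                kv[key.strip()] = value
    return kv


def audit_mongod(conf_text):
    """Return a list of findings for a mongod.conf text (empty list is clean)."""
    kv = flat_kv(conf_text)
    findings = []
    bind = kv.get("bindIp", "127.0.0.1")  # assumed default: localhost (mongod 3.6+)
    all_ifaces = kv.get("bindIpAll", "false").lower() == "true"
    if all_ifaces or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("bound to all interfaces via bindIp/bindIpAll")
    if kv.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: no login required")
    return findings


def audit_elasticsearch(conf_text):
    """Return a list of findings for an elasticsearch.yml text."""
    kv = flat_kv(conf_text)
    findings = []
    host = kv.get("network.host", "_local_").strip("\"'")  # assumed default: loopback
    if host in ("0.0.0.0", "::", "_site_", "_global_"):
        findings.append("network.host exposes the node beyond loopback")
    sec = kv.get("xpack.security.enabled")
    if sec is None:
        findings.append("xpack.security.enabled not set: default is version dependent, verify")
    elif sec.lower() == "false":
        findings.append("xpack.security.enabled is false: no authentication")
    return findings


if __name__ == "__main__":
    print("mongod exposed:", audit_mongod(MONGOD_CONF_EXPOSED))
    print("mongod ok:     ", audit_mongod(MONGOD_CONF_OK))
    print("es exposed:    ", audit_elasticsearch(ES_YML_EXPOSED))
    print("es ok:         ", audit_elasticsearch(ES_YML_OK))
```

A clean config is necessary but not the whole answer: the file says nothing about what the host firewall or cloud security group permits, so confirm from outside the network that 27017 and 9200 are not reachable, and keep an offline backup, since the attacks in the question delete data rather than encrypt it.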
3 votes, 1 answer
How do applications such as password managers check leaked credentials and how can I get more results?
I have been using LastPass for a while and I have just seen an option to generate an exposure report. By its output, I assume it checks various sources containing credentials dumps from hacked web applications for matches to my username / e-mail.…
Alexei
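The question does not say which sources LastPass consults. One mechanism that is public and that any tool can use for the password half of such a report is Have I Been Pwned's Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the returned suffixes locally, so the service never sees the password or even its full hash. The block below is an added example, not LastPass's code and not HIBP's: it implements that k-anonymity lookup against a constructed range response (the counts in it are made up, the `password` entry's hash is real). Account-level breach search by username or e-mail is a separate, API-key-gated HIBP endpoint and is not shown.

```python
"""k-anonymity password check in the style of the Pwned Passwords range API."""
import hashlib


def sha1_hex_upper(password):
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """(prefix sent to the service, suffix kept locally)."""
    h = sha1_hex_upper(password)
    return h[:5], h[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    breach count for our suffix, or 0 if it is not present."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Return how many times `password` appeared in known dumps (0 = not seen).
    `fetch_range(prefix)` must return the response body for that prefix."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real query; not exercised offline. Only the 5-char prefix leaves the host."""
    import urllib.request
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "exposure-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to GET /range/5BAA6. The counts are
# invented; the third suffix is the real SHA-1 of "password" minus its prefix.
FAKE_RESPONSE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def fake_fetch(prefix):
    return FAKE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print("password ->", check_password("password", fake_fetch))
```

Swap `fake_fetch` for `fetch_range_live` to query the real service. The privacy property is that a responder with the prefix alone cannot tell which of the several hundred suffixes in the bucket is yours; the cost is that the client must be trusted to compare locally, which is why a password manager can offer this without shipping your vault anywhere.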
3 votes, 2 answers
Securely expose WebService from Enterprise Network to Internet Client
(coming from stackoverflow)
Are there any standards (or certified solutions) to expose a (Web-)Service to the internet from a very security-sensitive network (e.g. Banking/Finance)?
I am not specifically talking about WS-* or any other…
hotzen
2 votes, 4 answers
Anonymity through Tor over VPN
I want to do some research on network anonymity.
Assume that I am careful enough not to disclose any personal information while connected to an anonymous network.
If I run a system that uses Tor over a VPN that I paid for with Bitcoins (free VPNs…
user2554749
2 votes, 1 answer
Big insurance website exposing StackTrace of Java JSON Parser
Recently I have coincidentally discovered that an API endpoint of an insurance company is sending a StackTrace of a JSON parser as a response to an HTTP POST message with badly formatted JSON in the content field.
The url of the endpoint is indicating…
Matthias Herrmann
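Both this question and the first one on the page ("Is exposing exception information in web service a security risk?") come down to the same contrast: what the client gets back when a request fails. The block below is an added example, not code from either question or from the insurance company's API: a leaky handler that echoes the parser traceback, beside a hardened one that returns a generic message with a correlation id and keeps the traceback in the server log. The handlers are plain functions standing in for a framework view, `_process` is a hypothetical business-logic step, and the request bodies are constructed.

```python
"""Leaky versus hardened error handling for a JSON web endpoint."""
import json
import logging
import traceback
import uuid

log = logging.getLogger("api")
SERVER_LOG = []  # stands in for the server-side log sink (constructed for the demo)


def _process(payload):
    """Hypothetical business logic: the request must carry a "policy" key."""
    return {"policy": payload["policy"], "status": "ok"}


def handle_leaky(raw_body):
    """Return (status, body); on any failure the traceback goes to the client.

    This is the anti-pattern from both questions: the parser's exception class,
    the server's file paths and line numbers, and the name of the failing
    function are all handed to whoever sent the malformed request.
    """
    try:
        return 200, json.dumps(_process(json.loads(raw_body)))
    except Exception:
        return 500, traceback.format_exc()


def handle_hardened(raw_body):
    """Return (status, body); details stay server-side, keyed by an error id."""
    error_id = uuid.uuid4().hex
    try:
        payload = json.loads(raw_body)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        # A client error gets a client-level message and nothing more.
        return 400, json.dumps({"error": "malformed JSON", "error_id": error_id})
    try:
        return 200, json.dumps(_process(payload))
    except Exception:
        # Full traceback to the log, opaque id to the caller; support staff can
        # correlate the two without the client learning anything about internals.
        SERVER_LOG.append((error_id, traceback.format_exc()))
        log.error("request %s failed", error_id, exc_info=True)
        return 500, json.dumps({"error": "internal error", "error_id": error_id})


if __name__ == "__main__":
    bad = '{"policy": '  # constructed malformed request body
    print(handle_leaky(bad)[1])
    print(handle_hardened(bad)[1])
```

Run it and compare the two bodies: the leaky one names the parser class and the module path of the server code, which is exactly the "how things work internally" information the first question is asking about. The hardened one tells the client only what it needs (the JSON was malformed, or something failed and here is a reference), and the 400/500 split keeps the distinction between their mistake and ours without leaking either.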
2 votes, 1 answer
How likely is an attack for a known OTA ring 0 vulnerability in mobile devices?
Following on from this question about a WiFi OTA vulnerability: assume a popular computing platform has a known vulnerability that would allow creation of a worm with access to ring 0 (kernel). Then, how likely is it / how long would it take before…
z0r