Questions tagged [risk]
104 questions
39
votes
14 answers
How to safely save passwords for a future administrator?
I am the volunteer IT administrator for a local non-profit organization. The organization has a few systems - specifically security cameras, network hardware, and telephones - that have local administrator accounts to manage them. Right now, I am…
Moshe Katz
- 1,331
- 1
- 11
- 17
26
votes
7 answers
Is malware distributed with pirated software actually common?
An often-repeated piece of conventional wisdom goes like the following.
Don't download pirated software, they often contain malware.
I'm curious to know if there are any hard facts to backup this claim.
I've seen plenty of software vendors making…
Alexander O'Mara
- 8,774
- 6
- 34
- 38
20
votes
6 answers
When registering for most websites, why do you need to confirm your email address?
I'm working on a site which allows users to sign up for a service. They choose a username/password, enter their personal details, etc and proceed into the site, their details being stored for future visits.
Currently, we don't ask for confirmation…
bobble14988
- 1,355
- 3
- 9
- 12
20
votes
7 answers
Can I trust DNS servers?
If I use my own VPN and use third party DNS - can I trust it?
For example, is there any possibilities that an attacker can track the requests by contacting the DNS-hosting (assume that attacker have order and DNS-hosting have logs), and find out…
ideloxew
- 497
- 1
- 5
- 16
19
votes
3 answers
How to convince my management of a physical security risk?
While I do not claim to be an expert in all things security based, I'd think that I have a good grounded knowledge of what is acceptable and what is not in regards to digital security.
After giving some general advice on internal network security, I…
Aaron Dobbing
- 473
- 3
- 13
14
votes
7 answers
What risk rating models are used for calculating risk scores of web vulnerabilities?
What risk rating methods, models, assessments or methodologies are used for calculating or estimating a risk score of vulnerabilities (for example, like described in the OWASP top 10) and which of those are best to use for web vulnerabilities?
I'm…
Bob Ortiz
- 6,234
- 8
- 43
- 90
13
votes
5 answers
What is the risk of giving USB drives as promotional items by a healthcare provider
There have been a couple of instances where malware infected USB drives have been given away unknowingly as promotional items at conferences, e.g., IBM in 2010.
Besides this, if a healthcare company were to give away "branded" USB drives, what…
Cassandra Cross
- 131
- 2
13
votes
7 answers
Looking for Information security / risk management table top or card games
I am looking for table top or card games related to risk management or information security. A kind of "serious" game that can be used as a teaching tool of infosec/risk management.
I know only about Microsoft's Elevation of Privilege.
Konrads
- 589
- 1
- 5
- 15
12
votes
4 answers
Are short usernames a security concern?
I was somewhat suprised that the sysadmin approved a one-letter username like "m" and my username is also short ("nik"). I think that if usernames are brute force attacked then the username should also be longer than just a few characters. Do you…
Niklas Rosencrantz
- 450
- 5
- 20
11
votes
1 answer
Security risks replying to emails using a personal account
I happen to have a very common name.
I own the corresponding gmail account @gmail.com and I regularly receive emails meant for someone else.
Because they very often seem to contain important information, I always reply to let the senders know that…
Marco Altieri
- 633
- 5
- 13
11
votes
3 answers
What are PHP allow_url_fopen security risk?
Recently I was reading an article about file_get_contents and HTTPS.
One part that caught my attention is:
Of course, the allow_url_fopen setting also carries a separate risk of
enabling Remote File Execution, Access Control Bypass or…
Gudradain
- 6,921
- 2
- 26
- 43
7
votes
3 answers
What are the risk implications of not verifying referer header on login form?
Imagine a generic web application with a login form to access the application. Regardless of how the actual authentication is performed, what are the implications of not checking the referer header to verify the submit request is coming from within…
Steve
- 15,155
- 3
- 37
- 66
7
votes
1 answer
How big is the risk of hash fixed points/cycles?
It's established wisdom to hash password multiple times with a salt to increase the time it takes per brute force iteration. At the same time (unless the algorithm guarantees otherwise) there's a minuscule but non-zero chance of ending up with a…
l0b0
- 2,981
- 20
- 29
7
votes
3 answers
Does a working JTAG diagnostics port on Android phone add unnecessary risk?
Not enough people seem to know about JTAG outside the hacker and LEO communities but the short version is that JTAG allows anyone with physical access to your phone to chew their way right into it.
I can't understand why fundamentally disposable…
Mark Mullin
- 381
- 2
- 9
6
votes
2 answers
Annual Rate of Occurrence (ARO) and Exposure Factor (EF) Data
I'm calculating loss expectancy (SLE/ALE) but where or how does one get data on annual rates of occurrences for various things? From simple hard-drive failure rates to something complex like the exploitation of client browsers? Or how about the…
jvff
- 61
- 1
- 2