Questions tagged [statistics]

28 questions
138 votes, 8 answers

Are "man in the middle" attacks extremely rare?

In "Some thoughts on the iPhone contact list controversy and app security" (cdixon blog), Chris Dixon makes a statement about web security: Many commentators have suggested that a primary security risk is the fact that the data is transmitted in plain…
Jeff Atwood
20 votes, 2 answers

What statistics can be used to identify pseudorandom data?

I'm working on some code that attempts to identify files whose contents appear to be "random". As such, I'm looking for statistical measures that can be used to identify such randomness. I've implemented the following so far: Shannon entropy of the…
Polynomial
14 votes, 2 answers

How many passwords does the average user know?

Looking for research on the count and complexity of passwords that an average user is actively using. Note: Also, just to be clear, by research, this is not a request for you to respond with an answer entirely based on opinions, rather than facts,…
blunders
14 votes, 5 answers

Where can I find statistics on security breaches?

I am putting together a security presentation, and I would like statistics on the occurrence of and damages from security breaches. Does anyone know of a reliable, recently-updated source?
Sean W.
10 votes, 2 answers

Average number of exploitable bugs per thousand lines of code?

Over the years I've heard various estimates for the average number of exploitable bugs per thousand lines of code, a common figure being one exploitable bug per thousand lines of code. A Google search gives some much lower figures like 0.020 and…
David Wachtfogel
7 votes, 4 answers

What are the most common infection vectors for personal computers?

We have OWASP to tell us about common security vulnerabilities in webapps and such, but what are the most common infection vectors for personal computers? A few example vectors: Social engineering (trojans) Browser exploits Document / application…
Polynomial
7 votes, 2 answers

What fraction of vulnerabilities does black-box pentesting find?

Black-box penetration testing is one way to check a web application for vulnerabilities. It can find some vulnerabilities, but not all. What fraction of vulnerabilities does black-box pentesting find, on average? Is anyone aware of any data or…
D.W.
5 votes, 4 answers

How to check for duplicate passwords?

Is it possible to check if a given number of people are using the same password, without risking anyone's password getting out? I heard that Google does this, not allowing the user to set a password 1000 people are using. What if users have access…
Behrooz
5 votes, 2 answers

Average time before a malware gets detected in the world

I am actually working on a scholarly presentation about the Careto malware. I was really impressed by the time it took to discover it (at least 6 years, according to some compilation stamps), so to improve my presentation I am looking for statistics about…
5 votes, 3 answers

What fraction of web sites are vulnerable?

It is known that security vulnerabilities are common on the web: many web sites are vulnerable. Is there any data on what fraction of web sites are vulnerable, and what fraction are secure?
D.W.
4 votes, 2 answers

What are the most common username-based password patterns?

I know that there are some common passwords like hunter6 or Password. These are very insecure since everybody knows to try them first. It is commonly thought that passwords derived from the username alone are also insecure. For instance, setting the…
Superbest
4 votes, 2 answers

Is there a benefit in measuring randomness? How would it be done?

Is there any benefit in determining how random a given file, stream, or signal is? I guess this would be useful to determine: if something is (poorly) encrypted; to verify the proper encryption of a file or data (GCM, SALSA20, or unknown cipher); to…
makerofthings7
3 votes, 1 answer

How to evaluate the security level of session ID generation?

For a few weeks we observed a collision in session ID generation, resulting in two operators independently connected to a test web application sharing the same session. We investigated the issue and exercised the session ID generation to generate…
3 votes, 1 answer

How to identify call stats about 2/3/4G users in a room?

If someone can please provide some advice about the following problem I am trying to solve, it will be great. Scenario: a standard office room, with (say) a couple of people in it. What I want to find: (1) how many cell phones are in the room; (2) what…
abby
3 votes, 1 answer

What percent of publicly posted databases implemented password security?

I am trying to get some statistics on databases that were a part of data breaches, namely, I would like to be able to find out what percentages of publicly posted databases (from a data breach) had passwords stored in plain text form, hashed, salted…
leomercury