Questions tagged [threat-mitigation]

The elimination or reduction of the frequency, magnitude, or severity of exposure to risks, or minimization of the potential impact of a threat or warning.

178 questions
141 votes · 12 answers

Is public Wi-Fi a threat nowadays?

In my opinion, arguments we have been using for years to say that public Wi-Fi access points are insecure are no longer valid, and so are the recommended remedies (e.g. use VPN). Nowadays, most sites use HTTPS and set HSTS headers, so the odds that…
The Illusive Man
139 votes · 8 answers

I got an email threatening to DDoS me if I don't pay a ransom. What should I do?

I received the following email, addressed to me at an email address on my personal domain (for which I run my own mail server on a VPS): FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION! We are Armada Collective.…
alexw
65 votes · 5 answers

What can an attacker do with Bluetooth and how should it be mitigated?

What are the security risks of Bluetooth and what technologies and best practices should be used to protect my device? What can an attacker do once a malicious device is paired with mine? Specifically Is it a good idea to remove & re-pair my…
makerofthings7
59 votes · 1 answer

What's the Impact of the CloudFlare Reverse Proxy Bug? ("#CloudBleed")

In Project Zero #1139, it was disclosed that CloudFlare had a bug which disclosed uninitialized memory, leaking private data sent through them via SSL. What's the real impact?
58 votes · 9 answers

What can a company do against insiders going rogue and negatively affecting essential infrastructure?

In 2013, a Citibank employee had a bad performance review that ticked him off. The results were devastating: Specifically, at approximately 6:03 p.m. that evening, Brown knowingly transmitted a code and command to 10 core Citibank Global Control…
Nzall
57 votes · 11 answers

Are there "secure" languages?

Are there any programming languages that are designed to be robust against hacking? In other words, an application can be hacked due to a broken implementation, even though the design is perfect. I'm looking to reduce the risk of a developer…
TruthOf42
48 votes · 13 answers

DDoS - Impossible to stop?

Is it possible - in theory - to stop1 a DDoS attack of any size? Many people claim it's impossible to stop DDoS attacks and tell me I just shouldn't mess with the wrong people on the internet. But what if, in like 5 years, everyone is able to rent a…
user2173629
46 votes · 5 answers

Should web applications that are only accessible from a LAN be held to the same security standards as publicly accessible websites?

Many security measures are intended to protect against hostile users who want to abuse the software or get access to content they don't have permission to access. Things like CSRF protection, SQLi protection, TLS and many other security features…
Nzall
22 votes · 3 answers

What risks do Cookieless sessions have? What are the mitigations?

I'm debating if I should support cookieless sessions in my web app. It would look something like this: http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx Since the URL is never constant, I don't think it's possible for a CSRF…
makerofthings7
20 votes · 2 answers

Why does rfc6797 say "An HSTS Host MUST NOT include the STS header field in HTTP responses over non-secure transport."

Why does the RFC prohibit the server from sending HSTS to the client over HTTP? I can see that if an HTTP client responds to that insecure HTTP response it might cause that site to be inaccessible to the client, but I don't see any reason for the…
makerofthings7
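The two MUST rules the question is about, worked through in code. This is an added example, not code from the question or its answers: the field-value grammar and the processing rules are those of RFC 6797 (sections 6.1, 7.2 and 8.1), while the header values and the function names are constructed for the demo. The client-side rule exists because a plain-HTTP response can be written by anyone on the path, so honouring STS there would let a network attacker set or clear HSTS state; the server-side rule is the mirror image, since a compliant UA will ignore the header anyway.

```python
"""RFC 6797 handling of Strict-Transport-Security on both sides of the wire.

Added example, not taken from the question or its answers. The field value
syntax and the processing rules follow RFC 6797 sections 6.1, 7.2 and 8.1;
the header values below are constructed for the demo, not captured traffic.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

STS = "strict-transport-security"
Headers = List[Tuple[str, str]]
Policy = Dict[str, Union[int, bool]]

# one directive: name, optionally "=" and a token or quoted-string value
_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?:=\s*("[^"]*"|[^\s;"]*))?\s*$')


def parse_sts(value: str) -> Optional[Policy]:
    """Parse one STS field value (section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    value is one a UA must ignore: missing max-age, a directive repeated,
    or syntax outside the grammar. Unknown directives are skipped."""
    seen = set()
    max_age: Optional[int] = None
    include_sub = False
    for raw in value.split(";"):
        if not raw.strip():
            continue                      # grammar allows empty slots, e.g. a trailing ';'
        m = _DIRECTIVE.match(raw)
        if not m:
            return None
        name, val = m.group(1).lower(), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]               # unquote a quoted-string value
        if name in seen:
            return None                   # each directive MUST appear at most once
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            if val is not None:
                return None               # includeSubDomains takes no value
            include_sub = True
    if max_age is None:
        return None                       # max-age is REQUIRED
    return {"max_age": max_age, "include_subdomains": include_sub}


def process_sts(scheme: str, headers: Headers, host_is_ip: bool = False,
                tls_ok: bool = True) -> Union[Policy, str, None]:
    """User-agent side (section 8.1).

    Returns the policy to cache for the host, "delete" when max-age=0 tells
    the UA to forget a cached policy, or None when the response must not
    change HSTS state at all."""
    if scheme.lower() != "https" or not tls_ok:
        # MUST ignore STS over non-secure transport, or when the TLS session
        # had certificate errors: the header could have come from an
        # on-path attacker rather than the origin.
        return None
    if host_is_ip:
        return None                       # HSTS is keyed on domain names only
    values = [v for k, v in headers if k.lower() == STS]
    if not values:
        return None
    policy = parse_sts(values[0])         # several STS fields: only the first counts
    if policy is None:
        return None
    return "delete" if policy["max_age"] == 0 else policy


def lint_server_response(scheme: str, headers: Headers) -> List[str]:
    """Origin side: the section 7.2 rule the question quotes, plus two
    mistakes that make a well-meant header a no-op at the client."""
    findings = []
    values = [v for k, v in headers if k.lower() == STS]
    if values and scheme.lower() != "https":
        findings.append("STS header emitted over non-secure transport (RFC 6797 7.2 MUST NOT)")
    if len(values) > 1:
        findings.append("more than one STS header field; UAs process only the first")
    for v in values:
        if parse_sts(v) is None:
            findings.append(f"malformed STS value, UAs will ignore it: {v!r}")
    return findings


# Constructed sample responses for the demo
GOOD_HTTPS: Headers = [("Content-Type", "text/html"),
                       ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
SAME_OVER_HTTP: Headers = [("Strict-Transport-Security", "max-age=31536000")]

if __name__ == "__main__":
    print(process_sts("https", GOOD_HTTPS))      # policy cached
    print(process_sts("http", SAME_OVER_HTTP))   # None: ignored by the UA
    print(lint_server_response("http", SAME_OVER_HTTP))
```

Run it against your own origin's headers by substituting the captured tuples for the constructed lists; anything `lint_server_response` flags is a header the browser will silently drop.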
17 votes · 8 answers

Encrypting files on Google Drive

It's my understanding that files kept on Google Drive are not protected. I would like to have them encrypted so that, to view or modify them, one must enter a password. I foresee a potential dilemma: the computer must have the…
Celeritas
14 votes · 2 answers

Linux password changed. Is this an attack or a hardware glitch?

My Linux (Ubuntu 12.04) password suddenly changed last night and I'm not sure if this is an attack or just a hardware/user error. This is on a personal/non-server box. Several strange events led up to it, enumerated below: While browsing web pages,…
skytreader
14 votes · 4 answers

Possible to prevent Juice Jacking by only connecting USB pins 1 & 4?

According to this accepted answer, there is no phone on the market today that is immune from "Juice Jacking"*. I think an easy way to mitigate this threat is to have a filter that blocks USB pins 2 & 3 and only connects 1 & 4. (see Wiki for…
14 votes · 6 answers

How can mini-computers (like Raspberry Pi) be applied to IT security?

It's no secret that thousands of $35 Raspberry Pi (Model B) computers have just shipped to people around the world. With these, and other similar types of computers becoming cheaper and more available, what are the security implications? So as to…
Matt
14 votes · 1 answer

How does adding a random serial number improve a certificate's security?

This article says: "Finding collisions is a tricky process, since it requires you to muck with the bits of the public key embedded in the certificate (see this paper for more details). Also, Microsoft could have prevented this somewhat by…
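What "adding a random serial number" looks like on the issuing side, as an added example that is not part of the question or the article it quotes. It encodes two published rules: RFC 5280 section 4.1.2.2 (serialNumber is a positive INTEGER and conforming CAs MUST NOT use more than 20 octets) and the CA/Browser Forum Baseline Requirements (serials contain at least 64 bits of CSPRNG output). The collision attack the question refers to needs the attacker to know the to-be-signed bytes of the certificate before it is issued; a sequential counter gives that away, a CSPRNG draw does not. Function names, constants and the 48-bit heuristic threshold are this example's own choices.

```python
"""Random X.509 serial numbers: generation and the checks a CA should apply.

Added example, not from the question or the article it quotes. It encodes two
published rules: RFC 5280 section 4.1.2.2 (serialNumber is a positive INTEGER
and conforming CAs MUST NOT use more than 20 octets) and the CA/Browser Forum
Baseline Requirements (serials contain at least 64 bits of CSPRNG output).
"""
import secrets
from typing import List

SERIAL_BYTES = 16          # 128 bits of randomness, well above the 64-bit floor
MAX_SERIAL_OCTETS = 20     # RFC 5280 limit on the DER INTEGER content


def der_integer(n: int) -> bytes:
    """DER-encode a positive INTEGER: tag 0x02, one length byte, minimal
    big-endian content, with a 0x00 prefix when the top bit is set so the
    value is not read back as negative. That prefix is why a 20-byte random
    value can overflow the 20-octet limit."""
    if n <= 0:
        raise ValueError("serial must be positive")
    content = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    if len(content) > 127:
        raise ValueError("short-form length is enough for any sane serial")
    return bytes([0x02, len(content)]) + content


def make_serial(nbytes: int = SERIAL_BYTES) -> int:
    """Draw nbytes from the OS CSPRNG (secrets) and clear the top bit, so the
    value is positive and DER needs no padding octet."""
    mask = (1 << (8 * nbytes - 1)) - 1
    n = secrets.randbits(8 * nbytes) & mask
    while n == 0:                               # zero is not positive; redraw
        n = secrets.randbits(8 * nbytes) & mask
    return n


def check_serial(n: int) -> List[str]:
    """Return findings against RFC 5280 and the BR randomness rule. Entropy
    cannot be measured from one value, so the randomness check is a length
    heuristic: a genuine 64-bit CSPRNG draw is shorter than 48 bits only with
    probability 2**-16, while counters (1, 2, 3, ...) always trip it."""
    if n <= 0:
        return ["serial must be a positive integer (RFC 5280 4.1.2.2)"]
    findings = []
    content_octets = len(der_integer(n)) - 2
    if content_octets > MAX_SERIAL_OCTETS:
        findings.append(f"DER content is {content_octets} octets, RFC 5280 allows at most {MAX_SERIAL_OCTETS}")
    if n.bit_length() < 48:
        findings.append("serial is too short to plausibly carry 64 bits of CSPRNG output (CA/Browser Forum Baseline Requirements)")
    return findings


if __name__ == "__main__":
    s = make_serial()
    print(hex(s), der_integer(s).hex(), check_serial(s))
    print(check_serial(1))            # what a sequential CA would issue first
    print(check_serial(1 << 159))     # 160-bit value: the padding octet makes it 21 octets
```

The edge case worth remembering is the last one: a CA that draws a full 20 random bytes is fine only when the top bit happens to be clear, which is why `make_serial` masks it off rather than relying on luck.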