Most Popular

1500 questions
39
votes
5 answers

Security impact of using a public password for free WiFi

We have a WiFi network that we want to be public and free. Does having a password that is known to everyone provide any additional security advantage to the people using this network as opposed to just leaving it without a password? i.e. Can a…
epeleg
  • 615
  • 1
  • 8
  • 13
39
votes
2 answers

How do email clients "send later" without storing a password?

Email clients like Spark for macOS have a feature where a user can send an email later, at any given time, even when the computer is turned off. An SMTP server needs a password based authentication, though. Does that mean that if I use Spark to send…
NikxDa
  • 773
  • 1
  • 5
  • 12
39
votes
5 answers

Pen test results for web application include a file from a forbidden directory that is not even used or referenced

In a recent pen test of a web application one of the issues found was a 'backup file'. This was a javascript file that was renamed to filename.js1 when an updated version of filename.js was uploaded. The 'backup file' lives in a directory with…
Alfie
  • 451
  • 4
  • 7
39
votes
8 answers

How can I prevent a user from copying files to another hard drive?

I have a Linux machine that contains sensitive files. Users should be able to access (read) them when they are using the computer, but should not be able to copy them to another hard drive (USB stick or another hard drive that might have been added…
Iakovos Gurulian
  • 509
  • 1
  • 4
  • 9
39
votes
5 answers

Should I use HTTPS on a domain that will only be used for redirection?

If I have a domain, https://www.example.com. It has an SSL certificate for that domain only. I also want to redirect people who only type example.com in their browser's address bar. Should I secure the second domain https://example.com and why, or…
Michel
  • 501
  • 4
  • 6
39
votes
4 answers

What is formjacking?

I just heard a very confused news broadcast about Symantec warning the world about the dangers of formjacking. The newsreader said it involved “hacking the form, not the website” whatever that means. I googled around and found a Symantec blog post…
11684
  • 502
  • 1
  • 4
  • 10
39
votes
7 answers

Is it possible to detect 100% of SQLi with a simple regex?

I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex. In other words, using very simple PHP code as an example: if (preg_match("/select/i", $input)) { attack_log("Possible SELECT SQLi…
reed
  • 15,398
  • 6
  • 43
  • 64
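The question's own check is a single case-insensitive keyword match. The following C program is an added example (not code from the question or any of its answers) that ports that check to POSIX `regex.h` under the hypothetical name `naive_sqli_check` and runs it over a small constructed corpus of inputs, labelled with the verdict a human reviewer would give. It shows the two failure modes a keyword regex has by construction: classic injection strings that contain no `SELECT` at all pass straight through, and ordinary text containing the substring is flagged.

```c
#include <regex.h>
#include <stdio.h>
#include <stddef.h>

/* C port of the PHP check from the question (hypothetical name): returns 1 when
 * the input matches /select/i, 0 when it does not, -1 if the regex fails to compile. */
int naive_sqli_check(const char *input)
{
    regex_t re;
    int rc;
    if (regcomp(&re, "select", REG_ICASE | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, input, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Constructed corpus: is_attack is the ground truth, assigned by hand. */
struct sample { const char *input; int is_attack; };

static const struct sample corpus[] = {
    {"1 UNION SELECT username, password FROM users", 1}, /* detected: contains SELECT */
    {"' OR '1'='1",                                 1}, /* tautology: no SELECT keyword */
    {"1; DROP TABLE users; --",                     1}, /* stacked statement: no SELECT */
    {"admin'--",                                    1}, /* comment truncation: no SELECT */
    {"Please select a colour from the list",        0}, /* ordinary English */
    {"Daniel Selector",                             0}, /* keyword as a substring of a name */
    {"hello world",                                 0}, /* harmless, correctly ignored */
};
static const size_t corpus_len = sizeof corpus / sizeof corpus[0];

/* Attacks in the corpus that the regex lets through. */
int count_false_negatives(void)
{
    int fn = 0;
    for (size_t i = 0; i < corpus_len; i++)
        if (corpus[i].is_attack && naive_sqli_check(corpus[i].input) == 0)
            fn++;
    return fn;
}

/* Benign inputs in the corpus that the regex flags as attacks. */
int count_false_positives(void)
{
    int fp = 0;
    for (size_t i = 0; i < corpus_len; i++)
        if (!corpus[i].is_attack && naive_sqli_check(corpus[i].input) == 1)
            fp++;
    return fp;
}

int main(void)
{
    for (size_t i = 0; i < corpus_len; i++)
        printf("%-46s attack=%d flagged=%d\n", corpus[i].input,
               corpus[i].is_attack, naive_sqli_check(corpus[i].input));
    printf("false negatives: %d, false positives: %d\n",
           count_false_negatives(), count_false_positives());
    return 0;
}
```

Three of the four attack strings are missed and two of the three benign strings are flagged, which is why input filtering is not a substitute for parameterised queries: the regex tests for one token, not for the property that matters (query structure controlled by user data).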
39
votes
2 answers

How should an application store its credentials

Context: When developing desktop applications, you will occasionally have to store credentials somewhere to be able to authenticate your application. An example of this is a Facebook app ID + secret, another one is MySQL credentials. Storing these…
Zar
  • 492
  • 1
  • 4
  • 7
39
votes
2 answers

How do universities and schools securely sync passwords between multiple services?

I'm a student and it seems every school or university I have been to has one password that you set for your user account for logging in to university services, which is also then synced to external services the university use such as blackboard,…
darkniss
  • 501
  • 4
  • 6
39
votes
4 answers

Convince the company not to store credit card numbers in our webapp

The company I work for needs a system to perform monthly credit card charges to customer accounts. Customers will be able to update their credit card information from an online interface written in PHP (which will be presented through HTTP over…
M8R-53mg86
  • 393
  • 3
  • 5
39
votes
6 answers

Which parts of a credit card can I obfuscate and still have it be valid

I was recently the victim of credit card fraud and I suspect it is from a merchant somewhere keeping track of my credit card details. I cancelled the card and received a new one, but I would like to make it as difficult as possible for criminals in…
8bitme
  • 493
  • 1
  • 4
  • 6
39
votes
2 answers

How does RSA encryption compare to PGP?

On this answer, cjk says RSA and PGP are different: "What you are essentially asking is how do I run my petrol car on diesel? The answer is you can't." I would be interested in a more detailed comparison between the two, why they are different, and…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
39
votes
4 answers

Microsoft email servers "require remote control of Android device security features"

Just tried to set up my student email address with the default email client on my Android device. The email servers used by the university are outlook.office365.com (incoming) and smtp.office365.com (outgoing). So I set it up like I always do with a…
voices
  • 1,649
  • 7
  • 22
  • 36
39
votes
3 answers

What is an SNI Hole?

Earlier today, Lone Learner asked Why is there no certificate error while visiting google.net although it presents a certificate issued to google.com? The accepted answer explains that the issue was caused by an SNI Hole. You've fallen into a "SNI…
Stevoisiak
  • 1,515
  • 1
  • 11
  • 27
39
votes
3 answers

Why should memcmp not be used to compare security critical data?

From man 3 memcmp: Do not use memcmp() to compare security critical data, such as cryptographic secrets, because the required CPU time depends on the number of equal bytes. Instead, a function that performs comparisons in constant…
gaazkam
  • 5,607
  • 11
  • 24
  • 37
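The man page text quoted in the question states the mechanism: an early-exit compare runs longer the more leading bytes match. The C program below is an added example (not code from the question, its answers, or any libc) that makes this concrete. `leaky_equal` has the shape of a typical `memcmp` loop; `leaky_steps` is the same loop instrumented to return how many bytes it examined, standing in for the elapsed time an attacker would measure; `recover_via_timing` uses only that step count to recover a constructed 16-byte secret one byte at a time; and `ct_equal` is the constant-time alternative the man page recommends. All names and the sample secret are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Early-exit comparison with the same shape as a typical memcmp() loop:
 * it returns at the first differing byte, so its running time grows with
 * the length of the common prefix of the two buffers. */
int leaky_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Instrumented twin of leaky_equal(): returns how many bytes were examined.
 * This models the elapsed time an attacker would observe. */
size_t leaky_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n && a[i] == b[i]; i++)
        ;
    return i < n ? i + 1 : n;
}

/* Constant-time equality: every byte is always visited, differences are
 * OR-accumulated, and the result is folded to 0/1 with arithmetic instead
 * of a data-dependent branch. */
int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= (unsigned)(a[i] ^ b[i]);
    /* acc is in 0..255; (acc - 1) >> 8 has its low bit set only when acc == 0 */
    return (int)(((acc - 1u) >> 8) & 1u);
}

/* Recovers 'secret' byte by byte using only the step count as an oracle. For
 * every position except the last, the correct guess makes the compare run at
 * least one step longer than any wrong guess. The last byte cannot be told
 * apart by step count, so it is finished off with the accept/reject answer
 * of leaky_equal(), which the attacker receives anyway. Returns oracle calls. */
size_t recover_via_timing(const unsigned char *secret, size_t n, unsigned char *out)
{
    size_t calls = 0;
    memset(out, 0, n);
    for (size_t pos = 0; pos < n; pos++) {
        size_t best_steps = 0;
        unsigned char best_byte = 0;
        for (unsigned c = 0; c < 256; c++) {
            out[pos] = (unsigned char)c;
            calls++;
            if (pos + 1 == n) {
                if (leaky_equal(secret, out, n)) { best_byte = out[pos]; break; }
            } else {
                size_t s = leaky_steps(secret, out, n);
                if (s > best_steps) { best_steps = s; best_byte = out[pos]; }
            }
        }
        out[pos] = best_byte;
    }
    return calls;
}

/* Self-check against a constructed sample secret (not a real key):
 * returns 1 if the byte-at-a-time recovery reproduced it, 0 otherwise. */
int demo_recovers_secret(void)
{
    const unsigned char secret[16] = "s3cr3t-t0k3n-42!";
    unsigned char guess[16];
    recover_via_timing(secret, sizeof secret, guess);
    return memcmp(secret, guess, sizeof secret) == 0;
}

int main(void)
{
    const unsigned char *s = (const unsigned char *)"abcdefgh";
    printf("steps for 'abcXXXXX': %zu\n", leaky_steps(s, (const unsigned char *)"abcXXXXX", 8));
    printf("steps for 'abcdefXX': %zu\n", leaky_steps(s, (const unsigned char *)"abcdefXX", 8));
    printf("recovery via timing oracle: %s\n", demo_recovers_secret() ? "succeeded" : "failed");
    printf("ct_equal same/different: %d %d\n", ct_equal(s, s, 8),
           ct_equal(s, (const unsigned char *)"abcdefgX", 8));
    return 0;
}
```

The recovery needs at most 256 oracle calls per byte, so the search is linear in the secret's length rather than exponential; against `ct_equal` the step count would be `n` for every guess and the same loop would learn nothing. Real measurements are noisier than this model, which is why attackers average many requests per guess, but the leak they exploit is exactly the one shown here.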