Most Popular
1500 questions
110
votes
11 answers
Is `sudo` almost useless?
Once an attacker has a shell as your sudoer user (or just compromised a local process enough), he/she can use one of the many privilege escalation tools to even automatically put themselves for example as apt or some other process called by root to…

Wernight
- 1,187
- 2
- 8
- 8
109
votes
8 answers
Why do I hear about so many Java insecurities? Are other languages more secure?
I really like the Java programming language, but I continuously hear about how insecure it is. Googling 'java insecure' or 'java vulnerabilities' brings up multiple articles talking about why you should uninstall or disable Java to protect your…

gsgx
- 1,225
- 2
- 12
- 13
109
votes
7 answers
Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?
Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him:
I'm the Chrome browser security tech…

brentonstrine
- 1,259
- 2
- 10
- 13
109
votes
11 answers
"Username and/or Password Invalid" - Why do websites show this kind of message instead of informing the user which one was wrong?
Let's say a user is logging into a typical site, entering their username and password, and they mistype one of their inputs. I have noticed that most, if not all, sites show the same message (something along the lines of, "Invalid username or…

bobble14988
- 1,355
- 3
- 9
- 12
109
votes
4 answers
Do I need CSRF token if I'm using Bearer JWT?
Context: Angular site is hosted on S3 behind CloudFront, separate from Express server that is used as API and almost all requests are XMLHttpRequests. All requests are sent without cookies (withCredentials = false by default) and I use JWT Bearer…

Igor Pomogai
- 1,193
- 2
- 8
- 7
109
votes
8 answers
My school wants to keep the details of our door authentication system a secret. Is that a good idea?
So, I am designing a door authentication system (can't really go into more detail) for our school, so that only authenticated persons can go through a certain internal door. They hold that its inner workings should be kept a secret, so that no one…

PyRulez
- 2,937
- 4
- 15
- 29
108
votes
5 answers
Can simply decompressing a JPEG image trigger an exploit?
The novel Daemon is frequently praised for being realistic in its portrayal rather than just mashing buzzwords.
However, this struck me as unrealistic:
Gragg's e-mail contained a poisoned JPEG of the brokerage logo. JPEGs were compressed image…

JDługosz
- 1,138
- 2
- 7
- 12
108
votes
6 answers
Why can't I MitM a Diffie-Hellman key exchange?
After reading the selected answer of "Diffie-Hellman Key Exchange" in plain English 5 times I can't, for the life of me, understand how it protects me from a MitM attack.
Given the following excerpt (from tylerl's answer):
I come up with two prime…

orokusaki
- 1,342
- 2
- 10
- 13
108
votes
4 answers
Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?
It has become quite difficult to configure an HTTPS service that maintains "the ideal transport layer". How should an HTTPS service be configured to permit some reasonable level of compatibility while not being susceptible to even minor attacks?
TLS…

rook
- 46,916
- 10
- 92
- 181
108
votes
5 answers
What kinds of encryption are _not_ breakable via Quantum Computers?
There's the recent article NSA seeks to build quantum computer that could crack most types of encryption. Now I'm not surprised by the NSA trying anything1, but what slightly baffles me is the word "most" - so, what encryption algorithms are known…

Tobias Kienzler
- 7,578
- 10
- 43
- 66
108
votes
15 answers
At what point does something count as 'security through obscurity'?
So, I keep finding the conventional wisdom that 'security through obscurity is no security at all', but I'm having the (perhaps stupid) problem of being unable to tell exactly when something is 'good security' and when something is just 'obscure'.
I…

root
- 1,547
- 3
- 12
- 20
108
votes
15 answers
How can I argue against: "System is unhackable so why patch vulnerabilities?"
An operating system has reached End of Support (EoS) so no more security patches are coming for the OS ever. An embedded device running this OS needs to be updated to a newer version. However, the engineers who designed the original product feel…

Ken
- 1,091
- 2
- 6
- 5
108
votes
7 answers
Is social engineering an actual threat?
I've recently finished the book The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick.
The book was released on 4th December 2002. Not talking only about techniques described in this book, but are the ways used by…

Marek Sebera
- 2,223
- 3
- 20
- 27
107
votes
11 answers
Technology that can survive a "Rubber-Hose attack"
In the documentary film Citizenfour, Edward Snowden says about documents:
I'm comfortable in my technical ability to protect [documents].
I mean you could literally shoot me or torture me
and I could not disclose the password, even if I wanted…

QBR8ZIKvyJ
- 971
- 2
- 7
- 4
107
votes
17 answers
Is "password knocking" a good idea?
With port knocking, you have to "knock" on specific ports in a defined order to expose a port on which a service is running.
How about password knocking? For example you have three passwords: A, B and C. None of them is correct by itself, but entered…

gronostaj
- 1,290
- 2
- 10
- 17