Most Popular

1500 questions
101 votes, 5 answers

How to address bad password security policy from a large company?

I just went to reset my Western Digital password and they emailed me my plaintext password, instead of providing an online form to let me change it. This is really concerning to me as the site accepts/processes payments for their drives, and I have…
Douglas Gaskell
100 votes, 4 answers

How does SSLstrip work?

I've been reading up on SSLstrip and I'm not 100% sure on my understanding of how it works. A lot of documentation seems to indicate that it simply replaces occurrences of "https" with "http" in traffic that it has access to. So a URL passing…
Scott Helme
100 votes, 12 answers

How do very big companies manage their most important passwords / keys?

Third-party password managers such as 1password, etc. are useful for people, businesses, etc. to store passwords. But I bet Facebook, Google, Twitter and other super big tech companies don't use such third-party services for their internal passwords…
Basj
100 votes, 10 answers

Does it improve security to use obscure port numbers?

I recently started a job at a small company where the CTO prefers to host SSH services at obscure, high numbered ports on our servers rather than the well known port 22. His rationale is that "it prevents 99% of script kiddy attacks." I'm curious…
William Rosenbloom
100 votes, 7 answers

Why do some GDPR emails require me to opt-out and some to opt-in?

I've noticed a trend in emails I've received as a result of GDPR, some of them are sort of 'opt-out' (or pseudo-opt-out where you just need to stop using their service) like so: Our updated Privacy Policy explains your rights under this new law and…
AncientSwordRage
100 votes, 4 answers

What is the difference between an X.509 "client certificate" and a normal SSL certificate?

I am setting up a web service through which my company will talk to a number of business customers' services. We will be exchanging information using SOAP. I would like to handle authentication with SSL certificates provided by both parties, but…
100 votes, 11 answers

DDoS: Why not block originating IP addresses?

I'm a moderator of a major bulletin board. When a baddie shows up, we block their IP address; it works, at least until they find a new one. Why can't a protocol be developed for the world's routers to combat DDoS, whether by IP addresses or message…
vonlost
100 votes, 10 answers

How to create a company culture that cares about information security?

Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided. I already tried to instruct them but they simply don't care, they cannot see…
RF03
100 votes, 12 answers

Landlord will be watching my data traffic, as mentioned in the lease agreement

I am moving to Germany, and in the contract I signed I had to accept that all my data traffic can/will be checked by the apartment owner. The contract states: Flat rate, but prioritized behind the 30GB plan, so somewhat slower. Yes, I know that…
Olba12
100 votes, 12 answers

Explain Security to Employer

My employer wants/wanted to install a 3rd party app on my personal cell phone. One of the issues that we are still not seeing eye-to-eye with is regarding security. Here are some issues that concern me: The 3rd party sent everyone in our company…
w0lf42
99 votes, 4 answers

Can I add a password to an existing private key?

Say I have previously created a private/public key combination, and decided at the time to not protect the private key with a password. If I later decide to "beef up" security and use a password-protected private key instead, would I need to…
IQAndreas
99 votes, 5 answers

What is the benefit of having FIPS hardware-level encryption on a drive when you can use Veracrypt instead?

The expensive one: https://www.dustinhome.se/product/5010873750/ironkey-basic-s1000 The cheap one: https://www.dustinhome.se/product/5010887912/datatraveler-100-g3 Over 14,000 SEK difference in price. Same company (Kingston). Same USB standard (3).…
Taeyang
98 votes, 1 answer

How are private keys kept private?

This may sound like a stupid question but seriously how are private keys kept private? If you're someone like Google you have some huge number of servers to which the public can establish secure connections. The *.google.com private key is required…
George Hawkins
98 votes, 8 answers

Do we need to logout of webapps?

A quick Google search doesn't reveal whether it is important to logout of webapps (online banking, Amazon, Facebook, etc.), or if I am safe just closing the tab or browser. I am sure I heard on some TV show that it's best to logout... What possible…
Angelo.Hannes
98 votes, 2 answers

How do I get the RSA bit length with the pubkey and openssl?

I have a public key generated with ssh-keygen and I'm just wondering how I get information on the key length with openssl?
Evan Carroll