Most Popular
1500 questions
89
votes
9 answers
Secure USB cable for charging in untrusted environments
On a long haul flight, I imagine that charging a phone (in flight mode) with the inbuilt USB port on the head rest would be a security risk.
Could I mitigate that risk by taking a regular USB cable and cutting the data (but not the power) cables? Or…

DarcyThomas
- 1,298
- 1
- 10
- 15
89
votes
11 answers
Why didn't OSes securely delete files right from the beginning? And why do they still not do this?
After decades of hearing that "delete" does not really make the data impossible to recover, I have to ask WHY the OS was not corrected long ago to do what it should have been doing all along? What is the big deal? Can't the system just trundle along…
user82913
89
votes
16 answers
How to tell users that they shouldn't disclose their password over the phone to our help desk?
I work for a help desk, and we recently launched an online service where our members can log in.
A problem we are having is that users who are calling us often ask us to confirm that the password handed in to them is correct. By doing so, they…

Terry
- 1,125
- 1
- 9
- 16
88
votes
3 answers
Why is using an SSH key more secure than using passwords?
If people use a password to log in to a UNIX server, then the server can force the password to expire, and then they change it.
If people use an SSH key and have no passwords, no password expiry, then nothing forces them to change their SSH key…

thequestionthequestion
- 1,181
- 1
- 10
- 9
88
votes
12 answers
What is different about being targeted by a professional attacker?
It is often said that security tools such as firewalls, antivirus programs, etc. are only effective against random, untargeted attacks. If you are specifically targeted by an intentional, professional attacker (e.g. state sponsored, NSA, Chinese…

user2174870
- 1,378
- 2
- 11
- 13
88
votes
12 answers
When is phishing education going too far?
I currently work on the IT security team at my workplace in a senior role. Recently, I assisted management in designing the phishing / social engineering training campaigns, by which IT security will send out phishing "test" emails to see how aware…

Anthony
- 1,736
- 1
- 12
- 22
88
votes
5 answers
Can "Accept cookie" button in a website be malicious?
I don't remember when this "accept/cancel cookie" button started to be used in websites. Why do they insist on getting users to click on this button?
Can it do any harm to a user's PC or collect any private and sensitive data? Their reason for…

0_o
- 1,142
- 1
- 9
- 19
88
votes
1 answer
Mac OS X terminal prompt displaying foreign hostname (or: What is Stacey's iPhone doing in my Terminal?)
I opened my Terminal today and saw this:
StaceysiPhone6s:~ jcz$
Who is Stacey?
Why is she in my Terminal?
What happened?
What should I be worried about?
How do I fix it?

Jeff
- 943
- 1
- 6
- 9
88
votes
7 answers
Why are password boxes always blanked out when other sensitive data isn't?
So far as I know, password boxes and PINs are always obscured in some way in order to prevent people from looking over your shoulder when you enter it. However, other important information that I type into a web form (credit card number, social…

GGMG-he-him
- 1,045
- 8
- 12
88
votes
10 answers
How secure is RDP?
I have a sort of a conflict with my company's Security Lead Engineer. He says that Remote Desktop Protocol (RDP) is not secure enough and we should be using TeamViewer instead. We use RDP not only to access local resources inside our corporate…

prot
- 991
- 1
- 6
- 7
88
votes
4 answers
What prevents me from buying an SSL certificate for a domain I don't control?
Can I simply build a webserver, make its hostname "google.com", create a CSR off that server, and send that to a Certificate Authority for signing? Let's say I pick the cheapest and dodgiest outfit I can find.
Will that work? What mechanisms are in…

Flamer
- 859
- 1
- 7
- 5
88
votes
3 answers
Why OpenSSH deprecated DSA keys
There was a question, RSA vs. DSA for SSH authentication keys, asking which key is better. Basically all answers were more in favour of RSA over DSA but didn't really say that DSA would be somehow insecure.
Now, however, DSA has been deprecated by OpenSSH…

Petr
- 990
- 1
- 7
- 6
88
votes
9 answers
Why should you redirect the user to a login page after a password reset?
The OWASP Forgot Password Cheat Sheet suggests:
Whenever a successful password reset occurs, the session should be invalidated and the user redirected to the login page
I'm failing to understand why this is so important. Is there a security basis…

Adam Parkin
- 923
- 1
- 7
- 7
87
votes
9 answers
Why do people use IP address bans when IP addresses often change?
Why do people use IP address bans (e.g. to block a malicious user from an internet service) when IP addresses change often?
For example, we turn our router off every night so our IP address often changes in the morning. Furthermore, often a simple…

Micheal Johnson
- 1,746
- 1
- 10
- 14
87
votes
11 answers
What to do about websites that store plain text passwords
I recently received an email from a popular graduate job website (prospects.ac.uk) that I haven't used in a while suggesting I use a new feature. It contained both my username and password in plain text. I presume this means that they have stored my…

jamesj
- 1,093
- 1
- 8
- 10