Job Opening - Security Engineer (Data Analytics)
by Cadu in Information Security
Hi All,
I'd like to borrow the security section here to find security like-minded folks who are keen on a role in my company. If this is not the correct section, Moderators, please assist to move it as required; I appreciate the help.
This is a junior position and we're open to fresh graduates (Diploma / Degree) o

Migrating GPG master keys as subkeys to new master key
by Trevor Dickson in Information Security
Currently I have 3 private GPG pairs which are all master keys. I want to convert these keys into subkeys for a new key pair (and keep that in the vault). I have read the following thread http://atom.smasher.org/gpg/gpg-migrate.txt which involves some sort of hacking the binary file to convert one master key into a subkey and replace it with another. Is it possible to combine my different keys into

Consider a "zero-knowledge" file host such as mega.co.nz. How can one prevent users from uploading unencrypted content?
by Rineau in Information Security
I am wondering how a zero-knowledge host such as mega.co.nz could prevent users from just uploading files in the clear and, for example, discrediting the site by uploading a large quantity of illegal material and then telling the authorities. Ideally, the server should refuse unencrypted uploads. However, what's a definition of "unencrypted" that a computer may understand? I guess there's none. It could be

Is my service provider hacked and what can I do to protect myself?
by sgmichelsen in Information Security
I found myself looking at a stock and forex search page when I tried to access Chinese Stackexchange using my Firefox browser today. This is what the page looks like: And this is the HTML of the page: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"><!-- turing_cluster_prod --><html> <head> <meta http-equiv="Content-Typ

Basic checklist of things to check to secure a router and wireless network with IP cams
by Guid in Information Security
Suppose I have a brand new router, and I have set up some basic things just to get a wireless home network going: I created an SSID name for the network, and it's WPA2-PSK protected. I also added a password for the router "admin" in order to prevent others allowed in the network from modifying the router settings. The router gateway/settings cannot be accessed from WAN. I also had needed to do some p

How secure is a partial 64-bit hash of a SHA-1 160-bit hash?
by Sigtryggur in Information Security
So http://en.wikipedia.org/wiki/SHA-1: "SHA-1 produces a 160-bit (20-byte) hash value" and "As of 2012, the most efficient attack against SHA-1 is considered to be the one by Marc Stevens with an estimated cost of $2.77M to break a single hash value by renting CPU power from cloud servers", with a theoretical attack taking 2^60 operations. So if a custom verification algorithm only the first 64bits of th

Can the XOR of two RNG outputs ever be less secure than one of them?
by crazy2383 in Information Security
Suppose I'm suspicious that one or more (pseudo-)random number generators are cryptographically flawed, perhaps even deliberately backdoored. The RNGs in this case might be either PRNG algorithms, hardware random number generators, or some OS-provided primitive whose source might be either of these. Can it ever be a bad thing to "salt" the RNG by using the XOR of its output and some other RNG's out

Ranking of web security conferences
by DigDog in Information Security
I have prepared a paper to publish in a web security conference. How can I know the ranking of available conferences to know which conference is better? For example, should I look at their sponsors?

Do I need to expire a session cookie when sessions are handled server-side?
by PatrickSimonHenk in Information Security
The only data in the cookie is the session ID. There is no expiration timestamp set when creating it; a session is always evaluated server-side to see if it has expired. When logging out, the session is destroyed server-side. Is there any point then in expiring the cookie?

Is my invitation-based file access authorization scheme worthwhile?
by Daniel E. Renfer in Information Security
I need to allow users to upload files with sensitive data to a server, then invite other authenticated users to access specific files. This is my proposed solution: Each user will have his own folder to which he uploads files, and the parent folder will have an .htaccess with deny all to block direct access. (This already works well.) Then, an invited user will get a generated SHA1 invitation id and

How is password character validation in 3D Secure implemented? [duplicate]
by toutatis in Information Security
This question already has an answer here: Is my bank storing my password in plain text? (5 answers). We have a website which stores hashed passwords in the database. During logins we hash the password entered by the user and compare the two hashes. This

How bad is exposing valid user names?
by br4dz in Information Security
Today, like many other times in the past, I signed up for a new service and got a common error message: "Your user name or password is invalid". This time I am wondering how useful it is to notify "invalid password OR user" versus a less common but more useful two-message schema with the real problem: "unknown user", "invalid password". My thought was that a system that does not specify if the user name is

Can anonymizing techniques make you less anonymous?
by l1feh4ck3r in Information Security
There's a recent report in the news of a Harvard student who emailed in a bomb threat so as to postpone year-end exams. According to the report, he carefully covered his tracks using the best technology he knew about: he used a throw-away email account, and only accessed it over TOR. It turns out that this last point -- using TOR to send his email -- is what made him easy to find. Officials simply

Cracking passwords following a pattern with e.g. John
by M0dusFRee in Information Security
So I am trying to find out how easy it is to crack a password using some great Linux tools. We all know about John as a password cracker and how great it is. But how about specifying a pattern? Let's assume the following policies: A password must start with a capital letter and then be followed by 3 small letters. A password must end with 3 numbers. A password must be exactly 7 in length. Password example:

Target store data breach - What should I do to protect my account, which got exposed via Target Red Card?
by scosant in Information Security
I couldn't find any information anywhere on what the customers whose card details got exposed should do; any idea what I should do? I am one of the 40 million whose card details got leaked. I have a Red Card associated with one of the bank's checking accounts.

Trust a non-root CA in OpenSSL
by Isaac in Information Security
Is it possible to have OpenSSL trust a non-root CA such that a certificate signed by that non-root CA can be properly verified? I've noticed that the default behavior for OpenSSL is to only verify certificates when it can build a complete chain, up to a self-signed root CA. Can this be overridden? I specifically do not want the root to be in the CAfile.
Tags: Trust root OpenSSL

MiTM not working -- rejected by router?
by Jason Merrill in Information Security
I have been attempting to run a MiTM on a very old XP SP3 computer. I have attempted it with 3 products, as listed below: Wireshark: Traffic from the computer did not even show up. (I did see traffic from multiple IPs, so I think I have the right adapter.) ARP Spoof (with and without SSL Strip): As soon as the attack took place, the victim was kicked off my network and not allowed back on until the attack stopp

How can I use a proxy appliance as HTTP Proxy & Reverse Proxy at the same time?
by LDam in Information Security
I have a BlueCoat ProxySG 810 appliance and want to use it as both an HTTP Proxy Server for clients on the Inside interface of a PIX 525 Firewall (OS Version = 8.0(4)) and a Reverse Proxy Server for my Web Servers on the DMZ. Should I place the ProxySG 810 on the DMZ? If I do so, does the ProxySG 810 need to access the Inside network (i.e. initialize connections to Inside) to be able to serve as an

Can too much web searching be a danger to a security professional?
by kiirpi in Information Security
As a junior security professional, I spend a lot of time googling for things such as 'wpa dictionaries', 'vulnerabilities...', 'how to crack ...', and so on. I sometimes feel like I am calling for the wrong attention (from the ISP, Google and/or agencies), regardless of my intention to increase my knowledge of what I am defending against and having fun cracking my own home network. Will googling draw to
