Perfect forward secrecy in Instant Messaging with multiple devices

I have read multiple sites online about PFS and DH but I still have a few questions.

I understand that in order to have PFS you must use different keys to encrypt messages. So your IM client could be generating a new key for…

Shell program risks and precautions [on hold]

You are writing a program that makes a call out to a shell program. Explain the security risks involved and explain the precautions you should take.

I thought this was the answer, but I was told it’s not correct, and they didn’t supply the actual answer. If it’s not this, what is it? I was told the risks were to do with the keys.

SQL injection

A program takes user input and creates an SQL query using string concatenation. For example, suppose the user is prompted for user name and password.
Never construct SQL statements using string concatenation. Use PreparedStatements or the equivalent. If not, you would need to check user input values (possibly using regular expressions), checking for all possible metacharacters.
Java – Use PreparedStatements.

Buffer Overrun

A program writing data to a buffer overruns the buffer’s boundary and overwrites adjacent memory.
If the buffer overrun goes over the end of the data segment in a program, this results in a segmentation fault and core dump. If not, the error can sometimes be exploited by an attacker to change the values of nearby variables, or to change the value of the return address to the address of a user input buffer which can contain a program. Libraries exist for safe manipulation of buffers. Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a segmentation fault.

Cross Site Scripting

User data in cookies relevant to a (vulnerable) Web Application is disclosed to a malicious third party. This can happen when a Web Application echoes user input to a page. The user can then enter script code (JavaScript) which gets executed by the browser. A Cross Site Scripting attack can access cookies, and can access the DOM model and change links. The Web Application accepts user input, does not check it, and echoes the user input directly to the browser.
The solution: check user input using regular expressions; URL encode the output (prevents text being interpreted as HTML/JavaScript); add the httponly option to cookies (the cookie can’t be accessed in JavaScript).
