Security

522 readers
6 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
26
22
Schneier on xz (www.schneier.com)
submitted 7 months ago by [email protected] to c/[email protected]
27
28
29
30
 
 

When an email is forwarded, the position of the original email in the DOM usually changes, allowing for CSS rules to be selectively applied only when an email has been forwarded.

31
32
33
12
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]
 
 

Anyone here use fidelity (https://www.fidelity.com/)? I had to call to get something done with my account and thought it was weird that they have you (more/less) T9 dial your password into the system, though its not real T9 in that (for example) one press of 2 would mean either a,A,b,B,c,C,2. They say for special characters just give a * sign.

Any thoughts on if that is safe on their part? It seems weird to me since they either need the password in plaintext on their end or I guess the hash of the T9 version of the password which would be less secure anyways because of: all one case and only one type of 'special character'.

And yes: before you ask this was 100% the actual fidelity phone number: +1 800-343-3548

In their defense they did ask for other verification information once I got a person, but still felt really weird.

Any thoughts on the security of this mechanism?

34
35
36
37
 
 

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

38
39
40
41
42
43
44
45
46
47
48
49
50
 
 

This was a fascinating and informative read. I hope the author makes progress on "creating an open-source project to de-cloud and debug smart home products"; I would love to contribute to something like that!

view more: ‹ prev next ›