Questions tagged [security-theater]
Do not use this tag as a generic security tag. Security theater is a term for security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve it. The term was coined by computer security specialist and writer Bruce Schneier in his book Beyond Fear (2003).
97 questions
1
vote
0
answers
123
views
What is a term for ineffective security measures that don't prevent any realistic attack? [closed]
Is there a term for when a particular system design might prove to have some advantages, but doesn't actually qualitatively change the potential attacks on the system and thus ends up as redundant,...
0
votes
0
answers
38
views
Do `Signature` headers have real benefits? [duplicate]
I'm working with an HTTPS API that requires me to include a Signature header; the signature is calculated as codeBase64(hmacWithSha384(key, body)). I'm wondering if it provides any real-life benefits ...
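Added example (not from the question or from the API it describes) of the Signature scheme as the question states it: a client computing base64(HMAC-SHA384(key, body)), a server verifying it in constant time, and a check of what a tampered body, a replayed request and a malformed header do. The key, the body and the function names are made up for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed demo values, not taken from the question.
KEY = b"demo-shared-secret"
BODY = b'{"amount": 100, "to": "alice"}'


def sign_body(key: bytes, body: bytes) -> str:
    """Client side: Signature = base64(HMAC-SHA384(key, body))."""
    mac = hmac.new(key, body, hashlib.sha384).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_body(key: bytes, body: bytes, header: str) -> bool:
    """Server side: recompute the MAC and compare in constant time."""
    try:
        presented = base64.b64decode(header, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(key, body, hashlib.sha384).digest()
    return hmac.compare_digest(presented, expected)


def tamper_and_replay_demo(key: bytes = KEY, body: bytes = BODY) -> dict:
    """What the header does and does not catch.

    - a body modified in transit fails verification (integrity);
    - the same (body, Signature) pair sent a second time verifies just as
      well, because nothing in the signed data ties it to a time, nonce or URL.
    """
    header = sign_body(key, body)
    tampered = body.replace(b"alice", b"mallory")
    return {
        "original_ok": verify_body(key, body, header),
        "tampered_ok": verify_body(key, tampered, header),
        "replay_ok": verify_body(key, body, header),  # second use of the same pair
        "garbage_header_ok": verify_body(key, body, "not base64!"),
    }
```

Because only the body is covered, the signature is not bound to the request line, a timestamp or a nonce, so a captured request can be re-sent unchanged; what the header adds beyond TLS therefore depends on whether the HMAC key lives somewhere the TLS endpoint does not (a separate signing component, for instance), not on the MAC construction itself.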
0
votes
3
answers
157
views
Security in depth vs security theatre
If some security measure serves only to add an extremely small barrier to an attack, are there generally accepted principles for deciding whether that measure should be retained?
Does defence in depth ...
2
votes
2
answers
174
views
How can I, as an enduser, put pressure on corporations and discourage password strength theater? [duplicate]
For work and other official matters, I am often forced to use websites and apps which clearly have some kind of cargo cult going on in their security department, given that they impose extremely ...
2
votes
1
answer
240
views
Over-the-top (?) security practices for CVV inputs
On some internet banking websites, I've seen some CVV input fields that seem strange to me. Here is an example:
The field works as such:
You cannot input a CVV code using a keyboard.
The numbers ...
-1
votes
1
answer
229
views
Why do people, even programmers and geeks, seem to almost feel the urge to "give hackers a fair chance" at stealing their data? [closed]
I once heard that the author of the early NES emulator "Nesticle", clearly a very intelligent person, bafflingly used some kind of exploitable "Samba" or "SMB" server ...
1
vote
0
answers
159
views
Does Snowflake Data Sharing add any real security?
Snowflake is a cloud database like Google BigQuery or Amazon Redshift. Unlike them, however, it markets a "Secure Data Sharing" feature.
They go to some effort (including a full "Data ...
3
votes
1
answer
1k
views
How exactly does Windows Defender in Windows 10 determine when to upload your local files to Microsoft?
Every time I install Windows 10, I painstakingly go through every setting that can be found in any GUI setting for the OS, disabling everything that sounds creepy.
One of the most disturbing things I'...
3
votes
1
answer
3k
views
What attacks are prevented using Session Timeout or Expiry?
OWASP recommends setting session timeouts to the minimal value possible, to minimize the time an attacker has to hijack the session:
Session timeout define action window time for a user thus this window ...
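Added example, not from the question, from OWASP or from any answer, of the two timeouts OWASP distinguishes (idle and absolute) and of which one actually bounds an attacker who keeps using a stolen session. The policy values and the `Session` type are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed policy values (not from the question): OWASP advises both an
# idle and an absolute timeout; the exact numbers depend on the application.
IDLE_TIMEOUT = 15 * 60          # seconds without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # seconds since login, regardless of activity


@dataclass
class Session:
    created: float    # login time (epoch seconds)
    last_seen: float  # time of the last request that used this session


def session_state(s: Session, now: float) -> str:
    if now - s.created >= ABSOLUTE_TIMEOUT:
        return "expired_absolute"
    if now - s.last_seen >= IDLE_TIMEOUT:
        return "expired_idle"
    return "active"


def touch(s: Session, now: float) -> bool:
    """Call on every authenticated request. Returns False (and the caller
    should destroy the session) once either timeout has fired."""
    if session_state(s, now) != "active":
        return False
    s.last_seen = now
    return True


def hijack_window(s: Session, now: float, attacker_keeps_using: bool) -> float:
    """Seconds a cookie stolen at `now` stays usable.

    An attacker who keeps sending requests resets the idle timer exactly as
    the real user would, so only the absolute timeout bounds them; the idle
    timeout only matters if the stolen session is left untouched."""
    until_absolute = s.created + ABSOLUTE_TIMEOUT - now
    if attacker_keeps_using:
        return max(0.0, until_absolute)
    until_idle = s.last_seen + IDLE_TIMEOUT - now
    return max(0.0, min(until_idle, until_absolute))


def simulate_active_user(step: float = 600.0) -> tuple:
    """Keep a session alive with a request every `step` seconds until the
    absolute timeout ends it; returns (requests served, time of expiry)."""
    s = Session(created=0.0, last_seen=0.0)
    served, t = 0, 0.0
    while touch(s, t):
        served += 1
        t += step
    return served, t
```

The simulation shows why a short idle timeout alone changes little against an active attacker: a request every ten minutes keeps the session alive for the full eight hours, and only the absolute limit ends it.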
2
votes
0
answers
139
views
Benefit of authentication with a gateway
Given...
a public web service with enabled SSL/TLS
the web service enforces authentication using JSON Web Tokens
a client on a LAN without an Internet connection
a proxy on the LAN that grants point-...
86
votes
6
answers
20k
views
How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me? [duplicate]
I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical "business logic". (This could be any other language and the exact same problem would still stand; I'm ...
14
votes
1
answer
898
views
What would happen if some random webpage made an Ajax request for http://127.0.0.1/private.txt?
I run a localhost-only webserver (PHP's built-in one) for all my admin panels and whatnot on my machine. I'm worried that, if any random webpage has a JavaScript snippet which makes an Ajax call to ...
3
votes
1
answer
347
views
When a closed-source company hires somebody to audit their code, is the auditor forced to do it in the company's office?
Let's say that ACME, Inc. is making closed-source software. It's closed for a reason (they don't want it leaving their building other than in compiled form). Now, they are hiring some company/person ...
77
votes
8
answers
15k
views
If we should encrypt the message rather than the method of transfer, why do we care about wifi security? Is this just security theatre?
Most answers to this question about the security of satellite internet boil down to: encrypting the message is more important than encrypting the method of transfer.
However, there seems to be a lot ...
4
votes
2
answers
260
views
What is the difference between exploitable security measures and security theater?
As an example, the US no-fly list is commonly referred to as security theater given that it is easy to work around. However blurring license plates when posting a picture online is not considered a ...
3
votes
2
answers
2k
views
Forcepoint secure email
I just got an email from a financial institution in answer to a question I raised with them. It came in the form of a "secure email" from Forcepoint, which requires you to open an HTML document and ...
2
votes
4
answers
256
views
Does allowing a user to know their own authorized capabilities decrease security?
In a system with a complex set of computed authorizations, does conveniently allowing a given user access to view all of their own authorizations decrease security?
In a "Policy as Code" system ...
235
votes
3
answers
35k
views
Why did I have to wave my hand in front of my ID card?
I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face....
4
votes
3
answers
585
views
How much of a visible deterrent is IT security?
While looking at this question, one of the comments made me think. In the comment, the user asserted that "one must invest a lock that cost $40, the insurance company just want to make sure that it ...
0
votes
1
answer
148
views
how does your standard security system work? [closed]
Do they have lasers, motion sensors, etc.? I'm more looking for the type of security system you would see in a basic house, not a rich / well-endowed one.
0
votes
2
answers
610
views
Is the common recommendation to obscure the existence of a username on login just security theater? [duplicate]
It is a common recommendation to return "Username or password is incorrect" instead of "Username does not exist" when the given username does not exist and "Password is incorrect" when username exists ...
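Added example, not part of the question or of any answer to it, of the recommendation the question describes: two login handlers that both return the generic "Username or password is incorrect" message, where the first skips the password hash for unknown usernames and the second does the same work on both paths. The user table, passwords, hash-call counter and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed demo user table (not from the question): username -> (salt, PBKDF2 hash).
ITERATIONS = 100_000
GENERIC_MSG = "Username or password is incorrect"
_STATS = {"hash_calls": 0}


def _hash(password: str, salt: bytes) -> bytes:
    _STATS["hash_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_users(creds: dict) -> dict:
    table = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        table[name] = (salt, _hash(pw, salt))
    return table


USERS = _make_users({"alice": "correct horse battery staple"})
# Dummy record: the unknown-user path must cost the same as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Generic message, but returns early for unknown users: the response
    time (no PBKDF2 run) still tells the caller whether the name exists."""
    rec = USERS.get(username)
    if rec is None:
        return False, GENERIC_MSG
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "ok"
    return False, GENERIC_MSG


def login_uniform(username: str, password: str):
    """Same message and the same work on both paths."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and known:
        return True, "ok"
    return False, GENERIC_MSG


def hash_calls_for(fn, username: str, password: str) -> int:
    """How many password-hash computations one login attempt triggers:
    a deterministic stand-in for measuring response time."""
    _STATS["hash_calls"] = 0
    fn(username, password)
    return _STATS["hash_calls"]
```

The message text is only one channel: with `login_leaky`, an unknown username answers in microseconds and a known one after a full PBKDF2 run, so the generic wording hides nothing from anyone who measures latency. Registration and password-reset endpoints leak the same fact if they respond differently, and need the same treatment.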
2
votes
2
answers
162
views
Does storing two components of a secret in two places increase safety?
Let's say I have a secret integer X, and so I don't risk losing it, I store it encrypted on some cloud service. But I think there's a small probability that it gets hacked. So to help allay those ...
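Added example, not from the question, contrasting two readings of "storing two components of a secret in two places": splitting the digits of X in half (each piece on its own reveals half the secret) versus n-of-n XOR secret sharing, where every share is uniformly random and all shares are needed to recover X. The values and function names are mine.

```python
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def naive_split(secret_digits: str):
    """First half of the digits in one place, second half in another:
    whoever obtains either piece has learned half of the secret."""
    mid = len(secret_digits) // 2
    return secret_digits[:mid], secret_digits[mid:]


def split_secret(secret: bytes, n: int = 2):
    """n-of-n XOR secret sharing. n-1 shares are fresh random bytes and the
    last is the secret XORed with all of them; any n-1 shares together are
    still uniformly random and carry no information about the secret."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = _xor(out, s)
    return out


def split_int(x: int, n: int = 2, width: int = 16):
    """Share a non-negative integer as a fixed-width big-endian byte string."""
    return split_secret(x.to_bytes(width, "big"), n)


def combine_int(shares) -> int:
    return int.from_bytes(combine_shares(shares), "big")
```

The trade-off the question hints at is real: XOR sharing gives confidentiality against the compromise of any one location, but availability now requires every location, since losing a single share loses X. A threshold scheme (k-of-n, such as Shamir's) is the usual way to get both properties.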
2
votes
3
answers
639
views
What is Security Theater?
Security Theater, or Security Theatre in British English, has been mentioned in many posts on this site.
What does Security Theater mean?
What are some examples?
Is it the greatest threat to ...
1
vote
0
answers
118
views
Electronic store security [closed]
I am not sure if this is the right place to ask this question. I would like to know what security features an electronic store should have besides the general alarm system monitored by a security ...
0
votes
3
answers
567
views
Should we use Microsoft security or defender for securing our WAN network [closed]
I would like to understand more about Microsoft Security Essentials or another antivirus which is built in or developed by Microsoft. I'm planning to set up the network for my company and use Microsoft ...
10
votes
1
answer
1k
views
Implications of prominent *secure messaging apps* requiring phone number identifiers
More specifically and also generally than this related question, I'm curious about the privacy implications of prominent secure messaging apps (marketing themselves as protecting users' privacy) ...
5
votes
1
answer
1k
views
Why do OAuth and OAuth 2 have access tokens at all?
I am trying to implement a system for third-party apps to access data that a user stores on a provider. We have a robust access control system, with separate read/write/etc. levels for each "stream" ...
3
votes
1
answer
474
views
Cleanware. What does it do and are there security risks involved?
So I get these questions quite a lot recently from friends or family. And I thought this could be a good question for Security Exchange, because I couldn't find this kind of question here.
I received ...
18
votes
8
answers
16k
views
Are 7-Zip password-protected split archives safe against hackers when they are password-protected a couple of times?
Imagine I wish to upload my sensitive personal information (photos, document scans, list of passwords, email backups, credit card information, etc.) on Google Drive (or any other cloud service).
I ...
1
vote
1
answer
2k
views
Does my host machine stay completely safe if I'm browsing the dark web using virtual box or vmware on bridge network connection? [duplicate]
I'm just asking if my host machine stays safe when browsing the dark web / darknet using Tor on a virtual machine with a bridged connection through the host machine. Since the virtual machine will be ...
4
votes
3
answers
2k
views
Does mixing in keystrokes of Backspace, Arrows and Delete add any security to password typing?
It is well known that the analysis of the keyboard sound can reveal/hint at what keys were pressed when a password is typed.
One could mix in wrong characters (not belonging to the password) with ...
3
votes
1
answer
159
views
NFC Security for Payment
During an offline transaction, the Point-of-Sale has no internet connection,
and so the payment terminal cannot verify if the client’s payment
device has been revoked.
A malicious person can use a ...
3
votes
1
answer
256
views
Handwriting/cursive education is on the decline. How does this affect signature-based authentication?
More and more schools are not teaching cursive handwriting, and many are considering it more of an art, or optional in the curriculum.
I assume this will have an impact on the ability to forge a ...
-4
votes
1
answer
116
views
Tendency towards security-is-binary in cryptography [closed]
In the real (physical) world, we seem to feel secure with just enough
security, e.g.:
Our door lock isn't the most secure. Anyone can lock-pick / break
with force.
Our car isn't the most robust. ...
4
votes
1
answer
6k
views
Capturing text messages on the fly
Suppose your phone is not connected to any network. You are sitting in a cafeteria with 50 other people, everyone is communicating to each other via text messages. Is it possible through any device or ...
14
votes
2
answers
10k
views
Is LastPass secure enough? [closed]
They said:
Private Master Password:
The user’s master password, and the keys used to encrypt and decrypt
user data, are never sent to LastPass’ servers, and are never
accessible by LastPass.
...
4
votes
0
answers
180
views
Is there any way a website can show it hasn't been "hijacked" by the authorities? [closed]
I heard about warrant canaries and thought the idea was interesting. My understanding of what they are is a website or online service publishes a statement periodically that they have not been served ...
8
votes
1
answer
2k
views
Database table name prefixes and security by obscurity
One of the most common pieces of advice with respect to securing WordPress, Magento, and other widely-used pieces of software is to add a prefix to database table names or change the default prefix. ...
16
votes
2
answers
464
views
Is adding a supplementary credit transaction something that could improve online payment security?
An online company from which I regularly buy goods apparently recently upgraded their security policy.
Let's say I bought something for 73,31€. As usual this company uses 3D-Secure for the checkout ...
4
votes
3
answers
1k
views
How to choose a linux for learning? [closed]
I am a beginner in security. My first assignment is about "Linux firewall using IPTABLES". I know about Ubuntu, BackTrack and Kali Linux.
How to choose a Linux distribution to learn about security?
1
vote
3
answers
1k
views
How to Stop DDoS Attacks by simple function on web server?
I have some overview ideas about preventing DDoS attacks, in a simple way. Please clarify for me if my thinking is wrong.
Option 1
From the basic understanding of the DDOS attacks is that the attacker ...
12
votes
4
answers
5k
views
Would making an IIS web server appear to be running Apache instead improve security?
As you can see from the tag, I know that security by obscurity is not true security.
So consider a server available to the Internet on port 443 (SSL) of a fixed IP address in the dialup range of a ...
2
votes
0
answers
2k
views
Does the vulnerability "NTP: Traffic amplification in clrtrap feature of ntpd" affect Cisco devices or not?
I am using CCSVM tool SCAN for Network devices (Cisco). Below you can find the scan result:
Title vulnerability: NTP: Traffic amplification in clrtrap feature of
ntpd Solution fix: Disable NTP ...
14
votes
3
answers
36k
views
Is it safe to auto-fill credit card numbers using Chrome?
Is it safe to auto fill credit card numbers using Chrome? Does it safely store the credit card information? As far as my understanding goes, it just shows asterisk values but on click it reveals the ...
4
votes
5
answers
505
views
Do I need to secure a computer from physical attacks when attackers can already harm in many other ways?
Recently, I was working on a computer system for a model railroad club. This computer system is capable of monitoring and controlling the positions of all the (physical) trains which could be ...
2
votes
4
answers
187
views
Preventing phishing of few critical websites
Suppose $S$ is a set of known websites which are very important. Assume there is an anti-phishing tool company $A$ which is aware of such websites. Can the company A reliably develop an anti-phishing ...
-5
votes
1
answer
9k
views
How to disable a trail camera with a laser [closed]
My neighbor presently has a version of a Stealth Cam P12 6 MP Trail Camera 9 (see link below) pointed directly into my windows. Rather than get into a legal argument (the authorities where I live won'...
1
vote
1
answer
317
views
What question(s) can someone ask an individual to quickly determine their 'hacking ability'?
Scenario: You are on Craigslist searching for cheap electronics and come across an ad for a cheap e-reader. It's a bit of a deal at about 20-40% off the retail price, so you contact the seller and all ...
3
votes
2
answers
2k
views
Firewall egress filtering / quick whitelisting
Suppose your aunt or uncle is easily fooled by phishing attempts and their computer has multiple rootkits and keyloggers running. Assume their computing habits will never change.
Looking at his ...
0
votes
2
answers
185
views
What is the severity if someone reads the ConnectionStrings_Prod.config?
I was doing a pen test on a website and the programmer made a big mistake, so I was able to read any file. So I read the web.config and saw that the password for the database was in ConnectionStrings_Prod....