cookies – How secure is to authorize a website to “trust your device”?

A bank has a form of 2FA where, after you put in your username and password, they send a code via SMS to your mobile phone and you have to put that too.

On the screen asking for the SMS code, there is an option to “trust this device”, meaning that they won’t ask for this SMS code (but still ask for username and password) on “my device”.

  1. How do the website knows that the one connecting is “my device” and so it doesn’t have to send the OTP but let me pass through? I suspect it is done by cookies, but I don’t know for sure.

  2. Can someone “forge” a request to let it appear it comes from my device when in reality it doesn’t?

  3. How I am exposed in case someone steal my PC?

[WTS] DigitalServer.com.mx Powerful Servers & Secure SSLs in Mexico|99.9% Uptime!

DigitalServer.com.mx is leading web hosting provider in Mexico now offering powerful dedicated services, secure SSL Certificates. You will receive super fast hosting along with real Mexican Ips as well as helpful professional customer and tech support team who work 24/7.

Our team offer nice Certificados SSL en Mexico, check out our Secure SSL Certificates:

==>> Comodo Positive SSL Certificate:
Validacion de Dominio
Soporte con www y sin www al mismo tiempo
Emision en 5 Minutos
$10,000 USD de Seguro
Re-emision sin costo
SHA2 y ECC
Sello Estatico
ORDER NOW – $700.00/MXN yearly

==>> Besides, we are happy to offer these SSLs:
– Rapid SSL
– Comodo PositiveSSL Wildcard
– Rapid SSL Wildcard
– Geotrust Quick SSL Premium
– Geotrust True BusinessID
– Symantec Secure Site
– Geotrust True BusinessID Wildcard

FOR MORE Details, follow this LINK: https://www.digitalserver.com.mx/certificados-ssl.shtml

We are happy to announce our NEW Servidores Dedicados!!!

Servidores Dedicados Premium
Super servers for applications and websites

Premium Servidores Dedicados under linux or Windows, DigitalServer atmosphere, offers you a range of low-cost servers with 100% internet connectivity and Premium support. If you wish to have autonomy and full access to your server, dedicated servers in Mexico are an excellent choice and opportunity, as the existence is limited.

Servidor Dedicado DSM-1
Processor – Intel Xeon 4 Cores / 4 Threads E3-1225v2 3,2+ GHz
RAM – 16 GB
Serial ATA hard drive – 1 TB
Including IP´s – 1 IP Fija
Uptime 100%
Rent monthly $2,450.00 MXN
ORDER

Servidor Dedicado DSM-2
Processor – Intel W3520 4 Cores / 8 Threads 2,66+ GHz
RAM – 32 GB
Serial ATA hard drive 2 TB
Including IP´s 1 IP Fija
Uptime 100%
Rent monthly $2,750.00 MXN
ORDER

Servidor Dedicado DSM-3
Processor – Intel Xeon W3520 / E3-1245v2 4 Cores 8 Threads 3,4+ GHz
RAM – 32 GB
Serial ATA hard drive – 2×2 TB en Raid 1
Including IP´s – 1 IP Fija
Uptime 100%
Rent monthly $2,945.00 MXN
ORDER

Take a look at Digitalserver.com.mx Servidores Dedicados en México:

Servidor Dedicado en México DS-1A
Processor – Intel Core i3/Core 2 Duo 3.06 Ghz + 4 MB Cache
RAM – 4 GB
Serial ATA hard drive – 1 TB
Including IP´s – 1 IP Fija Mexicana
Uptime 100%
Rent monthly $3,450.00 MXN
ORDER

Servidor Dedicado en México DS-2B
Processor – Intel Single Xeon E3110 3.0ghz L2 cache 6MB
RAM – 6 GB
Serial ATA hard drive – 1 TB
Including IP´s – 1 IP Fija Mexicana
Uptime 100%
Rent monthly $4,640.00 MXN
ORDER

Servidor Dedicado en México DS-3C
Processor – Intel Core2Quad Yorkfield 2.83GHZ 12Mb L2 Cache
RAM – 8 GB
Serial ATA hard drive – 1 TB
Including IP´s – 1 IP Fija Mexicana
Uptime 100%
Rent monthly $5,795.00 MXN
ORDER

We are accepting PaymentWall as method of payment: https://www.paymentwall.com/
And payments from 192 countries, some of that are local payments.

If you have any question – feel free to contact our sales team!

.

Is rsyncd secure? (except for the lack of transport encryption)

I have been using an rsyncd server for backups for what feels like a decade.
I saw that rsyncd has no transport encryption (not even for username and password).

I wonder what other security issues this software has?

Here is my config (/etc/rsyncd.conf)

port = 873
(backup)
path = /disk/backup
uid = nobody
gid = users
list = yes
read only = no
write only = no
use chroot = yes
auth users = sefwsf
secrets file = /var/lib/backup/rsyncd-save.secrets
lock file = /run/lock/rsyncd-save

on my Desktop I use this command:

rsync --stats -hart --password-file=/tmp/pw.txt ~/stuff $bakuser@192.168.24.3::backup --delete

Secure Encryption … best practice

I am just working on a project that will store personal information.

Passwords are already hashed, but I would like to encrypt the personal information as well in order to boost confidence.

I have never done this before. I read up on a few articles but I was wondering what people suggest here, their experiences and best practices.
SEMrush

Thanks

 

encryption – Which cipher block mode is most secure?

Stack Exchange Network


Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Visit Stack Exchange

disk encryption – Can I safely disable and re-enable Secure Boot when Bitlocker is used in order to make a Forensic Image?

I am about to make a forensic image (using dc3dd from OSFClone) of a laptop and in this specific case I’d like to startup using an bootable USB stick with OSFClone and image the disk to an external disk. The laptop in this case used Bitlocker with (I suspect) a TPM 2 chip. I did receive a Bitlocker recovery key for this laptop but I cannot be 100% sure that the recovery key is correct. I did also receive a local Windows Administrator user which I could use to boot and login to Windows and check the recovery keys but I rather don’t want to boot the machine into Windows at all.

My plan is to (temporarily) disable Secure Boot, boot from the OSFClone USB and make a forensic image to an external disk. After that I want to re-enable Secure Boot again. I wonder if Bitlocker will prompt to enter a Recovery Key in this case when booting normally again? Or will it boot straight into Windows (after re-enabling) like nothing has happened?

It’s an option if I have to enter the Bitlocker recovery key once after imaging and boot into Windows. But I rather don’t boot into Windows and as I said I cannot be 100% sure the recovery key I’ve received is correct.

Lastly, what happens if I do (accidentally) boot into Windows before re-enabling Secure Boot, does re-enabling Secure Boot change back the old behavior (no recovery key required) or did it then save that one “unsecure boot” state and prompt it anyway till a recovery key is entered.

Also in this case I am not sure if OSFClone will image the unencrypted disk (which I suspect in case of a SED disk with TPM-only, as it should unlock when the machine with TPM and disk power on) or will I only manage to image the encrypted disk (which I suspect when SED and/or TPM is not used). Either way, the forensic processing software we use (Intella by Vound-Software) should be able to handle Bitlocker encrypted images when the recovery key is supplied but I rather want to understand exactly how it works and if my understanding of this matter is correct.

security – Why is SHA-256 mining secure?

My question is: Say I know that the message b ‘added’ with the number a gets mapped to my desired output. Why is it not possible for me, given a different block (b2) to find a corresponding number (a2), such that the hash of the result will map to the same number c?

It’s not possible because there are 2^256 (approximately 1 followed by 77 zeroes) possible hash results. You would have to try an awful lot of possible values for a2 to find one that happened to produce precisely the same hash output. The stars would burn out first.

What is the operation that combines the block b with the number a that makes this impossible? Is it simple appending?

No, it is not simple appending. That would produce very, very long numbers. It’s an operation that has three important characteristics:

  1. It produces an output smaller than its input. This makes it irreversible because information is lost. You cannot reverse the hashing operation just as you cannot reverse addition. If I add two numbers and get 10, you cannot tell me which two numbers I added because that information has been lost.

  2. A small change in the input produces large changes in the output. That is, changing a single bit of the input changes roughly half of the bits of the output, and it is not easily predictable which bits that will be. It mixes the input quite thoroughly to produce its output.

  3. The output is long, 256 bits. As a result, brute force trial and error to get particular outputs is not practical.

You can read more on the SHA-2 family of functions (which includes SHA-256) here.

security – Is my website’s PHP registration system secure?

I would like to know if my registration system is secure. I’m not sure if it is secure, as I’m new in development, and I’m afraid that the system is flawed

Also, I’m not experienced in object oriented programming, I would like to know if my script looks a bit like OOP or is simply a set of procedural programming with object oriented

database.php

<?php

/**
 * Class responsible for connecting to the database
 * It will be inherited by the SignUp class
 */
class DatabaseConnection
{
    public function __construct(string $host, string $dbname, string $username, string $password)
    {
        try{
            $this->database = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8mb4", $username, $password);
        }catch(PDOException $e){
            throw new Exception($e->getMessage());
        }
    }
}

registration.php

<?php

/**
 * This is a registration script
 * @author Anne Batch
 * @copyright 2021
 */

declare(strict_types = 1);

class SignUp extends DatabaseConnection
{
    /**
     * Database Connection
     * @var PDO
     */
    private $database;

    /**
     * @var string
     */
    private $name;

    /**
     * @var string
     */
    private $email;

    /**
     * @var string
     */
    private $passwordHash;

    /**
     * @var string
     */
    private $signUpPage;
    
    /**
     * @param string $name Assign the username
     */
    public function setName(string $name)
    {
        $this->name = $name;
    }

    /**
     * @param string $email Assign the email
     */
    public function setEmail(string $email)
    {
        $this->email = $email;
    }

    /**
     * @param string $password & $confirm Assign password and password confirmation
     */
    public function setPassword(string $password, string $confirm)
    {
        if ($password === $confirm) {
            $options = (
                'cost' => 12,
            );
            $this->passwordHash = password_hash($password, PASSWORD_BCRYPT, $options);
        }
        else {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Passwords does not match!</div>');
        }
    }

    /**
     * @param $signUpPage Redirect Page
     */
    public function signUpPage(string $signUpPage)
    {
        $this->signUpPage = $signUpPage;
    }

    /**
     * @param $errorMessage Notification Message
     */
    private function returnWithError(string $errorMessage)
    {
        $_SESSION('error') = $errorMessage;
        header('Location: ' . $this->signUpPage);
        exit();
    }

    /**
     * Checks whether a name exists
     */
    public function existingName(): void
    {
        $statement = $this->database->prepare("SELECT 1 FROM users WHERE username = :username");
        $statement->execute((
            ":username" => $this->name
        ));
        $exists = $statement->fetchColumn();

        if(!$exists) {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Name already exists!</div>');
        }
    }

    /**
     * Checks whether an email exists
     */
    public function existingEmail(): void
    {
        $statement = $this->database->prepare("SELECT email FROM users WHERE email = :email");
        $statement->execute((
            ":email" => $this->email
        ));

        $result = $statement->rowCount();

        if($result != 0) {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Email already exists!</div>');
        }
    }

    /**
     * Checks if the fields have been filled
     */
    public function isDefinedFields(): void
    {
        if(!$this->name || !$this->email) {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Please, fill out all the fields!</div>');
        }
    }

    /**
     * Checks if the username is less than 3 or greater than 50
     */
    public function ValidateNameLength(): void
    {
        if(mb_strlen($this->name) < 3) {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Can only use 3 or more characters as name!</div>');
        }

        if(mb_strlen($this->name) > 50) {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Can only use a maximum of 50 characters as name!</div>');
        }
    }

    /**
     * Checks if the email is semantically correct
     */
    public function ValidateEmail(): void
    {
        if(!filter_input(INPUT_POST, $this->email, FILTER_VALIDATE_EMAIL)) {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Incorrect email!</div>');
        }
    }
    
    /**
     * Checks if the username matches the regular expression
     * The purpose of regular expression is to prevent JavaScript attacks
     * The user will not be able to use certain characters, such as <> /
     */
    public function addUser(): void
    {
        if(preg_match("/^(w&.-)*$/", $this->name)) {
                $statement = $this->database->prepare("INSERT INTO users VALUES(?, ?, ?, ?, ?, ?, ?)");
                $statement->execute((
                    $this->name,
                    $this->email,
                    $this->passwordHash,
                    $_SERVER('REMOTE_ADDR'),
                    $_SERVER('HTTP_CLIENT_IP'),
                    $_SERVER('HTTP_X_FORWARDED_FOR'),
                    $_SERVER('HTTP_USER_AGENT')
                ));
                if($statement) {
                    $this->returnWithError('<div class="alert alert-success" role="alert">Registered successfully!<br>Login now</div>');
                }
            }  
        else {
            $this->returnWithError('<div class="alert alert-danger" role="alert">Can only use letters and numbers as name!</div>');
        }
    }
}

main.php

<?php

session_start();

require_once('database.php');
require_once('registration.php');

$users = new SignUp('localhost', 'database', 'root', 'password');
$users->setName($_POST('username'));
$users->setEmail($_POST('email'));
$users->signUpPage('signup');
$users->setPassword($_POST('password'), $_POST('password2'));
$users->existingName();
$users->existingEmail();
$users->isDefinedFields();
$users->ValidateNameLength();
$users->ValidateEmail();
$users->addUser();

magento2 – Magento 2 force secure URL via XML?

In M1 it was possible to add some lines to config.xml to force secure urls for certain pages …

<?xml version="1.0"?>
<config>
    ...
    <frontend>
        ...
        <secure_url>
            <cms_newsletter>/newsletter</cms_newsletter>
            <sendfriend_product>/sendfriend/product</sendfriend_product>
        </secure_url>
    ...

What is the equivalent in Magento2?

Secure IPC method for C++ in Linux

I just can’t choose a method of interprocess communication that would fit my goals, so I ask for help. My list of needs is as follows:

  1. It must be safe. Communication should not be hacked. Communication will only take place between two processes. There should be no possibility of a MITM attack. The source code of the program must remain open
  2. This method should work on Linux. I don’t need the method to support any other platform.
  3. Suitable for C ++
  4. Bidirectional
  5. Minimum delay
  6. I’m not entirely sure about the amount of data transferred. Most likely, the volume will not exceed the size of char[32].

This is the first time I needed to implement IPC. I am lost among all the possible methods for IPC. I cannot provide any significant research. Although I have already written 3 simple examples for shared memory, socket and pipe, I cannot find a way to ensure that communication is not hacked. Is it possible at all to be sure of this?

Absolutely any solution is suitable, the main thing is that the first three points are fulfilled.