How would you know if your provider employs best security practices when hardening your server

Other than just trusting that your web hosting provider employs best practices or by… | Read the rest of https://www.webhostingtalk.com/showthread.php?t=1814992&goto=newpost

open source – How does one best test/vet protocol security via a 3rd party?

Long story short, I wrote something. It involves some basic cryptography, as well as some homecooked methods to ensure that the line of communication between client and server is secure from MITM attacks. At least, that’s what I think. And also, that’s the main purpose of the code.

Due to some needs not being met by off-the-shelf suites such as openssl, AES, and other things that would make implementation of cryptography easier, I’ve had to write most of the algorithms from scratch, reading up on how the chosen cryptography methods work, and so forth. The end result is a project that I would like to upload to github as I’ve had quite a few people interested in it. However, first I would like to put it through the test to see if it holds up to what I want to be able to promise upon release.

So the question is, then: What is the best way of ensuring that the code is secure to the extent that the cryptography is tight and not riddled with security holes? I imagine involving a 3rd party to both look at the code and try to break the protocol would be a good start, but how would I go about finding a 3rd party?

While it is tempting to upload it to github right away, I am a bit worried about people believing it to be secure when it actually isn’t, as it hasn’t been vetted yet.

rest – APIs Security for publicly exposed APis for Website/App

We have a website using PWA Client calls / Mobile APP, all using the same APIs.
We have APIs exposed to the public. Currently, our APIs are not secure, meaning that anyone can inspect the API signature via developer tools/proxy tools and hit the API.

We want our APIs to be hit by verified clients.
Verified clients do not mean logged in clients. Our website can be used by non-logged in users as well. Clients here mean users accessing the website via browsers/app.

So for that, we are planning to allow only those API calls which carry a registered/enabled token, sent via a header.

Now to generate the token:

  1. Device -- sends Token(B) request --> Server
  2. Server generates Token(B), returns it and stores it in Redis
  3. Device -- sends Token(B) in an enable request --> Server
  4. The server enables it
  5. The device sends Token(B) in all subsequent requests
  6. The server checks whether the token exists in Redis in the enabled state or not

Since these register/enable token APIs are also exposed publicly, to ensure no one is able to hack this process:

  • While enabling the token, we also send the encrypted token(A) along with the actual token(B).
  • At the server, we decrypt token(A) and match it with the normal Token(B).

Encryption is done using a private key known to the client/server only.

Is this the right approach, and is it vulnerable? The only issue I see is that the register/enable token APIs are exposed publicly. But we have also added security to that; is that good enough?
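The issue/enable/verify flow described above, written out as an added example (not code from the question). A dict stands in for Redis, and an HMAC tag over Token(B) stands in for the encrypted Token(A), which proves the same thing: possession of the shared key. All names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# In-memory stand-in for the Redis store in the question (constructed for this example).
STORE: Dict[str, str] = {}  # Token(B) -> "issued" | "enabled"

# Assumed shared key. In the design above it ships inside the browser/app bundle, so a
# valid tag only shows the caller holds that key, not that it is the genuine client.
SHARED_KEY = b"example-shared-key-embedded-in-client"

def issue_token() -> str:
    """Steps 1-2: server generates Token(B) and records it as issued (not yet enabled)."""
    token_b = secrets.token_urlsafe(32)
    STORE[token_b] = "issued"
    return token_b

def client_tag(token_b: str) -> str:
    """Step 3, client side: derive Token(A) from Token(B) with the shared key.
    The question uses symmetric encryption; an HMAC is used here instead so the
    server verifies by recomputation rather than decryption."""
    return hmac.new(SHARED_KEY, token_b.encode(), hashlib.sha256).hexdigest()

def enable_token(token_b: str, token_a: str) -> bool:
    """Steps 3-4, server side: enable only an issued token whose tag verifies."""
    if STORE.get(token_b) != "issued":
        return False  # unknown token, or already enabled (no re-enable)
    if not hmac.compare_digest(token_a, client_tag(token_b)):
        return False  # constant-time comparison of the tag
    STORE[token_b] = "enabled"
    return True

def is_authorized(token_b: str) -> bool:
    """Steps 5-6: check performed on every subsequent API request."""
    return STORE.get(token_b) == "enabled"

if __name__ == "__main__":
    tb = issue_token()
    print("before enable:", is_authorized(tb))          # False
    print("bad tag enables:", enable_token(tb, "00"))   # False
    print("good tag enables:", enable_token(tb, client_tag(tb)))  # True
    print("after enable:", is_authorized(tb))           # True
```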

How much hand sanitizer can be taken through airport security in the EU?

The US TSA recently increased the amount of liquid hand sanitizer allowed through airport security to 12oz up from 3.4oz (the usual rule for liquids).

What about airport security in the EU? Is there any sort of exemption to / relaxation of the usual rule for liquids which applies to hand sanitizer?

I hope a general answer for all the EU exists, but if it does not, I am specifically interested in France and Greece.

Password managers security – Information Security Stack Exchange

What is a reliable site or resource that lists those password managers that have been thoroughly tested by users and that have the most reliability?

  1. From the point of security: that they do not have access to your data, that it is impossible to hack their data, etc.
  2. From the point of reliability (say, the software crashes with all of your passwords: what would you do if you entrust it with all of your passwords, or say their servers are blocked in your country, or their country blocks it).
  3. From the point of usability. Say, you need to have specific features, such as an Android app with local storage and the possibility to create offline password archives, or say you want it to generate passwords in certain patterns, or to have both auto-generated passwords and the ability to input passwords yourself.

In general I do not like the idea of entrusting all of my passwords to some software which is just software and may crash or cease existing anytime.
It seems even more reliable to store all of the passwords in just a notebook or a text file with several copies.

security – Allow all applications to access Desktop, Documents, and Downloads in Catalina

How do I disable the macOS Catalina security feature that prevents apps from accessing the Desktop, Documents, and Downloads folders? Note: I have my Desktop and Documents folders stored locally, not in iCloud Drive.

The ideal fix would be something that I can do once to allow all applications to access these folders without simply granting all applications full disk access.

Enabling HTTP Security headers in S/4 Hana web applications

We have 3-4 S/4 HANA applications in our environment and want to enable HTTP Security Headers, but couldn’t figure out how to go about it. We then approached SAP directly, and even their solutions are not working, and their support team has a pretty vague and dissatisfactory answer: they said that the application doesn’t require such headers, as security mechanisms are already in place to mitigate a variety of attacks.

Now me and my team are helpless. Has someone achieved it? The applications in question are SRM, Fiori, GRC & ROS.

In case this question doesn’t belong here please let me know, will move it to a different site.

permissions – Security threat after taking advice?

I was following some advice trying to fix some issues with my webcam and camera permissions. I followed the top comments’ answers but noticed some comments later speaking of potential security threats.

“THIS IS BAD ADVICE. THIS RECURSIVELY CHANGES ALL PERMISSIONS OF ALL FILES AND DIRECTORIES IN YOUR HOME FOLDER AND POSES A SECURITY THREAT. ALSO IT IS NOT A DIRECT ANSWER TO THE QUESTION… (just to reiterate @qwerty_so, thank you) – jorijnsmit”
“Actually a bad advice. This will change the user permission to 644 for all files in your private folder. Thus it takes back that for protected files as well (like e.g. your ~/.ssh/id_rsa which in turn is no longer accepted for ssh logins). Besides that it does not solve the issue. – qwerty_so”

Is there anything I can do to reverse what I’ve done?

Apps don’t show up in camera and microphone privacy settings in MacBook

fingerprint authentication systems – Information Security Stack Exchange

Password authentication systems check for full equality. If you make a typo in your password, you will not be authenticated*.

You cannot check a fingerprint for full equality; it’s a ‘scan’ and there will always be some minor differences: perhaps you have a small cut in your finger, or you put your finger slightly rotated on the device and the digitalization process displaces a few pixels.

A hash is designed to implement the avalanche effect; a small change in the input causes a large difference in the output. That means that two slightly different passwords or two slightly different fingerprints produce two completely different hashes. If you have the hash of a fingerprint, there’s no way of verifying whether it matches a slightly different fingerprint.

*: such a verification system would work by verifying the hash with not only the hash of the actually entered password, but also the hash of all possible typos.
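The avalanche argument in the answer, and the footnote's idea of hashing every typo, worked through as an added example (not code from the answer). The two "scans" are constructed byte strings differing in one bit; SHA-256 stands in for whatever hash is used, and function names are assumptions.

```python
import hashlib

def bit_diff(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(a: bytes, b: bytes) -> int:
    """Bits that differ between SHA-256(a) and SHA-256(b), out of 256.
    For inputs one bit apart this lands near 128: the hashes are unrelated."""
    return bit_diff(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())

# Constructed stand-ins for two scans of the same finger; the second has one
# displaced pixel (a single flipped bit).
SCAN_1 = bytes(range(64))
_s2 = bytearray(SCAN_1)
_s2[10] ^= 0x01
SCAN_2 = bytes(_s2)

def template_matches(stored: bytes, candidate: bytes, max_bits: int = 8) -> bool:
    """What a biometric matcher has to do instead: compare the raw templates with
    a tolerance. That is only possible when the template is kept, not its hash."""
    return len(stored) == len(candidate) and bit_diff(stored, candidate) <= max_bits

def typo_tolerant_check(stored_hash: bytes, entered: str) -> bool:
    """The footnote's scheme: accept a password one typo away by hashing the
    entered string plus every single-character deletion or substitution of it.
    SHA-256 is used for brevity; a real system would use a slow password hash."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    candidates = {entered}
    for i in range(len(entered)):
        candidates.add(entered[:i] + entered[i + 1:])
        for c in alphabet:
            candidates.add(entered[:i] + c + entered[i + 1:])
    return any(hashlib.sha256(c.encode()).digest() == stored_hash for c in candidates)

if __name__ == "__main__":
    print("raw bits differing:", bit_diff(SCAN_1, SCAN_2))       # 1
    print("hash bits differing:", avalanche(SCAN_1, SCAN_2))    # about 128
    print("template match:", template_matches(SCAN_1, SCAN_2))  # True
```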