Is there a legitimate reason for a USB-ethernet hardware device to have been connected to my laptop?

There was an unknown network adapter in my device manager. I found out it was for a USB-RJ45 ethernet device, which I have never even seen before. This device was not present when I bought the machine. As far as I have researched, it is not installed by any software or devices I use.

I’m concerned because there is a known vulnerability in Windows that’s exploited using these devices. A malicious person with access to the device could have stolen my credentials and logged in. (Google "USB-ethernet Windows vulnerability" if you don’t believe me.)

I believe the police or another malicious party exploited that vulnerability, and they used it to install a keylogger and acquire my hardware info. Is the presence of this device suspicious enough, from an information security standpoint, to support my belief? What would you do if you discovered the same on an enterprise machine?

How come RFC 7636 (PKCE) stops a malicious app doing the same code challenge and getting legitimate access to the API?

As per RFC 7636, it stops malicious apps which pretend to be legitimate apps from gaining access to OAuth 2.0 protected APIs.

The flow suggests a method of having a runtime-level secret which is generated by the client and letting the auth server know it. This allows the token issuer to verify the secret with the auth server and grant a proper access token.

However, let's assume a malicious app, as the RFC suggests, with a correct client_id and client_secret: it can do the same PKCE process and gain access to protected resources.

Is this RFC not meant to protect against those kinds of attacks, or am I simply missing something here?
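The binding the question describes, as an added example that is not part of the original post and not code from the RFC: a constructed toy authorization server stores the S256 code_challenge with each issued code and returns a token only when the presented code_verifier hashes to it. The names AuthServer and "public-app" are assumptions.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes give a 43-character verifier (allowed range is 43..128)
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    """Constructed stand-in for the authorization and token endpoints."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # The challenge is stored alongside the freshly issued code.
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)  # every code is single-use
        if entry is None or entry[0] != client_id:
            return None
        # Only the party that generated the verifier can reproduce the challenge.
        if not secrets.compare_digest(make_challenge(code_verifier), entry[1]):
            return None
        return "access-token-for-" + client_id

def legitimate_flow(server: AuthServer):
    verifier = make_verifier()  # kept in the legitimate app's memory only
    code = server.authorize("public-app", make_challenge(verifier))
    return server.token("public-app", code, verifier)

def intercepted_code_flow(server: AuthServer):
    # The code reaches another app that knows the client_id but never saw the
    # verifier; redeeming the code with a verifier of its own is refused.
    code = server.authorize("public-app", make_challenge(make_verifier()))
    return server.token("public-app", code, make_verifier())
```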

Are there legitimate methods other than feats for an erudite to learn powers not on the psion/wilder list?

An Erudite can select powers freely from the psion/wilder lists, and from all the discipline lists with certain caveats.

A StP alternate class feature Erudite can learn spells, converting them to “spellpowers” with the same caveats as discipline powers; they count as powers.

The Expanded Knowledge or the Hidden Talent feat clearly allows the acquisition of any one power from any list, with certain caveats.
Are there any non-feat methods which legitimately allow an Erudite to acquire other non-psion/wilder powers (Lurk powers, Leech powers, mantle powers, etc.)?

Please do not include anything involving Manipulate Form, or similar levels of TO.

Is Certified | Ethical Hacker (C|EH) a scam or legitimate?

I’ve been doing a lot of research on Certified | Ethical Hacker (C|EH) to see if it’s a credible certification. But I’ve stumbled across a Wikipedia article on it and discovered that the sources come straight from the company EC-Council, the ones that made the certification in the first place. The writing of the article sounds like it’s marketing it to you. There wasn't a wiki article on EC-Council itself, and the founder and CEO is from India (I’m not being racist or anything). I even signed up for it on the EC-Council website and got a message from the employee, who is from India. Does anyone know the real history of the company, or is it a scam?

If a vulnerability has no relevant attack vectors, is monitoring still legitimate for a company?

Today, while reviewing vulnerability scan results with a colleague, we had a debate about what vulnerabilities can be considered “true or legitimate” and hence worthwhile to spend resources on monitoring. We had differing opinions on whether vulnerabilities without a relevant attack vector can be considered “true” vulnerabilities for our company.

My opinion was that even if a vulnerability discovered today has no applicable attack vectors because the conditions needed to exploit it do not exist, the vulnerability is still worthy of monitoring, as its future behavior may evolve. As more information becomes known about it, more attack vectors may become known. In addition, our company is moving in the direction of the Cloud, where I see faster detection and stronger monitoring of vulnerabilities becoming more important, due to there being more “distance” between a company and its digital assets, i.e. assets become less physically tangible.

However, I also understand my colleague’s point that monitoring and researching have an opportunity cost. If a successful exploit is unlikely, then the time spent researching, monitoring, and reporting results may be better spent on another activity, similar to how not all security risks have equal criticality.

Given our company’s direction, that we work with highly sensitive customer data such as health information (HIPAA), and that we are in the regulated financial services industry, I tend to feel more comfortable taking the more conservative approach of my own viewpoint.

In general, are vulnerabilities with non-applicable attack vectors considered “true” vulnerabilities?

How should the degree of monitoring and resource commitment to remediation be determined, generally speaking, at a high level, particularly for regulated industries?

How can a scammer scan your data if you’re redirected from their fake website to the legitimate website?

Coming from this comment from this question at Travel StackExchange.

My question is: How can the scammer still scan a user’s data when the user registers their account on the legitimate site, after being redirected from the fake site?

So, suppose I go to homeaway-eu.com. I’m then redirected to homeaway.com. Now I search for a house and book it, after entering my data. How can the scammer get the information that I entered, such as my payment details and contact info?

Edit: I think the answers below are coming from the point of view of the question that I linked above. My question is about the supposition that I wrote, not the exact case from Travel StackExchange.