How do you protect against your IT domain admins accessing your data?

I work at a small company and we use an external company to take care of all our IT needs (a “managed IT service provider”). This includes managing our windows domain, our network, and everything else. To do so, they obviously have domain admin rights over all the computers.

Some high-profile employees work with sensitive files and data that we need to be sure no one is able to access or steal.

How can we set up our security so that no one in the IT department is able to access what they should not? Is there a way to guarantee this? Or is it required for the IT admins to be trusted?

In other words, if IT administers our firewall and accounts and security, how can we”police” the police?

How to protect data integrity in IoT network?

The security of IoT devices is very important to protect the data uploaded by IoT devices. Because if an attacker force an IoT device to upload misleading/false data, the analytics and insights generated by IoT system would lead to corrupted information.

Therefore in order to make sure that data uploaded by IoT device is guninue and not fake which is the best technique? or in other words how to ensure that the data sent is sent by an authentic device and not the fake (hacked) device?

Who or what exactly does the “Same Origin Policy” aim to protect

As I understand the “Same Origin Policy” is a browser security feature that aims to protect the user. It prevents scripts to load data from another webserver (typicall with ajax).

So esentially there are 3 actors:

  • The User in the Browser
  • The Original Website
  • The “other origin” Web Resource

Does it protect the user ? No: With CORS I can just allow any Origin on a malicious “Other origin” Web Resource

Does it protect the original Website? No: With CORS I can just allow any Origin on a malicious “Other origin” Web Resource

Does it protect the “other origin” Web Resource? No: A browser with Same Origin Policy disabled or a crafted request can be used to get the request trough anyway

I cannot get my head around that. What is the situation where the SOP help and which of these 3 actors does it protect in this situation.

Some bots are trying to locate files on server, how to protect?

In my apache error log I am getting these errors (there are 100s of these lines), most of these IPs are from China.

I guess some bots are trying to find vulnerable files. Is there any way to protect the server against such attacks?

script '/var/www/public_html/bbr.php' not found or unable to stat script '/var/www/public_html/ioi.php' not found or unable to stat script '/var/www/public_html/uuu.php' not found or unable to stat script '/var/www/public_html/qiqi.php' not found or unable to stat script '/var/www/public_html/qiqi1.php' not found or unable to stat script '/var/www/public_html/config.php' not found or unable to stat script '/var/www/public_html/db_session.init.php' not found or unable to stat script '/var/www/public_html/wp-admins.php' not found or unable to stat 

Is there a way to protect against fake messages by an SPA that consumes a webservice directly?

I develop a webservice currently and communication might be a bottleneck. It would be at least 100ms faster if I could access the webservice from the browser directly instead of sending the messages to the consumer’s server first and relaying them to the webservice along with the consumer identifier.

If I store that consumer identifier in the SPA, then everybody could fake a request in the name of the consumer, they just need to check what the SPA sends to the webservice as an user of it. Is there a way to protect the webservice against these kind of fake messages?

How to protect your PDF files from copying…

I have seen a few ebooks in PDF format where you can't copy and paste the text from that ebook. It suppose this would be really useful if you don't want people to copy parts of your ebook.

Anyone know how to do this? I would like to protect the information in my new ebook a bit better.

I know this is possible, but I don't have a clue on how to do this.


How to protect from being the spoofed number on caller ID?

The question How to protect from caller-id spoofing? focuses on how to protect oneself from incoming calls with spoofed caller ID information.

This question is about how to protect oneself when someone is using your number in spoofed caller ID to place calls to others (e.g. to check if a target number is still “live”). A certain subset of those called get angry, call back demanding to be taken off the call list, file complaints, get the number on blacklists that prevent legitimate use, etc.; the spoofer is hurting both the called party and the party whose number is being used. What can the latter party do to protect themselves from these consequences?

How to protect a server against Cloud Hopper?

Almost everyone is using cloud service providers for their computing needs these days, including myself. I am getting increasingly paranoid about a Cloud Hopper threat recently described in this Reuters article. To summarize:

  1. Hackers gain access to the cloud service provider.
  2. They use the cloud’s admin privileges to access the clients’ servers (including mine) and steal whatever information they want there
  3. When cloud service provider discovers the breach, they keep it super secret from everyone, especially their clients, otherwise their company goes down in a very competitive cloud service market.
  4. This goes on for months or years until the client discovers that the product it makes is now offered for a fraction of a price by a state-controlled Best New Company Co. Ltd. Inc. from a country that sponsors cyber theft.

So how can I, the client of a cloud service provider, protect my business from this threat? Solutions that come to mind:

  1. Don’t use cloud services at all. But that is expensive
  2. Do not store unencrypted sensitive documents in the cloud. But the production code and the database are the sensitive documents too.
  3. ?