how would a 12-digit password be a safe guard in this situation?

So guys, I messed up with the configs in a computer and let the SSH server open to the wild with ROOT login enabled. I’m trying to assess the potential damages, which I may never know for sure.

Regrets apart, this mistake lasted for over a year until I verified several SSH authentication attempts in secure.log (botnets and/or skiddies) with random users, but some tried with root. The secure.log shows that all root connection attempts failed and no break-in evidence, but I may not rely on those logs anymore.

My hopes resort in the fact that I changed the default SSH port (not really a security measure) plus a 12-digit password (capital and noncapital letters plus symbols, so 72^12 possibilities), however I don’t know if a 12-digit password is really worth a security matter these days. Even considering a swarm of botnets (between 300k to 6M), it would take years to break the password, but DoS and DDoS are other possibilities and I wanna try to reach some peace of mind.

Unfortunately, I had to format and re-install Linux in this computer given ongoing needs, but I’ve kept /var/log/ files in case of an investigation. The network admin (the computer wasn’t at my home) didn’t notice any suspicious activity, then I came up with a few possibilities after some research:

  1. OK scenario: password was worth its length and hold any intruder.

Possible solution: harden security and (even) keep the OS.

Comment: the intruder may have cleared the logs to trick me, so better to be sure and format anyway.

  1. Bad, but manageable scenario: someone managed to connect and setup a botnet/spammer/bitcoin miner.

Possible solution: format computer and harden security.

Comment: no suspicious network activity had been noticed and I’d have noticed some CPU stress and/or other symptoms, but none seen. However, I used only SSH terminal with no graphic interface (tty) in this computer, so symptoms would be possibly less evident (?).

  1. Really a bad scenario: intruder accessed my computer and stole my data.

Possible solution: format computer and harden security.

Comment: OK I’d need to live with that, but the hardware would be reusable.

  1. Worst-case scenario: intruder break-in plus a rootkit/keylogger/sniffer/worm.

Possible solution: format computer and harden security, unless a more serious intervention had been done, like BIOS or HDD/SSD firmware virus/rootkit.

Comment: I believe a hardware-level threat means game over for MB and SSD/HDD.

In summary: (1) would be fine; (2) seems very unlikely, since no alarms were triggered, (3) is bad, but hardware still OK, and (4) is the worst scenario. I believe a compromised root password is way worse than getting a rootkit from some suspicious downloaded app (just guessing), especially if it is nested into the hardware.

Therefore, scenario (4) worries me and I presume I don’t have any means to find out if my computer had an intervention at hardware level. Per my research, BIOS and SSD/HDD firmware hacks are possible and usually meant for high-level targets (not my case), but rare for ordinary users and very hardware-dependent (I found lots of debate on internet).

Any thought/ideas/suggestions in ways I could verify my hardware are appreciated.

How can I stay safe when I’m visiting potentially harmful websites on Android 9.0+ or similar MIUI?

I mean harmful by the fact that they might have ads, popups or other ways in which they might transfer malware to my phone or exploit vulnerabilities. And by visiting I mean interacting, clicking on items found on them, playing videos on them, like adult sites for an example of such a website.

Is there a sandbox or a VM on such Android phone that might help? Or am I secured if I have a basic antivirus, NoScript and an adblocker? Is there any you would recommend?

Is unicode character encoding a safe alternative for html encoding when rendering unsafe user input to html?

I am building a web application in which a third party library is used, which transforms the user input into JSON and sends it to an controller action. In this action, we serialize the input using the standard Microsoft serialize from the System.Text.Json namespace.

public async Task<IActionResult> Put([FromBody]JsonElement json) {     string result = JsonSerializer.Serialize(json); } 

However currently, the json is rendered back to the page, within a script block and using @Html.Raw(), which raised an alarm with me, when I reviewed the code.

While testing if this creates an opening for script injection, I added

<script>alert("HACKED");</script> 

to the input. This input is transformed into

\u003Cscript\u003Ealert(\u0027HACKED\u0027);\u003C/script\u003E 

when serialized.

This look fine. Rendering this to the page does not result code execution, when I tested that.

So, is unicode character encoding really a good protection against script injection, or should I not rely on it?

Is it conceivable that unicode encoding is lost somewhere during processing? Like (de)serializing once more, etc?

This seems like a question that has been asked and answered before, but I couldn’t find it.

Is my code safe enough to be publish on the server side?

I’m new here to ask a question. Sorry if my question had miss explanation. I just wanna ask if my PHP code is secure enough. Please find below is the source code.

Get the ID for choosing the Value

/*Create a new Query for get all the ID from each of Venue Type on the Administration Database*/ $  Q_VenueType = "SELECT Biz_ID FROM Biz";  $  R_VenueType = $  connection->query($  Q_VenueType);  if ($  R_VenueType->num_rows > 0) {     //Success Condition     $  rows = array();     while ($  row = $  R_VenueType->fetch_assoc()) {         $  rows[] = $  row;     }      echo json_encode($  rows);      $  R_VenueType->close();  }else{     //Failed Condition     echo('0'); }  mysqli_close($  connection); 

Get Value with the ID as an Input

//Create Variable to get the Venue Type Value by their ID. $  VenueType_ID = htmlspecialchars($  _POST['TypeID'], ENT_QUOTES);  /*Create a new Query for get all the ID from each of Venue Type on the Administration Database*/ $  Q_VenueTypeValue = "SELECT Biz_Name FROM Biz WHERE Biz_ID = '".$  VenueType_ID."'";  $  R_VenueTypeValue = $  connection->query($  Q_VenueTypeValue);  if ($  R_VenueTypeValue->num_rows > 0) {     //Success Condition     $  rows = array();     while ($  row = $  R_VenueTypeValue->fetch_assoc()) {         $  rows[] = $  row;     }     echo json_encode($  rows);  }else{     //Failed Condition     echo('0'); }  mysqli_close($  connection); 

Please ask for further information, Thank you for the answer before.

Is it safe to install a trusted CA certificate from another source?

As you may know, a CA certificate issued by Sectigo expired recently. This is affecting certain mobile apps and possibly websites, rendering them unable to connect to required network resources. In particular, some older devices that do not have the replacement CA certificate are unable to connect to servers using such certificates.

A work-around is possible (How can I work around the expired Sectigo certificate on my old mobile device?)… but is it safe? What dangers, if any, is a user potentially exposed to by copying a CA certificate from an already-trusted device to a device which does not have said certificate?

(For this purpose, please ignore the broader issue of whether using a device that is not receiving updates is safe. We all know that has its own risks. I am asking specifically if installing a CA certificate that is already widely trusted is any more dangerous than simply using such devices without installing the new certificate.)

Safe to sell used Android-phone without doing factory reset

I’ve got an Android One-unit with Android 10. However it refuses to boot and I’ve decided to get rid of it and I think I get get some money by selling a broken phone online. However since it refuses to boot I can not perform a factory reset or similair procedures. Is is safe to sell it or can personal data get in the wrong hands?

Some information:

  • I have not changed the encryption settings, so I think it’s encrypted by default
  • I got two factor authentication turned on on my Google account and removed the device from my “trusted devices”
  • I have screen-lock turned on with pattern needed to unlock it.

VPN provider asks to install RootCertificate. How is it safe?

I want to use VPN provider (ProtonVPN), and don’t want to use an app. They ask user to install their Root Ca. How safe is it? What type of info could they get from my laptop? If I have their certificate installed, does that means they can see and get all info from my browser, including passwords and https sites? And what about other non browser traffic? How safe is it? What are the risks?

Is it safe to run a flask server in a development environment?

I have a project that I have to present on a Zoom call for my AP Computer Science class. I have a flask site that I am running off of my laptop onto a port forward. When I run the server it says:

WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead. * Debug mode: off 

I only plan to run this for a couple of hours, and it doesn’t need to be particularly efficient, but I don’t want to open my computer up to attack. (I know it’s very dangerous to run it in debug mode like this). The web app doesn’t have any sensitive data to be stolen, but I wanted to make sure I wasn’t opening my machine to remote code execution, or anything like that.

Is AES ECB mode safe for one block Encryption then MAC with same key?

I want to do something really basic but I need to be sure that the process is safe :

Problem

Alice and Bob have to agree on a secret 6 digits PIN. They each have a pre-shared aes symetric key k and a AES-128 block cipher. The PIN will then be used only once secretly.

I want to take care of Man-in-the-Middle.

Solution

  • Alice creates à 128 bits random number : Arand
  • She encrypts Arand with basic ECB(Arand, k) and gets Acipher
  • Again, She encrypts Acipherwith ECB(Acipher, k), as a MAC, and gets Amac
  • Alice sends to Bob Acipher|Amac

Bob does the same and sends Bcipher|Bmac to Alice

  • The two of them verify the Mac by encrypting [A|B]cipher and comparing it to [A|B]mac.

  • If the mac is ok, they uncipher [A|B]cipher and get the [A|B]rand of the other.

  • They compute the 6 digits PIN by taking 3 digits in Arand and 3 in Brand.

Question

Is it safe to use ECB mode in this particular case ? Is it safe to use the same key for encryption and for the mac in this case ? Is there a much easier solution to only agree on 6 digits ?

my answer is : as we use fixed size one-bloc long messages, it’s ok am i right ?

I know we should’nt imagine ourself our own algorithms but this one seems really trivial.

Thanks ! Louis