firmware – does cascading routers increase security

My traffic goes through 6 routers in cascade.

Internet <-> Router lvl1 (192.168.1.1) <-> RtLvl2 (192.168.2.1) <-> RtLvl3 (192.168.3.1) <-> RtLvl4 <-> RtLvl5 <-> RtLvl6 (192.168.6.1) <-> My PC (192.168.6.2)

Each router is of a different brand with a different firmware (German, American, Chinese, Swedish...).

If a flaw is found in a router, or backdoors are installed, or for any reason Router lvl1 is compromised, the attacker would have to hack all the other routers from lvl2 to lvl6 to get to my PC.

I did this because I had a lot of old, unused, small and cheap routers.
Does it make sense? In your opinion, does the security of each router add to the overall security?

Thanks for your answers.

security – Should a Web Application File URL Have Public or Private Access

I think Facebook restricted images to authenticated users in an effort to stop “screen scraping” by unknown actors. This also verifies that an image can only be viewed under strict business rules (friends, friends of friends, etc.).

By “public URL”, do you mean you have a signature as part of the URL that causes it to expire after a certain time or do you have a token that kills the link when the user’s session expires? If the link is still active after a user logs out, even for a short while, that could pose a security risk.

If you’ve been asked for the ability to share files without the need for a user login, you might consider applying a passcode at the very least to access the file. Otherwise, you’re sending a file into the wild to be accessed by whomever has the link without any authentication at all. Not sure what kind of content you’re dealing with, but if the file contains personally identifiable information (PII data), that’s another security risk.

You should also consider a way for the user to kill any file link immediately, in case something was sent out that shouldn’t have been.

It might be worth discussing this further with your IT team to iron out the rules for allowing non-authenticated file access.

office 365 – MS 365 architecture and interdependencies between SP Online, MS Teams and others from the perspective of security and functionality

We are migrating to MS 365 from 2010. I am new to this and was asked to prepare a proper architecture for it, but while working on it I realized that MS Teams and other groups create their own site collections. So now I want to understand the architecture of MS 365 and the interdependencies between SP Online, MS Teams and others from the perspective of security and functionality.

This is because I don't want MS Teams to create site collections, and I don't want people to share anything with anybody; I want a well-administered and well-controlled environment.

Please advise on any links, courses, etc.

Drupal security update 7.73 – Drupal Answers

As part of Drupal security update 7.73 (https://www.drupal.org/project/drupal/releases/7.73), the following information is mentioned:

If you are using jQuery's AJAX API for user-provided URLs in a **contrib or custom module**, you should review your code and set "jsonp: false" where this is appropriate.

Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

Should we also apply the patch for a contrib module which uses

$.ajax({
  url: url
});

by adding Drupal.sanitizeAjaxUrl() to url?
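What the two pieces of advice in the release note do in practice, as an added example that is not Drupal's own code and not part of the original question. It assumes the behaviour the note describes: jQuery treats a query parameter ending in "=?" (for instance "callback=?") as a JSONP callback placeholder and would then load the response as a script, so the placeholder is removed before the URL reaches $.ajax() and jsonp is set to false so the option can never be honoured. The sanitizer below is modelled on that description, not copied from Drupal core; the URLs are constructed for the demonstration.

```javascript
// Added example, not Drupal core's code: a sanitizer modelled on the 7.73 release
// note. Assumption: a "=?" placeholder at the end of a query parameter turns an
// AJAX request into a JSONP script include, so it must not survive in a
// user-provided URL.
const JSONP_PLACEHOLDER = /=\?(&|$)/;

function splitFragment(url) {
  // The fragment is never sent to the server, so it is kept but not scanned.
  const i = url.indexOf('#');
  return i < 0 ? [url, undefined] : [url.slice(0, i), url.slice(i + 1)];
}

// True when the query string contains a JSONP callback placeholder.
function wouldTriggerJsonp(url) {
  return JSONP_PLACEHOLDER.test(splitFragment(url)[0]);
}

// Remove every "=?" placeholder from the query string, preserving the fragment.
function sanitizeAjaxUrl(url) {
  const [base, fragment] = splitFragment(url);
  let clean = base;
  while (JSONP_PLACEHOLDER.test(clean)) {
    clean = clean.replace(JSONP_PLACEHOLDER, '$1');
  }
  return fragment === undefined ? clean : `${clean}#${fragment}`;
}

// Before (as in the question): the user-provided URL goes straight to jQuery.
function ajaxOptionsBefore(userUrl) {
  return { url: userUrl };
}

// After: the URL is sanitized AND jsonp is disabled, which is what the release
// note asks for; both are needed, since the option alone leaves the stray "=?"
// in the request and the sanitizer alone relies on matching every placeholder form.
function ajaxOptionsAfter(userUrl) {
  return { url: sanitizeAjaxUrl(userUrl), dataType: 'json', jsonp: false };
}

module.exports = { wouldTriggerJsonp, sanitizeAjaxUrl, ajaxOptionsBefore, ajaxOptionsAfter };
```

Pass the result to $.ajax() in place of the bare { url: url } object; the only behavioural change for legitimate callers is that a URL with an "=?" placeholder no longer switches the request to JSONP.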

encryption – Apple Platform Security and NAND flash storage

I’m busy reading the Apple Platform Security document and I have a few questions regarding it.

The passcode is entangled with the device’s UID, so brute-force attempts must be performed on the device under attack.

Questions: Does this mean that if the device is physically damaged, the microchips cannot be taken out and brute forced on another device (PCB/FPGA)? If yes, what in the hardware prevents this? If no, what level of damage would render the NAND flash storage useless and the data unreadable?

Would repeatedly hitting (7-13 times) the back of the iPhone with a 6 pound hammer render sufficient physical damage to prevent information recovery?

The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than five and one-half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.

Questions: Would an attacker ever be able to actually perform this password guessing over the 5 1/2 years, or would the maximum of 10 attempts kick in and actually prevent this?

If the maximum attempts would prevent this, is this protection built into the hardware (Secure Enclave)?

How many years would it take an attacker to brute force all combinations of a seven, eight, nine and ten-character alphanumeric passcode with lowercase letters and numbers?
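The arithmetic behind the quoted "more than five and one-half years" figure, extended to the longer passcodes asked about, as an added example that is not from Apple's document or the original question. It assumes a 36-symbol alphabet (a–z and 0–9), the 80 ms per attempt quoted in the document, 365.25-day years, and that every attempt runs on the single device under attack, which is what the UID entanglement is meant to force; the lockout figure of 10 attempts is taken from the question.

```javascript
// Added example: keyspace and exhaustive-search time for lowercase+digit passcodes.
// Assumptions: 36 symbols, 0.08 s per attempt (as quoted), 365.25-day years, one device.
const ALPHABET_SIZE = 36n;            // BigInt so the 10-character keyspace is exact
const SECONDS_PER_ATTEMPT = 0.08;
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Number of distinct passcodes of the given length.
function keyspace(length) {
  return ALPHABET_SIZE ** BigInt(length);
}

// Years to try every passcode of the given length at the quoted rate.
function yearsToExhaust(length, secondsPerAttempt = SECONDS_PER_ATTEMPT) {
  return (Number(keyspace(length)) * secondsPerAttempt) / SECONDS_PER_YEAR;
}

// One row per length: exact keyspace, worst-case years, and expected years
// (half the keyspace, since on average the correct guess is found midway).
function bruteForceTable(lengths) {
  return lengths.map((n) => ({
    length: n,
    combinations: keyspace(n).toString(),
    worstCaseYears: yearsToExhaust(n),
    expectedYears: yearsToExhaust(n) / 2,
  }));
}

// The 80 ms figure only matters if unlimited attempts are allowed. With a lockout
// after maxAttempts, this is the fraction of the keyspace an attacker can ever cover.
function coverageUnderLockout(length, maxAttempts = 10) {
  return maxAttempts / Number(keyspace(length));
}

module.exports = { keyspace, yearsToExhaust, bruteForceTable, coverageUnderLockout };
```

For six characters the function reproduces the document's figure (about 5.5 years); each extra character multiplies the time by 36, so the seven- to ten-character cases land at roughly 200, 7,000, 260,000 and 9,000,000 years respectively. The coverage function makes the other half of the question concrete: with a hard cap of 10 attempts, a six-character passcode is searched to well under one part in a hundred million.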

economics – Are security guards irrational

This is an economics question.

Say 1 in 1000 security guards die in a year. Of the ones who actually show up it’s like 1 in 100.

The federal government estimates the value of a statistical life at 10 million. So guards lose 100k each year in death risk.

The salary of a security guard is 14 dollars per hour so it seems economically irrational.

Are security guards actually not economically rational?

And by the way you can interpret this as an art gallery problem but with death risk.

mod security – Tuning nginx /var/lib/nginx/body and ModSecurity

I have nginx set up with ModSecurity (via ModSecurity-nginx). My /var/lib/nginx/body directory fills up quickly. Currently, my /var/lib/nginx/body directory is 2.4 GB.

I think this is due to something ModSecurity is doing. Does that sound accurate? If so, is there a configuration option in ModSecurity or nginx to tune this behavior?