Ask HN: What is the most common security mistake you see?
Mainly I'm asking about websites, but other security mistakes are welcome (e.g., IoT, apps, firmware)
Also acceptable: Not common but happens reasonably often and exposes large vulnerabilities.
77 comments
[ 2.5 ms ] story [ 137 ms ] threadShittyPassword1 ShittyPassword2 ShittyPassword3 ... ShittyPassword8 ShittyPassword1
NIST came out recently against this, so hopefully, hopefully companies will start to listen.
Bad secret management (hardcoded in Git, shared secrets not changed after an employee left ...)
Dev and live not properly separated/dev not properly secured.
Services exposed to the internet that shouldn't be.
Old and forgotten software / appliances.
Don't forget about the dev/sysadmin workstations!
2. In Ruby code, I see a surprising amount of `eval`; mostly `class_eval`
Forget ransomware and other exotic attacks, what happens if after 7 years your hard drive decides to die on you?
I don't know. The backup is the first thing that needs to be setup and tested when you buy a computer. Windows and Mac have build-in systems for point-in-time backups and linux offers more than a few solutions.
Backup, backup and backup again :-)
Which isn't fair of me. I think people do realize it. Just making the time to regularly repeat something you have done before is tough.
I am very sympathetic to the idea that you can automate this. However, this seems to typically fall afoul of the idea that you now just have more that can and will fail. So now you need something to monitor that....
Specifically, the axes of security are integrity, authentication, and availability. Backups give the illusion of helping both integrity and availability. However, without practiced and verified recovery plans, they do neither.
I don't think current operating systems go anywhere near far enough in helping users to get this right. When I buy a computer, the computer should be in charge of ensuring that catastrophic data loss cannot easily occur. 9 times out of 10, the user simply doesn't know how to set things up that way.
Test your restore process periodically!
But how does one test restoring personal data? I'm guessing that most people, like me, don't buy duplicate laptops just to be a platform for testing their data restoration protocols.
Truer words were seldom written!!
People opening untrusted web content and email attachments in Acrobat Reader and Office.
Reliance on antivirus products.
Mistake websites make: only letting you have one user account.
Talking about history of :
1. Slack channels ( lot's of private stuff / links go to #general )
2. VCS ( lot's of passwords / tokens are in the commit history )
3. JIRA ( lot's of private information / company secrets are there )
Usually only one of those three can cost the company a big lawsuit if some employee/freelancer is deliberately being hired to make damage.
JIRA is typically secured. As are VCS. As are Slack channels.
What is not secured are the developer machines...
- User tries to edit something sensitive, UI has profile data so disallows the action if the user is not an admin
- User pokes around the browser console to see what request would have been sent had the user been an admin and the UI allowed it
- User manually sends malicious admin request to API
- API fails to check whether admin request came from a user with admin rights and blindly executes the malicious action
I found this on a mapping site (now defunct) that let you printout sections of maps for a change. However, you could get small sample maps for free. And so by altering the width and height parameters in the page source ...
This wasn't mean't as a dig at frontend devs. After all the backend used the values as passed, and there should be some archtectural oversight to ensure this sort of sloppiness doesn't pass review. It's really a case of incompetent all round.
As dev I see a push to put more and more functionality into the client. It makes for a better user experience, but the downside is that security gets overlooked.
* Private SSH/AWS API Keys in Github
* Shared Prod Passwords
Not applying updates to infrastructure regularly
its 2017 and yet still the biggest vulnerability of them all is willful ignorance.
People have agendas to fulfill. Can't let the truth get in the way. Haven't found a budget to fit in the truth looks like we will have to do without it for now.
What is the truth?
Well nobody cares about security.
Who knows about the truth?
Mostly everybody
Why doesn't anyone do anything about it?
Trying hard just doesn't cut it anymore as we can see those with influence would rather destroy the entire internet for mass surveillance.
Also don't forget about 2FA
I can provide email filtering, DNS filtering, firewalls and all sorts of technical solutions to security.
It all goes to pot if someone gets click-happy on weird websites or email attachments or falls for the "Your $Company_President need to transfer some funds" email.
One malicious package could completely compromise a significant amount of our infrastructure.
* Those without memory management (I'm not talking about garbage collection, though there seems to be a correlation). Buffer overflows/overruns and its cousins have caused many security flaws, including heartbeat and even flaws in java, where it interops with C programs for performance's sake.
* Syntactical leniency wrt. scope can lead to errors like apple's infamous "goto fail"
Passing in user info for a query, instead of using session or token encoded data (Impersonation just waiting to happen).
Bad passwords/keys, and bad management of those secrets.
No plan for backups, or not having a way to restore backups.
A lot of people have the mindset "oh, who would ever hack me? my app is just small potatoes". And this is how you end up with things like the mirai botnet.
Bugs leading to memory corruption vulnerabilities are the most common mistake I see. So things like, not doing proper bounds checks before accessing an array, using memory after it's been freed, not initializing memory properly before using it, type confusions causing values to be treated as pointers, etc.
Can you get me most or all of the following in an hour or so?
- List of people with production API credentials and which ones per person
- List of accounts with weak passwords or lacking 2FA
- Who has SSH access to each of your servers?
- All portal logins per employee
- Show me the last 3 production data sources this specific employee accessed
- Per data source, list people and services that can read/write
- Network diagrams and policies
A lot of organizations can't. It's boring bookkeeping, but systems have to be put in place to keep this information correct and up to date. Otherwise, there's nothing to manage or secure!