Ask HN: What is the most common security mistake you see?

75 points by jtraffic ↗ HN
Mainly I'm asking about websites, but other security mistakes are welcome (e.g., IoT, apps, firmware)

Also acceptable: Not common but happens reasonably often and exposes large vulnerabilities.

77 comments

[ 2.5 ms ] story [ 137 ms ] thread
I work in government. Hard-coded passwords, sharing production passwords by email, etc., is the norm.
In my organization, forcing users to change passwords every x months. Everybody I know ends up picking simpler to remember passwords from a pool as a result.
NIST just updated their guidelines, removing the requirement to change passwords, for that very reason. :)
Everyone I know just increments a number at the end of their password, until it allows them to start from 1 again.

ShittyPassword1 ShittyPassword2 ShittyPassword3 ... ShittyPassword8 ShittyPassword1

NIST came out recently against this, so hopefully, hopefully companies will start to listen.

infrastructure department says: "applications is responsible for security" application department says: "infrastructure is responsible for security" developer ask: "Can I help you?"
Default passwords.

Bad secret management (hardcoded in Git, shared secrets not changed after an employee left ...)

Dev and live not properly separated/dev not properly secured.

Services exposed to the internet that shouldn't be.

Old and forgotten software / appliances.

Don't forget about the dev/sysadmin workstations!

1. Secrets in source. This is by far the easiest one to "see".

2. In Ruby code, I see a surprising amount of `eval`; mostly `class_eval`

Eval of user input, or eval as a means of execution scope? An important distinction, since class eval and instance eval can run blocks at those levels, and there's nothing inherently wrong or insecure about that.
Lack of working backups. It's appalling how many people depend on systems with no backups.

Forget ransomware and other exotic attacks, what happens if after 7 years your hard drive decides to die on you?

I don't know. The backup is the first thing that needs to be setup and tested when you buy a computer. Windows and Mac have build-in systems for point-in-time backups and linux offers more than a few solutions.

Backup, backup and backup again :-)

Agreed. Disaster recovery is one of those things that everyone agrees needs to be possible. But nobody seems to realize that you are only good at the things you regularly do.

Which isn't fair of me. I think people do realize it. Just making the time to regularly repeat something you have done before is tough.

I am very sympathetic to the idea that you can automate this. However, this seems to typically fall afoul of the idea that you now just have more that can and will fail. So now you need something to monitor that....

I agree entirely with the sentiments here, but I wouldn't consider it a security issue. A safety issue more like.
Security for software is typically defined to include things that protect you from loss of access risks. Think the latest ransomware that went out.

Specifically, the axes of security are integrity, authentication, and availability. Backups give the illusion of helping both integrity and availability. However, without practiced and verified recovery plans, they do neither.

This advice doesn't seem to be getting through regardless of how loudly it is proclaimed. Everyone should have a backup plan with multiple points of failure, but of course lots of people don't because it's not trivial to set that up.

I don't think current operating systems go anywhere near far enough in helping users to get this right. When I buy a computer, the computer should be in charge of ensuring that catastrophic data loss cannot easily occur. 9 times out of 10, the user simply doesn't know how to set things up that way.

On a Mac it prompts on external hdd being connected, you click a button and its setup. How much simpler can it be ?
Not just backups. Restores. You need to test your backups by periodically testing your restore process to ensure the backups are actually any good.

Test your restore process periodically!

Server backups are pretty easy to test in this era of virtualization. (I know, not everyone does it, but at least in principle it's pretty straightforward to mount a duplicate VM and test one's backed-up data. Good way to test config management systems as well.)

But how does one test restoring personal data? I'm guessing that most people, like me, don't buy duplicate laptops just to be a platform for testing their data restoration protocols.

> It's appalling how many people depend on systems with no backups.

Truer words were seldom written!!

Organizational firewalled "internal networks" that everyone connects to.

People opening untrusted web content and email attachments in Acrobat Reader and Office.

Reliance on antivirus products.

Most common mistake I see: sharing your passwords with multiple people. Even when the product lets you have more than one account.

Mistake websites make: only letting you have one user account.

The biggest security mistake I see is the History.

Talking about history of :

1. Slack channels ( lot's of private stuff / links go to #general )

2. VCS ( lot's of passwords / tokens are in the commit history )

3. JIRA ( lot's of private information / company secrets are there )

Usually only one of those three can cost the company a big lawsuit if some employee/freelancer is deliberately being hired to make damage.

Things that are important ending up in public history is the mess in the first place.

JIRA is typically secured. As are VCS. As are Slack channels.

What is not secured are the developer machines...

Not realizing that the mind is supreme and the mind is fallible.
Critical functionality implemented in client code rather than the backend.
As a front-end developer I'm curious about this. Do you have an example to share?
I'm imagining doing some client side validation and then the server just blindly assumes the content has been validated.
- User logs in, API sends profile data to the UI including whether a user is an admin or not

- User tries to edit something sensitive, UI has profile data so disallows the action if the user is not an admin

- User pokes around the browser console to see what request would have been sent had the user been an admin and the UI allowed it

- User manually sends malicious admin request to API

- API fails to check whether admin request came from a user with admin rights and blindly executes the malicious action

How about putting the quotes around a value in JavaScript to prevent a DB error when the server concatenates it into a SQL statement later? There was even a helpful comment in the page source to explaining what was happening. I sent an email but it wasn't answered.

I found this on a mapping site (now defunct) that let you printout sections of maps for a change. However, you could get small sample maps for free. And so by altering the width and height parameters in the page source ...

This wasn't mean't as a dig at frontend devs. After all the backend used the values as passed, and there should be some archtectural oversight to ensure this sort of sloppiness doesn't pass review. It's really a case of incompetent all round.

As dev I see a push to put more and more functionality into the client. It makes for a better user experience, but the downside is that security gets overlooked.

No infrastructure secret management or very bad infrastructure secret management:

* Private SSH/AWS API Keys in Github

* Shared Prod Passwords

Not applying updates to infrastructure regularly

Not keeping software and systems on a regular update schedule.
Willful ignorance.

its 2017 and yet still the biggest vulnerability of them all is willful ignorance.

People have agendas to fulfill. Can't let the truth get in the way. Haven't found a budget to fit in the truth looks like we will have to do without it for now.

What is the truth?

Well nobody cares about security.

Who knows about the truth?

Mostly everybody

Why doesn't anyone do anything about it?

Trying hard just doesn't cut it anymore as we can see those with influence would rather destroy the entire internet for mass surveillance.

Also don't forget about 2FA

Security is boring and hard and it doesn't make you any money. Basically the same reason no one cares about US infrastructure projects.
Not training the employees:

I can provide email filtering, DNS filtering, firewalls and all sorts of technical solutions to security.

It all goes to pot if someone gets click-happy on weird websites or email attachments or falls for the "Your $Company_President need to transfer some funds" email.

Blind trust in open source package managers. Look at the damage the removal of left-pad from npm caused, for example, and imagine what could have happened if the author had malicious intent.
This is THE number 1 cause of build failures where I work, and is of particular concern for me because the Jenkins cluster I work with runs all slave nodes as a local admin user - certain products WILL NOT build otherwise.

One malicious package could completely compromise a significant amount of our infrastructure.

Obvious one but not using HTTPS would be up there.
Using bad programming languages, honestly. Most security problems boil down to type errors, but it's poor language choice that leads to making those.
What's an example of a bad programming language?
I didn't want to say, as most languages have their fans. But anything missing the features ML had; any language with null, without memory safety checking, without sum types and pattern matching, without type safety or generics (really any language without HKT, though I guess you don't need it for small programs).
Those that aren't "strict" in certain areas. Examples:

* Those without memory management (I'm not talking about garbage collection, though there seems to be a correlation). Buffer overflows/overruns and its cousins have caused many security flaws, including heartbeat and even flaws in java, where it interops with C programs for performance's sake.

* Syntactical leniency wrt. scope can lead to errors like apple's infamous "goto fail"

This is a very old history, but iptables rules designed to not being permanent by default and reseting itself at reboot without notice was a big one.
Appending strings together for SQL queries (SQL injection just waiting to happen).

Passing in user info for a query, instead of using session or token encoded data (Impersonation just waiting to happen).

Bad passwords/keys, and bad management of those secrets.

No plan for backups, or not having a way to restore backups.

Most common? Simply not having a security mindset whatsoever day-to-day. If you build anything you should be thinking about security, even if all you're thinking is why security isn't an issue for some particular project. It's always important to understand where the boundaries are because they will change. I've seen countless examples of people playing fast and loose with security merely because they never thought about it or don't understand the issues. Even today, right this second there are people who are writing code that is vulnerable to sql injection, people writing web app software without sanitizing their inputs, people writing remote execution vulnerabilities, etc, etc. All because they just don't think about it and just don't care.

A lot of people have the mindset "oh, who would ever hack me? my app is just small potatoes". And this is how you end up with things like the mirai botnet.

Part of my day job is reviewing vulnerability reports for a load of software written mostly in C/C++.

Bugs leading to memory corruption vulnerabilities are the most common mistake I see. So things like, not doing proper bounds checks before accessing an array, using memory after it's been freed, not initializing memory properly before using it, type confusions causing values to be treated as pointers, etc.

Not understanding that fundamentally a whitelist is safer and better than a blacklist. I have gotten into many fights about this in my work about this because it always leads to a hole later when something new or unknown sticks its head out. If there are ten things it is supposed to be able to do make a list of ten things, don't just try to filter out what might not look like the ten things.
(comment deleted)
On a general level, no systematic accounting of assets.

Can you get me most or all of the following in an hour or so?

- List of people with production API credentials and which ones per person

- List of accounts with weak passwords or lacking 2FA

- Who has SSH access to each of your servers?

- All portal logins per employee

- Show me the last 3 production data sources this specific employee accessed

- Per data source, list people and services that can read/write

- Network diagrams and policies

A lot of organizations can't. It's boring bookkeeping, but systems have to be put in place to keep this information correct and up to date. Otherwise, there's nothing to manage or secure!