Posted by u/jtraffic 8 years ago
Ask HN: What is the most common security mistake you see?
Mainly I'm asking about websites, but other security mistakes are welcome (e.g., IoT, apps, firmware)

Also acceptable: Not common but happens reasonably often and exposes large vulnerabilities.

nulagrithom · 8 years ago
Not even trying.

Seriously, you wouldn't believe the number of companies/people who don't even try. I'm talking "db.run(request.body)" levels of not-trying, "the shared admin password is 'turtle'" levels of not-trying; "the medical records are protected because they're on a hidden share" levels of not-trying.

These are all things that I've seen.

Second to that is thinking that you're trying because every once in a while you have a vague sense of paranoia.

"Let's use MongoDB so we're safe from SQL injection." "We need to proxy the API because that's what other people do." "The WiFi password is secure because it's 26 characters long -- even though we're still using WEP."

Also things I've seen.

I know I'm not any better either. Given the opportunity, I would always hire a professional to audit my stuff.

jpindar · 8 years ago
Yeah, I've seen this too.

"No one but the customer is even going to know this machine exists, so why would anyone try to access it?" levels of ignorance are the cause of most of the IoT security issues we face today.

atmosx · 8 years ago
Lack of working backups. It's appalling how many people depend on systems with no backups.

Forget ransomware and other exotic attacks, what happens if after 7 years your hard drive decides to die on you?

I don't know. The backup is the first thing that needs to be set up and tested when you buy a computer. Windows and Mac have built-in systems for point-in-time backups and Linux offers more than a few solutions.

Backup, backup and backup again :-)

ghughes · 8 years ago
This advice doesn't seem to be getting through regardless of how loudly it is proclaimed. Everyone should have a backup plan with multiple points of failure, but of course lots of people don't because it's not trivial to set that up.

I don't think current operating systems go anywhere near far enough in helping users to get this right. When I buy a computer, the computer should be in charge of ensuring that catastrophic data loss cannot easily occur. 9 times out of 10, the user simply doesn't know how to set things up that way.

stephenr · 8 years ago
On a Mac it prompts when an external HDD is connected; you click a button and it's set up. How much simpler can it be?
Bladtman · 8 years ago
I agree entirely with the sentiments here, but I wouldn't consider it a security issue. A safety issue more like.
taeric · 8 years ago
Security for software is typically defined to include things that protect you from loss of access risks. Think the latest ransomware that went out.

Specifically, the axes of security are integrity, authentication, and availability. Backups give the illusion of helping both integrity and availability. However, without practiced and verified recovery plans, they do neither.

taeric · 8 years ago
Agreed. Disaster recovery is one of those things that everyone agrees needs to be possible. But nobody seems to realize that you are only good at the things you regularly do.

Which isn't fair of me. I think people do realize it. Just making the time to regularly repeat something you have done before is tough.

I am very sympathetic to the idea that you can automate this. However, this seems to typically fall afoul of the idea that you now just have more that can and will fail. So now you need something to monitor that....

jrs235 · 8 years ago
Not just backups. Restores. You need to test your backups by periodically testing your restore process to ensure the backups are actually any good.

Test your restore process periodically!
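
An added example, not from the thread, of the restore test jrs235 is asking for: back up a directory together with a SHA-256 manifest, restore it into a scratch directory and verify every file against the manifest. `restore_drill(tamper=True)` simulates a backup job that silently archived the wrong data; all paths and sample files are constructed inside a temporary directory.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and write a SHA-256 manifest beside the archive."""
    manifest = {str(p.relative_to(src)): sha256_file(p) for p in src.rglob("*") if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest))
    return manifest

def restore_and_verify(archive: Path, dest: Path) -> list:
    """Restore into dest; return the files that are missing or whose hash does not match."""
    manifest = json.loads(archive.with_suffix(".manifest.json").read_text())
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")  # refuses path traversal (Python 3.12+ and backports)
        except TypeError:
            tar.extractall(dest)  # older interpreters without the filter argument
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]

def restore_drill(tamper: bool = False) -> list:
    """Constructed drill: back up sample files, restore them elsewhere, verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        src, archive, dest = Path(tmp, "data"), Path(tmp, "backup.tgz"), Path(tmp, "restore")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("quarterly notes\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        backup(src, archive)
        if tamper:  # the archive is rewritten with bad data while the manifest still describes the good copy
            (src / "docs" / "notes.txt").write_text("")
            with tarfile.open(archive, "w:gz") as tar:
                for rel in ("docs/notes.txt", "config.ini"):
                    tar.add(src / rel, arcname=rel)
        return restore_and_verify(archive, dest)
```

`restore_drill()` returns an empty list when the restore is good and the names of the damaged files otherwise, which is the check a scheduled drill should alert on.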

decasia · 8 years ago
Server backups are pretty easy to test in this era of virtualization. (I know, not everyone does it, but at least in principle it's pretty straightforward to mount a duplicate VM and test one's backed-up data. Good way to test config management systems as well.)

But how does one test restoring personal data? I'm guessing that most people, like me, don't buy duplicate laptops just to be a platform for testing their data restoration protocols.

webtechgal · 8 years ago
> It's appalling how many people depend on systems with no backups.

Truer words were seldom written!!

doubt_me · 8 years ago
Willful ignorance.

It's 2017 and yet still the biggest vulnerability of them all is willful ignorance.

People have agendas to fulfill. Can't let the truth get in the way. Haven't found a budget to fit in the truth; looks like we will have to do without it for now.

What is the truth?

Well nobody cares about security.

Who knows about the truth?

Mostly everybody

Why doesn't anyone do anything about it?

Trying hard just doesn't cut it anymore; as we can see, those with influence would rather destroy the entire internet for mass surveillance.

Also don't forget about 2FA

accountyaccount · 8 years ago
Security is boring and hard and it doesn't make you any money. Basically the same reason no one cares about US infrastructure projects.
0xcafecafe · 8 years ago
In my organization, forcing users to change passwords every x months. Everybody I know ends up picking simpler to remember passwords from a pool as a result.
mcheshier · 8 years ago
NIST just updated their guidelines, removing the requirement to change passwords, for that very reason. :)
GordonS · 8 years ago
Everyone I know just increments a number at the end of their password, until it allows them to start from 1 again.

ShittyPassword1 ShittyPassword2 ShittyPassword3 ... ShittyPassword8 ShittyPassword1

NIST came out recently against this, so hopefully, hopefully companies will start to listen.

accountyaccount · 8 years ago
• Password requirements outside of length really don't do squat except make it harder for people to remember their already weak passwords

• Using the same short passwords over and over again.

• Using short passwords <8 characters

• Using very commonly used passwords (password123)

• Security questions

Just use a password manager. Choose one strong 10+ character password that you can remember. Choose the first letter of every word from song lyrics you like if you have to.

Example: lwbeiycwlmdrgag (loving would be easy if your colors were like my dreams red gold and green).

It would take the standard web hack billions of years to figure out that password. Even if someone had massive computing resources behind the crack (not typical, and very expensive) it would take over a week. Password123 or Fido16 might take a minute.

kabdib · 8 years ago
Yubikeys (both two-factor and very long static passwords, with pins) go a long way. And a handful of Yubikeys handed out to your staff is cheaper than a data breach.

It's not protection from idiocy, but if you're a Microsoft shop, default long passwords avoid stuff that Microsoft is rather coy about (e.g., LANMAN hash attacks against passwords < 14 characters long are still a thing, sigh).

MarkMc · 8 years ago
> Choose the first letter of every word from song lyrics you like if you have to. Example: lwbeiycwlmdrgag (loving would be easy if your colors were like my dreams red gold and green).

I'm not sure that's a strong password. A web crawler could generate a list of n-grams from the first letter of every word on every web page.

wayn3 · 8 years ago
and that would be how many potential passwords?

I pick a random order of a 52 card deck as my password. Is that a strong password? You could just iterate over all of them. Might take a while though.

Now my password is EITHER the song thing or a random order of a 52 card deck, you don't know which one. Do I have a strong password yet?

"a web crawler could just read every page on the internet and then construct all the potential n-grams of every word of every page on the internet and then easily figure out your password" sounds slightly optimistic.

You'd only have to clone half the Google operation to crack some random weirdo's password.

xemdetia · 8 years ago
Not understanding that fundamentally a whitelist is safer and better than a blacklist. I have gotten into many fights about this at work because it always leads to a hole later when something new or unknown sticks its head out. If there are ten things it is supposed to be able to do, make a list of ten things; don't just try to filter out what might not look like the ten things.
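
An added example (my code, not from the thread) of the hole xemdetia describes: the same request dispatcher written once as a deny-list and once as an allow-list, against a constructed `ReportService`. When another developer later adds `purge_all`, only the allow-list version keeps it unreachable.

```python
class ReportService:
    """Constructed sample service; only list_reports and view_report were meant to be public."""

    def list_reports(self):
        return ["q1", "q2"]

    def view_report(self, name="q1"):
        return f"contents of {name}"

    def delete_report(self, name="q1"):
        return f"deleted {name}"

    # Added months later by another developer, never meant to be reachable from a request.
    def purge_all(self):
        return "all reports purged"

# Deny-list: the names someone remembered to block when the dispatcher was written.
DENIED_ACTIONS = {"delete_report"}
# Allow-list: the things the endpoint is supposed to be able to do, and nothing else.
ALLOWED_ACTIONS = {"list_reports", "view_report"}

def dispatch_denylist(svc, action):
    """Refuse known-bad names, then call whatever else happens to exist on the service."""
    if action in DENIED_ACTIONS or action.startswith("_"):
        return (False, None)
    method = getattr(svc, action, None)
    if not callable(method):
        return (False, None)
    return (True, method())

def dispatch_allowlist(svc, action):
    """Call only the actions explicitly listed; anything unknown is refused."""
    if action not in ALLOWED_ACTIONS:
        return (False, None)
    return (True, getattr(svc, action)())

def compare(action):
    """Return whether each policy lets the given action through."""
    svc = ReportService()
    return {"denylist": dispatch_denylist(svc, action)[0],
            "allowlist": dispatch_allowlist(svc, action)[0]}

if __name__ == "__main__":
    # purge_all slips through the deny-list because nobody went back to add it.
    for name in ("list_reports", "delete_report", "purge_all"):
        print(f"{name:14s} {compare(name)}")
```
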
lucb1e · 8 years ago
As a pen tester, the biggest problem is management not caring or understanding. If there is a budget for pen tests, there are failsafes for data loss (offline, so they can't be cryptolocked), monitoring is in active use, developers are given time to learn about and write secure software, and sysadmins are given the time and budget needed, then it's usually quite alright. That might sound like a lot, but to most people here it's basic stuff. There are many companies that get it right, though of course I have a biased point of view (and I'm aware of it) because the ones I see have a budget for security tests.

As for a single, common mistake for IoT/apps/firmware altogether, that's an overly broad question. I think the best answer I can give is not updating things when updates are available. That's the easiest way to get compromised without even writing a single line of vulnerable code.

lima · 8 years ago
Default passwords.

Bad secret management (hardcoded in Git, shared secrets not changed after an employee left ...)

Dev and live not properly separated/dev not properly secured.

Services exposed to the internet that shouldn't be.

Old and forgotten software / appliances.

Don't forget about the dev/sysadmin workstations!