[HN Gopher] OWASP Data Breach Notification
___________________________________________________________________
OWASP Data Breach Notification
Author : Newklol
Score : 60 points
Date : 2024-04-01 20:21 UTC (2 hours ago)
(HTM) web link (owasp.org)
(TXT) w3m dump (owasp.org)
| lenerdenator wrote:
| Maybe I'm just hanging out in the wrong places but right now it
| feels like _everyone_ is making stupid, stupid security mistakes
| _all the time_. If AI is the main buzzword, infosec is #2 right
| now.
| mandevil wrote:
| It feels to me more like it's the power of the comprehensive
| background scanning (I've seen it called 'internet background
| radiation') that is constantly taking place: anything you
| forget about, anything you misconfigure, anything you are slow
| to patch, that is going to be found and exploited by some tool
| someone built somewhere that is continually searching the
| entire internet for the same five mistakes.
| pixl97 wrote:
| And it's so easy to do...
|
| GET /file.name
|
| ERROR 404
|
| [User: wtf is going on]
|
| Turns on directory index
|
| Sees /file.name
|
| [Oh that's the problem]
|
| Forgets to turn directory index off
| gerdesj wrote:
| Quite.
|
| My firm have a Nessus scanner and we point it at ourselves as
| well as our customers. There are also several checks on the
| monitoring system that will flag if something suddenly starts
| working.
|
| Background radiation is about right.
|
| Run up a honeypot VM with a web service on it and watch the
| logs with something like lnav. You soon get a feel for how
| fast the legitimate (and I use that term advisedly) crawlers
| like Google and that rock up along with the others.
|
| You will see a lot of hits from things with a Github link
| within their agent header - script kiddies or perhaps clever
| kiddies pretending to be script kiddies - more analysis
| needed. You will also see hits from agents claiming to be
| Google or Bing or Firefox on Commodore 64. Again, careful
| packet analysis, IP lists etc can be instructive ... if you
| can be arsed.
|
| Anyway.
|
| Humans cannot see network traffic. When you instruct your
| firewall to do something via its GUI or CLI you are merely
| providing instructions that may or may not actually do
| anything. Do feel free to actually test it. nmap, for
| example, is available for port testing and much, much more.
| mparnisari wrote:
| > everyone is making stupid, stupid security mistakes all the
| time
|
| Newsflash: humans make mistakes all the time.
| rad_gruchalski wrote:
| Only those who do nothing make no mistakes.
| 01HNNWZ0MV43FF wrote:
| Groundbreaking stuff. So security is fine, actually?
| coffeebeqn wrote:
| It's the combinatorics. A small company might have a hundred
| micro services and some tens of third party dependencies and
| most of both only get touched or looked at when something goes
| wrong. Add in any code shipped to client machines and the
| various versions of everything and then add in basically
| everything related to IT and phishing and...
| pixl97 wrote:
| Software that gets used ships with insecure defaults, and
| software that ships hardened and totally locked down and must
| be configured for everyone's individual use case typically
| doesn't become successful.
| hathawsh wrote:
| Exactly. Employee A adds a feature and adds security policies
| X and Y to prevent abuse. Employee B adds another feature and
| disables policy X because it conflicts with the new feature
| and policy Y is still in place. Employee C adds some
| functionality that conflicts with policy Y, but reasons
| that's OK because a comment says the feature is protected by
| both the X and Y policies. So policy Y gets disabled too.
|
| You can see why everyone would then start pointing fingers at
| each other. Hopefully, regular reviews and careful analysis
| prevent this kind of situation.
| nodoodles wrote:
| Checks calendar... good one! I hope..
|
| Good reminder why not to collect and keep personal data you don't
| need
| mfkp wrote:
| Published on 3/29...
| westmeal wrote:
| haha whoops
| derkades wrote:
| In my opinion this is an understandable mistake that they've
| handled as well as can be expected.
| lwilli wrote:
| This is ironic...
| https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
| hypeatei wrote:
| Disabling directory listing/indexes is the first thing on a
| "web server hardening" checklist, or so I thought...
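The directory-index mistake pixl97 walks through above (turn indexing on to debug a 404, forget to turn it off) and hypeatei's point that disabling it is the first item on a hardening checklist both come down to the same check a scanner performs: fetch a directory URL and look for the autoindex page signature. The following is an added example and not code from the page or from OWASP; the sample HTML is constructed to imitate Apache mod_autoindex and nginx autoindex output, with made-up file names.

```python
"""Detect a web server's automatic directory listing from the page it returns.

Added example, not code from the page or from OWASP: the sample HTML below is
constructed to imitate Apache's mod_autoindex and nginx's autoindex output,
with made-up file names.  A scanner does the same thing: fetch a directory URL
and look for the listing signature rather than trusting the status code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Title prefixes used by Apache/nginx/lighttpd ("Index of") and by Python's
# http.server ("Directory listing for").
LISTING_TITLE_RE = re.compile(r"^\s*(Index of|Directory listing for)\s", re.I)

APACHE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="report%202023.pdf"> report 2023.pdf</a></li>
<li><a href="db-backup.sql"> db-backup.sql</a></li>
<li><a href="old/"> old/</a></li>
</ul></body></html>
"""

NGINX_LISTING = """<html>
<head><title>Index of /static/</title></head>
<body><h1>Index of /static/</h1><hr><pre><a href="../">../</a>
<a href="config.yml">config.yml</a>    01-Apr-2024 20:00   512
</pre><hr></body></html>
"""

NORMAL_PAGE = """<html><head><title>Downloads</title></head>
<body><a href="file.name">file.name</a></body></html>
"""


class _Collector(HTMLParser):
    """Collect the <title> text and every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def autoindex_entries(page):
    """Return the listed names if `page` is an autoindex page, else None."""
    collector = _Collector()
    collector.feed(page)
    if not LISTING_TITLE_RE.match(collector.title):
        return None
    entries = []
    for href in collector.hrefs:
        # Skip column-sort links ("?C=N;O=D"), the parent link ("../" or an
        # absolute path such as "/uploads/"); keep relative names, which is
        # how both servers link the entries themselves.
        if href.startswith(("?", "/", "../")):
            continue
        entries.append(unquote(href))
    return entries


if __name__ == "__main__":
    for label, page in (("apache", APACHE_LISTING), ("nginx", NGINX_LISTING), ("normal", NORMAL_PAGE)):
        print(label, autoindex_entries(page))
```

The fix lives in the server, not the scanner: in Apache it is `Options -Indexes` in the relevant `<Directory>` block (or in `.htaccess` where overrides are allowed); nginx's `autoindex` directive is off by default, so a listing from nginx means someone switched it on, which is exactly the forgot-to-turn-it-off path described above. Pointing a check like this at your own hosts, as gerdesj does with Nessus, is how you find out before the background radiation does.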
| shmde wrote:
| How the turntables.
| WhatsName wrote:
| Is this April Fools or for real?
___________________________________________________________________
(page generated 2024-04-01 23:00 UTC)