[ale] Freelance web-devs make insecure sites
DJ-Pfulio
DJPfulio at jdpfu.com
Thu Jun 8 08:27:35 EDT 2017
Perhaps IoT devices need this too?
Bruce Schneier's blog ...
https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html
"Last year, on October 21, your digital video recorder — or at least a
DVR like yours — knocked Twitter off the internet. Someone used your
DVR, along with millions of insecure webcams, routers, and other
connected devices, to launch an attack that started a chain reaction,
resulting in Twitter, Reddit, Netflix, and many sites going off the
internet. You probably didn't realize that your DVR had that kind of
power. But it does."
A few years ago, during a national election in a smaller country, the
entire country was taken offline using internet attacks.
IoT (or Internet of Shit-devices) have amplified this power.
On 06/08/2017 08:09 AM, Jim Kinney wrote:
> Hah!
>
> Sad but true.
>
> Certain aspects of programming should be required to be
> run/directed/managed by licensed professional engineers. Finance,
> utilities, and medical are the top three for me that scream for real
> professional programming. We don't let precocious high schoolers build
> bridges just because they were really good with lego blocks. Engineering
> of physical things protects itself with professional standards.
> Engineering of virtual things needs to do the same.
>
> On Jun 8, 2017 7:44 AM, "Adrya Stembridge" <adrya.stembridge at gmail.com> wrote:
>
> For $250 they got about what they paid for.
>
> On Thu, Jun 8, 2017 at 6:42 AM, DJ-Pfulio <DJPfulio at jdpfu.com> wrote:
>
> Of the 17 commissioned projects by Tripwire (a security firm), 10
> websites were completed and purchased.
>
> The researchers found that every website had critical security
> failures.
> Read more here:
>
> https://www.helpnetsecurity.com/2017/06/08/website-security/
>
> * Unauthorized users allowed (all) - Check
> * Allowed hackers to upload a PHP webshell (all) - Check
> * Allowed auth bypass via SQL injection (several) - Check
> * Allowed content modification via SQL injection (half) - Check
>
> Short, but interesting read.
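The two failure classes the quoted list names most concretely, auth bypass via SQL injection and upload of a PHP webshell, come down to two coding habits. The example below is added here and is not code from the thread, the Tripwire study, or any of the commissioned sites; it builds a constructed in-memory SQLite user table, shows a login written by string concatenation next to one written with a parameterized query and a constant-time compare, and adds an allow-list upload filename check that also rejects double extensions like `shell.php.png`. The unsalted SHA-256 is only so both login functions share one table; a real deployment uses a slow salted password hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import os
import sqlite3

# --- constructed sample data (not from the article) ---------------------------
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse"


def make_db():
    """Create an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        (SAMPLE_USER, hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()),
    )
    return conn


# --- auth bypass via SQL injection: the pattern the study found ---------------
def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation, so user text becomes SQL syntax.

    The textbook username "' OR 1=1 --" turns the WHERE clause into a
    tautology and comments out the password check, returning the first user.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterized lookup: the driver sends username as data, never as SQL.

    The password comparison happens in Python with hmac.compare_digest so
    the check does not leak timing information either.
    """
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    expected = hashlib.sha256(password.encode()).hexdigest()
    return username if hmac.compare_digest(row[0], expected) else None


# --- webshell upload: allow-list the extension, and every extension ----------
ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}


def upload_allowed(filename):
    """Return True only for names whose every extension segment is allowed.

    Using basename defeats path tricks, and checking every dot-segment
    rejects "shell.php.png", which some server handler configs still execute.
    Dotfiles such as ".htaccess" are rejected because the stem is empty.
    """
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all("." + p in ALLOWED_UPLOAD_EXT for p in parts[1:])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected username:", login_vulnerable(db, "' OR 1=1 --", "x"))
    print("hardened,   injected username:", login_hardened(db, "' OR 1=1 --", "x"))
    for f in ("photo.jpg", "shell.php", "shell.php.png", ".htaccess"):
        print(f, "->", upload_allowed(f))
```

Run it stand-alone and the vulnerable login returns `alice` for the injected username while the hardened one returns `None`; the upload check accepts only `photo.jpg`. The fix on the SQL side is not escaping or a deny-list of quote characters but handing the value to the driver as a parameter, which is what every mainstream database API supports.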