Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

Bad information security advice

Security

1 Posts 1 Posters 94 Views

undefined Offline

undefined Offline
phenomlab
wrote on last edited by phenomlab

#1

It’s not often that I post anything on LinkedIn, but the post below caught my eye, and raised an eyebrow (to say the least) when I read it.

I typically remain impassive and neutral to most of these types of post as they are usually aimed at selling you something. However, the frankly absurd security advice here being offered was so bad, I found it hard to ignore and posted the below response

Forgive me if I decide not to take any of your cyber security advice as all of the points you’ve raised are the entire point of phishing exercises. Do you really think a nefarious actor isn’t going to send emails that look just like this (mostly because they have succeeded elsewhere as others have highlighted)?

Your profile states that you are the leader of a world class cyber security team, yet you offer really bad advice like this? This is exactly how all cyber security campaigns work and their effectiveness is blatantly obvious by the screenshot you posted.

“Hurt feelings” are irrelevant when you are measuring the effectiveness of your cyber security program. As the primary defense in any organization, the security department needs to be in a position to detect and repel as many attacks as possible. The paradigm here being that an organization needs to stop thousands of these attacks getting through per day (probably way more) yet an attacker only needs one link to be clicked for their campaign to succeed.

Employee security awareness should in fact be everything that the original poster claims it shouldn’t be. Just look at the success rate of previous campaigns which any decent training program is based on.

The bottom line here is that I really don’t understand the reasoning for the original post. This guy claims to be the leader of a world class cyber security team, yet he decides to give poor advice like this?

Speechless. And this is a so called professional?? We’re all doomed
Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

1 Reply Last reply
1

undefined

Setting for high load and prevent DDoS (sysctl, iptables, crowdsec or other)
Scheduled Pinned Locked Moved Security security server kernel ddos iptables
4

0 Votes

4 Posts

367 Views

undefined

@DownPW 🙂 most of this really depends on your desired security model. In all cases with firewalls, less is always more, although it’s never as clear cut as that, and there are always bespoke ports you’ll need to open periodically.

Heztner’s DDoS protection is superior, and I know they have invested a lot of time, effort, and money into making it extremely effective. However, if you consider that the largest ever DDoS attack hit Cloudflare at 71m rps (and they were able to deflect it), and each attack can last anywhere between 8-24 hours which really depends on how determined the attacker(s) is/are, you can never be fully prepared - nor can you trace it’s true origin.

DDoS attacks by their nature (Distributed Denial of Service) are conducted by large numbers of devices whom have become part of a “bot army” - and in most cases, the owners of these devices are blissfully unaware that they have been attacked and are under command and control from a nefarious resource. Given that the attacks originate from multiple sources, this allows the real attacker to observe from a distance whilst concealing their own identity and origin in the process.

If you consider the desired effect of DDoS, it is not an attempt to access ports that are typically closed, but to flood (and eventually overwhelm) the target (such as a website) with millions of requests per second in an attempt to force it offline. Victims of DDoS attacks are often financial services for example, with either extortion or financial gain being the primary objective - in other words, pay for the originator to stop the attack.

It’s even possible to get DDoS as a service these days - with a credit card, a few clicks of a mouse and a target IP, you can have your own proxy campaign running in minutes which typically involves “booters” or “stressers” - see below for more

https://heimdalsecurity.com/blog/ddos-as-a-service-attacks-what-are-they-and-how-do-they-work

@DownPW said in Setting for high load and prevent DDoS (sysctl, iptables, crowdsec or other):

in short if you have any advice to give to secure the best.

It’s not just about DDos or firewalls. There are a number of vulnerabilities on all systems that if not patched, will expose that same system to exploit. One of my favourite online testers which does a lot more than most basic ones is below

https://www.immuniweb.com/websec/

I’d start with the findings reported here and use that to branch outwards.
undefined

Windscribe VPN offered for free with a lifetime license
Scheduled Pinned Locked Moved General security vpn
6

5 Votes

6 Posts

856 Views

undefined

Missed out on this deal ? Windscribe offer a limited free version. More about that here
https://sudonix.org/topic/13/which-product-is-the-best-for-vpn/164?_=1652206628456
undefined

Securing javascript -> PHP mysql calls on Website
Scheduled Pinned Locked Moved Solved Security php mysql security
2

1 Votes

2 Posts

265 Views

undefined

@mike-jones Hi Mike,

There are multiple answers to this, so I’m going to provide some of the most important ones here

JS is a client side library, so you shouldn’t rely on it solely for validation. Any values collected by JS will need to be passed back to the PHP backend for processing, and will need to be fully sanitised first to ensure that your database is not exposed to SQL injection. In order to pass back those values into PHP, you’ll need to use something like
<script> var myvalue = $('#id').val(); $(document).ready(function() { $.ajax({ type: "POST", url: "https://myserver/myfile.php?id=" + myvalue, success: function() { $("#targetdiv").load('myfile.php?id=myvalue #targetdiv', function() {}); }, //error: ajaxError }); return false; }); </script>
Then collect that with PHP via a POST / GET request such as
<?php $myvalue= $_GET['id']; echo "The value is " . $myvalue; ?>
Of course, the above is a basic example, but is fully functional. Here, the risk level is low in the sense that you are not attempting to manipulate data, but simply request it. However, this in itself would still be vulnerable to SQL injection attack if the request is not sent as OOP (Object Orientated Programming). Here’s an example of how to get the data safely
<?php function getid($theid) { global $db; $stmt = $db->prepare("SELECT *FROM data where id = ?"); $stmt->execute([$theid]); while ($result= $stmt->fetch(PDO::FETCH_ASSOC)){ $name = $result['name']; $address = $result['address']; $zip = $result['zip']; } return array( 'name' => $name, 'address' => $address, 'zip' => $zip ); } ?>
Essentially, using the OOP method, we send placeholders rather than actual values. The job of the function is to check the request and automatically sanitise it to ensure we only return what is being asked for, and nothing else. This prevents typical injections such as “AND 1=1” which of course would land up returning everything which isn’t what you want at all for security reasons.

When calling the function, you’d simply use
<?php echo getid($myvalue); ?>
@mike-jones said in Securing javascript -> PHP mysql calls on Website:

i am pretty sure the user could just use the path to the php file and just type a web address into the search bar

This is correct, although with no parameters, no data would be returned. You can actually prevent the PHP script from being called directly using something like
<?php if(!defined('MyConst')) { die('Direct access not permitted'); } ?>
then on the pages that you need to include it
<?php define('MyConst', TRUE); ?>
Obviously, access requests coming directly are not going via your chosen route, therefore, the connection will die because MyConst does not equal TRUE

@mike-jones said in Securing javascript -> PHP mysql calls on Website:

Would it be enough to just check if the number are a number 1-100 and if the drop down is one of the 5 specific words and then just not run the rest of the code if it doesn’t fit one of those perameters?

In my view, no, as this will expose the PHP file to SQL injection attack without any server side checking.

Hope this is of some use to start with. Happy to elaborate if you’d like.
undefined

Hackers aren't evil - separating fact and FUD
Scheduled Pinned Locked Moved Blog hackers security
1

0 Votes

1 Posts

214 Views

No one has replied
undefined

Security, Or Just Obscurity?
Scheduled Pinned Locked Moved Blog security blog
1

+0

0 Votes

1 Posts

199 Views

No one has replied
undefined

Changing Passwords Regularly Actually Weakens Security
Scheduled Pinned Locked Moved Blog security blog
1

0 Votes

1 Posts

245 Views

No one has replied
undefined

Wasting a scammer's time is hugely entertaining
Scheduled Pinned Locked Moved Blog security blog
1

+0

1 Votes

1 Posts

324 Views

No one has replied
undefined

Browsing without a VPN? Think Twice...
Scheduled Pinned Locked Moved Security vpn security privacy
12

2 Votes

12 Posts

797 Views

undefined

And if you ever needed another reason to use a VPN, here it is.

https://news.sky.com/story/google-blinks-first-in-11-month-privacy-showdown-with-uk-regulator-12479198

Bad information security advice

Individual Categories