Author Topic: A complete security overhaul needed; we do not have much time left....  (Read 1474 times)

0 Members and 1 Guest are viewing this topic.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 83766
  • No support PMs thanks
Re: A complete security overhaul needed; we do not have much time left....
« Reply #15 on: November 09, 2019, 10:40:01 PM »
Quote from: polonus
Dear DavidR & bob3160 and others,

There is one thing that all of the end users can do and that is fully update, upgrade and patch their OS, software programmes, everything installed there with the latest upgrades, updates & patches that comes with all of their devices.

What a gigantic difference toward overall security this simple act could make.
<snip>

Yes, but that isn't what your original post (and or some or the replies) are saying.

It borders on we're all doomed.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: A complete security overhaul needed; we do not have much time left....
« Reply #16 on: November 10, 2019, 12:58:54 AM »
I have said, that is what end-users should do and if all end-users globally would do so, this would have a definite impact.

Then what I have said initially is a conclusion I slowly and surely developed over the twelve years of diving into 3rd party cold recon website security here mainly in the V&W section. It dawned slowly upon me by seeing thousands and thousands of websites that were, where website security is concerned, so-to-say effectly "under par".

Most of these websites did not reach a mere F-grade status, an occasional C-grade, some A and A+. All the PHP-based CMS driven websites with user-enumeration and directory listing enabled, making it easy enough for average hackers to compromise such sites.

Then where developers are under enormous time pressure to deliver and security is a last resort issue. Then the devastating influence of certain almost global mono-cultures, like the one Google over time has created almost globally.

Summa sumarum it created just that feeling of gloom and a bit of despair with me, just simply because I see things go in a worse direction, I see little overall improvement. All such postings in the virus and worms and what did it bring us in the form of retired vulnerable libraries, left code to be retired, improved and extended security header security layers. Did it stop developers cut and paste code from github, weaknesses and flaws included. It educated a few, but it all comes too little and too late and too far in between.

OK, we now have more websites with better secured connection, thanks Google Safebrowsing, but more that has gone out of sight into the cloud. CloudFlare has become an important global data player.

But as a conclusion, when you close your eyes to it, the problems behind all this, won't go away. The pink elephant, that no-one wants to mention is there, and is not going to leave the room.

Small example of everyday analysis, I hate to see such vulnerabilities for an Apache Guacamole webserver in Kassel in Germany for instance, when an OP laments of his website being injected by malcreants:
ils.com/vulnerability-list/vendor_id-4 -> https://www.shodan.io/host/5.9.88.114

I see this neverending circus everyday. That is why I am waiting for a tiny bit of positive news, better security education for website developers and pentesters. Less managers to decide, most of them without any relative knowledge, how to dodge additional security expenses. Can you imagine why I feel like this, and still not have given up on those, that will come here for recommendations, advice and help.

Damian aka polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!