Comments
I was honestly thinking of creating an account (to see how FraudRecord works and if some scammy host put a record against me), but I'm quite hesitant about doing so now. I feel it would be a major privacy risk if I signed up with my personal information.
Did anyone grab the data? I'm not interested in the email addresses, but having a domain list of providers would be nice, it might save time finding new hosts.
Evidently a blank index.html is the new standard for security. I have no words to describe that other than "moronic".
It's not at all uncommon though. Honestly, people who take any steps whatsoever to secure data, I propose, are the minority. Most people don't have a clue where to start, and many of them are perfectly satisfied by "I can't think of anyone that would want to attack me, so I don't need to secure anything."
I mean, there are still people out there running WHMCS from 2009 without updates. It's getting harder and harder for me to be outraged by anyone's lack of security these days; it takes too much energy.
Any sound advice you'd care to share on good web security practices?
Keep things up to date, convenience be damned. Make use of web server features to forcefully block public access to things people don't need to be accessing, and make your own mod_sec (or equivalent) rules based on common tactics you see in log audits. Also, do log audits.
Always remember, you are a target. Doesn't matter who you are or what you do.
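The "do log audits" advice above, as an added example that is not part of the thread: a small Python audit over Apache/nginx combined-format access log lines that flags clients probing for paths legitimate visitors never request, and separately reports any such path the server actually served with a 200. The log lines, the IPs and the sensitive-path list are constructed for this example; the output is what you would turn into a deny rule (mod_security, an nginx `location` block, or .htaccess).

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed list of locations that ordinary visitors have no reason to request.
SENSITIVE_PREFIXES = ("/.git", "/.env", "/backup", "/config.php.bak", "/phpmyadmin")

# Constructed sample log (IPs are documentation ranges); last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 0
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 196
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /backup/db.sql HTTP/1.1" 200 58231
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 8123
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(log_text, threshold=2):
    """Return (flagged, exposed): flagged maps each client IP that made at least
    `threshold` sensitive-path requests to its (path, status) hits; exposed lists
    sensitive paths the server answered with 200, i.e. real exposure, not just probing."""
    probes = defaultdict(list)
    exposed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the audit
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            probes[rec["ip"]].append((rec["path"], rec["status"]))
            if rec["status"] == 200:
                exposed.append(rec["path"])
    flagged = {ip: hits for ip, hits in probes.items() if len(hits) >= threshold}
    return flagged, exposed


if __name__ == "__main__":
    flagged, exposed = audit(SAMPLE_LOG)
    for ip, hits in flagged.items():
        print(f"{ip}: {len(hits)} probes -> {[p for p, _ in hits]}")
    print("sensitive paths actually served:", exposed)
```

Feed it a real log with `audit(open("access.log").read())`; the `exposed` list is the urgent part, since a 200 there means the blank index.html approach left the file itself reachable.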
I appreciate it. I'm just getting into some programming courses in college, and it's going to be a while before I get to the security classes. I still prefer learning as much as I can about the category of my own accord. This should give me a nice start. :-)
What @Jar said, and also this: do not, under any circumstances (doesn't matter if it's not in production, etc) ever trust ANY data not to be malicious or invalid. Sanitize everything.
Also, MySQL injection is not the only dangerous attack. There are many other attacks which can have very serious consequences, and you should research them.
You won't be able to fight something until you learn what you need to fight against.
@Pwner, you can read about many things in IT security, but unfortunately some things you only get by getting your hands dirty (i.e., running a system and observing the attack vectors used against it).
Take LET for example, beautiful playground to learn the various attack vectors used against your site(s). :-)
To get a good idea what you can read up on/get certified in, just do a search on "internet security certifications" -- there are some nice lists of "Top IT Security Certifications."
IMHO, these days in IT the right certification >>>>>>> "formal" education (but please don't construe this as a knock against getting formal education). IT certifications are what employers seek (or pay for) almost above all else.
Cheers