Who needs security through obscurity?
-
Am I right in thinking that a website shouldn't tell potential hackers what software it's running? :confused: http://www.codeproject.com/script/Membership/Uploads/2587207/PentaxWebStore.png
-
Am I right in thinking that a website shouldn't tell potential hackers what software it's running? :confused: http://www.codeproject.com/script/Membership/Uploads/2587207/PentaxWebStore.png
True, it can weed out script kiddies searching for an easy exploit to run. However, for a targeted attack, it does not trick the attacker for very long, as there are lots of ways to fingerprint the underlying server. I think a better protection is lying, not hiding. Make them believe you run on Apache while you are using IIS.
-
Am I right in thinking that a website shouldn't tell potential hackers what software it's running? :confused: http://www.codeproject.com/script/Membership/Uploads/2587207/PentaxWebStore.png
Who needs attacks based on vulnerabilities in the server or framework, when so many sites are open to SQLi, XSS or XSRF? :doh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Who needs attacks based on vulnerabilities in the server or framework, when so many sites are open to SQLi, XSS or XSRF? :doh:
-
A DDoS will take the site down for a while, or even permanently. SQLi will leak your entire database to any script-kiddie with the right tool, and you'll end up facing massive fines and compensation claims.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
A DDoS will take the site down for a while, or even permanently. SQLi will leak your entire database to any script-kiddie with the right tool, and you'll end up facing massive fines and compensation claims.
Richard Deeming wrote:
you'll end up facing massive fines and compensation claims
I see lots of articles where some large firm leaked passwords, but I never heard anything about "claims" or compensation. Even if you did not have the luxury of checking all the code of the outsourced devs' group for SQLi, and you'd have to rely on their word, the point is that you don't ignore the rest of the potential problems simply because some other may exist. ...but yes, I do hope that claims will be more common in the future. Only then would companies have a financial incentive to keep their security up-to-date.
Bastard Programmer from Hell :suss: If you can't read my code, try converting it here (X-Clacks-Overhead: GNU Terry Pratchett)
-
Am I right in thinking that a website shouldn't tell potential hackers what software it's running? :confused: http://www.codeproject.com/script/Membership/Uploads/2587207/PentaxWebStore.png
Sadly, that seems to be the default setting with Apache. I've seen it often with directory listings.
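As an added example (not code from anyone in this thread), a small audit that checks a captured HTTP response for the two disclosure channels discussed above: version-bearing headers such as Server and X-Powered-By, and the Apache ServerSignature footer that shows up in directory listings. The sample response is constructed; the header names and the footer pattern are the standard ones.

```python
import re
from dataclasses import dataclass

# Headers that commonly reveal the server platform or framework.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
# Apache writes "<address>Apache/2.x Server at host Port 80</address>" under
# directory listings and error pages unless ServerSignature is Off.
SIGNATURE_RE = re.compile(r"<address>([^<]*Server at[^<]*)</address>", re.I)


@dataclass
class Finding:
    source: str        # "header" or "body"
    name: str          # header name, or "ServerSignature" for the footer
    value: str
    has_version: bool  # True if a dotted version number is exposed


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def audit_disclosure(raw: str) -> list:
    """Return every place the response advertises the software it runs on."""
    headers, body = parse_response(raw)
    findings = [Finding("header", n, headers[n], bool(VERSION_RE.search(headers[n])))
                for n in DISCLOSURE_HEADERS if n in headers]
    for m in SIGNATURE_RE.finditer(body):
        findings.append(Finding("body", "ServerSignature", m.group(1).strip(),
                                bool(VERSION_RE.search(m.group(1)))))
    return findings


# Constructed sample: a directory listing from a default Apache/PHP setup.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.22 (Ubuntu)\r\n"
          "X-Powered-By: PHP/5.3.10\r\n"
          "Content-Type: text/html\r\n\r\n"
          "<html><h1>Index of /uploads</h1>"
          "<address>Apache/2.2.22 (Ubuntu) Server at shop.example Port 80</address></html>")

if __name__ == "__main__":
    for f in audit_disclosure(SAMPLE):
        print(f"{f.source}:{f.name} -> {f.value!r} (version exposed: {f.has_version})")
```

With ServerTokens Prod and ServerSignature Off (or an equivalent header rewrite) the same check reports no version, which is the lowest-effort way to reach the "hide or lie" state the thread debates.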