March 2017
Intermediate to advanced
262 pages
5h 26m
Chinese
Content preview from 物联网设备安全
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
熄灯
——
攻击无线灯泡致使持续性停电
|
21
然后再发送
PUT
请求的实体内容:
xhr.send("{\"on\":false}");
这会导致被攻击者的浏览器直接连接位于本地网络的照明系统网桥,并发送关灯的命令。
在这种情况下,攻击者可以远程利用被攻击者的浏览器进入本地网络内部(这就是所谓
的
drive-by
攻击)。
其实恶意攻击的可能性并不高,因为攻击者必须知道一个
whitelist
令牌才能实施攻
击。然而,将
Access-Control-Allow-Origin
头设置为
*
,仍然是一种非常糟糕的设计思
路。良好的安全机制应当是禁止任意一个网站强制开灯或关灯,即使是网站所有者获取了
whitelist
令牌。
1.2.3
弱密码复杂性与密码泄露
当用户使用有效身份认证登录之后,照明系统网站允许用户在家远程控制灯光。
如图
1-7
所示,照明系统网站仅要求密码长度超过
6
个字符。用户通常倾向于创建简单
的易被猜测出来的密码,如
123456
(实际上,研究显示
123456
和
password
是最常用的
密码)。
事实是,用户真的会选择使用类似的弱密码,安全架构师的职责就是让用户不会犯这样
的错误。大多数人只会考虑当前设备和软件的工作状况,而忽略了未来潜在的负面影响。
尽管密码策略薄弱,网站还是可以制定策略,一分钟之内错误登录两次的账户会被锁死
(如图
1-8
所示)。在用户密码不容易被猜测出来的情况下,这会降低暴力攻击成功的
可能性。
然而,另一个严重的问题是:对不同的服务用户倾向于使用相同的身份认证。报告显示,
密码泄露的主要因素是相同的密码使用频率过高。当攻击者攻陷了一个主网站之后,他 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.