The hacker group LulzSec made headlines recently with its smash and grab data breaches against Sony, the U.S. Senate, Arizona's Department of Public Security and PBS. But it turns out that attacks like these are often avoidable, according to a new report sponsored by the Department of Homeland Security.
The annual CWE (Common Weakness Evaluation)/SANS Top 25 Most Dangerous Software Errors discusses the biggest threats that software makers and large IT organizations face and how to avoid them. Each threat is evaluated and graded based on its prevalence, importance, and the likelihood that bad guys will try to take advantage of the exploit.
Topping this year's list are threats such as SQL injection, classic buffer overflow, cross-site scripting, cross-site request forgery, and failure to encrypt sensitive data. If those threats sound familiar, that's because several of these exploits were used to steal data sitting on corporate servers this year. If you're interested in reading it you can find the 2011 CWE report here, but here's a look at some of the highlights from this year's top 25 software threats.
SQL injection is a favorite trick among hackers and topped the 2011 CWE report as the biggest threat facing online networks. "For data-rich software applications, SQL injection is the means to steal the keys to the kingdom," the report said. The basic idea is that a hacker inserts code into an online form such as one asking for your name, address and so on. If proper precautions aren't taken to prevent this exploit, hackers can download, corrupt or alter an entire database. Hackers will even "steal data one byte at a time if they have to," according to the report.
SQL injection was responsible for many high-profile attacks including LulzSec's hacks into Sony Pictures and PBS, as well as Anonymous' intrusion into the network of security company HBGary Federal. This hack was even used to break into Oracle's MYSQL.com.
After hacking into Sony Pictures LulzSec called SQL injection, "one of the most primitive and common vulnerabilities."
Missing authorization allows hackers to manipulate software in a way that allows them to gain access to data they never should have been able to see. This exploit was used against Citigroup in early May when hackers stole details to more than 200,000 users' bank accounts, according to the report. How did the evil geniuses do it? By changing personal account information "that was present in fields in the URL," the report said. Basically, that means when the hacker landed on www.randombank.com/user/ account/123456, all they had to do was change the URL to www.randombank.com/user/account/789012 to gain access to another account.
Missing encryption of sensitive data
It's bad enough when a company or organization makes it easy for the bad guys to break in, but it gets worse when critical data such as account passwords are sitting there unencrypted. LulzSec gained access and later released more than 62,000 plain text passwords stolen from various databases.
For security fans looking to learn about the biggest threats in software for 2011 the report has more details to spill. For example, the report also discusses how the Stuxnet worm, which disabled Iranian nuclear sites, used hard coding to wreak havoc on computer systems. If you have any interest in computer security, the CWE report is well worth a read.