LulzSec, Anonymous Hacks Were Avoidable, Report Says

SQL injection, classic buffer overflow and cross-site request forgery are among the avoidable types of attacks

The hacker group LulzSec made headlines recently with its smash and grab data breaches against Sony, the U.S. Senate, Arizona's Department of Public Security and PBS. But it turns out that attacks like these are often avoidable, according to a new report sponsored by the Department of Homeland Security.

The annual CWE (Common Weakness Evaluation)/SANS Top 25 Most Dangerous Software Errors discusses the biggest threats that software makers and large IT organizations face and how to avoid them. Each threat is evaluated and graded based on its prevalence, importance, and the likelihood that bad guys will try to take advantage of the exploit.

Topping this year's list are threats such as SQL injection, classic buffer overflow, cross-site scripting, cross-site request forgery, and failure to encrypt sensitive data. If those threats sound familiar, that's because several of these exploits were used to steal data sitting on corporate servers this year. If you're interested in reading it you can find the 2011 CWE report here, but here's a look at some of the highlights from this year's top 25 software threats.

SQL injection

SQL injection is a favorite trick among hackers and topped the 2011 CWE report as the biggest threat facing online networks. "For data-rich software applications, SQL injection is the means to steal the keys to the kingdom," the report said. The basic idea is that a hacker inserts code into an online form such as one asking for your name, address and so on. If proper precautions aren't taken to prevent this exploit, hackers can download, corrupt or alter an entire database. Hackers will even "steal data one byte at a time if they have to," according to the report.
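To make the "inserts code into an online form" point concrete, here is a small added example (not from the article or the CWE report) using Python's standard sqlite3 module: a lookup that glues the form value into the SQL string beside the parameterized version that binds it as data. The users table and its two rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The weak pattern: the form value becomes part of the SQL grammar."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is always treated as a value, never as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The classic tautology input widens the WHERE clause to every row
    # in the concatenated version, and matches nothing in the bound version.
    probe = "' OR '1'='1"
    print("concatenated:", lookup_vulnerable(conn, probe))
    print("parameterized:", lookup_safe(conn, probe))
```

The same input string reaches both functions; only the concatenated query changes shape. Code review and static analysis that flag string-built SQL catch this class of bug before it ships.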

SQL injection was responsible for many high-profile attacks including LulzSec's hacks into Sony Pictures and PBS, as well as Anonymous' intrusion into the network of security company HBGary Federal. This hack was even used to break into Oracle's

After hacking into Sony Pictures LulzSec called SQL injection, "one of the most primitive and common vulnerabilities."

Missing authorization

Missing authorization allows hackers to manipulate software in a way that allows them to gain access to data they never should have been able to see. This exploit was used against Citigroup in early May when hackers stole details of more than 200,000 users' bank accounts, according to the report. How did the evil geniuses do it? By changing personal account information "that was present in fields in the URL," the report said. Basically, that means when the hacker landed on account/123456, all they had to do was change the URL to to gain access to another account.
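An added illustration of the URL-field problem (example code, not from the article or from Citigroup's systems): a request handler that authenticates the session but trusts the account number in the path, beside one that also checks the account belongs to the logged-in user. The account records, session tokens and path format are constructed for the example.

```python
# Constructed sample data: two accounts and two logged-in sessions.
ACCOUNTS = {
    123456: {"owner": "alice", "balance": 100},
    654321: {"owner": "bob", "balance": 250},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    """Raised when a request must be refused."""


def account_id_from_path(path):
    """Pull the numeric id out of a path like 'account/123456'."""
    return int(path.rsplit("/", 1)[1])


def get_account_unchecked(session_token, path):
    """Missing authorization: authenticated, but any id in the URL is served."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id_from_path(path)]


def get_account_checked(session_token, path):
    """Fix: the record is served only if its owner is the session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    account = ACCOUNTS.get(account_id_from_path(path))
    # One error for both "no such account" and "not your account", so the
    # response does not reveal which ids exist.
    if account is None or account["owner"] != user:
        raise Forbidden("no such account")
    return account


if __name__ == "__main__":
    print(get_account_checked("sess-alice", "account/123456"))
    try:
        get_account_checked("sess-alice", "account/654321")
    except Forbidden as err:
        print("refused:", err)
```

The fix is an ownership check on every object lookup, not a change to the URL scheme; hiding the id (random tokens, hashed ids) only makes guessing harder, while the check makes it irrelevant.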

Missing encryption of sensitive data

It's bad enough when a company or organization makes it easy for the bad guys to break in, but it gets worse when critical data such as account passwords are sitting there unencrypted. LulzSec gained access and later released more than 62,000 plain text passwords stolen from various databases.

Threats aplenty

For security fans looking to learn about the biggest software threats of 2011, the report has more details to spill. For example, it also discusses how the Stuxnet worm, which disabled Iranian nuclear sites, used hard coding to wreak havoc on computer systems. If you have any interest in computer security, the CWE report is well worth a read.

Connect with Ian Paul ( @ianpaul ) and Today@PCWorld on Twitter for the latest tech news and analysis.
