The Department of Homeland Security will release a new guidance document today intended to make the software that runs the Web less susceptible to malicious hacks.
DHS has teamed with security and technology experts at the SANS Institute and Mitre to create a list of the top 25 programming errors that lead to the most serious hacks, according to The New York Times. The idea is to educate companies and organizations about the channels that criminal hackers use to gain access to confidential information and servers. These are often common software errors that can lead to “zero day” exploits.
According to the Times, the number one error on the list is a programming mistake that can leave a server vulnerable to SQL-injection attacks like those LulzSec and Anonymous have used to access supposedly secure information.
The guidance framework will include “vignettes” for various industry verticals, like banking and manufacturing, and will highlight which vulnerabilities are most frequent in the types of software is used.
Not Always A Tech Issue
While groups like Anonymous and LulzSec (which reportedly is disbanding) use sophisticated hacking methods (like SQL-injections), the greatest threat to security within the government and large corporations does not come from programming vulnerabilities.
It is their employees.
Bloomberg published an in-depth article June 27 titled “Human Errors, Idiocy Fuel Hacking.” That may seem like an outrageous accusation but remember that one of the biggest security leaks in recent history – WikiLeaks – was the result of one person with physical storage (a CD) and access to confidential files. All Bradley Manning allegedly needed to do was put the disc into a computer and start downloading.
Bloomberg reports that DHS staff secretly dropped CDs and USB drives into the parking lot of government buildings to see if they were picked up and put into a computer. The ones that were picked up were plugged in 60% of the time and ones with official logos 90% of the time.
It is one thing for an average citizen to pick up a USB drive marked “DHS” and put it into a computer but another entirely for government workers supposedly trained on security risks to do so. It is reminiscent of the movie “Burn After Reading” where Brad Pitt finds a CD filled with another character’s bank records and thinks it is top-secret information.
Bloomberg also notes that social engineering attacks are growing more sophisticated and are on the rise. According to security company Symantec’s State of Spam and Phishing monthly report, phishing attempts rose 6.7% between June 2010 and May 2011. Phishing has become more targeted with “spear phishing” aimed at specific groups of individuals and “whale phishing” aimed at C-level executives.
“Rule No. 1 is, don’t open suspicious links,” Mark Rasch of Computer Sciences Corporation told Bloomberg. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”
Once a phishing target clicks on a malicious link, it is likely that one of the top 25 software errors listed in the DHS guidance are being exploited. When it comes to security, the fact of the matter is that an organizations’ own people are the biggest threat, not some esoteric group of hackers living in the Internet ether.
Correction: The original version of this post referred to the Wikileaks suspect as Ryan Manning. The post has been updated to reflect his actual name, Bradley Manning. 6/28/11 – 9:40 a.m. EST.