[IS&T Security-FYI] SFYI Newsletter, July 28, 2014
daemon@ATHENA.MIT.EDU (Monique Buchanan)
Mon Jul 28 15:38:06 2014
Resent-From: ist-security-fyi@MIT.EDU
From: Monique Buchanan <myeaton@MIT.EDU>
To: ist-security-fyi <ist-security-fyi@MIT.EDU>
Date: Mon, 28 Jul 2014 19:37:08 +0000
Message-ID: <BB3FDD12-6D23-4922-B9C2-226B29901F98@mit.edu>
In this issue:
1. Top 25 Most Dangerous Software Errors
2. A Scam-Free Vacation
---------------------------------------------------------
1. Top 25 Most Dangerous Software Errors
---------------------------------------------------------
SANS.org<http://www.sans.org> and the Common Weakness Enumeration (CWE)<http://cwe.mitre.org/index.html> project maintain a list of the 25 most dangerous software errors: coding mistakes that lead to serious vulnerabilities. They are often easy to find and easy to exploit, and they are dangerous because they frequently let an attacker take over the software completely, steal data, or prevent the software from working at all. Although this edition of the list was compiled in 2011, the weaknesses on it are still the ones being exploited today.
A run-down of the top 5:
1. SQL Injection, ranked number 1, is still one of the most common means of attack. For data-rich software applications, SQL injection is a way to steal the keys to the kingdom. A lot of software is all about the data: getting it into the database, pulling it from the database, massaging it into information, and sending it elsewhere for fun and profit. If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun and profit belongs to them. If you use SQL queries in security controls such as authentication, attackers can alter the logic of those queries to bypass the check. They can modify the queries to steal, corrupt, or otherwise change your underlying data. They'll even steal data one byte at a time if they have to (blind SQL injection, inferred from nothing more than yes/no answers), and they have the patience and know-how to do so. The root cause is building a query by pasting user input into the SQL text; the fix is parameterized queries (prepared statements), which hand the input to the database as a value it never parses as SQL. In 2011, SQL injection was responsible for the compromises of many high-profile organizations, including Sony Pictures, PBS, MySQL.com<http://MySQL.com>, the security company HBGary Federal, and many others.
2. OS Command Injection is next, and arises where the application interacts with the operating system. Your software is often the bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system but allow untrusted input to be fed into the command string you build for it, you are inviting attackers to cross that bridge into a land of riches by executing their own commands instead of yours. The shell is the interpreter here: characters such as ; | & and $( ) in the input turn one command into several. Prefer invoking the program directly with an argument list, so no shell ever sees the input, and validate the argument against an allow-list if a shell is unavoidable.
3. The classic buffer overflow is third. Buffer overflows are Mother Nature's little reminder of that law of physics that says: if you try to put more stuff into a container than it can hold, you're going to make a mess. The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. However, copying an untrusted input without checking the size of that input is the simplest error to make in a time when there are much more interesting mistakes to avoid. That's why this type of buffer overflow is often referred to as "classic." It's decades old, and it's typically one of the first things you learn about in Secure Programming 101.
4. Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It's pretty much inevitable when you combine the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject JavaScript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you (because, after all, it *did* come from you). Suddenly, your web site is serving code that you didn't write. The attacker can either get the input stored on your server so that it is served to everyone (stored XSS), or use an unwitting victim as the middle man by tricking them into sending the payload to your site themselves, typically in a link they click (reflected XSS), in a technical version of the "why do you keep hitting yourself?" game. Note that this is not a man-in-the-middle attack: the attacker never needs to sit on the network path, only to get your page to carry their script. The defence is output encoding that matches the HTML context the data lands in, with a Content Security Policy as defence in depth.
5. Missing authentication for critical function is fifth. In countless action movies, the villain breaks into a high-security building by crawling through heating ducts or pipes, scaling elevator shafts, or hiding under a moving cart. This works because the pathway into the building doesn't have all those nosy security guards asking for identification. Software may expose certain critical functionality with the assumption that nobody would think of trying anything but the front door. But attackers know how to case a joint and figure out alternate ways of getting into a system. The practical defence is to require authentication at a single point that every request passes through, denying by default, rather than relying on each individual function to remember its own check.
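The three injection entries above (SQL injection, OS command injection and cross-site scripting) share one root cause: untrusted text is spliced into something an interpreter will parse. The following is an added example, not code from this newsletter or from CWE/SANS; it shows each weakness as a vulnerable function beside its fixed form, using Python's bundled sqlite3 driver, the echo command and constructed payloads. The users table, account, and inputs are all made up for illustration.

```python
"""Three Top 25 injection weaknesses side by side: SQL injection, OS
command injection and cross-site scripting. In each pair the vulnerable
function splices untrusted text into something an interpreter will parse
(SQL, a shell command line, HTML); the fixed function keeps that text as
data. Added example, not code from the newsletter or from CWE/SANS; the
users table, the echo command and all payloads are constructed."""
import html
import sqlite3
import subprocess


# --- 1. SQL injection (login check) ------------------------------------
def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, name: str, password: str) -> bool:
    # The caller's text becomes part of the SQL statement itself, so a
    # password of  ' OR '1'='1  rewrites the WHERE clause to be always true.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0


def login_fixed(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Parameterized query: the driver binds the values to the '?' slots
    # after the statement is parsed, so they can only ever be compared as
    # literals, never interpreted as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


# --- 2. OS command injection -------------------------------------------
def greet_vulnerable(name: str) -> str:
    # shell=True hands one string to /bin/sh, which honours ';', '|', '&',
    # '$(...)' and friends, so the input can append its own command.
    out = subprocess.run("echo Hello " + name, shell=True,
                         capture_output=True, text=True, check=True)
    return out.stdout


def greet_fixed(name: str) -> str:
    # Argument vector, no shell: `name` reaches echo as a single argv entry
    # and any metacharacters in it are printed literally.
    out = subprocess.run(["echo", "Hello", name],
                         capture_output=True, text=True, check=True)
    return out.stdout


# --- 3. Cross-site scripting (rendering a user comment) -----------------
def render_vulnerable(comment: str) -> str:
    # Raw concatenation into HTML: a '<' in the comment opens a tag.
    return "<p>" + comment + "</p>"


def render_fixed(comment: str) -> str:
    # Output-encode for the HTML text context. The encoder must match the
    # context the data lands in; attribute, URL and script contexts each
    # need their own.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def demo() -> dict:
    """Run each pair on a constructed malicious input and report results."""
    db = make_db()
    sql_payload = "' OR '1'='1"
    shell_payload = "world; echo INJECTED"
    html_payload = "<script>alert(1)</script>"
    return {
        "sqli_bypass_vulnerable": login_vulnerable(db, "nobody", sql_payload),
        "sqli_bypass_fixed": login_fixed(db, "nobody", sql_payload),
        "cmd_lines_vulnerable": greet_vulnerable(shell_payload).splitlines(),
        "cmd_lines_fixed": greet_fixed(shell_payload).splitlines(),
        "xss_vulnerable": render_vulnerable(html_payload),
        "xss_fixed": render_fixed(html_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the vulnerable login accepting a non-existent user with the password `' OR '1'='1`, the shell version printing a second line `INJECTED` that the program never asked for, and the raw HTML carrying a live `<script>` tag, while each fixed function treats the same payload as plain data. The pattern is the same in every case: use the interface that separates code from data (bind parameters, argv, a context-aware encoder) rather than trying to sanitize the string yourself.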
See the full list and learn mitigations and preventions for all 25<http://cwe.mitre.org/top25/>.
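For the fifth entry, missing authentication for a critical function, the following added example (not code from the newsletter or from CWE/SANS) models the "heating duct" in a small request dispatcher: the front-door handler checks for a login, but a second path to a destructive function never got a guard. The paths, handlers and the string-valued "session" are constructed for illustration; the fix moves the check to the single place every request passes through.

```python
"""Missing authentication for a critical function: the "front door"
handler checks for a login, but a second path to a critical function
never got a guard. Added example; the paths, handlers and the
string-valued "session" are constructed for illustration."""
from typing import Callable, Dict, Optional

# A request is modelled as a path plus the authenticated user, or None
# when the request carries no valid session.
Handler = Callable[[Optional[str]], str]


def view_profile(user: Optional[str]) -> str:
    return f"profile of {user}"


def delete_user(user: Optional[str]) -> str:
    # Critical function: destructive, must never be reachable anonymously.
    return "user deleted"


# --- Vulnerable: every handler must remember to check for itself -------
def profile_guarded(user: Optional[str]) -> str:
    if user is None:
        return "401 login required"
    return view_profile(user)


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/profile": profile_guarded,        # the front door has its guard
    "/admin/delete_user": delete_user,  # the heating duct: no guard at all
}


def dispatch_vulnerable(path: str, user: Optional[str]) -> str:
    handler = VULNERABLE_ROUTES.get(path)
    return handler(user) if handler else "404"


# --- Fixed: authenticate once at the entry point, deny by default -------
# Unauthenticated access is an explicit, short allow-list; everything else,
# including paths nobody thought to guard, requires a session.
PUBLIC_PATHS = frozenset({"/login", "/healthz"})

FIXED_ROUTES: Dict[str, Handler] = {
    "/login": lambda user: "login page",
    "/healthz": lambda user: "ok",
    "/profile": view_profile,
    "/admin/delete_user": delete_user,
}


def dispatch_fixed(path: str, user: Optional[str]) -> str:
    # The session check runs before the route lookup, so anonymous callers
    # cannot even learn which private paths exist by probing for 404s.
    if path not in PUBLIC_PATHS and user is None:
        return "401 login required"
    handler = FIXED_ROUTES.get(path)
    return handler(user) if handler else "404"


if __name__ == "__main__":
    for fn in (dispatch_vulnerable, dispatch_fixed):
        print(fn.__name__, "anonymous /admin/delete_user ->",
              fn("/admin/delete_user", None))
```

The check in `dispatch_fixed` answers only "is anyone logged in?"; whether that particular user is allowed to delete accounts is authorization, a separate entry on the same list, and needs its own check inside or in front of the handler.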
---------------------------------
2. A Scam-Free Vacation
---------------------------------
A lost ID card, using unknown wireless connections, a stolen smartphone, skimmers, or laptop theft can ruin that glow you acquired while you were away. You don't want to have to deal with identity theft or lost devices. These tips from the FTC provide some peace of mind for vacationers<http://www.onguardonline.gov/blog/scam-free-vacation>.
======================================================================
Read all archived Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.
======================================================================
Monique Buchanan
IT Security Communications Coordinator
Information Systems & Technology (IS&T)
Massachusetts Institute of Technology
http://ist.mit.edu/secure
tel: 617.253.2715