Apropos of a previous post on poor software programming practices, a “Top 25 Programming Errors” list was released THIS WEEK by SANS and MITRE.
The main goal for the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list is meant as a tool for education and awareness that will help programmers prevent the kinds of vulnerabilities that plague the software industry. Software consumers could use the same list to help them ask for more secure software. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software, in the document’s own words, to “stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped.”
In a nutshell:
The Top 25 is organized into three high-level categories that contain multiple CWE entries.
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
* CWE-20: Improper Input Validation
* CWE-116: Improper Encoding or Escaping of Output
* CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
* CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
* CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
* CWE-319: Cleartext Transmission of Sensitive Information
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-362: Race Condition
* CWE-209: Error Message Information Leak
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
* CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
* CWE-642: External Control of Critical State Data
* CWE-73: External Control of File Name or Path
* CWE-426: Untrusted Search Path
* CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
* CWE-494: Download of Code Without Integrity Check
* CWE-404: Improper Resource Shutdown or Release
* CWE-665: Improper Initialization
* CWE-682: Incorrect Calculation
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
* CWE-285: Improper Access Control (Authorization)
* CWE-327: Use of a Broken or Risky Cryptographic Algorithm
* CWE-259: Hard-Coded Password
* CWE-732: Insecure Permission Assignment for Critical Resource
* CWE-330: Use of Insufficiently Random Values
* CWE-250: Execution with Unnecessary Privileges
* CWE-602: Client-Side Enforcement of Server-Side Security
You can read the entire document from the SANS website or at MITRE. Also on that page they have correlated related attack patterns for each error. It’s a sobering read, and considering how elemental some of these errors are, it’s dismaying to see them still so high on the list.
I’ve seen at least five of these errors in audit exams this year, and more than once. The most common one I see is CWE-250 – Execution with Unnecessary Privileges.
Bruce Schneier’s last Crypto-Gram contained a discussion about the purpose of audit. He was commenting on the fact that Barack Obama’s phone records, passport file and aunt’s immigration status were inappropriately accessed by State Department, Immigration and Verizon employees.
Because of good audit controls, the State Department electronic monitoring alerted supervisors when information was inappropriately accessed. Verizon fared less well, and Immigration has no idea who accessed the information.
“Audit helps ensure that people don’t abuse positions of trust.” Too bad Countrywide didn’t have such alarms in place to catch the guy siphoning off information to sell. Or the guy who walked out the building with hundreds of thousands of dollars of hardware over the course of 10 years.
With hard statistics this year that insiders, either by ignorance or malfeasance, have been a large source of data breaches, having good audit trails and controls in place makes more and more sense.
With so many large databases out there holding such private information, how can we continue to pretend that it only happens to other businesses? And complaints about the cost of security just aren’t cutting it anymore. The incredible COST of a data breach just keeps rising.
Pointing fingers and saying the other guy should be responsible for security doesn’t work either. Ultimately, responsibility rests with those who have the data to safeguard the data – no matter what form it takes: inside a database, on a backup tape, on a laptop, on a web server.
If we’re going to use personal information to make money for our business, we’d better be prepared to protect that information – from ourselves and other employees.
I was doing an audit today (I know, the term “audit” should only be used in connection with a financial exam, but everybody but Public Accountants use it this way) and examining the users inside a SQL database that holds one heck of a lot. I wish more IT Auditors would start looking inside databases.
Every single application ID was “dbowner” in its database. Every single one. All these different application functions, with “dbowner” rights. Why bother to have a dozen IDs? Just to fool the client? Guess so. Yes, the application does respond based on Windows user ID – but the application ID, which accesses the database for the application, has total rights over the database. It makes everything work just hunky-dory (dating myself, I know) but there are six ways to Sunday to utilize that kind of power inside the database.
Developers do it this way because it’s fast and easy. But combine this with a badly configured web server and you have a break-in waiting to happen. That’s exactly what I’m looking at today, and it really makes me wonder when business is going to wake up and secure their software.
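To make the finding above concrete, here is an added T-SQL example (not code from the original post or from any audited system). It shows the check an auditor can run to list who holds db_owner, the weak configuration the post describes, and the least-privilege alternative that addresses CWE-250. The database, user, role and procedure names (OrdersDB, app_orders, app_orders_role, dbo.usp_GetOrder, dbo.usp_PlaceOrder, dbo.Orders) are made-up placeholders; the ALTER ROLE ... ADD MEMBER syntax assumes SQL Server 2012 or later (older servers use sp_addrolemember / sp_droprolemember).

```sql
-- Added example, not from the original post. All object names are assumptions.
USE OrdersDB;
GO

-- 1. Audit check: which principals are members of db_owner in this database?
--    Any application user listed here has total rights over the database.
SELECT  m.name      AS member_name,
        m.type_desc AS member_type,
        r.name      AS role_name
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'db_owner'
  AND   m.name <> 'dbo';
GO

-- 2. The weak configuration the post describes: the application's database
--    user is simply dropped into db_owner because it "makes everything work".
--    Shown commented out; this is what not to do.
-- ALTER ROLE db_owner ADD MEMBER app_orders;

-- 3. Least-privilege alternative: a purpose-built role that can only execute
--    the procedures the application actually calls. No direct table access,
--    no DDL, no ability to read other applications' data.
CREATE ROLE app_orders_role;
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrder   TO app_orders_role;
GRANT EXECUTE ON OBJECT::dbo.usp_PlaceOrder TO app_orders_role;
ALTER ROLE app_orders_role ADD MEMBER app_orders;

-- If the application user was already in db_owner, take it out so the role
-- above is its only path into the database.
ALTER ROLE db_owner DROP MEMBER app_orders;
GO

-- 4. Verify from the application's point of view. Expected: EXECUTE on the
--    procedure is 1, direct SELECT on the underlying table is 0.
EXECUTE AS USER = 'app_orders';
SELECT  HAS_PERMS_BY_NAME('dbo.usp_GetOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc,
        HAS_PERMS_BY_NAME('dbo.Orders',       'OBJECT', 'SELECT')  AS can_read_table,
        HAS_PERMS_BY_NAME(DB_NAME(),          'DATABASE', 'ALTER') AS can_alter_db;
REVERT;
GO
```

The first query is the one worth adding to a database review: it is cheap, it runs read-only, and a non-empty result for an application account is exactly the condition described in the post. Steps 3 and 4 are the remediation and its proof; the application keeps working through its stored procedures while the account loses the ability to read or alter anything it was not explicitly granted.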
KPMG is saying that breaches are going to increase in 2009, and I can’t help but agree.
It is amazing to me that businesses are still issuing laptops to employees that do not have encryption. That being said, what do we mean when we say “the laptop is encrypted?”
There are three scenarios for encrypting portable computers:
1. Windows File Encryption
2. Third-party file, directory encryption software
3. Third-party whole disk encryption software
When you are making a decision on products to use, consider the following:
1. What level of encryption is the vendor stating? If the documentation says the algorithm is “proprietary,” throw it in the trash.
2. If the laptop is stolen, and there is a public announcement, is it going to sound better to say: “The whole disk was encrypted,” or, “They could get into the laptop because just some files were encrypted.” Consider your reputation risk.
3. If only files are encrypted, if I crack the password and get in as the user, does it automatically decrypt the files for me? Better check.
4. Can the software encrypt other items, like USB drives? Even better, if it does it automatically.
Don’t fall for the argument that disk encryption software is “too expensive.” What’s your reputation worth? Not only that, TrueCrypt makes a GREAT free encryption product. For small business environments with 2 or 3 laptops, send them a donation and get going; it’s a great product.
From Slashdot comes the painfully unsurprising news about digital picture frames. The software installation CD comes with malware, the W32.Sality.AE worm.
WalMart and Amazon sold these items during the Christmas season this year. Although Mercury and Samsung are the brands listed, all digital frames have left my Christmas list.
A little further digging reveals a Trojan product affecting a wide variety of digital frames that has been attached to numerous software installation products made in China. Given that 2.26 million digital frames were sold in 2007, according to the Consumer Electronics Association, and it expected sales to grow to 3.26 million in 2008, this issue really ought to be getting a lot more press.
The Trojan recognizes over 100 different brands of anti-virus software. I’d be reformatting my disk right about now, because it is very hard to locate and remove.
This was a known issue in February of 2008 – why didn’t Amazon and Walmart vet the software with the frames before selling them this Christmas?
OK, so you’ve bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny “security solution” from a vendor (one or many).
Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I’m spelling that fancy French right!) And of course either you have to manage it (without training, “that’s too expensive, just watch the consultants put it in”), or it’s been “outsourced.”
Or as an auditor, you’ve been told to use it for all auditing functions, and not worry about doing any follow up or periodic testing because this product is such a “time-saver.”
So, how do you know (my favorite question) it’s working and doing a good job? Not what the fancy report it produces says, not what the consultant says, not what the manual says, not what the boss says. What you can actually see.
I’ve been following a discussion on the SecurityFocus “pen-test” mailing list about how security software has just as many issues as regular software. I don’t like thinking that the software protecting me and writing to a SQL database is using an unencrypted ODBC connection that can be captured by ARP poisoning.
So, although I am rarely asked to audit or test a firewall, IDS or host IDS, having run and learned on all of them, I have some suggestions for you to try out.
NEXT: How to Audit Your IDS/Firewall/ECM for free.
In my travels as an auditor this year, I’ve visited 15 states and seen approximately 20 different networks, both LAN and WAN. I’ve audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service bureaus.
I continue to see networks that are not patched. “It might break our custom code,” is the most common excuse, followed by, “Gee, we just didn’t get around to it.”
Software coding continues to be a security disaster in the making. Developers continue to open up databases by giving too many rights to users and application IDs. I still find individual developer IDs inside production databases.
Management continues to be unwilling to invest the money in a secure architecture. In the last three years, I can count on the fingers of one hand the organizations I’ve seen that follow secure best practices. And not use all the fingers.
I still hear people try to tell me that they don’t need a firewall because they have really good routers. And then they don’t update the IOS on the routers and/or leave the default SNMP strings in place.
If you are paying for these services, and you are getting the above, there is a problem waiting to happen on your network. If you don’t know what’s going on in your databases, time to find out before another Countrywide happens in your back yard.
Have a safe holiday. And remember: who is responsible for good security? You are. I am. Let’s keep trying to do it right.
For saying the blindingly obvious:
“Companies and schools should find new ways to authenticate the identities of customers, employees and students that do not involve social security numbers, a U.S. consumer protection agency said on Wednesday as part of recommendations to fight identity theft.”
Now here is the real challenge: could the FTC, a government agency, please communicate this point to Medicare? You know, the government agency that puts the social security number on the medical benefits card it requires members to carry? The report addresses the use in the “private sector,” but medical use of social security numbers is a huge factor in medical identity theft, synthetic identity theft, and plain ol’ identity theft.
The FTC released the report on December 17, 2008, and you can read it here. All 21 pages of it in double space.
The “Social Security Number” was created in 1936 for the purpose of tracking workers’ earnings for benefits purposes. Not as a universal identifier. Any good DBA will tell you that relying on a single “identifier” carries a high risk of false positives. Newer techniques that match on a group of attributes, such as full name, address, date of birth, place of birth, etc., produce a much more accurate positive response (“Yes, this is the right person”).
But this additional data is “out there” as well, along with social security numbers. The genie IS out of the bottle.
The report worries about social security numbers data already being out of control. Given how many databases are out there (public and private) with ALL of the above information in storage, I think it is already way out of control, and the other identifying data along with it. Daily reports from the “Breach Blog” saturate my email box. Reading Pogo Was Right only confirms my opinion.
The FTC report seems to be an exercise in “too little, too late.”
It’s been an interesting week in “Breachland,” with reports of breaches in all sorts of places: eyewear companies, auto dealerships, Universities with “password-protected laptops,” Dallas City Hall, and, unfortunately, a big German Bank.
This year’s statistics are already well past any previous year’s for number of break-ins, laptop losses, backup tapes stolen, and internal employee data theft.
And yet I still see organizations that blithely ignore data on laptops, don’t monitor or encrypt their backup tapes, and have firewall rules that are like Swiss cheese.
Security costs money. Organizations struggling to meet payroll don’t have the willingness to allocate resources to address logical security issues. “It hasn’t happened here!”
It will. The big businesses make it harder (not impossible, just harder) to hack in from the Internet, but small businesses online are becoming the focus of cybercrime cartels. Especially if those businesses have a back-door connection to much bigger organizations.
Many large organizations outsource their data to third party service bureaus, marketing firms, or connect via an Extranet. If the small organization has weak security, it provides access to the back door of the larger one. Something to think about.
Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the Bank name, last four numbers of the account, the customer name, and the transaction.
So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.
The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc, is all there on the log.
I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.
Where does this report get stored? Who has access to the reports? The manager? The clerks?
Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)
Why does a store owner need that much information? I’ll try and find out.