Many of the highest-profile computer hacking attacks of the past year took advantage of common, well-known software flaws and could have been prevented with a solid testing and review process, according to an analysis supported by the US Department of Homeland Security.
The analysis was released on Monday by Mitre, the US federal contract research laboratory, and the not-for-profit Sans Institute for security training.
It blamed attacks by hacker groups Lulz Security and Anonymous against Sony Pictures, the public television network PBS and security firm HBGary Federal on the most dangerous flaw, known as SQL injection. That flaw, which allows outsiders to tease information from protected databases, can be fixed at low cost, the analysis said.
The researchers said a May intrusion at Citigroup, which allowed hackers to get records on hundreds of thousands of credit card users, relied on “missing authorisation”. This is listed as the sixth-most dangerous flaw, based on its prevalence, consequences and level of “attacker awareness”. Identifying and fixing that flaw has a “low to medium cost”, they said. Citi declined to comment.
Mitre and Sans have provided similar lists of the top 25 flaws in the past, but in this year’s version they added tools to help companies know what to look for when they try to secure their systems.
With a more specific review, “you can be much more proactive and get away from the victim mentality”, said Joe Jarzombek, homeland security’s director of software assurance.
The analysis supports the conclusions of private security experts who have complained that flawed programming and architecture have left gaping security holes at many big targets. Those flaws are increasingly easy for hackers to find using scanning tools.
Programmers are generally not held accountable for vulnerabilities and the process of reviewing their work is uneven, said Alan Paller, Sans director of research. All too often, company executives only learn of their errors after they have been attacked.
A growing number of security companies now certify that the programs they review will emerge without any of the top 25 errors. Some software buyers could soon demand similar certification from the original program suppliers, Mr Paller said.
“This is a first step toward a really big change in how you get software evaluated, the first step toward a scoring system,” he said.
Additional reporting by Suzanne Kapner in New York