<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin: 0px; font-family: Helvetica;">In this issue:</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">1. Top 25 Most Dangerous Software Errors</div>
<div style="margin: 0px; font-family: Helvetica;">2. A Scam-Free Vacation</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">1. Top 25 Most Dangerous Software Errors</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://www.sans.org">SANS.org</a> and
<a href="http://cwe.mitre.org/index.html">Common Weakness Enumeration (CWE)</a> have come up with the top 25 most dangerous critical coding errors that can lead to serious vulnerabilities in software. They are often easy to find and exploit. They are dangerous
because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. Although this list was compiled in 2011, the weaknesses listed are still the same today. </div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">A run-down of the top 5:</div>
<ol>
<li style="margin: 0px; font-family: Helvetica;"><b>SQL Injection</b>, ranked as number 1, is still the most common means of attack. For data-rich software applications, SQL injection is a way to steal the keys to the kingdom. A lot of software is all about
the data: getting it into the database, pulling it from the database, massaging it into information, and sending it elsewhere for fun and profit. If attackers can influence the SQL that you use to communicate with your database, then suddenly all your fun
and profit belongs to them. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security. They could modify the queries to steal, corrupt, or otherwise change your underlying data.
They'll even steal data one byte at a time if they have to, and they have the patience and know-how to do so. In 2011, SQL injection was responsible for the compromises of many high-profile organizations, including Sony Pictures, PBS,
<a href="http://MySQL.com">MySQL.com</a>, security company HBGary Federal, and many others.
</li><li style="margin: 0px; font-family: Helvetica;"><b>OS Command Injection</b> is next, and is where the application interacts with the operating system. Your software is often the bridge between an outsider on the network and the internals of your operating
system. When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing that program, then you are inviting attackers to cross that bridge into a land of riches by executing
their own commands instead of yours. </li><li style="margin: 0px; font-family: Helvetica;">The <b>classic buffer overflow</b> is third. Buffer overflows are Mother Nature's little reminder of that law of physics that says: if you try to put more stuff into a container than it can hold, you're going
to make a mess. The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. However, copying an untrusted input without checking the size of that input is the simplest error to make in a time when there are much
more interesting mistakes to avoid. That's why this type of buffer overflow is often referred to as "classic." It's decades old, and it's typically one of the first things you learn about in Secure Programming 101.
</li><li style="margin: 0px; font-family: Helvetica;"><b>Cross-site scripting (XSS)</b> is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. It's pretty much inevitable when you combine the stateless nature of HTTP, the mixture
of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject Javascript or other browser-executable content into a web page that your application generates.
Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you (because, after all, it *did* come from you). Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of
techniques to get the input directly into your server, or use an unwitting victim as the middle man (Man-in-the-Middle Attack) in a technical version of the "why do you keep hitting yourself?" game.
</li><li style="margin: 0px; font-family: Helvetica;"><b>Missing authentication for critical function</b> is fifth. In countless action movies, the villain breaks into a high-security building by crawling through heating ducts or pipes, scaling elevator shafts,
or hiding under a moving cart. This works because the pathway into the building doesn't have all those nosy security guards asking for identification. Software may expose certain critical functionality with the assumption that nobody would think of trying
to do anything but break in through the front door. But attackers know how to case a joint and figure out alternate ways of getting into a system.
</li></ol>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;"><a href="http://cwe.mitre.org/top25/">See the full list and learn mitigations and preventions for all 25</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------</div>
<div style="margin: 0px; font-family: Helvetica;">2. A Scam-Free Vacation</div>
<div style="margin: 0px; font-family: Helvetica;">---------------------------------</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">A lost ID card, using unknown wireless connections, stolen smartphone, skimmers, or laptop theft can ruin that glow you acquired while you were away. You don’t want to have to deal with identity theft or lost
devices. <a href="http://www.onguardonline.gov/blog/scam-free-vacation">These tips from the FTC provide some peace of mind for vacationers</a>.</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica; min-height: 17px;"><br>
</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div style="margin: 0px; font-family: Helvetica;">Read all archived Security FYI Newsletter articles and submit comments online at
<a href="http://securityfyi.wordpress.com/"><span style="color: rgb(4, 46, 238);">http://securityfyi.wordpress.com/</span></a>.</div>
<div style="margin: 0px; font-family: Helvetica;">=======================================================================================</div>
<div><br>
</div>
<div apple-content-edited="true">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<br>
Monique Buchanan<br>
IT Security Communications Coordinator<br>
Information Systems & Technology (IS&T)<br>
Massachusetts Institute of Technology<br>
<a href="http://ist.mit.edu/secure">http://ist.mit.edu/secure</a><br>
tel: 617.253.2715<br>
<br>
<br>
</div>
</div>
</div>
</div>
<br>
</body>
</html>