Hackers Exploited Common Software Errors

By the Financial Times

Many of the highest-profile computer hacking attacks of the past year took advantage of common, well-known software flaws and could have been prevented with a solid testing and review process, according to an analysis supported by the US Department of Homeland Security.

The analysis was released on Monday by Mitre, the US federal contract research laboratory, and the not-for-profit Sans Institute for security training.

It blamed attacks by hacker groups Lulz Security and Anonymous against Sony Pictures, the public television network PBS and security firm HBGary Federal on the most dangerous flaw, known as SQL injection. That flaw, which allows outsiders to tease information from protected databases, can be fixed at low cost, the analysis said.
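The low-cost fix the analysis refers to is, in practice, replacing string-built queries with parameterised ones. The following is an added illustration, not code from the article or from Mitre/SANS: a constructed in-memory SQLite table with made-up rows, a lookup written the flawed way, and the same lookup written with a bound parameter, so the difference in behaviour on a malformed username can be seen directly. The table, rows and function names are all assumptions for the example.

```python
import sqlite3


def build_db():
    # Constructed sample data for the demonstration; none of it is real.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, username):
    # Flawed pattern: the untrusted value is spliced into the SQL text, so any
    # SQL syntax inside the input changes what the statement means.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_fixed(conn, username):
    # Parameterised query: the driver ships the value separately from the
    # statement, so the input is only ever treated as data, never as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    # Returns both functions' results on a normal username and on a constructed
    # malformed one, so a reviewer can compare them side by side.
    conn = build_db()
    benign = "alice"
    malformed = "x' OR '1'='1"  # constructed input containing SQL syntax
    return {
        "vulnerable_benign": lookup_email_vulnerable(conn, benign),
        "vulnerable_malformed": lookup_email_vulnerable(conn, malformed),
        "fixed_benign": lookup_email_fixed(conn, benign),
        "fixed_malformed": lookup_email_fixed(conn, malformed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The flawed function returns every row when handed the malformed string, because the quoting in the input rewrites the WHERE clause; the parameterised version returns nothing, because no user literally has that name. A code review that flags every query built with string formatting or concatenation catches this class of defect before an attacker does.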

The researchers said a May intrusion at Citigroup, which allowed hackers to get records on hundreds of thousands of credit card users, relied on "missing authorisation". This is listed as the sixth-most dangerous flaw, based on its prevalence, consequences and level of "attacker awareness". Identifying and fixing that flaw has a "low to medium cost", they said. Citi declined to comment.
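"Missing authorisation" means the application confirms who the caller is but never checks whether that caller is permitted to see the specific record requested. The following added example (not the article's or Citi's code, and assuming nothing about Citi's actual systems) shows the flaw in a record lookup beside a version that enforces ownership server-side. The account records, session type and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    # Identity established by authentication; the only source of truth for
    # "who is asking" in the checks below.
    user_id: int


# Constructed sample records keyed by account number; not real data.
ACCOUNTS = {
    1001: {"owner_id": 1, "last4": "4242", "balance": 120.50},
    1002: {"owner_id": 2, "last4": "1881", "balance": 98.00},
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session, account_id):
    # Flawed: the caller is authenticated (we have a session) but nothing checks
    # that this user may view this account, so any logged-in user who supplies
    # someone else's account number receives that record.
    return ACCOUNTS[account_id]


def get_account_fixed(session, account_id):
    # Fixed: the ownership check runs on every request, before the record is
    # returned, and compares against the session identity, never against a
    # client-supplied "owner" field.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner_id"] != session.user_id:
        # Same outcome for "does not exist" and "not yours", so the endpoint
        # does not reveal which account numbers are valid.
        raise Forbidden("account not accessible")
    return record


def can_view(session, account_id):
    # Convenience wrapper so the authorisation decision can be checked as a
    # boolean, e.g. from a test suite.
    try:
        get_account_fixed(session, account_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = Session(user_id=1)
    print("vulnerable, other user's account:", get_account_vulnerable(alice, 1002))
    print("fixed, own account:", can_view(alice, 1001))
    print("fixed, other user's account:", can_view(alice, 1002))
```

The test that catches this flaw is simple to write and cheap to run: for every endpoint that takes a record identifier, call it with a valid session and an identifier belonging to a different user, and require a refusal. That is the kind of specific check the Mitre/SANS tooling is meant to prompt.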

Mitre and Sans have provided similar lists of the top 25 flaws in the past, but in this year's version they added tools to help companies know what to look for when they try to secure their systems.

With a more specific review, "you can be much more proactive and get away from the victim mentality", said Joe Jarzombek, the Department of Homeland Security's director of software assurance.

The analysis supports the conclusions of private security experts who have complained that flawed programming and architecture have left gaping security holes at many big targets. Hackers using automated scanning tools are finding those flaws with increasing ease.

Programmers are generally not held accountable for vulnerabilities and the process of reviewing their work is uneven, said Alan Paller, Sans director of research. All too often, company executives only learn of their errors after they have been attacked.

A growing number of security companies now certify that the programs they review will emerge without any of the top 25 errors. Some software buyers could soon demand similar certification from the original program suppliers, Mr Paller said.

"This is a first step toward a really big change in how you get software evaluated, the first step toward a scoring system," he said.

Additional reporting by Suzanne Kapner in New York
