Most common software vulnerabilities during COVID-19
In December 2020, 71% of the US workforce was working from home. WFH culture placed a new importance on cybersecurity, as it allowed an unprecedented opportunity for cybercriminals to exploit this high reliance on the web.
This resulted in:
- A 600% increase in cyberattacks in Q1 of 2020.
- 74% of financial institutions experiencing a rise in cybercrime in the last 12 months.
- Cybercrimes costing an estimated US $6 trillion globally in 2021.
Fortunately, COVID has shown that most criminals attack through vulnerabilities that come from common coding errors that are easy to address. In order to resolve these errors, it is important to know what they are and when they are happening.
A recent study from MITRE and OWASP (Open Web Application Security Project) found that the most hazardous coding errors (37.9%) occur during data processing.
Most Common Coding Errors Leading To Cyber Attacks During COVID-19
The pandemic has been a part of our world for more than a year now. It has impacts on several industries, and the IT sector is no exception. Let’s see what the most common coding errors have been in this period of time.
Data Processing Flaws: Buffer Overflow
Buffer overflow was ranked #1 on the CWE Top 25 2019 list, and is most prevalent when working in C and C++.
These vulnerabilities occur when the memory buffer is set to receive more data than its capacity permits. During program execution, the data is written outside the memory block. Therefore, read or write operations can be conducted from outside the buffer limits. An unauthorized user can exploit this security vulnerability fairly easily. They can execute malicious code, read sensitive data, or change the control flow in the program.
In 1988, buffer overflow was the first vulnerability exploited by the Morris worm to propagate itself over the internet. The affected program was the Unix service finger. Since then, Microsoft operating systems have been notorious for such issues. The issue reemerged in 2001 when a buffer overflow in Microsoft’s Internet Information Services (IIS) 5.0 was exploited by what came to be known as the Code Red worm. Once again, in 2003 the SQL Slammer worm compromised machines running Microsoft SQL Server 2000.
Buffer overflow has also compromised the gaming industry. Its presence in licensed Xbox games allowed unlicensed software, including homebrew games, to run on the console. This software was able to run without the need for hardware modifications (modchips). The PS2 Independence Exploit also attacked a buffer overflow vulnerability in the PlayStation 2. Finally, the Twilight hack exploited a Wii buffer overflow in The Legend of Zelda: Twilight Princess.
Improper Output Encoding or Escaping
Such coding errors include:
- cross-site scripting
- SQL injection
- code injection or OS command injection
This coding error has to do with queries and commands computer programs use for their components to communicate. If these messages are missing proper encoding, hackers use this vulnerability to tamper with the application. With SQL injection or XSS, they can insert special characters that cause the data to be interpreted as control information for the program. Coding errors let certain software components receive malicious commands and perform the wrong operations.
SQL injection was particularly costly for Heartland Payment Systems, when 134 million credit card numbers were exposed. Prior to the breach, Heartland processed 100 million payment card transactions per month and dealt with 175,000 merchants. Their target market was small to medium-sized retailers. Visa and MasterCard uncovered the breach when they noticed suspicious transactions from accounts linked to Heartland processing. Due to the breach, the Payment Card Industry Security Standards Council determined that Heartland was out of compliance with its Data Security Standard (DSS). Heartland was not allowed to process payments of major credit card providers for 6 months. In addition, Heartland was forced to pay $145 million to compensate for fraudulent payments.
In SQL injection cases, the attacker is rarely caught. However, Albert Gonzalez and two unnamed Russian accomplices were indicted in the Heartland breach. Gonzalez’s resulting sentence was 20 years in federal prison.
Improper handling of sensitive information
This error is language-independent and includes software flaws such as:
- sensitive data exposure
- cryptographic issues
- insufficient or excessive logging
These coding mistakes are quite harmful. Their roots may lie in:
- poorly set security incident response systems
- failure to encrypt sensitive data
- weak key generation
- password hashing
These coding errors lead to intentional or unintentional information disclosure to unauthorized users. It allows hackers to perform cyber-attacks, commit fraud, or steal identities. Hackers use sensitive information including credentials, credit card numbers, and health records. If your organization is dealing with your customer’s private information, your reputation is threatened. If your customers are based in Europe, you are also likely to be cited for non-compliance by the GDPR.
One of the most famous cases of improper handling of sensitive information involves Adobe. In 2013, the information from 153 million user records was exposed. Security blogger Brian Krebs broke the story, revealing that hackers stole 3 million encrypted customer credit card records and login data. It was later found that the hackers also took IDs and encrypted passwords for 38 million active users. Adobe had to pay $1.1 million in legal fees and an undisclosed amount (estimated to be $1 million) to settle claims of violating the Customer Records Act.
Recently, Canva faced a similar data breach with 137 million user accounts being compromised. Email addresses, user names, names, cities of residence, and partial credit card and payment data were compromised. The company notified users and asked them to change their passwords. However, this was already after 4 million Canva users had their personal information shared online.
Moving forward: How to avoid software vulnerabilities and exploit
As employees are demanding WFH continue even as vaccines have rolled out, it is important companies continue to educate themselves about coding vulnerabilities.
The best plan to combat cyberattacks is to continually enhance cybersecurity by following simple protocols. This requires continuing education for every member of your IT staff.
Below is a list of security measures to protect your devices and systems:
- Don’t forget to update your operating systems and libraries. As soon as known software vulnerabilities in these products get documented, they come with patches. We strongly recommend running the updates in a testing environment beforehand to make sure they are safe.
- Reduce your exposure to possible attacks: disable, block, and remove any system component you don’t use or need; follow the least privilege principle in granting access rights to the system users.
- Secure your network. Use endpoint restrictions, continuous monitoring, and penetration testing. You can also resort to network and micro-segmentation.
- Take the time to check your system’s default security configurations and make custom settings. Do it as soon as it is deployed or even immediately upon purchase.
- Introduce automation into your operations to avoid human error.
- Inspect and monitor the terms and policies of your internet and computer service providers. This will help you detect possible security vulnerabilities and threats.
- Utilize trusted and reliable internet sources of external dependencies you use to build software. Regularly check for updates for the products you use.
- Make sure your staff is aware of the basic cybersecurity practices, tools, and measures. They are designed to protect your systems from security breaches and attacks.
- Write your code and design architecture with security in mind; make it clear and easy to read.
- Devise a back-up plan in case of an emergency situation. It will help to quickly recover, mitigate the consequences, and learn from your mistakes.
- Stay up-to-date with the latest news and useful articles related to cybersecurity vulnerabilities.
- Never postpone fixing your bugs, especially before moving on with the project.
- Consider turning to Avatao training to ensure that you are up-to-date on the latest skills and training to avoid these bugs.
How can you educate your developers? With interactive and engaging exercises, Avatao will teach you and your team how to avoid the most common coding vulnerabilities.
Reading Time: 6 minutes For most companies, security is considered a side quest, which is partly related to the daily processes. In reality, security ought to be a strong foundation of any organization. To ensure the defense of the enterprise, the relevant teams need strong security knowledge and abilities.
Reading Time: 6 minutes To build an enterprise security program, one has to go back to the well-known fundamentals of organizational change: People, Process, and Technology (originates from Harold Leavitt’s “Applied Organization Change in Industry”, 1964).
Reading Time: 8 minutes If you are working on Java projects you might have heard about other languages that run on the JVM, like Clojure, Kotlin, or Scala. Programmers like to try new things out but is it worth it to pick one of them over Java?