News Blog

Cyber security alert: Top 25 software writing blunders

A new report warns that your computer software is probably less secure than you think. The SANS Institute (SysAdmin, Audit, Network, Security), a cooperative research and education organization in Bethesda, Md., that also provides computer security training, on Monday released a report outlining the 25 most dangerous programming errors, mistakes that may lead to security breaches and open the door to cyber crime and espionage.

Nonprogrammers probably won't glean much from the list, given that the errors listed have techy titles such as, "Improper Input Validation" and "Cleartext Transmission of Sensitive Information." Regardless of whether you understand what they mean, these problems affect much of the software that you use and potentially expose sensitive personal information to hackers.

Consider this scenario: you're buying a book online, but the Web site you're using was written with software containing some of these "top 25" errors. In layman's terms, improper input validation means the program trusts whatever it is sent. A hacker can type garbage data (random letters, numbers and symbols, or strings deliberately crafted to look like program commands) into the fields on the Web site's "payment" page, and because the code never checks (or validates) that what arrived is realistic, the page does something its authors never intended, which can in turn expose the credit card numbers (along with expiration dates) of the site's customers. A 20-digit credit card number, for example, should be rejected right away. If the site then transmits that data across the network in "cleartext" (read: unencrypted), it commits another error on the list and makes the hacker's job even easier.
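To make the payment-page scenario concrete, here is an added example (not code from the SANS report or from the article) that puts a naive form handler, which passes whatever the browser sent straight through, next to a validating one that checks each field against an explicit description of what a realistic value looks like. The field names, the sample submissions and the Luhn checksum on the card number are assumptions for illustration; the article mentions only the length check.

```python
"""Added example: server-side input validation for a payment form.

Contrasts a handler that trusts the submitted fields with one that
validates them before use. Field names, the sample submissions and the
Luhn check are illustrative assumptions, not taken from the article.
"""
import re
from datetime import date

# Constructed sample submissions, shaped like a posted web form.
SUBMISSIONS = {
    "valid":        {"card_number": "4111 1111 1111 1111", "expiry": "12/30", "name": "A. Customer"},
    "twenty_digit": {"card_number": "41111111111111111111", "expiry": "12/30", "name": "A. Customer"},
    "garbage":      {"card_number": "'; DROP TABLE cards; --", "expiry": "99/99", "name": "<script>"},
    "expired":      {"card_number": "4111111111111111", "expiry": "01/20", "name": "A. Customer"},
}

# Fixed "today" so the expiry check is reproducible (assumed date).
FIXED_TODAY = date(2025, 6, 1)

# Allow-lists: what a realistic value looks like, nothing else gets through.
CARD_RE = re.compile(r"[0-9]{13,19}")
EXPIRY_RE = re.compile(r"(0[1-9]|1[0-2])/([0-9]{2})")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,59}")


def naive_handler(form):
    """The 'before': accepts the fields as sent and hands them to the rest of the app."""
    return {
        "card_number": form["card_number"].replace(" ", ""),
        "expiry": form["expiry"],
        "name": form["name"],
    }


def luhn_ok(digits):
    """Luhn checksum over a digit string (catches typos and random numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_payment(form, today=FIXED_TODAY):
    """The 'after': returns (clean_fields, errors); nothing unchecked reaches clean_fields."""
    errors, clean = [], {}

    card = "".join(form.get("card_number", "").split())   # tolerate spaces only
    if not CARD_RE.fullmatch(card):
        errors.append("card_number: must be 13-19 digits")
    elif not luhn_ok(card):
        errors.append("card_number: failed checksum")
    else:
        clean["card_number"] = card

    m = EXPIRY_RE.fullmatch(form.get("expiry", ""))
    if not m:
        errors.append("expiry: must be MM/YY")
    else:
        month, year = int(m.group(1)), 2000 + int(m.group(2))
        if (year, month) < (today.year, today.month):
            errors.append("expiry: card has expired")
        else:
            clean["expiry"] = (year, month)

    name = form.get("name", "")
    if not NAME_RE.fullmatch(name):
        errors.append("name: unexpected characters")
    else:
        clean["name"] = name

    return clean, errors


def run_samples(today=FIXED_TODAY):
    """Validate every constructed submission; returns {label: error list}."""
    return {label: validate_payment(form, today)[1] for label, form in SUBMISSIONS.items()}


if __name__ == "__main__":
    for label, form in SUBMISSIONS.items():
        print(label, "naive ->", naive_handler(form))
        print(label, "validated ->", validate_payment(form))
```

The point of the contrast is the allow-list: the validating handler does not try to recognise every kind of bad input (there is no end to it); it states what a good value looks like and rejects everything else, so the 20-digit number, the command-like string and the impossible expiry date all fail before any other part of the program sees them.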

A handful of these programming mistakes led to more than 1.5 million Web site security breaches last year alone, according to SANS. The report notes that computers compromised through those breaches were then used to attack other poorly secured computers, a cascading effect that allowed untold numbers of PCs to be hacked.

Hacking causes businesses, government agencies and people in general major headaches on a daily basis. In 2001, British citizen Gary McKinnon allegedly hacked into NASA's computers, stole 950 passwords and deleted files at a naval base in New Jersey (responsible for replenishing munitions and supplies for the Atlantic fleet), costing the U.S. government $700,000, according to PC World. (It would have been much worse if McKinnon had planted viruses in these computers.) The U.S. is still fighting to have McKinnon, who claims he was searching for information to prove the U.S. government has knowledge of UFOs, extradited from the U.K.

Software writing has always been something of a black art, given the number of computer programming languages out there and the general lack of guidelines or architecture that programmers are required to follow, IBM fellow and self-proclaimed "software archaeologist" Grady Booch told ScientificAmerican.com in June. Programmers are taught to get their creations to work, no matter what it takes. As a result, there is very little consistency from one program to the next.

Another problem: software writers in the 1980s and 1990s pushed to create more dynamic software that would attract new customers, without much regard for security. Microsoft is a prime example and has spent the past decade shoring up its Windows operating system and other software that have become popular hacker targets. The emergence of the Web, and with it computers connected to an unsecured public network, exacerbated the problem by giving hackers remote access to their targets (they no longer had to sit in front of a computer in order to break into it).

The first step toward solving the problem, SANS director Mason Brown said in a statement, is "to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems."

Security experts acknowledge that improved software isn't going to prevent all cyber attackers but they say this is a good start. "The real dedicated serial attacker will probably find a way in even if all these errors were removed," Patrick Lincoln, director of the Computer Science Laboratory at SRI International, told the BBC. "But a high school hacker with malicious intent—ankle-biters if you will—would be deterred from breaking in."

Image: © iStockphoto.com; Sami Suni

Tags: SANS, Microsoft, software, hacker

3 Comments

1. teuth-seker 07:13 PM 1/14/09

Does the ordinary person care? I think not, especially if they are using a Mac with OS 10.5.6... I have been very lucky: I have had a Mac system for more than twenty years and never had any problem.

2. ender3711 in reply to teuth-seker 10:22 PM 1/14/09

Is Scientific American for the 'ordinary person'? I think not.

3. mlangdon 09:06 AM 1/24/09

This is the problem with commercial software. Its creation is an opaque process. This is the same problem with MS and its Certification Exams. The software doesn't usually work the way it is portrayed with the exams.