
Wednesday, February 17, 2010

Research Highlights Top 25 Programming Errors

A group of security researchers led by the MITRE Corporation, together with the National Cyber Security Division of the US Department of Homeland Security and the SANS Institute, have updated their year-old findings and republished the list of the top 25 most dangerous programming errors.

The list is broken down into three major categories: Insecure Interaction Between Components, Risky Resource Management and Porous Defenses. The full list of programming errors comprises:

1. Failure to Preserve Web Page Structure ('Cross-site Scripting')
2. Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4. Cross-Site Request Forgery (CSRF)
5. Improper Access Control (Authorization)
6. Reliance on Untrusted Inputs in a Security Decision
7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8. Unrestricted Upload of File with Dangerous Type
9. Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10. Missing Encryption of Sensitive Data
11. Use of Hard-coded Credentials
12. Buffer Access with Incorrect Length Value
13. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
14. Improper Validation of Array Index
15. Improper Check for Unusual or Exceptional Conditions
16. Information Exposure Through an Error Message
17. Integer Overflow or Wraparound
18. Incorrect Calculation of Buffer Size
19. Missing Authentication for Critical Function
20. Download of Code Without Integrity Check
21. Incorrect Permission Assignment for Critical Resource
22. Allocation of Resources Without Limits or Throttling
23. URL Redirection to Untrusted Site ('Open Redirect')
24. Use of a Broken or Risky Cryptographic Algorithm
25. Race Condition
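Several of the entries above are really one family of bug: a size derived from attacker-controlled input that is checked with arithmetic that can wrap (entry 17, Integer Overflow or Wraparound; entry 18, Incorrect Calculation of Buffer Size) and then used to drive a copy into a fixed buffer (entry 3, Classic Buffer Overflow; entry 12, Buffer Access with Incorrect Length Value). The following C program is an added example, not code from the report or from any of the organizations named on this page. It uses a constructed message format (a 4-byte big-endian item count followed by 4-byte items) and shows the wrapping length check next to a hardened one that bounds the count against the destination and uses division so no intermediate can overflow:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed message format used only for this example (not from the
 * report): a 4-byte big-endian item count followed by that many 4-byte
 * big-endian items. */
#define HDR_LEN   4u
#define ITEM_SIZE 4u
#define MAX_ITEMS 64u

typedef struct {
    uint32_t items[MAX_ITEMS];
    size_t count;
} record_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable length check (Top 25 entries 17 and 18): the required size
 * is computed as count * ITEM_SIZE in 32-bit arithmetic, so a count of
 * 0x40000001 wraps to 4 bytes, the check passes, and a copy loop that
 * trusted that count (entry 12) would run far past the destination.
 * Shown for contrast only; this function never copies anything. */
bool length_ok_unsafe(const uint8_t *msg, size_t len)
{
    if (len < HDR_LEN) return false;
    uint32_t count  = be32(msg);
    uint32_t needed = HDR_LEN + count * ITEM_SIZE;   /* can wrap around */
    return needed <= len;
}

/* Hardened check: bound the count against the destination first, then
 * compare it with the number of whole items the buffer actually holds.
 * Division instead of multiplication means nothing can overflow. */
bool length_ok_safe(const uint8_t *msg, size_t len)
{
    if (len < HDR_LEN) return false;
    uint32_t count = be32(msg);
    if (count > MAX_ITEMS) return false;
    size_t avail_items = (len - HDR_LEN) / ITEM_SIZE;
    return count <= avail_items;
}

/* Parse into a fixed-size record. The copy is reached only after the
 * hardened check, and the loop bound is the validated count.
 * Returns the number of items parsed, or -1 if the message is rejected. */
int parse_record(const uint8_t *msg, size_t len, record_t *out)
{
    if (!length_ok_safe(msg, len)) return -1;
    uint32_t count = be32(msg);
    for (uint32_t i = 0; i < count; i++)
        out->items[i] = be32(msg + HDR_LEN + (size_t)i * ITEM_SIZE);
    out->count = count;
    return (int)count;
}

/* Constructed sample inputs. */
static const uint8_t good_msg[] = {
    0x00, 0x00, 0x00, 0x02,          /* count = 2            */
    0xDE, 0xAD, 0xBE, 0xEF,          /* item 0               */
    0x00, 0x00, 0x00, 0x2A           /* item 1 = 42          */
};
static const uint8_t wrap_msg[] = {
    0x40, 0x00, 0x00, 0x01,          /* count = 0x40000001: 4 * count wraps to 4 */
    0x00, 0x00, 0x00, 0x00           /* 4 bytes of padding so the wrapped size "fits" */
};

int main(void)
{
    record_t r;
    printf("good: unsafe=%d safe=%d parsed=%d\n",
           length_ok_unsafe(good_msg, sizeof good_msg),
           length_ok_safe(good_msg, sizeof good_msg),
           parse_record(good_msg, sizeof good_msg, &r));
    printf("wrap: unsafe=%d safe=%d parsed=%d\n",
           length_ok_unsafe(wrap_msg, sizeof wrap_msg),
           length_ok_safe(wrap_msg, sizeof wrap_msg),
           parse_record(wrap_msg, sizeof wrap_msg, &r));
    return 0;
}
```

On the 8-byte wrapped message the unsafe check accepts (4 + 0x40000001 * 4 wraps to 8, which equals the buffer length) while the hardened check rejects because the count exceeds what the destination can hold; the good message passes both and parses two items. The same pattern (reject if the count exceeds the destination, then compare against available bytes divided by item size) applies to any length-prefixed format, whatever the header layout.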

The list was decided by a vote held over ten days among representatives of various organizations. Votes were cast against a number of metrics, the most important being importance (how severe the consequences are) and prevalence (how widespread the error is). To keep any one organization from skewing the result toward particular errors, only one vote per organization was allowed. The nominees were then ranked by the aggregate score each error received.

The authors didn't limit themselves to listing these errors: they went on record encouraging customers to insert security requirements based on the Top 25 into future software contracts, and provided draft contract language for those interested. The researchers' conclusions place the blame in roughly equal parts on developers and on IT educational institutions.

Few IT and programming courses really tackle product and code security, and the main cause of the recently recorded hacks remains programmers' limited security knowledge. The MITRE report tries to offer a solution by encouraging customers to contractually require both employees and freelancers to harden their code against these errors.

“As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,” says the MITRE report. “Use the Top 25 to help set minimum expectations for due care by software vendors. Consider using the Top 25 as part of contract language during the software acquisition process.”

The complete report, with technical details, code samples, detection methods, references and interpretation guidance can be found on the MITRE page or the SANS Institute page.

Thursday, February 11, 2010

New Banking Trojan Discovered in the Wild

Used to perform ACH and wire fraud (source: Softpedia)

Researchers from Atlanta-based security vendor SecureWorks have discovered a new information-stealing trojan facilitating ACH and wire fraud. The trojan has all the capabilities of malware commonly used to steal money from SMBs and non-profits.

An unprecedented wave of Automated Clearing House (ACH) and wire fraud started in 2009, resulting in small and medium-sized companies, public institutions and non-profit organizations losing millions of dollars to cyber-criminals. The problem prompted the FBI and the American Bankers Association to recommend that online banking operations be performed from dedicated computers only.

These attacks start by infecting computers on an organization's network with the purpose of stealing online banking credentials. The Clampi and Zeus (Zbot) families of trojans have so far dominated this aspect of cyber-crime and positioned themselves as the leading information-stealing computer trojans.

However, it seems other groups are willing to challenge that supremacy, especially since antivirus products are getting better at generically detecting modified Clampi and Zeus variants, which significantly reduces their success rate. The trojan discovered by SecureWorks back in January, which was dubbed Bugat, appears to be one of these new competitors.

"In mid-January, the installer for Bugat had moderate coverage (20/40), according to VirusTotal. The most commonly identified name (Bredolab) corresponds to a family of trojan downloaders. However, its runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41)," Jason Milletary, SecureWorks' technical director for malware analysis, explains on the company's research blog.

Bugat is capable of capturing information entered in Web forms, altering the content of targeted websites or stealing browser cookies, as well as FTP and POP3 credentials. Additionally, the malware can function as a SOCKS proxy server, upload files from the infected computer to a remote server or download and execute programs.

The trojan communicates with a command and control (C&C) server from where it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.

"The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals," Mr. Milletary concludes. Indeed, just last week, Symantec warned of a new Zeus-like crimeware toolkit called SpyEye.