IT Security Rewind – Week of June 27


by Josh Arrington

While we in the U.S. office are caught up thinking about July 4 festivities, the world of security bids adieu to LulzSec, CitiBank ups its losses and CWE/SANS unveil this year’s list of the Top 25 most dangerous programming errors, which have been the focus of so many recent attacks. Let’s get started with this week’s rewind!

Hard-coding a secret password is just bad manners – The New York Times and multiple other outlets covered news related to the Homeland Security Department’s unveiling of a new system of guidance intended to help make the software behind Web sites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The annual CWE (Common Weakness Evaluation)/SANS Top 25 Most Dangerous Software Errors list covers the most significant threats faced by software makers and IT organizations, while providing advice on how to protect against the vulnerabilities. While top threats included SQL injection and cross-site scripting, coming in at Number 7 is particularly relevant to Cyber-Ark and our customers: Use of Hard-coded Credentials. You’ll recall that the Stuxnet worm used hard-coded credentials in order to spread.

LulzSec says farewell – The week LulzSec wasn’t in the news for its attacks, instead, it released a message saying it had “completed its 50-day goal of reviving the AntiSec (anti-security) hacker movement, which aimed to disrupt government and corporations by breaking their network security.” Hoping that others will take up its “good cause,” the security industry will be kept guessing about where its members will pop up next.

Citigroup’s losses keep climbing – It was reported this week that approximately 3,400 Citigroup credit card customers suffered a loss of $2.7 million during a security breach earlier this year, according to a Wall Street Journal report. The company maintains that data used to commit fraud, such as Social Security numbers, card security codes and dates of birth were not compromised. Citigroup has instituted fraud monitoring on the accounts, and replaced 217,657 cards for customers so far.

That wraps up this week’s rewind. What other CWE/SANS Top 25 errors is your organization most focused on?

Leave a Reply

Your email address will not be published. Required fields are marked *

You must be logged in to post a comment.