SQL injection

SQL injection is a favorite trick among attackers and topped the 2011 CWE/SANS Top 25 report as the biggest threat facing online networks. "For data-rich software applications, SQL injection is the means to steal the keys to the kingdom," the report said. The basic idea is that an attacker types SQL syntax into an online form field, such as one asking for your name or address, and the application pastes that text straight into a database query without separating data from code. If proper precautions aren't taken to prevent this, attackers can download, corrupt or alter an entire database. They will even "steal data one byte at a time if they have to," according to the report. SQL injection was responsible for many high-profile attacks, including LulzSec's hacks of Sony Pictures and PBS and Anonymous' intrusion into the network of security company HBGary Federal. The same technique was used to break into Oracle's MySQL.com. After hacking Sony Pictures, LulzSec called SQL injection "one of the most primitive and common vulnerabilities."
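The following is an added example, not code from the report or from any of the sites named above. It shows the bug the paragraph describes (form input glued into a query string), the login bypass it allows, the "one byte at a time" extraction the report mentions, and the bound-parameter fix that defeats both. The user table, names and passwords are constructed for the example; SQLite's in-memory database stands in for the real one.

```python
import sqlite3
import string


def make_db():
    """Constructed sample data standing in for the application's user table
    (an in-memory SQLite database; names and passwords are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """The bug: form input is pasted straight into the SQL text, so a quote in
    the input ends the string literal and whatever follows runs as SQL."""
    sql = ("SELECT role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """The fix: bound parameters. The query text is fixed and the input is
    handed to the driver as data, so it is never parsed as SQL."""
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def extract_password_blind(login, conn, user, max_len=32):
    """Boolean-based blind extraction: recovers the stored password of `user`
    one character at a time using nothing but the yes/no outcome of the login
    form. Each probe asks "is character N of the password equal to X?";
    char(N) is used instead of a quoted literal so the probe needs no quotes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation + " "
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in alphabet:
            # Closes the name literal, appends the condition, and comments
            # out the password check that follows in the original query.
            payload = f"{user}' AND substr(password,{pos},1)=char({ord(ch)}) --"
            if login(conn, payload, "irrelevant") is not None:
                matched = ch
                break
        if matched is None:
            break  # no character matched: ran off the end of the password
        recovered += matched
    return recovered


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker removes the password check.
    print(login_vulnerable(db, "admin' --", "wrong"))  # admin
    print(login_safe(db, "admin' --", "wrong"))        # None
    # Data theft "one byte at a time" works only through the vulnerable form.
    print(extract_password_blind(login_vulnerable, db, "admin"))  # s3cret!
    print(repr(extract_password_blind(login_safe, db, "admin")))  # ''
```

The blind loop is the point worth noticing: it never sees the password in a response. It needs only the difference between "login succeeded" and "login failed", which is why a form that leaks no error text is still fully exploitable, and why the only real fix is to keep user input out of the query text.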
Missing authorization

Missing authorization lets attackers manipulate software so that they gain access to data they should never have been able to see. This weakness was used against Citigroup in early May, when attackers stole details of more than 200,000 customers' bank accounts, according to the report. How did they do it? By changing personal account information "that was present in fields in the URL," the report said. In other words, once a logged-in user landed on www.randombank.com/user/account/123456, all they had to do was change the URL to www.randombank.com/user/account/789012 to gain access to another customer's account, because the server checked that the visitor was logged in but never checked that the account belonged to them.
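The following is an added example, not code from the report or from Citigroup. It models the URL pattern from the paragraph with a tiny request handler: one lookup trusts the account number in the URL (the missing-authorization bug), the other checks that the authenticated user owns the record. The account store, owners and balances are constructed for the example, and the /user/account/<number> path layout is assumed from the text.

```python
import re

# Constructed sample data standing in for the bank's account store; the
# account numbers mirror the ones in the text and the owners are made up.
ACCOUNTS = {
    "123456": {"owner": "alice", "balance": 1500.00},
    "789012": {"owner": "bob", "balance": 42.10},
}

# Assumed URL layout taken from the text: /user/account/<account_number>
PATH_RE = re.compile(r"^/user/account/(\d+)$")


def lookup_vulnerable(session_user, account_id):
    """Missing authorization: the only input that selects the record is the
    account number from the URL. Being logged in as anyone is enough."""
    return ACCOUNTS.get(account_id)


def lookup_safe(session_user, account_id):
    """Authorization check: the record is returned only if the authenticated
    user owns it. Unknown and not-owned accounts look identical to the caller,
    so the endpoint cannot be used to enumerate valid account numbers."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        return None
    return acct


def handle_request(session_user, path, lookup):
    """Minimal stand-in for the web handler: parses the path, resolves the
    account with the given lookup policy and returns (status, body)."""
    m = PATH_RE.match(path)
    if m is None:
        return 404, None
    acct = lookup(session_user, m.group(1))
    if acct is None:
        return 404, None
    return 200, acct


if __name__ == "__main__":
    # alice, logged in, edits the number in the URL to reach bob's account.
    print(handle_request("alice", "/user/account/789012", lookup_vulnerable))
    print(handle_request("alice", "/user/account/789012", lookup_safe))
```

The ownership check belongs in the data-access layer, not in each page handler, so that every route that resolves an account goes through it. A stronger design does not accept account numbers from the client at all: the handler lists the accounts attached to the session's identity and lets the user pick among those, so there is no client-supplied identifier to tamper with.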
Missing encryption of sensitive data

It's bad enough when a company or organization makes it easy for the bad guys to break in, but it gets worse when critical data such as account passwords is sitting there unprotected. LulzSec gained access to and later released more than 62,000 plain-text passwords stolen from various databases. For security fans looking to learn about the biggest threats in software for 2011, the report has more details to spill. For example, it also discusses how the Stuxnet worm, which sabotaged centrifuges at Iran's Natanz uranium enrichment facility, relied on hard-coded credentials to get into the industrial control systems it targeted. If you have any interest in computer security, the CWE report is well worth a read.
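The following is an added example, not code from the report or from any of the breached sites. For stored passwords the right protection is not reversible encryption but a slow, salted one-way hash, so the example contrasts a plain-text credential store like the ones LulzSec dumped with one built on PBKDF2-HMAC-SHA256 from Python's standard library, and shows what an attacker who dumps each table is left with. The user names and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Returns a self-describing record "pbkdf2_sha256$iters$salt$hash" with a
    fresh 16-byte random salt, so equal passwords get different records and a
    leaked table cannot be attacked with one precomputed dictionary."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(record, password):
    """Recomputes the hash with the stored salt and iteration count and
    compares in constant time, so timing does not leak how much matched."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iters), len(expected))
    return hmac.compare_digest(dk, expected)


def build_plaintext_store(users):
    """The store the breached sites effectively had: password as typed."""
    return {name: pw for name, pw in users}


def build_hashed_store(users):
    """The store they should have had: only salted PBKDF2 records."""
    return {name: hash_password(pw) for name, pw in users}


def check_plaintext(store, name, password):
    return store.get(name) == password


def check_hashed(store, name, password):
    record = store.get(name)
    return record is not None and verify_password(record, password)


def offline_guess(record, wordlist):
    """What the attacker is reduced to after dumping the hashed table: one
    full PBKDF2 computation per guess per user, with no shortcut across
    users because every record carries its own salt."""
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed accounts; the credentials are made up for this example.
    users = [("alice", "hunter2"), ("bob", "hunter2")]
    plain, hashed = build_plaintext_store(users), build_hashed_store(users)
    print(plain)    # a dump of this table is the password list itself
    print(hashed)   # same password, two different records, no plaintext
    print(offline_guess(hashed["alice"], ["password", "letmein", "hunter2"]))
```

The iteration count is the tunable cost: each legitimate login pays it once, while an attacker pays it for every guess against every user. Note that the offline search still succeeds against a weak password such as the one in the demo, which is why hashing is paired with password policy and rate limiting rather than relied on alone.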