In wake of Heartbleed, the Internet security flaw that exposed at least two-thirds of websites to the risk of data theft, security professionals and programmers are warning that other serious vulnerabilities are looming. From so-called injection flaws to faulty authentication systems, hazards and hackers are just around the corner.
“Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure,” the Open Web Application Security Project (Owasp) said in its report of the 10 most critical cybersecurity risks of 2013. “As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially.”
At the top of the group’s list are injection flaws, which occur when an attacker submits untrusted data to trick a website into performing an unintended command, such as allowing access to private accounts. Owasp ranked injection flaws as the most critical for how easy they are for malicious hackers to exploit, how common they are and how severely they can impact a business.
The second-biggest flaws are authentication (password login) systems that aren’t implemented correctly. There are also cross-site scripting (XSS) flaws, which happen when an application takes untrusted data and sends it to a web browser without validation. The Syrian Electronic Army uses XSS attacks to deface websites and other hackers can use XSS to redirect users to malicious sites or hijack user sessions.
What’s especially troubling about the list is that top five worst risks in 2013 are the exact same as the worst risks in 2010. Despite the fact that all programmers are taught to avoid these errors, imexperienced programmers working on increasingly more difficult lines of code allows these flaws to continue cropping up.
“If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization,” Gerald M. Weinberg, a computer scientist, wrote in his 1971 book, “The Psychology of Computer Programming.” The aphorism has since been dubbed “Weinberg’s Second Law,” and Heartbleed showed that it’s just as true today as it was more than 40 years ago.
The people writing the code can’t be entirely blamed. Programmers are often given scant direction in building software, and their efforts often aren’t rewarded. Open-source software like OpenSSL, the software that Heartbleed attacked, are controlled by a nebulous team of volunteers.
Private companies are also often unwilling to spend money on new systems or proper bug testing and correction.
“You don’t wanna know how much relies on very old systems and technology [sic],’ an IT professional using the name “He_knows” wrote on a Reddit thread created to discuss cybersecurity vulnerabilities that the public isn’t aware of.
“We can write good software, but it costs a fortune and business priorities often mean good enough is good enough,” Reddit user “noir_lord” wrote.
This often means a company will pay for good developers to build software and get it running, only to replace them with less experienced and inexpensive developers to watch after it. Years later, the IT staff is unaware of how the original software was even built in order to modify or change it.
Security firms like Codenomicon, which discovered the Heartbleed vulnerability, have built programs to automatically test computer systems, making bug testing quicker and less expensive. IT professionals talk a lot about “defensive programming,” and urge businesses to realize that is most cost effective to spend time and money testing for bugs than it is trying to recover from a hacker attack.
There is also the problem of computer illiteracy putting everyday Internet users at risk. The majority of people still use default passwords like “password” or “123456,” fail to use malware detection to check for programs that record keystrokes or create a backdoor into the computer, and rely too much on insecure Wi-Fi networks.
“Nearly every single Comcast router I’ve ever tested is vulnerable to a WPS (wifi protected setup) authorization bypass vulnerability,” Reddit user FarcusDimagio said in a page dedicated to discussing cybersecurity risks. WPS allows even inexperienced hackers to easily get around most Wi-Fi passwords and join the network to eavesdrop or do serious damage.
As for individual computer users, there are several small things to be safer online. Users should choose a different password for every website they choose, write them down on paper and store that paper in a safe place. Wi-Fi customers can ask their service providers how to disable WPS and keep their routers safer. People also should take advantage of free malware detection software like Malwarebytes.
In general, security experts think everyone can be safer online with a little bit more computer literacy. In the same way that most car owners may not be mechanics but still understand the basic of how a car works and how to protect it, users need to understand how their computer and the Internet works in order to defend against the next security crisis.