Software bugs: a lot done, more to do

The newly published Common Weakness Enumeration CWE Top 25 lists frequent and critical weaknesses that can lead to serious software vulnerabilities. MITRE, the non-profit group that publishes the list, noted that these weaknesses are often easy to find and exploit. “They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working,” it said.

Despite an eight-year gap since the previous list, many of the common software errors haven’t changed. Buffer flaws were the most commonly occurring weakness, followed by cross-site scripting. In a good writeup for Sophos, Danny Bradbury commented: “That this term, first coined by Microsoft in 2000, is still featuring heavily in real-world bugs shows how much work is left to do in teaching developers how to avoid it.” 

The Top 25 is a community resource for software developers, testers, customers, project managers, security researchers, and educators exploring common threats in software. The researchers changed the methodology for this year’s list to make it more evidence-based. MITRE now plans to release a fresh list on a yearly basis. The full list, along with commentary and analysis, is available here.

Scammers read marketing thought leaders, too

There’s been much research into the best time for sending marketing emails if you want people to open them. It turns out that fraudsters have been keeping up with best practice. Agari, an email security company, analysed text-based phishing attacks, otherwise known as business email compromise (BEC) or CEO fraud. And guess what? Close to a quarter of all scam emails arrived on a Tuesday morning. More than half of all BEC attacks are distributed between 8am and 12pm. 

“Scammers tend to follow conventional wisdom among many legitimate email marketers which states that it is best to send emails first thing in the morning… There seems to be a notable preference for 9 AM, presumably aiming to arrive just as someone is sitting down to work in the morning,” Agari’s Crane Hassold wrote. 

It’s not surprising that attackers pay attention to email response patterns. Research from ProofPoint found that 99 per cent of attacks target people, not systems. Financial scams in particular continue to be a growing problem. The FBI estimates that losses from business email compromise were over $1.2 billion in 2018. Worryingly, a recent survey from Webroot suggests some office workers are overconfident that they can correctly spot a fake email. Fortunately, there are lots of resources to help educate staff. SANS’s September newsletter covered how scammers trick people through social media using similar tactics to fraud emails. Europol has also published an update about this scam. 

Going mobile: lost devices highlight data breach risks 

One of the biggest data breach risks is losing devices that contain important or personally identifying information. As a recent news story shows, it’s also a very common risk. A Freedom of Information request found that two UK government agencies had misplaced 540 mobile digital devices in three years. 

As Infosecurity Magazine reported, mobile phone losses were the most common (426), followed by 94 missing laptops and 21 tablets. Absolute Software, the company that submitted the FOI request, had previously discovered that the UK Ministry of Defence recorded a 300 per cent increase in losses of both devices and sensitive data over two financial years. 

The story shows the need for robust mobile device management, so organisations can reduce the chances of losing sensitive information. In the SANS newsletter, Lee Neely advised: “Implementing full-device encryption, robust authentication, remote locating and wiping capabilities can protect against data loss, also investigate replacing sleep mode with hibernate to both clear memory and reduce device emissions. Support these actions with clear policy and education so users know what is expected to protect these devices.” And you happen to be the person who finds personal information in a public place, the Data Protection Commission has some advice for you.

Links we liked

Advice on building an internal offensive security team, or ‘red team’. MORE

Analysing the recent DDoS attack against Wikipedia; the largest yet recorded. MORE

New cybersecurity guidelines for operators of essential services in Ireland. MORE

The Cloud Security Alliance has published the ‘egregious 11’ threats to cloud computing. MORE

Six pillars of DevSecOps; a free report courtesy of the Cloud Security Alliance. MORE

Sophos has published a paper documenting the WannaCry ransomware’s infection path. MORE

Are password restrictions necessary, or arbitrary? And does user perception play a part? MORE

Dissecting a dropper: the TrickBot trojan goes under Yoroi’s microscope. MORE

You know that scam where someone impersonates the CEO? Now with faked voice. MORE

Do you know a business like this? When security policies prevent remote working. MORE

Lovely hurling, indeed: how an Irish sports fan turned the tables on an email scammer. MORE

IoT attack opportunities, from the cybercriminals’ perspective. MORE