A Thing
The Green SheetGreen Sheet

Tuesday, September 16, 2014

Flawed coding blamed for recent data breaches

The proliferation of data breaches at major U.S. retailers is a direct result of poorly coded software, according to a software analysis and measurement firm. The global data analytics firm, CAST, said seven out of 10 retail and finance applications are vulnerable to the Heartbleed-style malware attacks that have caused havoc among U.S. retailers nationwide in recent months.

CAST revealed in its 2014 CAST Report on Application Software Health (CRASH) that financial and retail industry applications are the most vulnerable to data breaches, with 70 percent of retail and 69 percent of financial services applications having "data input validation violations" that can lead to breaches. "This is particularly concerning, considering the amount of personal and financial customer data often held in applications across these industries," CAST said.

Lev Lesokhin, CAST Executive Vice President, described faulty code as a product of rushed deadlines faced by IT staff. "So long as IT organizations sacrifice software quality and security for the sake of meeting unrealistic schedules, we can expect to see more high-profile attacks leading to the exposure and exploitation of sensitive customer data," he said.

FI security coding fails

A Trustwave 2012 slide presentation entitled "Whitelist is the New Black" defined input validation as the "process of verifying the correctness of data supplied to an application before using that data." The data security firm noted that input validation is the hardest part of ensuring applications are secure. "Most vulnerabilities are a result of user-controlled data not being validated, or not being validated appropriately," Trustwave said.

CAST said poorly written code that did not properly validate data resulted in the notorious Heartbleed malware attack, which exposed over 60 percent of the Internet's servers to potential attacks. "As of June, 21, 2014, it's estimated that 309,197 public web servers still remained vulnerable," the researcher noted.

In its CRASH report, CAST singled out the financial services industry for the worst coded applications, the most surprising finding of the report. "[T]he data showed that the financial services industry has the highest number of input validation violations per application (224) even though their applications, on average, are only half as complex as the largest application scanned," CAST said.

Dr. Bill Curtis, Chief Scientist at CAST and CRASH report author, believes CAST's findings discredit the idea that software security and software quality are mutually exclusive. "The CRASH Report data proves this is false," he said. "Badly constructed software won't just cause systems to crash, corrupt data and make recovery difficult, but also leaves numerous security holes."

Home Depot the latest victim

In April 2014, the Heartbleed bug was detected by Trustwave in the popular OpenSSL security protocol, which is described as a cryptographic library used in securing e-commerce sites, email services and file transfer protocol programs. The bug is a weakness in the code that can be exploited by hackers to circumvent encryption and gain access to sensitive cardholder and enterprise data.

Heartbleed had reportedly gone undetected for over two years, time in which hackers could exploit the weakness to steal SSL certificates that establish encrypted communications for such activities as consumers making online purchases with bankcards or when administrators log onto networks.

The most recent big breach occurred at The Home Depot. The home improvement retailer said it first learned about the breach on Sept. 2, 2014, from law enforcement and its banking partners, and that the compromise began the previous April, affecting its U.S. and Canadian stores, but not its operations in Mexico, nor customers shopping via its online store.

Security reporter Brian Krebs wrote in a Sept. 14 post on his KrebsonSecurity blog that multiple financial institutions reported a steep increase over the past few days in ATM withdrawal fraud using data stolen from Home Depot customer accounts. While the retailer reassured customers that no debit card PIN data was compromised in the attack, Krebs noted that fraudsters can use other types of data that was stolen, such as ZIP codes, to reset debit cardholders' PINs via automated phone systems that employ weak cardholder authentication methods.

"The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big-box stores," Krebs wrote. "But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs."

In the wake of the breach coming to light, a class-action lawsuit in the Atlanta district court was filed by the Georgia law firm of Harris Penn Lowry LLP. The suit alleges that Home Depot did not inform its customers of the breach until after Krebs broke the story on his blog site. end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing