STE WILLIAMS

Is $100 million enough to save the web from ads?

After years of going nowhere, could web micropayments be the next big enabler for user privacy?

The privacy angle on this has always sounded interesting: if visitors could pay websites small amounts of money for consuming content, perhaps those sites wouldn’t need to sell traffic to advertisers whose business is built on distracting, tracking and profiling visitors.

Easy to aspire to, harder to make work – with a long list of commercial micropayments systems that nobody uses serving as cautionary tales.

But that was before privacy became a big deal, which is why a startup called Coil has decided to try again by backing an initiative called Grant for the Web (GftW), which has a $100 million fund to hand out over five years.

Founded in 2018, Coil describes itself as a “content monetisation” company, but don’t let that put you off. Grant for the Web is taken seriously enough by outsiders that The Mozilla Foundation and copyright non-profit Creative Commons have signed up as launch partners.

But what is it?

The following explanation appears on the Creative Commons website:

The program will fund individuals, projects, and global communities that contribute to a privacy-centric, open, and accessible web monetisation ecosystem.

Content creators and software companies will be able to do this using Coil’s open Web Monetization API, which has been proposed to the World Wide Web Consortium (W3C) Web Incubator Community Group as ILP-RFC 0028 (Draft 9).

In other words, it’s a new web content payment standard, and the grant will fund interested parties to build proof-of-concept examples of what that might look like in practice.

It’s like a pragmatic re-imagining of the ‘build it and they will come’ strategy that failed for previous micropayments systems.

The problem with those is they were essentially commercial platforms designed to create a new middleman that would take its cut from microtransactions.

Unfortunately, while many users were happy to pay for content, they didn’t want to use lots of incompatible platforms to achieve this. Starved of users, nobody could make enough money.

The Web Monetization API, by contrast, offers the possibility of using micropayments as the mechanism to achieve privacy by freeing websites from having to resort to traditional advertising surveillance to make ends meet.

Freeloading

Isn’t there a danger that companies will ditch privacy and just help themselves to the open API?

Potentially, although Grant for the Web’s Advisory Council says that at least 50% of the grants will be awarded to projects which embrace values supporting open standards and privacy.

We’re speculating here but one possibility is that Coil’s API finds its way into Firefox which, if it were to happen, would embed a micropayments mechanism into a browser used by more than a hundred million people.

That wouldn’t guarantee privacy even if sites accepted payments via that interface, but it would offer a counterbalance to the incentives that lead to users being tracked all over the web.

It’s a different take on the problem addressed by Brave, a dedicated browser that attempts to ensure privacy by serving ads anonymously to users who are rewarded for consuming them with a sort of micropayment in the form of ‘Basic Attention’ Tokens (BATs).

Which idea will triumph? That’s impossible to say right now but in the end, success will be about signing up popular websites that readers value. After years of struggle, perhaps web publishing’s future is looking up after all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7IGQrwFwo98/

WannaCry – the worm that just won’t die

Remember WannaCry?

That’s the infamous self-spreading ransomware attack that stormed the world in May 2017.

WannaCry was an unusual strain of ransomware for two main reasons.

Unlike most ransomware we’ve seen in the past 30 years (yes, it really is that long!), WannaCry was a computer virus, or more precisely a self-spreading worm, meaning that it replicated all by itself, finding new victims, breaking in and launching on the next computer automatically.

WannaCry broke in across the internet, jumping from network to network and company to company using an exploit – a security bug in Windows that allowed the virus to poke its way in without needing a username or a password.

And not just any exploit – WannaCry used an attack called ETERNALBLUE that was allegedly stolen from the US National Security Agency by a hacking crew known as Shadow Brokers.

The good news is that, even back at the time that WannaCry burst onto the internet, a patch to fix the ETERNALBLUE security hole was available, issued two months previously by Microsoft as part of the March 2017 Patch Tuesday update.

If you’d patched within the past two months, you were largely immune to WannaCry, and could therefore stand down from red alert.

Even if you detected network attacks coming from existing, unpatched, infected victims, those ETERNALBLUE probes would have bounced harmlessly off your up-to-date devices.

Of course, not everyone had patched within that two month window, and so the malware spread far and fast, demanding $300 per infected computer from something like 200,000 victims in short order.

WannaCry won’t die

Well, guess what?

Not everyone has patched even now, more than two years later, and WannaCry is not only still alive (and ignoring the kill switch that was designed to stop it), but possibly more alive than ever.

Sophos experts Peter Mackenzie, Fraser Howard and Anton Kalinin have just published a must-read paper that will tell you why, and how.

Fortunately, although we’re still seeing huge amounts of WannaCry activity, we aren’t seeing many people actually getting their data scrambled by it.

And because people who are infected aren’t themselves visibly being affected by unwanted encryption and ransom demands, they don’t realise they’re being used to spread copies of the malware.

But how on earth can a destructive virus more than two years old, one that was patched against even before it first appeared, continue to spread like crazy?

And how come it’s still alive but no longer drawing attention to itself by leaving a sea of scrambled files and ransom demands in its wake?

More importantly, what can we do to stop it now?

The data that our experts analyse in their report is fascinating:

  • More than 12,000 WannaCry variants were found in the wild, two years after the malware was supposedly conquered for good.
  • More than 5,000,000 attempted attacks against unpatched computers were blocked in the last three months of 2018 – and that’s just the ones where Sophos Endpoint Security was installed and reported back to us.
  • More than 97% of unpatched computers under attack were running Windows 7, so this is not just a story about forgotten Windows XP devices.
  • A few people actually paid the ransom even though there’s no point in doing so. The crooks behind the relevant Bitcoin addresses aren’t monitoring payments or providing decryption tools.

What to do?

We don’t want to spoil the paper but we will say that the only reason most of the contemporary WannaCry variants don’t scramble the computers they infect…

…is because the file-scrambling part of the malware is corrupted.

In other words, if you haven’t patched, and you do get infected, but you don’t get your files ruined, you got lucky.

You were saved by accident rather than by design – from WannaCry, that is, but who knows who or what else has been wandering round your network in the more than two years since you last patched?

Read the paper and learn what to do – there are apparently millions of people in our midst who desperately need our help and advice, for the greater good of all.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EU2F9uItjyk/

Your ugly mug may be scanned yet again – but at least you’ll be able to board faster at Gatwick

Gatwick Airport will extend its use of facial recognition to match passengers to their passports at departure gates before they board planes.

The original trial with easyJet scanned passengers’ faces when they used self-service luggage drop-off points on their way to European destinations. We’re sure at least some of those self-service points worked.


A spokeswoman for the airport told the Beeb: “Gatwick [is now planning] a second trial in the next six months and then rolling out auto-boarding technology on eight departure gates in the North Terminal when it opens a new extension to its Pier 6 departure facility in 2022.”

She said that the trial showed passengers found the tech easy to use and its use led to faster boarding times and less time spent queuing.

The news comes at a challenging time for facial recognition more broadly.

In the US, there has been blowback against widespread use of the technology. San Francisco recently banned any use of biometric technology by public bodies in the city. Attaching the technology to police body-worn cameras has also been criticised.


In the UK, which has a higher tolerance for surveillance, the technology is increasingly being used in public spaces – like King’s Cross in London. Landlords there were handed a database of images by the Metropolitan Police to load onto its AI-powered spotter system, which ran between 2016 and 2018. The Information Commissioner’s Office is investigating the mass snoop.

Given acceptance of ePassport gates, smut scanners and other invasive tech as part of the security theatre at airports, we can’t see many objections being raised.

Passengers can opt out of using the face scanners and Privacy International told the BBC the airport should seek genuine consent, especially when scanning children.

Gatwick said no data would be stored for longer than a few seconds during the trial, which had been designed to comply with relevant data protection laws.

We’ve contacted the airport and will update this story if we get more details. ®

Updated at 1040 on 18/09/19 to add:

Gatwick sent us the following statement:

Last year Gatwick ran one of the most extensive passenger trials of biometric auto-boarding technology with over 20,000 international passengers experiencing the technology for the first time across a whole range of European destinations.

More than 90 per cent of those interviewed said they found the technology extremely easy to use and the trial demonstrated faster boarding of the aircraft for the airline and a significant reduction in queue time for passengers. Gatwick is now collating all the data in order to further develop and optimise the technological solution with a view to rolling out auto-boarding technology on eight departure gates in the North Terminal when it opens a new extension to its Pier 6 departure facility in 2022.

One of the major benefits for passengers will be the open gate-room concept that Gatwick will be able to enable with this technology. This will allow passengers to spend more time enjoying the shops or having a last minute coffee before boarding their flight.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/gatwick_facial_recognition/

How to break out of a hypervisor: Abuse Qemu-KVM on-Linux pre-5.3 – or VMware with an AMD driver

A pair of newly disclosed security flaws could allow malicious virtual machine guests to break out of their hypervisor’s walled gardens and execute malicious code on the host box.

Neither CVE-2019-14835 nor CVE-2019-5049 is particularly easy to exploit, as each requires specific types of hardware or events to occur. However, if successful, either could allow a miscreant to run malware on the host from a VM instance.

CVE-2019-14835 was discovered and reported by Peter Pi, a member of the Tencent Blade Team. It affects Linux kernel versions from 2.6.34 up to version 5.3, where it is patched.

The flaw itself is found in Qemu-KVM, an open-source environment typically used to host virtual machines on Linux servers. Pi found that when the host server performs a migration to another machine, Qemu accesses a table in memory that the guest VM can write to.

If the attacker successfully manipulates that table, they can trigger a buffer overflow on the host server, allowing them to execute malicious code on the host machine outside the hypervisor.

“The bug happens in the live migrate flow. When migrating, Qemu needs to know the dirty pages, vhost/vhost_net uses a kernel buffer to record the dirty log, but it doesn’t check the bounds of the log buffer,” Blade Team said in its summary.

“So we can forge the desc table in guest, wait for migrate or doing something (like increase host machine workload or combine a memory leak bug, depends on vendor’s migrate schedule policy) to trigger cloud vendor to migrate this guest.”

As the summary notes, actually exposing the bug requires being able to trigger a migration, meaning the attack would either have to chain with another exploit or have some fairly detailed knowledge of the host server, making the real-world risk from the flaw slightly less.

Still, admins would be well advised to update the kernel on their Linux servers in order to get this and other bug fixes.
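The summary above boils down to one missing check: a dirty-page log is a kernel-side bitmap, and a page index derived from guest-controlled data must be compared against the log’s size before the bit is set. The following is an added example, not the Linux vhost code and not Tencent’s proof of concept: a toy dirty log (struct, function and constant names are all hypothetical) with the bounds check in place, plus a scenario that keeps a canary word directly after the bitmap to show that out-of-range addresses are refused rather than written past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of a live-migration dirty log: one bit per guest page, stored in
 * a fixed-size kernel-side buffer. Constructed example; not the Linux vhost code.
 */
#define PAGE_SHIFT 12
#define BITS_PER_WORD 64

struct dirty_log {
    uint64_t *words;   /* bitmap storage, nr_pages bits rounded up to words */
    size_t nr_pages;   /* number of guest pages the log covers */
};

/* Mark the page containing guest-physical address gpa as dirty.
 * Returns 0 on success, -1 when the page lies outside the log. */
int dirty_log_mark(struct dirty_log *log, uint64_t gpa)
{
    uint64_t page = gpa >> PAGE_SHIFT;

    if (log == NULL || log->words == NULL)
        return -1;
    /* The bounds check that must not be skipped: a guest-influenced page
     * index beyond nr_pages would otherwise index past the end of words[]. */
    if (page >= log->nr_pages)
        return -1;
    log->words[page / BITS_PER_WORD] |= (uint64_t)1 << (page % BITS_PER_WORD);
    return 0;
}

/* Return 1 if the page containing gpa is dirty, 0 if clean or out of range. */
int dirty_log_test(const struct dirty_log *log, uint64_t gpa)
{
    uint64_t page = gpa >> PAGE_SHIFT;

    if (log == NULL || log->words == NULL || page >= log->nr_pages)
        return 0;
    return (int)((log->words[page / BITS_PER_WORD] >> (page % BITS_PER_WORD)) & 1);
}

/* Self-contained scenario (constructed data): a 128-page log followed by a
 * canary word standing in for whatever the kernel keeps after the buffer.
 * Returns 1 when in-range writes land, out-of-range writes are refused and
 * the canary is untouched; 0 otherwise. */
int dirty_log_scenario(void)
{
    uint64_t storage[3] = { 0, 0, 0xDEADBEEFCAFEF00DULL }; /* 2 bitmap words + canary */
    struct dirty_log log = { storage, 128 };
    const uint64_t canary = storage[2];

    /* Legitimate writes within the migrated range. */
    if (dirty_log_mark(&log, 0x0000) != 0 || dirty_log_mark(&log, 0x7F000) != 0)
        return 0;
    if (!dirty_log_test(&log, 0x0ABC) || !dirty_log_test(&log, 0x7FFFF))
        return 0;
    if (dirty_log_test(&log, 0x1000))   /* page 1 was never marked */
        return 0;
    /* Addresses just past the end and far beyond must be refused. */
    if (dirty_log_mark(&log, 0x80000) != -1 || dirty_log_mark(&log, UINT64_MAX) != -1)
        return 0;
    return storage[2] == canary;
}

int main(void)
{
    int ok = dirty_log_scenario();
    printf("dirty log scenario: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the canary is only illustrative: in the real flaw the data after the log buffer is whatever else the kernel allocated there, which is why a missing comparison against `nr_pages` becomes a host-side memory corruption rather than a harmless no-op.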

Meanwhile, with VMware and AMD…

Piotr Bania and Cisco Talos took credit for discovery of CVE-2019-5049. This is a memory corruption vulnerability exposed by ATIDXX64.DLL in versions 25.20.15031.5004 and 25.20.15031.9002 of AMD’s graphics drivers. It can be exploited by Windows 10 virtual machines to break out of VMware Workstation. Thus, if you’re hosting Windows 10 guests with these drivers present, you’re at risk.

“A specially crafted pixel shader can cause an out-of-bounds memory write,” Talos said of the bug.

“An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from VMware guest, affecting VMware host.”

Users and admins can patch the flaw by updating their AMD drivers to the latest stable version. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/vmware_amd_hypervisor_escapes/

MPs call for ‘immediate’ stop to facial recog in UK as report underlines bias risks in ‘pre-crime’ algos used by coppers

MPs across parties have called for an immediate “stop” to live facial recognition surveillance by the police and in public places.

The joint statement signed by 14 MPs including David Davis, Diane Abbott, Jo Swinson, and Caroline Lucas stated:

We hold differing views about live facial recognition surveillance, ranging from serious concerns about its incompatibility with human rights, to the potential for discriminatory impact, the lack of safeguards, the lack of an evidence base, an unproven case of necessity or proportionality, the lack of a sufficient legal basis, the lack of parliamentary consideration, and the lack of a democratic mandate.

However, all of these views lead us to the same following conclusion: We call on UK police and private companies to immediately stop using live facial recognition for public surveillance.

The call is also backed by 25 rights and technology groups including Big Brother Watch, Amnesty International and the Ada Lovelace Institute.

Such groups have warned about the increasing use of the controversial technology. The Metropolitan Police has used facial recognition surveillance 10 times across London since 2016, including twice at London’s Notting Hill Carnival.

Facial recognition is also being used in privately owned public spaces, including, controversially, the King’s Cross Estate in London – the ICO has already stuck its oar in on that subject.

It follows a report yesterday (PDF), in which British police officials cast doubt on the use of predictive policing algorithms, calling them imprecise and biased.

Security and defence think tank the Royal United Services Institute (RUSI) interviewed police representatives, academics and legal experts about the challenges of using data analytics and algorithms. Machine learning is used to map and predict areas with high crime rates, and the data is then used to direct police on where to patrol, also known as “hotspot policing”.

Out of the 43 police forces across England and Wales, only 12 have experimented with predictive policing algorithms, and only three or four agencies are currently deploying the technology, Alexander Babuta, a research fellow of National Security Studies at RUSI and one of the authors of the report, told The Register.

Machine learning models are only good at picking up on patterns in the training data and, therefore, cannot predict rare crimes.

If there are any biases in the data, the algorithms will only serve to enhance them. For example, if a particular area is known for high rates of robberies then sending more police to that area will potentially mean more arrests, creating a positive feedback loop. So instead of predicting future crimes, the software tends to just affect future policing instead.

“We pile loads of resources into a certain area and it becomes a self-fulfilling prophecy, purely because there’s more policing going into that area, not necessarily because of discrimination on the part of officers,” said one copper.

‘Human bias … introduced into the datasets’

The algorithms are potentially even worse when they’re used to predict how likely someone is to commit a crime. Some forces such as the Durham Constabulary and the Avon and Somerset Constabulary have employed the tool to assess recidivism by taking into account the “likelihood of victimisation or vulnerability, and likelihood of committing a range of specific offences”.

But, again, if these are given biased data it will lead to certain demographics being targeted. “Young black men are more likely to be stopped and searched than young white men, and that’s purely down to human bias. That human bias is then introduced into the datasets, and bias is then generated in the outcomes of the application of those datasets,” an official noted.

In fact, neighbourhood officers from Durham can check the local profiles of people with criminal records on their mobile devices through an app that calculates the risk of them reoffending. The results are updated every day, apparently. But as one expert observed: “Predictive judgments are meaningful when applied to groups of offenders. However, at an individual level, predictions are considered by many to be imprecise.”

Algorithms have to crunch through tons of data in order to make accurate predictions. Relying on a single individual’s data is probably not enough to get it to work. Even if a tool is effective for groups of people, it doesn’t mean it’ll necessarily be accurate for a single person.

The RUSI report is the first study into data analytics and algorithms in policing; there will be a second looking into the possible solutions to biases in the technology next year.

“This project forms part of the Centre for Data Ethics and Innovation’s (CDEI) ongoing review into algorithmic bias in policing,” said Babuta. “The aim is to develop a new national policy framework for police use of data analytics.

“CDEI will shortly publish draft guidance for consultation, and based on feedback provided by policing stakeholders, this guidance will then be revised and refined.

“Our final report will be published in February 2020, and will contain specific recommendations regarding what should be included in a new Code of Data Ethics for UK policing.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/uk_police_criminals_algorithms/

Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now

On Tuesday, the Common Weakness Enumeration (CWE) team from MITRE, a non-profit focused on information security for government, industry and academia, published its list of the CWE Top 25 Most Dangerous Software Errors.

These CWEs represent the most common critical weaknesses in software. They’re bugs, design flaws, or other errors in software implementation. They include things like buffer overflows, pathname traversal errors, undesired randomness or predictability, code evaluation and injection, lack of data verification and so on.

CWEs differ from CVEs in that they are precursors to vulnerabilities. “A weakness can become an exploitable vulnerability under the right operational conditions,” explained Chris Levendis, a project manager at MITRE, in a phone interview with The Register.

Drew Buttner, who heads a software assurance group at MITRE focused on secure code review, said this is the first time the list has been updated since 2011.

Here are the top 10:

The score represents an attempt to capture the frequency that a CWE represents the root cause of a vulnerability and the anticipated severity of exploitation.

About a third of the list is new, Buttner said, and the remaining two-thirds can be found on the 2011 list. Survivors from the past include Unrestricted Upload of File with Dangerous Type (CWE-434), SQL Injection (CWE-89), and OS Command Injection (CWE-78). “Those continue to be prevalent and dangerous weaknesses,” he said.

SQL Injection, CWE-89, has become less prevalent, however, dropping from first place in 2011 to sixth place today. Likewise, another holdout, Use of Hard-coded Credentials, CWE-798, fell from rank 7 in 2011 to rank 19 today.

Buttner also noted that some old problems had disappeared as a result of developer diligence. CWE-134, Uncontrolled Format String, he said, appeared on the 2011 list but isn’t on the current one.

Among current weaknesses, Improper Input Validation, CWE-20, ranked number three, didn’t make the list in 2011. Neither did Information Exposure, CWE-200, which presently ranks fourth.

But the 2011 list isn’t really directly comparable to the 2019 list because the methodologies used to compile them have changed. Previous lists, said Buttner, were based on subjective discussions with industry experts that were used to compile lists of CWEs. Now, MITRE’s CWE group relies on data queried from the National Vulnerability Database and Common Vulnerability Scoring System (CVSS) scores.

The current list has also been shaped by improvements in bug hunting tools. “Advances in static analysis have really helped developer teams identify and find these types of mistakes,” said Buttner.

MITRE’s newfound data-driven approach hasn’t diminished the organization’s interest in engagement with tech types.

“The more we can talk to the community, the more we can learn from each other and the more we can make the list more robust,” said Buttner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/18/the_25_most_dangerous_software_weaknesses/

US government sues ex-IT guy for breaking his NDA (Yes, we mean Edward Snowden)

The US government today sued former CIA employee and NSA sysadmin contractor Edward Snowden to deny him payment from his newly published book, Permanent Record.

The civil lawsuit [PDF], filed in the Eastern District of Virginia, alleges that Snowden violated non-disclosure agreements signed as a condition of employment with the CIA and NSA. Those agreements require signatories to submit books to the respective agencies for review, prior to publication, to ensure classified information isn’t disclosed.

Snowden in 2013 leaked a series of secret documents to the press, an act of whistleblowing intended to shine light on the breadth of blanket electronic surveillance carried out by the US and its allies. The revelations had a dramatic effect on the technology industry, prompting a broad re-evaluation of basic security standards and hastening the deployment of encryption across the internet.

US authorities that year indicted Snowden on criminal espionage charges and cancelled his passport while he was at Sheremetyevo Airport in Moscow, Russia. After being stuck in the airport for more than a month, Snowden won asylum in Russia, and he still resides there. The US and Russia have no extradition treaty.

Permanent Record was published on Tuesday by Henry Holt and Company, an imprint of Macmillan Publishing Group, which is owned by Holtzbrinck Publishing Group, based in Germany.

The US Department of Justice is suing Snowden and those three affiliated publishing entities to prevent the author from receiving any proceeds.

‘No monetary benefits’

“Intelligence information should protect our nation, not provide personal profit,” said G. Zachary Terwilliger, US Attorney for the Eastern District of Virginia, in a statement. “This lawsuit will ensure that Edward Snowden receives no monetary benefits from breaching the trust placed in him.”

In a phone interview with The Register, David Greene, senior staff attorney and civil liberties director for the Electronic Frontier Foundation, said the lawsuit, like so much about the government’s dealings with Snowden, seems overly punitive but it isn’t unexpected.

Indeed, on Twitter last week, national security lawyer Bradley P. Moss observed that because Snowden was unlikely to have sought pre-publication review from the CIA and NSA, US authorities “can now go after all the proceeds from the book, even if he intended to donate every last cent to charity.”

Greene said that this case differs from Snepp v. United States, a US Supreme Court precedent involving a former CIA agent who published a book about his intelligence activities and was denied proceeds, in that all the information in the book related to Snowden’s work was previously disclosed, or so he assumes.


Ben Wizner, director of the ACLU’s Speech, Privacy, and Technology Project and attorney for Snowden, confirmed as much in a statement. “This book contains no government secrets that have not been previously published by respected news organizations,” he said. “Had Mr Snowden believed that the government would review his book in good faith, he would have submitted it for review. But the government continues to insist that facts that are known and discussed throughout the world are still somehow classified.”

Greene said he expects the government will argue that the facts disclosed are irrelevant and that a review is contractually required regardless. As a defense, he said Snowden and his publisher may argue some form of futility defense, whereby a contractual requirement may be excused if it’s deemed futile.

Wizner said Snowden wrote the book to inspire continued conversation about mass surveillance.

Snowden himself proved quick to grasp the marketing value of the litigation. In a Twitter post promoting Permanent Record, he said, “This is the book the government does not want you to read.”

Uncle Sam’s legal eagles appear to have anticipated this by insisting that it “does not seek to stop or restrict the publication or distribution of Permanent Record.” It claims it just wants to stop Snowden from being paid. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/17/us_govt_sues_snowden/

Any Advice for Assessing Third-Party Risk?

Here are five tips about what not to do when assessing the cyber-risk introduced by a third-party supplier.

Question: What are some important points to consider when looking to improve my third-party risk assessment function?

Josh Goldfarb, independent consultant: Most businesses work closely with and rely on third parties, suppliers, and vendors to help them accomplish their business objectives — but while third parties can provide many benefits to a business, they can also introduce risk.

So it’s important to holistically assess your third-party risk regularly. You should begin by prioritizing your risks and tailoring your third-party risk assessments accordingly. 

Here are a few things you should not do: 

  • Don’t be afraid to have multiple questionnaires: Assign risk assessment questionnaires to each party based upon the size, type, criticality, and data sensitivity for each vendor.
  • Don’t trust the answers you get: Leverage technology to verify and validate responses and to check that required controls are actually in place.
  • Don’t end the process at the assessment phase: Build a work program for each vendor to bring them in line with your expectations.
  • Don’t forget to measure: Each assessment should result in a tangible risk score that you can use to assess your exposure across individual vendors, various different segments of the supply chain, and the supply chain as a whole.
  • Don’t stagnate: Remember to continually review your third-party risk assessment function amid evolving priorities, identify weak spots, and work to strengthen and improve them.

What do you advise? Let us know in the Comments section, below.

Do you have questions you’d like answered? Send them to [email protected].


Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for …

Article source: https://www.darkreading.com/edge/theedge/any-advice-for-assessing-third-party-risk/b/d-id/1335826?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


MITRE Releases 2019 List of Top 25 Software Weaknesses

The list includes the most frequent and critical weaknesses that can lead to serious software vulnerabilities.

MITRE today published a draft of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, a list of the most widespread and critical weaknesses that could lead to severe software vulnerabilities, as the organization explained in a release on the news.

Attackers can often exploit these vulnerabilities to assume control over an affected system, steal sensitive data, or cause a denial-of-service condition, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on the list. Users and admins are encouraged to review both the list and recommended mitigations that MITRE advises them to implement. 

The Top 25 is a community resource for software developers, testers, customers, project managers, security researchers, and educators exploring common threats in software. This year, the team took a new approach to generating the list. The methodology involved pulling CVE-related data from within the US National Vulnerability Database (NVD) and accounting for frequency and average Common Vulnerability Scoring System (CVSS) score to determine rank. A scoring formula was used to assess the level of frequency and danger each weakness presents.

This list historically has been compiled by gathering survey responses from a broad group of organizations and by collecting feedback from security analysts, researchers, and developers. Industry pros were asked to nominate weaknesses they considered to be the most widespread or important; a customized part of the CVSS was used to decide on the ranking of each weakness.

“There were a number of positives in this approach, but it was also labor-intensive and subjective,” MITRE says. The 2019 list instead uses a more rigorous, statistical process that leverages data about reported vulnerabilities to gauge the dangerousness of each weakness.

“We wanted to go with a methodology that was more objective and based on what we’re seeing in the real world,” says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year’s Top 25 is the first release of the list since 2011, Buttner points out, but MITRE’s goal going forward is to release a new list for each year.

2019’s Top Weaknesses

There were no surprises in this year’s Top 25, agree Buttner and Chris Levendis, MITRE CWE project leader. “A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed,” Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.

The highest-ranking weakness, with a score of 75.56, is CWE-119, buffer overflow or “Improper Restriction of Operations within the Bounds of a Memory Buffer.” Some languages allow direct addressing of memory locations and don’t automatically ensure locations are valid for the memory buffer being referenced. This can cause read or write operations to be performed on memory locations linked to data structures or internal program data. An attacker could execute malicious code, change the control flow, read sensitive data, or crash the system.

Buttner and Levendis anticipated buffer overflow would be near the top of the list, as it was also near the top in 2011 and it’s a well-known weakness throughout the industry.

Next-highest is CWE-79, “Improper Neutralization of Input During Web Page Generation” or cross-site scripting, with a score of 45.69. Software doesn’t neutralize, or incorrectly neutralizes, user-controllable input before it’s placed in output later used as a web page served to other users. Untrusted data may enter a web app and ultimately execute malicious script.

Number three is CWE-20, or Improper Input Validation, which exists when software doesn’t validate or improperly validates input that can affect a program’s control flow or data flow. An attacker can write input not expected by the application. This can lead to parts of the system receiving unexpected input, which may cause arbitrary code execution or altered control flow.
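The three weaknesses just described tend to show up together in the same few lines of code, so here is an added example (not MITRE’s code and not from the CWE entries themselves; all function and buffer names are hypothetical) that handles each the way the descriptions above imply: `validate_username` rejects input that does not match a known format (CWE-20), `html_escape` neutralizes user-controlled text before it is placed in a page (CWE-79), and both it and `render_profile` treat a result that would not fit its buffer as a failure instead of writing past the end or silently truncating (CWE-119).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that matter in HTML text and attribute context into a
 * bounded output buffer. Returns the number of bytes written (excluding the NUL)
 * or -1 if the result would not fit. Never writes beyond out[out_len - 1]. */
long html_escape(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    const unsigned char *p;

    if (in == NULL || out == NULL || out_len == 0)
        return -1;
    for (p = (const unsigned char *)in; *p != '\0'; p++) {
        char literal[2] = { (char)*p, '\0' };
        const char *rep;
        size_t n;

        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = literal;  break;
        }
        n = strlen(rep);
        /* Need room for the replacement plus the terminating NUL (CWE-119). */
        if (n >= out_len - o) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (long)o;
}

/* Strict syntactic validation for a field with a known format (CWE-20):
 * 1..32 characters drawn from [A-Za-z0-9_]. Returns 1 if valid, 0 otherwise. */
int validate_username(const char *s)
{
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    for (; *s != '\0'; s++) {
        char c = *s;
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return 0;
    }
    return 1;
}

static char page_buf[64];   /* deliberately small so the size checks are exercised */

/* Build a small profile fragment: the username is validated against its strict
 * format, the free-text bio is escaped, and the assembled page is size-checked.
 * Returns a pointer to a static buffer, or NULL when any step fails. */
const char *render_profile(const char *username, const char *bio)
{
    char bio_esc[64];
    int n;

    if (!validate_username(username))                       /* CWE-20 */
        return NULL;
    if (html_escape(bio, bio_esc, sizeof bio_esc) < 0)      /* CWE-79 */
        return NULL;
    n = snprintf(page_buf, sizeof page_buf, "<h1>%s</h1><p>%s</p>", username, bio_esc);
    if (n < 0 || (size_t)n >= sizeof page_buf) {            /* CWE-119: truncation is a failure */
        page_buf[0] = '\0';
        return NULL;
    }
    return page_buf;
}

int main(void)
{
    /* Constructed inputs: one well-formed profile and two that must be refused. */
    const char *ok = render_profile("alice", "<b>hi</b> & bye");
    printf("%s\n", ok ? ok : "(rejected)");
    printf("%s\n", render_profile("al ice", "x") ? "accepted?!" : "bad username rejected");
    printf("%s\n", render_profile("bob", "<<<<<<<<<<<<<<<<<<<<") ? "accepted?!" : "oversized bio rejected");
    return 0;
}
```

Two design choices are worth noting. Validation and escaping are applied to different fields rather than traded off against each other: a username has a grammar and can be rejected, a bio does not and must be encoded for the context it lands in. And every size decision is made against the destination buffer before the copy, with the failing path returning an error rather than a shortened string, which is what keeps a CWE-119 from hiding inside an otherwise correct CWE-79 fix.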

Software users can use the Top 25 list to gauge the security practices of the companies they’re buying software from before they invest, Levendis says. Those using open source can better learn whether developers are paying attention to those weaknesses, and developers can use the list as a “priority cheat sheet” consisting of weaknesses they should be keeping an eye on.

He adds: “At the most fundamental level, that’s what you can use the weaknesses for if you’re a consumer of software.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/mitre-releases-2019-list-of-top-25-software-weaknesses/d/d-id/1335829?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple