Concerned about your software security? Give us a call.
We live in a complex threat environment of malware, spyware, disgruntled employees and aggressive international hackers. Consequently, the threat of security breaches in software has become one of the most troubling aspects about technology – in particular the theft of intellectual property or personal data in an increasingly interconnected world.
“Blueberry provided cutting-edge technical competence to our development project at a cost effective price.”
We are all exposed to the constant danger of digital data theft. More so as many proof-of-concept attacks are likely to become real threats as connected devices become more commonplace.
Hackers exploit weaknesses in operating systems and the software running on them. They also obtain passwords through any number of simple cons. However, once they have the same access as legitimate users they can commit crimes that may not be noticed for weeks or even months.
When credit card breaches that used a magnetic stripe to read and record account data were discovered (where hackers grab unencrypted live data as it is sent to banks for authentication), the exploit was resolved by introducing new EMV smart cards that contained an authentication chip to ensure it was a legitimate bank card. The chip also generates a one-time transaction code with each purchase, preventing hackers from embossing stolen data onto fake cloned cards to use for fraudulent purchases in stores.
This is one example of how the software industry is engaged in a contest of ingenuity with tech-savvy thieves, who are constantly on the lookout for new ways to breach the security of existing software.
There was a time when the assets of businesses were tangible and the greatest risk to a business was physical burglary. These days, a company’s most valuable assets are largely intangible – intellectual property or sensitive data about their clients.
As a result, one of the biggest threats to businesses is data sabotage – that is changing or manipulating digital data in order to compromise its integrity. This is favoured by hackers because data alterations can go unnoticed for a time, but still have enormous consequences and implications – particularly so for financial institutions as well as the defence industry, but applies to all companies.
When such breaches occur, we must ask: how did this happen; what is the company doing about it; and how can we stop it happening again?
To answer these questions means looking beyond ‘Security’ measures, to’ Privacy’ issues too, and recognising the importance of security and privacy working hand-in-hand to mitigate the risk and enhance accountability.
This has recently been brought to the fore in the recent Apple v. FBI controversy and the auto-encryption bills the US Congress is trying to pass. The move is mirrored to some extent by the Investigatory Powers bill the UK government is trying to pass as part of new surveillance laws, which would require software vendors to build backdoors into their software by default. Doing so will, in effect, grant politicians extrajudicial powers to spy on private information.
This sort of smartphone intrusion is a further complexity that software developers may need to contend with when considering the security of their applications, as any intentionally designed backdoor carries the risk of becoming public property (this is in essence Apple’s argument for not providing the FBI with a “master key” to the encrypted smartphone, since it would mean the iPhone operating system would become less secure).
The most effective hacking methods, demonstrated by recent examples such as the Sony Pictures scandal, the iCloud celebrity photo leak or discovery of CIA head John Brennan’s classified data on AOL remain:
- Insider attacks
- Social engineering (phishing and personal)
- Brute force password guessing
Needless to say, when a company’s data is breached, it faces significant response costs, scrutiny, reputational damage, and monetary loss. It’s also significant that in a data breach, both the company and its customers suffer.
The big scandals of recent years have been situations where a hacker gains access to a server and steals millions of passwords and other user details – hence the need to protect the servers with good firewalls and other security measures.
It must be remembered that a lot of personal information is stored in data systems around the world, and with the way people reuse passwords, a breach in one system is enough to gain access to other systems, or piece together a fraudulent identity for a spending spree. Furthermore, an average person’s mailbox over time accumulates enough data for a fully-fledged identity theft.
This is why poor password selection for services like email, website and cloud services logins makes them attractive to brute-force attacks.
Consequently bespoke software should always be designed to allow for the comparative weakness at the point where password credentials are checked to gain entry to a system.
The standard technique for securing passwords is by ‘hashing and salting’. Hashing uses algorithms to convert a password into a long series of jumbled numbers and letters which cannot be reversed. This allows the hashed password to be used to check a future login, but the password itself is never stored.
Blueberry’s web systems use an algorithm to show the user how secure their chosen password is as they type it in, and also enforces reasonable standards for password choice – such as using letters and numbers, and insisting the password is eight characters or longer.
But hackers don’t usually stop there. They can use dictionaries of common hashed passwords against a stolen database. If they find a match, they’ve got the password. This is why we also add ‘salt’ to passwords. Salting is extra random data added to the password before hashing and goes a long way to providing extra protection against attacks.
Blueberry takes a further step by looking up user passwords in a dictionary of known common passwords, and we warn the user if their selected password is on the list. We also check to see if a user is using a common pattern of password – for example, “tree123”.
Custom Software Security
Operating systems and other widely used software are a prime target for hackers. A weakness discovered in widely-used products is valuable because it can be used in the commission of many crimes. As a result, the more widely used a program is, the more attention it draws – not just from the hackers attempting to find its weaknesses, but also from the software industry in protecting it.
Bespoke software generally gets less attention because no one knows the source code outside of the developers themselves. However, this lack of attention does not necessarily make it more secure, as most software today is built upon widely used technology that presents a potential path for the determined hacker.
For Blueberry, security testing early on in the development life cycle is critical to finding vulnerabilities or coding errors. Software vulnerability testing and code reviews check for vulnerability to SQL Injection Attacks, Cross-Site Scripting and Permission Elevation attacks.
Blueberry works with clients to understand and mitigate security risks at the start of a project. We ensure that we utilise the right security tools, tests and auditing products to protect the business and the software that we design. This includes protection from malicious threats, firewalling, compliance with regulatory practices and standards, network access control, authentication, and encryption management. We make use of vulnerability scanning tools, such as Nexpose; the Web Application Attack and Audit Framework, w3af, Metasploit Framework; and Nessus.
If you have a custom software development project with security requirements, please give us a call.