If apps seem increasingly open to attack, it’s because they are, at least by one measure.
According to Trustwave’s 2015 Global Security Report, applications tested by the tech security company had a median of 20 vulnerabilities last year — compared with 14 and 13 in the prior two years, respectively.
The report, released this week, is based on 574 breach investigations across 15 countries conducted by Trustwave’s SpiderLabs division last year, and also includes “proprietary threat intelligence,” according to a press release.
Half of these breach investigations involved the theft of personally identifiable information, which can be used to commit identity theft.
The investigations were mostly of e-commerce breaches in the retail industry. Weak passwords or weak remote access security were the primary causes of the breaches.
To prevent yourself from becoming a victim, Trustwave advises that you create passwords that:
- Have at least 10 characters: “Passwords with eight characters, for example, can be cracked within a day using brute-force techniques with technology easily available to attackers,” the report states. “We estimate that the same techniques and technology would crack a 10-character password in 591 days.”
- Are complex and random: Randomly insert symbols and numbers and use a mix of uppercase and lowercase letters. But realize that obvious substitutions — like “[email protected]” instead of “password1” — don’t necessarily strengthen passwords because cracking technology used by attackers can guess predictable patterns.
- Avoid being dictionary-based. In other words, do not include actual words in your password.
Trustwave found at least one vulnerability in more than 90 percent of mobile apps it tested. Such vulnerabilities typically allowed testers to uncover “sensitive information, including cardholder data, usernames and/or passwords, personally identifiable information or even source code.”
Charles Henderson, a director for Trustwave SpiderLabs, tells CBS News that technicians tested apps using the same technologies available to attackers:
“We attack systems just as these criminals do attempting to find flaws, vulnerabilities. … It’s not ninjas dropping through ceilings.”