Slashdot Mirror


The Twenty Most Critical Internet Security Holes

Ant writes: "A little over a year ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list to prioritize their efforts so they could close the most dangerous holes first. This new list, released on October 1, 2001, updates and expands the Top Ten list. With this new release, we have increased the list to the Top Twenty vulnerabilities, and we have segmented it into three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities."

5 of 250 comments

  1. people are your number 1 asset. by new-black-hand · · Score: 5, Informative

    I'd add

    21. Hiring admins with no clue about security

  2. Here's the quick list... by MadCow42 · · Score: 5, Informative
    The site is already fairly well /.'ed... Here's the top 20 holes they mention, without the detail for each point (sorry).

    "G" stands for "general holes"
    "W" stands for "Windows holes"
    "U" stands for "Unix holes"

    G1 - Default installs of operating systems and applications
    G2 - Accounts with No Passwords or Weak Passwords
    G3 - Non-existent or Incomplete Backups
    G4 - Large number of open ports
    G5 - Not filtering packets for correct incoming and outgoing addresses
    G6 - Non-existent or incomplete logging
    G7 - Vulnerable CGI Programs
    W1 - Unicode Vulnerability (Web Server Folder Traversal)
    W2 - ISAPI Extension Buffer Overflows
    W3 - IIS RDS exploit (Microsoft Remote Data Services)
    W4 - NETBIOS - unprotected Windows networking shares
    W5 - Information leakage via null session connections
    W6 - Weak hashing in SAM (LM hash)
    U1 - Buffer Overflows in RPC Services
    U2 - Sendmail Vulnerabilities
    U3 - Bind Weaknesses
    U4 - R Commands (rlogin, rsh, rcp)
    U5 - LPD (remote print protocol daemon)
    U6 - sadmind and mountd
    U7 - Default SNMP Strings

    MadCow

    --
    I used to have a sig, but I set it free and it never came back.
  3. New easy way to make sure W2K/IIS is patched. by NineNine · · Score: 4, Informative
  4. The 5 most common reasons for security problems by Nicolas+MONNET · · Score: 5, Informative

    ... in programs (setting aside administration issues such as passwords)

    1. string.h
    2. sprintf
    3. system
    4. char buff[255];
    5. snprintf(buf,len,user_input);

    Let's face it, C's string handling is the biggest cause of security problems on the Internet. Static strings are evil. Too bad there is no standard way to handle them in C.
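    An added example (not from the comment above) contrasting the patterns it lists with a bounded, constant-format alternative: user input is only ever passed as an argument to a fixed "%s" format, and truncation is reported instead of silently accepted. GREETING_MAX is an assumed, deliberately small size so the overflow case is easy to exercise.

```c
#include <stdio.h>
#include <string.h>

/* The unsafe shapes from the list above, kept as comments so they are never compiled:
 *   char buf[255]; sprintf(buf, "Hello, %s!", user_input);  // no bound: overflow on long input
 *   snprintf(buf, sizeof buf, user_input);                  // input IS the format: %x/%n read/write memory
 */

#define GREETING_MAX 32   /* assumed small buffer so truncation is easy to trigger */

/* Bounded, constant-format replacement. Returns 1 on success, 0 if the
 * result would not fit (out is then an empty string). */
int safe_greeting(char *out, size_t outlen, const char *user_input)
{
    if (outlen == 0) return 0;
    /* Format string is a literal; user_input is only a "%s" argument, so
     * "%x" or "%n" in the input are copied verbatim, never interpreted. */
    int n = snprintf(out, outlen, "Hello, %s!", user_input);
    if (n < 0 || (size_t)n >= outlen) {
        /* snprintf returns the length it wanted; >= outlen means truncated.
         * Reject rather than pass a silently cut string downstream. */
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* strcpy replacement for fixed buffers: refuses input that does not fit,
 * including the terminating NUL, instead of overflowing or truncating. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen) return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

int main(void)
{
    char buf[GREETING_MAX];
    /* constructed input that would be a format-string bug if used as the format */
    printf("%d %s\n", safe_greeting(buf, sizeof buf, "%x%x%n"), buf);
    printf("%d\n", safe_greeting(buf, sizeof buf,
           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));  /* 40 bytes: rejected */
    return 0;
}
```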

  5. Re:obsession with security ridiculous? NO!!! by CodeShark · · Score: 4, Informative
    I hope you were being sarcastic, but if not, and for anybody else who might not understand, here's my list of reasons why a high degree of focus on security is not ridiculous, but mandatory:
    • DDOS attacks, etc. that use your machine to do the dirty work,
    • Net worms which may be propagated from an insecure machine
    • back doors: perhaps you will do something useful, valuable, or important on your computer in the future, only to get clobbered or ripped off by whoever's bug installed the backdoor, not to mention the loss of your time to recover your valuable work (if you even can) or to reinstall and reformat.
    • remote keyboard monitors... first time you use your credit card to make an online purchase, and bam, script kiddie has your cc # and can attempt to use it or sell it to even less scrupulous folks,
    • and my personal favorite reason: to make it less worth the script kiddies' time to try to take down yours, mine, and everybody else's machines for kicks and giggles. Think about the bragging rights between "hey, my new ultra-virus took down four machines" or "hey, my new ultra-virus took down 200,000 machines..."

      Course, if those four machines were the front end machines for M$, that might be worth a brag or two ;-)

    But let me offer a different perspective. What if the security holes in your machine allowed big gov't, or someone else to snoop on what you were doing online all the time? Would you think about closing the security holes in your machine then?
    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...