Slashdot Mirror


The Twenty Most Critical Internet Security Holes

Ant writes: "A little over a year ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list to prioritize their efforts so they could close the most dangerous holes first. This new list, released on October 1, 2001, updates and expands the Top Ten list. With this new release, we have increased the list to the Top Twenty vulnerabilities, and we have segmented it into three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities."


  1. people are your number 1 asset. by new-black-hand · Score: 5, Informative

    I'd add

    21. Hiring admins with no clue about security

  2. Here's the quick list... by MadCow42 · Score: 5, Informative

    The site is already fairly well /.'ed... Here's the top 20 holes they mention, without the detail for each point (sorry).

    "G" stands for "general holes"
    "W" stands for "Windows holes"
    "U" stands for "Unix holes"

    G1 - Default installs of operating systems and applications
    G2 - Accounts with No Passwords or Weak Passwords
    G3 - Non-existent or Incomplete Backups
    G4 - Large number of open ports
    G5 - Not filtering packets for correct incoming and outgoing addresses
    G6 - Non-existent or incomplete logging
    G7 - Vulnerable CGI Programs
    W1 - Unicode Vulnerability (Web Server Folder Traversal)
    W2 - ISAPI Extension Buffer Overflows
    W3 - IIS RDS exploit (Microsoft Remote Data Services)
    W4 - NETBIOS - unprotected Windows networking shares
    W5 - Information leakage via null session connections
    W6 - Weak hashing in SAM (LM hash)
    U1 - Buffer Overflows in RPC Services
    U2 - Sendmail Vulnerabilities
    U3 - Bind Weaknesses
    U4 - R Commands (rlogin, rsh, rcp)
    U5 - LPD (remote print protocol daemon)
    U6 - sadmind and mountd
    U7 - Default SNMP Strings

    MadCow

    --
    I used to have a sig, but I set it free and it never came back.

  3. The 5 most common reasons for security problems by Nicolas+MONNET · Score: 5, Informative

    ... in programs (setting aside administration issues such as passwords)

    1. string.h
    2. sprintf
    3. system
    4. char buff[255];
    5. snprintf(buf,len,user_input);

    Let's face it, C's string handling is the biggest cause of security problems on the Internet. Static strings are evil. Too bad there is no standard way to handle them in C.
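
Items 2, 4 and 5 of the list above, as an added example that is not part of the original comment: the unbounded and format-string patterns appear only as comments, next to a bounded form that keeps user input as data and detects truncation. The helper name `format_user`, the `user=` prefix and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Patterns from the list, shown only as comments:
 *   char buff[255]; sprintf(buff, "user=%s", name);  -- no bound, overflows on long input
 *   snprintf(buf, len, user_input);                   -- input is parsed as a format string
 */

/* Hypothetical helper: writes "user=<name>" into dst.
 * Returns 0 on success, -1 on a bad argument or if the result would not fit. */
int format_user(char *dst, size_t dstlen, const char *name)
{
    if (dst == NULL || dstlen == 0 || name == NULL)
        return -1;

    /* Constant format string: name is an argument, so any '%' in it is copied literally. */
    int n = snprintf(dst, dstlen, "user=%s", name);

    /* snprintf returns the length it needed; a value >= dstlen means truncation. */
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';  /* fail closed instead of returning a cut-off string */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[32];
    /* Constructed sample inputs: normal, containing format specifiers, too long. */
    const char *samples[] = {
        "alice",
        "%x %s %n",
        "a-name-far-longer-than-the-buffer-allows"
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_user(buf, sizeof buf, samples[i]);
        printf("rc=%d out=\"%s\"\n", rc, buf);
    }
    return 0;
}
```

Checking the return value matters as much as the bound: a silently truncated path, command or hostname can be a bug of its own.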