Slashdot Mirror


The Twenty Most Critical Internet Security Holes

Ant writes: "A little over a year ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list to prioritize their efforts so they could close the most dangerous holes first. This new list, released on October 1, 2001, updates and expands the Top Ten list. With this new release, we have increased the list to the Top Twenty vulnerabilities, and we have segmented it into three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities."

12 of 250 comments

  1. Government set software standards by bark76 · · Score: 5, Interesting

    Looks like the feds are considering setting government standards, abcnews article is here. I'm not sure how helpful government standards could be, but I think I could welcome them. I'm sure that if my toaster lit on fire as often as my Windows box crashes, the government would do something about it, so why not hold software companies more accountable?

  2. Accountability by jpostel · · Score: 2, Interesting

    Not trolling here, but you have to notice that there are 7 general, 6 Windows, and 7 Unix vulnerabilities.

    IIS is bad, but Unix admins that don't patch BIND and SendMail are worse. The IIS versions change every year or so and the patches come fast and furious, but SendMail and BIND have had stable versions and patches for a while.

    Almost everyone reading this will admit that it takes a bit more expertise to get SendMail and BIND up and running than IIS (which is installed by default in Win2kSrv). Therefore the admins with more expertise should be held MORE accountable since they have greater responsibility by running BIND and SendMail.

    --
    Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)

  3. Re:Here's the quick list... by MadCow42 · · Score: 4, Interesting

    Well, the interesting thing is the "Windows" holes are more "bugs" than general architecture problems. Bugs can be easily fixed (if users patch their machines), and in fact most of the Windows ones already are fixed.

    The UNIX holes listed are more fundamental in nature, requiring a significant re-development effort, and in some cases, redefining of protocols and fundamental tools.

    Although the Windows "bugs" have been exploited more (and are easier to exploit in general), it'll take longer to address the issues in the UNIX list than those in the Windows list.

    Sorry... I'm not a M$ advocate, but it does point out some significant issues that we need to overcome in the UNIX world, and quickly.

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.

  4. Re:Biggest Vulnerability... by Winged Cat · · Score: 3, Interesting

    Nah, I say non-computer-literate users... that is the biggest risk...

    Agreed. Many (most?) of the "incompetent admins" are, in fact, home computer users who have no idea they've become admins simply by taking responsibility for their own computer. I wonder if a PSA warning people about this, and instructing them on "what you can do to fight cyberterrorism" (I hate that term, but it pulls the right heartstrings just now), would cause a good percent of the vulnerable systems to get patched.

  5. Re:Does anyone find it scary... by shpoffo · · Score: 2, Interesting

    O.K. So some of them (no/weak passwords) are user related, but so many of them are admin related (bind vulnerabilities, IIS RDS vulnerabilities)

    well - in theory admin problems should be the only holes. the software should be able to be configured in a manner that is 'completely secure' (as far as anything can be). Programs shouldn't be insecure because of programming faults - only insecure because they're not configured properly.

    speaking of security problems - has anyone thought of/made a version of code red/etc that goes around and downloads the security patches and then resends itself?

    -shpoffo

  6. Re:How Linux Fares by Mendax Veritas · · Score: 3, Interesting

    Samba has no Null Session support. Samba does not send out lists of users (the equivalent of /etc/passwd under shadowing) like NT does. It is very difficult to break into a Linux box through SMB networking.

    This is true, but in addition to the superior security, I find that simply as a user I prefer the way Samba works. When I browse a Windows machine's list of shares, I see everything -- even shares that I'm not allowed to access. I can only find out which ones I can use by trying to access them and seeing which ones succeed. With Samba, by contrast, I find that I can only see the shares that I am allowed to access. One might say that the signal-to-noise ratio is better with Samba, since you aren't shown things that aren't relevant to you.

  7. Re:Here's the quick list... by ink · · Score: 3, Interesting

    Maybe it's just me, but it seems that all of those unix holes are silly. There is absolutely NO reason for RPC, rsh/rcp, LPD, sadmin/mountd or SNMP to be open to the outside world. Just no reason for it.

    Congratulations! You've just conditioned the next wave of software developers to use port 80 for all their traffic because of your silly firewall rules. Don't believe me? Take a look at Microsoft's dotNet architecture sometime. Take a look at the IM protocols. Take a look at the new P2P protocols. What an excellent job you've done....

    Attack the source of the problem: individual computers. People like you only cause more headaches for the rest of us in the long term.

    --
    The wheel is turning, but the hamster is dead.

  8. Re:Good Points, But Nothing Really New by gawi · · Score: 2, Interesting

    Of course, anybody who really is into security knows every problem mentioned by the document. However, some people do not stay informed on a daily basis. This kind of analysis is useful for neophytes and for people outside of the security domain. Also, as the document mentioned, the idea was to help sysadmins choose which problem to fix first.

    Something interesting comes out of this analysis:

    -General problems remain present over the years. Negligence from users, programmers and administrators is the cause of all the security problems.

    -Unix and Windows problems have basically the same roots: programming errors (buffer overflow, bad input validation) and inadequate trust.

    Not mentioned in this article:

    -Windows users are less computer-literate than Unix users. This is the major reason why so many problems occur on Windows (viruses, worms, executable mail attachments, etc...).

    System security is a very pragmatic issue. Some relatively well-known practices will greatly increase the security of a network/system. There is always a hole somewhere, but removing the well-known ones will make a huge difference.

    --
    All humans are mortal. Socrates is a human. Socrates is dead.

  9. What about the recent SSH holes? by zur · · Score: 2, Interesting

    The worst remote hole I've had to deal with in my sysadmin 'career' so far has clearly been the remote SSH exploits last winter. Exploits in BIND are of course very serious since the very backbones of the Internet are running it, but in my network _every_ machine had openssh running without any TCP wrappers.

    At least I learned that not even the services that have 'secure' in their name are to be trusted completely :-)

  10. Re:Linux not the most secure.... by Anonymous Coward · · Score: 3, Interesting

    The most secure system is a Unix box run by a 40+ year old bloke who has seen the virtual deaths of more script kiddies than I've had hot dinners.

    That's me. 40+, and always losing jobs to script kiddies turned sysadmins who underbid the job by several orders of magnitude. That means I get the jobs with clued bosses :-) That also means the other sites get r00ted immediately after the skriptadmin leaves.

    I lost a bid a few weeks ago to secure a big network in the midst of a complete rebuild. My bid was around 400 hours to do the work, plus 200 hours testing and fixing, using expensive Cisco and Nokia hardware. The guy who got the contract claimed he could do it in only 3 days onsite with a single Linux box.

    He left after a week, after he managed to trash the network, and left the whole thing open to the internet over the weekend. CodeRed, Nimda, and every box sploited, anon FTP server full of porn, etc. They aren't paying him. They can't even find him to prosecute.

    They called me Monday morning, and my price doubled from the original estimate, and they have no choice but to pay. This will make for a nice month-long vacation at the end, a sunny beach or maybe a skiing holiday.

    Can't use my nic from this secure location. awwww.

  11. Re:Good Points, But Nothing Really New by Arandir · · Score: 3, Interesting

    The trouble is that most Linux distros come with NFS, BIND, Sendmail and rlogin/rsh installed by default. They're getting a bit more savvy about this, but it's still a major problem. If you're a competent administrator, you can deal with it. Most people aren't. I certainly am not, which is why I prefer systems that don't turn on every damned vulnerability known to man.

    Too many distros want to make you do all of your sysadmining from DistroConf2. You don't tune your automobile engine from your dashboard, and you don't secure your system from a GUI.

    --
    A Government Is a Body of People, Usually Notably Ungoverned
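
    The services ink objects to in comment 7 (RPC, rsh/rcp, LPD, mountd, SNMP) and the ones Arandir says distros switch on by default in comment 11 (NFS, BIND, Sendmail, rlogin/rsh) can be checked on the host itself before anyone argues about firewall rules. The script below is an added example, not code from this thread or from SANS/NIPC: it parses the output of `ss -lntu` (Linux iproute2; the sample output embedded in it is constructed) and reports which of those services are bound to a non-loopback address and therefore reachable from the network. The port-to-service table assumes the standard IANA port assignments.

```python
"""Audit listening sockets against the network services the SANS/NIPC Top Twenty
names (RPC/portmapper, rsh/rlogin, LPD, NFS, SNMP, BIND, Sendmail) and report
which of them are bound to a non-loopback address, i.e. reachable from outside
the host.  Added example; it is not code from the thread or from SANS."""
import shutil
import subprocess

# Well-known ports for the services discussed in the comments.  Assumption:
# standard IANA assignments; adjust if a site runs a service elsewhere.
FLAGGED_SERVICES = {
    ("tcp", 25): "Sendmail/SMTP",
    ("tcp", 53): "BIND/DNS",
    ("udp", 53): "BIND/DNS",
    ("tcp", 111): "sunrpc/portmapper",
    ("udp", 111): "sunrpc/portmapper",
    ("udp", 161): "SNMP",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
    ("tcp", 515): "LPD",
    ("tcp", 2049): "NFS",
    ("udp", 2049): "NFS",
}


def parse_ss_line(line):
    """Return (transport, bind_address, port) for one `ss -lntu` line, or None
    for the header or anything unparseable.  Accepts 'a.b.c.d:port',
    '[v6addr]:port' and the '*:port' form ss prints for wildcard sockets."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None
    addr, sep, port = fields[4].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return fields[0], addr.strip("[]"), int(port)


def is_loopback(addr):
    """True when the socket is bound only to a loopback address."""
    return addr.startswith("127.") or addr == "::1"


def audit(ss_lines):
    """Cross-check every listening socket against FLAGGED_SERVICES.  A finding
    is 'exposed' when the service is bound to a non-loopback address."""
    findings = []
    for line in ss_lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        transport, addr, port = parsed
        name = FLAGGED_SERVICES.get((transport, port))
        if name is None:
            continue
        findings.append({
            "service": name,
            "transport": transport,
            "port": port,
            "bound_to": addr,
            "exposed": not is_loopback(addr),
        })
    return findings


def exposed_ports(findings):
    """Ports of flagged services reachable from the network, sorted."""
    return sorted(f["port"] for f in findings if f["exposed"])


def report(findings):
    """One human-readable line per finding."""
    return [
        "{:10} {:18} {}/{} bound to {}".format(
            "EXPOSED" if f["exposed"] else "local-only",
            f["service"], f["transport"], f["port"], f["bound_to"])
        for f in findings
    ]


# Constructed sample of `ss -lntu` output from a box that still runs several of
# the listed services.  Port 22 is not on the list and is left alone.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      4096   *:111               *:*
tcp   LISTEN 0      128    [::]:514            [::]:*
tcp   LISTEN 0      128    0.0.0.0:2049        0.0.0.0:*
"""

if __name__ == "__main__":
    # Use the live socket table when ss is available, else the constructed sample.
    if shutil.which("ss"):
        output = subprocess.run(["ss", "-lntu"], capture_output=True,
                                text=True, check=False).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    for line in report(audit(output.splitlines())):
        print(line)
```

    On the constructed sample the script flags SNMP, the portmapper, rsh and NFS as exposed, while BIND and Sendmail bound to 127.0.0.1 are reported as local-only. A service on the exposed list is worth either disabling or binding to loopback; that is the per-host fix both commenters are after, independent of what the border firewall does.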

  12. Re:How Linux Fares by pmz · · Score: 3, Interesting

    Linux boxes are much more secure than...

    Than what?
    OpenBSD???

    Look at the default install of OpenBSD, and you'll find most of the "Top 20" are already addressed. Linux is generally very good, but I wouldn't put the default install of RedHat between my business and the world. It's just too risky.