The Twenty Most Critical Internet Security Holes
Ant writes: "A little over a year ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list to prioritize their efforts so they could close the most dangerous holes first. This new list, released on October 1, 2001, updates and expands the Top Ten list. With this new release, we have increased the list to the Top Twenty vulnerabilities, and we have segmented it into three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities."
Looks like the feds are considering setting government standards; the abcnews article is here. I'm not sure how helpful government standards could be, but I think I could welcome them. I'm sure that if my toaster lit on fire as often as my Windows box crashes, the government would do something about it, so why not hold software companies more accountable?
Help find a cure for cancer!
Well, the interesting thing is the "Windows" holes are more "bugs" than general architecture problems. Bugs can be easily fixed (if users patch their machines), and in fact most of the Windows ones already are fixed.
The UNIX holes listed are more fundamental in nature, requiring a significant re-development effort, and in some cases, redefining of protocols and fundamental tools.
Although the Windows "bugs" have been exploited more (and are easier to exploit in general), it'll take longer to address the issues in the UNIX list than those in the Windows list.
Sorry... I'm not a M$ advocate, but it does point out some significant issues that we need to overcome in the UNIX world, and quickly.
MadCow.
I used to have a sig, but I set it free and it never came back.
Nah, I say non-computer-literate users... that is the biggest risk...
Agreed. Many (most?) of the "incompetent admins" are, in fact, home computer users who have no idea they've become admins simply by taking responsibility for their own computer. I wonder if a PSA warning people about this, and instructing them on "what you can do to fight cyberterrorism" (I hate that term, but it pulls the right heart strings just now), would cause a good percent of the vulnerable systems to get patched.
This is true, but in addition to the superior security, I find that simply as a user I prefer the way Samba works. When I browse a Windows machine's list of shares, I see everything -- even shares that I'm not allowed to access. I can only find out which ones I can use by trying to access them and seeing which ones succeed. With Samba, by contrast, I find that I can only see the shares that I am allowed to access. One might say that the signal-to-noise ratio is better with Samba, since you aren't shown things that aren't relevant to you.
Congratulations! You've just conditioned the next wave of software developers to use port 80 for all their traffic because of your silly firewall rules. Don't believe me? Take a look at Microsoft's dotNet architecture sometime. Take a look at the IM protocols. Take a look at the new P2P protocols. What an excellent job you've done....
Attack the source of the problem: individual computers. People like you only cause more headaches for the rest of us in the long term.
The wheel is turning, but the hamster is dead.
The most secure system is a Unix box run by a 40+ year old bloke who has seen the virtual deaths of more script kiddies than I've had hot dinners.
:-) That also means the other sites get r00ted immediately after the skriptadmin leaves.
That's me. 40+, and always losing jobs to script kiddies turned sysadmins who underbid the job by several orders of magnitude. That means I get the jobs with clued bosses.
I lost a bid a few weeks ago to secure a big network in the midst of a complete rebuild. My bid was around 400 hours to do the work, plus 200 hours testing and fixing, using expensive Cisco and Nokia hardware. The guy who got the contract claimed he could do it in only 3 days onsite with a single Linux box.
He left after a week, after he managed to trash the network, and left the whole thing open to the internet over the weekend. Code Red, Nimda, and every box sploited, anon FTP server full of porn, etc. They aren't paying him. They can't even find him to prosecute.
They called me Monday morning, and my price doubled from the original estimate, and they have no choice but to pay. This will make for a nice month-long vacation at the end, a sunny beach or maybe a skiing holiday.
Can't use my nic from this secure location. awwww.
The trouble is that most Linux distros come with NFS, BIND, Sendmail and rlogin/rsh installed by default. They're getting a bit more savvy about this, but it's still a major problem. If you're a competent administrator, you can deal with it. Most people aren't. I certainly am not, which is why I prefer systems that don't turn on every damned vulnerability known to man.
Too many distros want to make you do all of your sysadmining from DistroConf2. You don't tune your automobile engine from your dashboard, and you don't secure your system from a GUI.
A Government Is a Body of People, Usually Notably Ungoverned
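The post above complains that distros ship NFS, BIND, Sendmail and rlogin/rsh turned on by default. The script below is an added example, not code from the thread or from any distro: it audits an inetd.conf-style file for the r-services and similar legacy entries that are still enabled, and an exports(5)-style file for NFS exports open to every host (one of the Unix items on the SANS list). The list of "risky" service names and both input files are constructed for the example, and the reading of a host-less exports line as "exported to world" follows exportfs's own warning behaviour.

```shell
#!/bin/sh
# Added example, not code from the thread: a small audit of the legacy
# services the comment names. It inspects an inetd.conf-style file for
# enabled r-services and friends, and an exports(5)-style file for NFS
# exports that are open to every host. Both input files are constructed
# samples written by this script, not taken from a real machine.

# inetd service names treated here as high risk (rsh = "shell",
# rlogin = "login", rexec = "exec"); this list is an assumption
RISKY_SERVICES='shell login exec finger tftp'

# Write a constructed inetd.conf sample to the path given as $1
make_sample_inetd() {
  cat > "$1" <<'EOF'
# constructed sample inetd.conf (not a real host's file)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Write a constructed /etc/exports sample to the path given as $1
make_sample_exports() {
  cat > "$1" <<'EOF'
# constructed sample exports file (not a real host's file)
/home          192.0.2.0/24(rw,root_squash)
/pub
/export/data   *(ro)
/export/build  build01(rw) build02(rw)
EOF
}

# Print, one per line, the risky services that are enabled (uncommented)
# in the inetd.conf-style file given as $1
enabled_risky_services() {
  for svc in $RISKY_SERVICES; do
    # an active entry has the service name as the first field of the line
    if grep -E "^[[:space:]]*$svc[[:space:]]" "$1" >/dev/null 2>&1; then
      echo "$svc"
    fi
  done
}

# Print paths from an exports-style file ($1) that are exported to every
# host: either no client field at all (exportfs warns and exports to
# world) or a bare '*' client entry, with or without options
world_exports() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
    NF == 1 { print $1; next }                  # path with no client list
    { for (i = 2; i <= NF; i++)
        if ($i == "*" || $i ~ /^\*\(/) { print $1; break }
    }' "$1"
}

# Stand-alone run: build the samples, report findings, clean up
inetd_tmp=$(mktemp); exports_tmp=$(mktemp)
make_sample_inetd "$inetd_tmp"; make_sample_exports "$exports_tmp"
echo "enabled risky inetd services:"; enabled_risky_services "$inetd_tmp"
echo "NFS exports open to all hosts:"; world_exports "$exports_tmp"
rm -f "$inetd_tmp" "$exports_tmp"
```

Pointed at a real host you would pass /etc/inetd.conf and /etc/exports instead of the samples; on an xinetd-based distro the per-service files under /etc/xinetd.d use a different format and need a separate check.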
Than what?
OpenBSD???
Look at the default install of OpenBSD, and you'll find most of the "Top 20" are already addressed. Linux is generally very good, but I wouldn't put the default install of RedHat between my business and the world. It's just too risky.
Healthcare article at Kuro5hin