Slashdot Mirror
The Twenty Most Critical Internet Security Holes
Ant writes: "A little over a year ago, the SANS Institute and the
National Infrastructure Protection Center (NIPC)
released a document summarizing the Ten Most
Critical Internet Security Vulnerabilities. Thousands of
organizations used that list to prioritize their efforts so
they could close the most dangerous holes first. This
new list, released on October 1, 2001, updates and
expands the Top Ten list. With this new release, we
have increased the list to the Top Twenty
vulnerabilities, and we have segmented it into three
categories: General Vulnerabilities, Windows
Vulnerabilities, and Unix Vulnerabilities."
Being Slashdotted
Here's Google's cache of the page. It's kind of tough to slashdot google : )w ww.sans.org/top20.htm+&hl=en
http://www.google.com/search?q=cache:dbJlh35mihk:
Remember, check those links, you don't want to be goatse'd....
Matthew P. Barnson
I learn what I think when I read what I write
That the top ten list of last year makes an appearance in the top 20 of this year?
Haven't we learned anything?
O.K. So some of them (no/weak passwords) are user related, but so many of them are admin related (bind vulnerabilities, IIS RDS vulnerabilities)
Don't any admins care about these?
Of course, inside a company network some of these problems can be ignored if that is the decision. R commands are useful, but I wouldn't want people using them across the internet to my machines... But at the very least firewall... Please.
Z.
-- Under/Overrated is meta-moderation, and therefore is Redundant.
id add
21. Hiring admin's with no clue about security
I'm surprised to see that this hole didn't make the list.
I only post comments when someone on the internet is wrong.
Intuitive Linux
-Malakai
A Dragon Lives in my Garage
Got Rhinos?
Looks like the feds are considering setting government standards, abcnews article is here. I'm not sure how helpful government standards could be, but I think I could welcome them. I'm sure that if my toaster lit on fire as often as my windows box crashes the government would do something about it, so why not hold software companies more accountable.
Help find a cure for cancer!
"G" stands for "general holes"
"W" stands for "Windows holes"
"U" stands for "Unix holes"
G1 - Default installs of operating systems and applications
G2 - Accounts with No Passwords or Weak Passwords
G3 - Non-existent or Incomplete Backups
G4 - Large number of open ports
G5 - Not filtering packets for correct incoming and outgoing addresses
G6 - Non-existent or incomplete logging
G7 - Vulnerable CGI Programs
W1 - Unicode Vulnerability (Web Server Folder Traversal)
W2 - ISAPI Extension Buffer Overflows
W3 - IIS RDS exploit (Microsoft Remote Data Services)
W4 - NETBIOS - unprotected Windows networking shares
W5 - Information leakage via null session connections
W6 - Weak hashing in SAM (LM hash)
U1 - Buffer Overflows in RPC Services
U2 - Sendmail Vulnerabilities
U3 - Bind Weaknesses
U4 - R Commands (rlogin, rsh, rcp)
U5 - LPD (remote print protocol daemon)
U6 - sadmind and mountd
U7 - Default SNMP Strings
MadCow
I used to have a sig, but I set it free and it never came back.
Of course, all security holes are important.. but some are more important than others.
1. For instance, say you run a public Webserver.. then remote root-exploits are normally more important than local root-exloits.
2. Difficulty. If the exploit is very easy to trigger, then it's generally more important than a devilishly hard one.
3. Widespread use. Holes that are used by every script-kiddie or worm on the Web, is generally more important than others. See 2. as well.
4. Level of access. Exploits that lead to user-access is normally less important than exploits that lead to root-access. This is one of the advantages of most versions of UNIX/Linux vs. Windows. They are normally better at making sure services run as a less priviliged user, and not as root, thus making sure that any exploits in them do not lead to root-access... of course, there are exceptions.
It's not all about patches. Sure, it's responsible behaviour to be up to date, but it's more important to know what your machines are doing in the first place so you can take steps to
minimize your risks up front. If you do the right thing beforehand you can have some peace of mind *before* patches get issued. Remember, exploits are around for a while before vendors get around to supplying a fix.
I have worked for SANS in the past but I have to disagree with the way they compiled this list. The fact that there are a larger number of "vulnerabilities" for *NIX than Windows is misleading. I just bet the M$ people latch onto this "See, Windows is less vulnerable!" Even though most of the *NIX stuff is so old you rarely find it occuring in the real world.
What is more useful IMO is to have a ranking of these "vulnerabilities". Right now an unpatched IIS box can be hit even though you have it firewalled so only port 80 is open. With the *NIX stuff, the only way to hit a sytem via port 80 is bad CGI or a new exploit to the webserver software. And when was the last time an Apache exploit was released?
Look at the CVE numbers. That tells a tale of what is going on _now_. The number has the year and there are many of the *NIX exploits that are 2 years old or more. Many of the Win exploits are within the last year.
Do really dense people warp space more than others?
Linux boxes are much more secure than any of the competitors. Solaris is getting better; UnixWare is pretty hopeless (see BUGTRAQ). NT is ... well, draw your own conclusions about NT. I feel much safer with a Linux server than with any other OS and the security just keeps getting better.
-sting3r
Until managers understand and treat computer security SERIOUSLY, the same basic weaknesses will remain.
One thing that helps is for companies to hire computer security specialists, and make this their primary job. Instead, many businesses that I work with expect their already-overburdened sysadmin or network administrator to "protect" the network, something he/she has never been trained to do. The average NT Administrator does NOT know much about network security. The new Win2K Security certification is a step in the right direction, but it is only a baby step.
-------------
"Against stupidity the gods themselves content in vain." - Schiller
Nah, I say non computer literate users... that is the biggest risk...
Think of the chaos one could start by simply emailing everyone instructions on how to 'protect your system', while in reality sending instructions on how to disable their firewalls... The amount of people that would fall for it would be insane!
No, I say the biggest vulnerability is lack of knowledge and ignorance.
---
Programming is like sex... Make one mistake and support it the rest of your life.
In one credible place with annotations and links are the most common problems. Sure most of them aren't news to /.'ers but they're likely news to lots of other folks and exactly the thing to light a fire under the PHB's of the world. It's almost a checklist of "Are these implemented and if not *why* not?"-items for the semi-technical and as such is invaluable.
My thanks to the SANS Institute and the NIPC for releasing such a well-written & useful document.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Nah, I say non computer literate users... that is the biggest risk...
Agreed. Many (most?) of the "incompetent admins" are, in fact, home computer users who have no idea they've become admins simply by taking responsibility for their own computer. I wonder if a PSA warning people about this, and instructing them on "what you can do to fight cyberterrorism" (I hate that term, but it pulls the right heart strings just now), would cause a good percent of the vulnerable systems to get patched.
Maybe not on UNIX machines, where SNMP is generally turned off by default - but on Cisco devices where it is enabled by default with the common SNMP names . . .
SNMP on cisco devices is weak because of the default community string names (public, private and secret). To add to the situation, the secret string will allow you to bring interfaces up and down at will, all without a trace of intrusion in the logs. While the big guys like ATT and Wcom may fix these using default config files, may universities and smaller carriers dont even know it exists.
The most secure system is a Unix box run by a 40+ year old bloke who has seen the virtual deaths of more script kiddies than I've had hot dinners.
Actually Mainframe admins run pretty tight ships as well. Its a sad reflection on the new generation of admins that most of these are things the old school had never even thought of doing wrong. The current raft of virii are an example. The people hit had new school systems, the old school companies survived untouched.
Old blokes in a distant room of the organisation, possibly called "Gary" or "Dave" never seem to be doing much, but their network never fails.
An Eye for an Eye will make the whole world blind - Gandhi
http://support.microsoft.com/support/kb/articles/Q 303/2/15.ASP
... in programs (setting aside administration issues such as passwords)
1. string.h
2. sprintf
3. system
4. char buff[255];
5. snprintf(buf,len,user_input);
Let's face it, C's string handling is the biggest cause of security problems on the Internet. Static strings are evil. Too bad there is no standard way to handle them in C.
...is that, for the Unix vulnerabilities, most of them have long since been replaced by better, more secure alternatives. Where I work, nobody has used the word "telnet" or "rexec" for years. Nobody here runs sendmail, or sadmind, or SNMP stuff. It's basically a list of "don't ever use this ancient crap" tools.
But for the Windows vulnerabilities, they're all related to current, recent, flagship, "this is what you should be using" products. No alternatives within the Windows world.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
"Why is that dangerous?" I hear you ask? As we drive more and more traffic to a small number of ports (read: everything on port 80) because of draconian firewall and proxy servers, and even driving all traffic to one protocol (read: http) a large number of services will still be running, but will now be undetectable without traffic analysis, which is mostly voodoo technology right now. The bugs and security holes are still there, but now they are hidden from us because we've conditioned everyone that non-80 is firewalled (see SOAP and Microsoft's dotNET -- in order to avoid firewalling, they are basically going to do RPC over port 80 using HTTP!)
I agree that unused services need to be shut down, but at the source of the problem and not at the firewall. We need to encourage new protocols to make use of new ports so that we can manage thus stuff -- the more we drive traffic away, the harder our job will be. Please, if you are in charge of a firewall, take time to think about what you are doing to everyone else when you institute strict policies that only make you safer in the very short term. Not only are you hurting yourself, but you're giving your users and network a false sense of security.
Besides, the attacks de jour of late have all propogated over SMTP and HTTP, haven't they?
The wheel is turning, but the hamster is dead.
They don't have to be new. The lesson of code red and nimda is that many, many servers aren't properly maintained. Sometimes a refresher course on the basics is just what the doctor ordered.
sulli
RTFJ.
Equally negligent are broadband vendors that give away connection hardware, but can't be bothered to include a firewall or software that will check for open ports. These vendors won't make the simplest effort to insure the product they are selling is secure, yet will not take the responsibility when their service dies due to DOS attacks. These DOS attacks are largely possible because of the massive number of wide-open computers created by their broadband connections.
This is not a rant; this is a statement of reality. Vendors can not, and should not, expect the consumer to be skilled enough to provide adequate levels of security. This is why houses and cars come with locks. Sometimes consumers lock themselves out, but that is a minor inconvenience. As an extreme example, many shoes now have Velcro, and most cars, at least in the U.S., have automatic transmissions.
No stream of security patches, warnings, and news items will solve the problem. The consumer is not skilled enough to keep up. Until the default configuration is secure, until vendors are forced to take monetary consequences for their defective products, and until the consumer is trained to suffer the imposed inconveniences, we will continue to see the same sort of problems.
- DDOS attacks, etc. that use your machine to do the dirty work,
- Net worms which may be propagated from an insecure machine
- back doors: perhaps you will do something useful, valuable, or important on your computer in the future, only to get clobbered or ripped off by whoever's bug installed the backdoor, not to mention the loss of your time to recover your valuable work (if you even can) or to reinstall and reformat.
- remote keyboard monitors... first time you use your credit card to make an online purchase, and bam, script kiddie has your cc # and can attempt to use it or sell it to even less scrupulous folks,
- and my personal favorite reason: to make it less worth the script kiddies time to try to take down yours, mine, and everybody else's machines for kicks and giggles. Think about the bragging rights between "hey my new ultra-virus took down four machines, or "hey, my new ultra-virus took down 200,000 machines..."
But let me offer a different perspective. What if the security holes in your machine allowed big gov't, or someone else to snoop on what you were doing online all the time? Would you think about closing the security holes in your machine then?Course, if those four machines were the front end machines for M$, that might be worth a brag or two ;-)
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
A year and a half old advisory, and sites still refuse to fix it. http://www.cert.org/advisories/CA-2000-02.html
Some of you will remember the problems with Hotmail relating to cross site scripting. Newsflash, it affects your site too!
-- these are only opinions and they might not be mine.
The trouble is that most Linux distros come with NFS, BIND, Sendmail and rlogin/rsh installed by default. They're getting a bit more savvy about this, but it's still a major problem. If you're a competent administrator, you can deal with it. Most people aren't. I certainly am not, which is why I prefer systems that don't turn on every damned vulnerability known to man.
Too many distros want to make you do all of your sysadmining from DistroConf2. You don't tune your automobile engine from your dashboard, and you don't secure your system from a GUI.
A Government Is a Body of People, Usually Notably Ungoverned
Linux boxes are much more secure than any of the competitors. Solaris is getting better; UnixWare is pretty hopeless (see BUGTRAQ). NT is
Bullshit. You're lying to yourself. One OS is not automatically more secure than another. Notice the first problem they noted: Default installations of operating systems and applications. They meant all operating systems, they didn't say 'RedHat and Debian are pretty good, you'll probably be okay with them, or at least more okay than someone using Windows.' Not only is this the most important point of the article, all other vulnerabilities stem from it. They all exist because of complacency with the current state of security of a system.
Security is not determined by OS. Period.
A systems security depends on the administrator's vigilance in keeping up to date on patches. Sure, windows has had a lot of exploits lately, but how many of these exploits were not patchable? Hmm. Conversly, Linux and other Unix systems have been not as widely or at least as publically attacked lately. Is this because they have less holes? Redhat 7.1, about 6 months old has 23 security alerts listed. 7.0 and 6.2 both have over 60. So, there's likely likely more out there in 7.1. Many of these are critical and involve remote root exploits. Feel safe? I hope not.
(Li||U)nix can be attacked with the same efficiency of what we've seen happen to Windows systems in the past few months. Administrators aren't simply better because they admin unix boxes, that's proven in the article that 50% of the copies of BIND that were running in mid 1999 were vulnerable. It would make sense that a similar percentage of other security risks exist as well.
I'm not bashing Unix, and I'm certainly not saying that Windows is a more secure OS. Its a moot point. What I'm saying is that people who blame the OS for their mistakes are wrong. They're using windows as a scapegoat, and ignoring the real problem behind this.
Unix will be hit by one of these sometime or another, and it will be just as publicized because it will likely use the same distrubution methods as before, email.
Go back, read the article again, paying close attention to the generic problems they mention. These are the basic things that any admin has to look at, every day. A machine is never secure. You can be sure of that.
MY_NET=1.2.3.4/5
INT_DEV=eth0
EXT_DEV=eth1
# 1. Any packet coming into your network must not have a source address of your internal network
ipchains -A forward -i $EXT_DEV -j DENY -s $MY_NET
# 2. Any packet coming into your network must have a destination address of your internal network
ipchains -A forward -i $EXT_DEV -j DENY -d ! $MY_NET
# 3. Any packet leaving your network must have a source address of your internal network
ipchains -A forward -i $INT_DEV -j DENY -s ! $MY_NET
# 4. Any packet leaving your network must not have a destination address of your internal network.
ipchains -A forward -i $INT_DEV -j DENY -d ! $MY_NET
# 5. Any packet coming into your network or leaving your network must not have a source or destination address of a private address or an address listed in RFC1918 reserved space. These include 10.x.x.x/8, 172.16.x.x/12 or 192.168.x.x/16 and the loopback network 127.0.0.0/8.
ipchains -A forward -i $EXT_DEV -j DENY -s 10.0.0.0/8
ipchains -A forward -i $EXT_DEV -j DENY -s 172.16.0.0/12
ipchains -A forward -i $EXT_DEV -j DENY -s 192.168.0.0/16
ipchains -A forward -j DENY -d 10.0.0.0/8
ipchains -A forward -j DENY -d 172.16.0.0/12
ipchains -A forward -j DENY -d 192.168.0.0/16
### REMOVE the next 3 rules for masquerading systems
ipchains -A forward -i $INT_DEV -j DENY -s 10.0.0.0/8
ipchains -A forward -i $INT_DEV -j DENY -s 172.16.0.0/12
ipchains -A forward -i $INT_DEV -j DENY -s 192.168.0.0/16
# 6. Block any source routed packets or any packets with the IP options field set.
# This is done at the kernel level under Linux, and is usually set by default.