Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Twenty Most Critical Internet Security Holes

Posted by ryuzaki0 on from the casey-kasem-is-out-to-lunch dept.

Ant writes: "A little over a year ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list to prioritize their efforts so they could close the most dangerous holes first. This new list, released on October 1, 2001, updates and expands the Top Ten list. With this new release, we have increased the list to the Top Twenty vulnerabilities, and we have segmented it into three categories: General Vulnerabilities, Windows Vulnerabilities, and Unix Vulnerabilities."

11 of 250 comments (clear)

  1. #21 by smnolde · · Score: 5, Funny

    Being Slashdotted

  2. Google cache mirror by Doc+Hopper · · Score: 5, Funny

    Here's Google's cache of the page. It's kind of tough to slashdot google : )
    http://www.google.com/search?q=cache:dbJlh35mihk:w ww.sans.org/top20.htm+&hl=en
    Remember, check those links, you don't want to be goatse'd....

    --

    Matthew P. Barnson
    I learn what I think when I read what I write

  3. people are your number 1 asset. by new-black-hand · · Score: 5, Informative

    id add

    21. Hiring admin's with no clue about security

  4. You forgot about this one by Kozz · · Score: 5, Funny

    I'm surprised to see that this hole didn't make the list.

    --
    I only post comments when someone on the internet is wrong.
  5. Government set software standards by bark76 · · Score: 5, Interesting

    Looks like the feds are considering setting government standards, abcnews article is here. I'm not sure how helpful government standards could be, but I think I could welcome them. I'm sure that if my toaster lit on fire as often as my windows box crashes the government would do something about it, so why not hold software companies more accountable.

    --
    Help find a cure for cancer!
  6. Here's the quick list... by MadCow42 · · Score: 5, Informative
    The site is already fairly well /.'ed... Here's the top 20 holes they mention, without the detail for each point (sorry).

    "G" stands for "general holes"
    "W" stands for "Windows holes"
    "U" stands for "Unix holes"

    G1 - Default installs of operating systems and applications
    G2 - Accounts with No Passwords or Weak Passwords
    G3 - Non-existent or Incomplete Backups
    G4 - Large number of open ports
    G5 - Not filtering packets for correct incoming and outgoing addresses
    G6 - Non-existent or incomplete logging
    G7 - Vulnerable CGI Programs
    W1 - Unicode Vulnerability (Web Server Folder Traversal)
    W2 - ISAPI Extension Buffer Overflows
    W3 - IIS RDS exploit (Microsoft Remote Data Services)
    W4 - NETBIOS - unprotected Windows networking shares
    W5 - Information leakage via null session connections
    W6 - Weak hashing in SAM (LM hash)
    U1 - Buffer Overflows in RPC Services
    U2 - Sendmail Vulnerabilities
    U3 - Bind Weaknesses
    U4 - R Commands (rlogin, rsh, rcp)
    U5 - LPD (remote print protocol daemon)
    U6 - sadmind and mountd
    U7 - Default SNMP Strings

    MadCow

    --
    I used to have a sig, but I set it free and it never came back.
  7. How Linux Fares by sting3r · · Score: 5, Insightful
    Many of these vulnerabilities have been addressed in the past 1-2 years by the major Linux vendors. Redhat and Debian, in particular, have been quite good at reducing the avenues of attack. For instance, the changes I've observed include:

    • Redhat used to open up the xfs port to internet traffic, but now uses a local UNIX socket. No access -> no exploit.
    • After many problems with lpd, most Linux distros now restrict the internet hosts that can connect to port 515 to localhost only.
    • I don't know of a single Linux distro that ships with default passwords for any user. (Even Solaris and the other oldskool unices stopped this practice within the past few years.)
    • With the rp_filter option, Linux (by default) drops packets that are spoofed to look like they come from a different network. For instance, traffic from the internet with your internal network's addresses in the header is automatically discarded. (FreeBSD should really do the same but they're being stubborn about it.)
    • GNU Apache and most of the distros out there remove all of the sample cgis (like nph) that used to be a security threat. Indeed, my Debian box has only the Apache manual (static html) installed; and that's damn hard to exploit. :)
    • Samba has never been vulnerable to the NETBIOS unprotected share vulnerabilities. It takes a considerable amount of effort to enable sharing anything via Samba to the general public - if you don't intend for that to happen, it's not going to happen.
    • Samba has no Null Session support. Samba does not send out lists of users (the equivalent of /etc/passwd under shadowing) like NT does. It is very difficult to break into a Linux box through SMB networking.
    • In general, setuid root programs have become setgid (something else) programs through the years. xterm and xlock immediately come to mind; on other platforms (even OpenBSD) they are still setuid root. This further hardens the GNU/Linux system. ps and netstat do not need privilege because of the privilege-bracketing nature of /proc.

    Linux boxes are much more secure than any of the competitors. Solaris is getting better; UnixWare is pretty hopeless (see BUGTRAQ). NT is ... well, draw your own conclusions about NT. I feel much safer with a Linux server than with any other OS and the security just keeps getting better.

    -sting3r

  8. The 5 most common reasons for security problems by Nicolas+MONNET · · Score: 5, Informative

    ... in programs (setting aside administration issues such as passwords)

    1. string.h
    2. sprintf
    3. system
    4. char buff[255];
    5. snprintf(buf,len,user_input);

    Let's face it, C's string handling is the biggest cause of security problems on the Internet. Static strings are evil. Too bad there is no standard way to handle them in C.

  9. The really interesting part of that list... by devphil · · Score: 5, Insightful


    ...is that, for the Unix vulnerabilities, most of them have long since been replaced by better, more secure alternatives. Where I work, nobody has used the word "telnet" or "rexec" for years. Nobody here runs sendmail, or sadmind, or SNMP stuff. It's basically a list of "don't ever use this ancient crap" tools.

    But for the Windows vulnerabilities, they're all related to current, recent, flagship, "this is what you should be using" products. No alternatives within the Windows world.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  10. G4 - Large number of open ports by ink · · Score: 5, Insightful
    It's very very dangerous to keep on complaining about having a "large" number of open ports. Many system administrators will take this to mean "firewall all these ports at the border".

    "Why is that dangerous?" I hear you ask? As we drive more and more traffic to a small number of ports (read: everything on port 80) because of draconian firewall and proxy servers, and even driving all traffic to one protocol (read: http) a large number of services will still be running, but will now be undetectable without traffic analysis, which is mostly voodoo technology right now. The bugs and security holes are still there, but now they are hidden from us because we've conditioned everyone that non-80 is firewalled (see SOAP and Microsoft's dotNET -- in order to avoid firewalling, they are basically going to do RPC over port 80 using HTTP!)

    I agree that unused services need to be shut down, but at the source of the problem and not at the firewall. We need to encourage new protocols to make use of new ports so that we can manage thus stuff -- the more we drive traffic away, the harder our job will be. Please, if you are in charge of a firewall, take time to think about what you are doing to everyone else when you institute strict policies that only make you safer in the very short term. Not only are you hurting yourself, but you're giving your users and network a false sense of security.

    Besides, the attacks de jour of late have all propogated over SMTP and HTTP, haven't they?

    --
    The wheel is turning, but the hamster is dead.
  11. Dammit, How many times do I have to say this? by trcooper · · Score: 5, Insightful


    Linux boxes are much more secure than any of the competitors. Solaris is getting better; UnixWare is pretty hopeless (see BUGTRAQ). NT is ... well, draw your own conclusions about NT. I feel much safer with a Linux server than with any other OS and the security just keeps getting better.


    Bullshit. You're lying to yourself. One OS is not automatically more secure than another. Notice the first problem they noted: Default installations of operating systems and applications. They meant all operating systems, they didn't say 'RedHat and Debian are pretty good, you'll probably be okay with them, or at least more okay than someone using Windows.' Not only is this the most important point of the article, all other vulnerabilities stem from it. They all exist because of complacency with the current state of security of a system.

    Security is not determined by OS. Period.

    A systems security depends on the administrator's vigilance in keeping up to date on patches. Sure, windows has had a lot of exploits lately, but how many of these exploits were not patchable? Hmm. Conversly, Linux and other Unix systems have been not as widely or at least as publically attacked lately. Is this because they have less holes? Redhat 7.1, about 6 months old has 23 security alerts listed. 7.0 and 6.2 both have over 60. So, there's likely likely more out there in 7.1. Many of these are critical and involve remote root exploits. Feel safe? I hope not.

    (Li||U)nix can be attacked with the same efficiency of what we've seen happen to Windows systems in the past few months. Administrators aren't simply better because they admin unix boxes, that's proven in the article that 50% of the copies of BIND that were running in mid 1999 were vulnerable. It would make sense that a similar percentage of other security risks exist as well.

    I'm not bashing Unix, and I'm certainly not saying that Windows is a more secure OS. Its a moot point. What I'm saying is that people who blame the OS for their mistakes are wrong. They're using windows as a scapegoat, and ignoring the real problem behind this.

    Unix will be hit by one of these sometime or another, and it will be just as publicized because it will likely use the same distrubution methods as before, email.

    Go back, read the article again, paying close attention to the generic problems they mention. These are the basic things that any admin has to look at, every day. A machine is never secure. You can be sure of that.