Slashdot Mirror


SANS/FBI Release Top 20 Security Vulnerabilities

theBraindonor writes "SANS Institute and the FBI have compiled a listing of the Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.

25 of 268 comments

  1. *ALL* versions of Unix vs Windows? by Anonymous Coward · · Score: 1, Insightful

    Should this even be competitive?

  2. Missed a couple of big ones by Anonymous Coward · · Score: 5, Insightful

    They left Outlook and its derivatives off the Windows list. Never mind the root VBS cause.

    But they seem to have really had to reach to get 10 for Unix.

    Man... how much did this 'study' cost?

  3. Re:Well, that settles that argument by garcia · · Score: 5, Insightful

    When a vendor installs an application BY DEFAULT on EVERY single version they ship and it is considered a top 10 vulnerability, I would say that is more important (see previous comment here) than individual applications that are GENERALLY not installed by default on UNIX based OSs.

    Just my worthless .02

  4. Social Engineering by akiy · · Score: 5, Insightful

    They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.

    If you can get the information that you want (eg passwords) from a person who knows the information, all the patches in the world won't protect your network...

    --
    http://www.aikiweb.com - AikiWeb Aikido Information

    1. Re:Social Engineering by Gurp · · Score: 2, Insightful
      They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.

      Not forgot, deliberately left out. This document is limited in scope to only Windows and Unix vulnerabilities.

      If they had tried to make this more encompassing (say, by including physical security or common weaknesses in operational processes) the document would be so long no one would read it.

  5. Firewalls that accept traffic by default? by Nailer · · Score: 3, Insightful

    At the end of the document, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistake

    This seems like a really bad idea. Giving people a list of ports they should block traffic to implies that they needn't properly lock down their rulesets, and can have accept as the default policy.

  6. Not again by The+Bungi · · Score: 5, Insightful
    Item 'W10 Windows Scripting Host' lists the 'solution' to be removing WSH. This is about as useful as removing Perl from a Unix box - it's not viable. The WSH is an important tool and the knee-jerk "let's get rid of it!" reaction will eventually be more trouble than not, given how much other Microsoft and third-party software requires it. Also, the WSH is only a hosting implementation. The VBScript and JScript interpreters are not removed when you disable the WSH.

    Plus, you don't even need to spend on AV software from snake oil vendors.

    All that's needed is to make the 'Edit' command the default in the registry for all types of WSH-recognized extensions, such as .js and .wsh. Unfortunately the default is 'Open', which executes the script.

    Once you do this you can simply sit there and watch the script worms hit - the only thing you'll see are instances of Notepad all over the place (with the code, to boot). Quite funny (in a sick sort of way).
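
Worked example added by the editor (not from the original post, and not a Microsoft tool): a script that makes 'Edit' the default verb for the WSH file types, which is the registry change the comment above describes. Assumptions, labelled in the code: the extension-to-ProgID mapping (.js -> JSFile, .vbs -> VBSFile and so on), the convention that the (Default) value under HKEY_CLASSES_ROOT\<ProgID>\Shell names the verb Explorer runs on double-click, and the existence of an 'Edit' verb pointing at Notepad are taken to be the standard Windows registrations; check them on the target build. Writing HKEY_CLASSES_ROOT needs administrator rights. On a non-Windows host the script only emits a .reg file for `reg import`.

```python
"""Make 'Edit' the default shell verb for the file types Windows Script Host
registers, so that double-clicking a .vbs/.js/.wsh file (or a mail
attachment) opens the source in Notepad instead of executing it.

Editor's example; assumptions about ProgID names and verb layout are marked.
"""
import sys

# Extension -> ProgID as WSH registers them (assumed standard mapping; verify
# HKEY_CLASSES_ROOT\.js etc. on the target build before relying on it).
WSH_PROGIDS = {
    ".js":  "JSFile",
    ".jse": "JSEFile",
    ".vbs": "VBSFile",
    ".vbe": "VBEFile",
    ".wsf": "WSFFile",
    ".wsh": "WSHFile",
}


def reg_text(progids, verb="Edit"):
    """Build .reg file contents that set each ProgID's default verb.

    Assumption: the (Default) value of HKCR\\<ProgID>\\Shell names the verb
    Explorer runs on double-click; when it is absent, 'Open' (execute) wins.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for progid in progids:
        lines += [f"[HKEY_CLASSES_ROOT\\{progid}\\Shell]", f'@="{verb}"', ""]
    return "\r\n".join(lines)  # reg.exe expects CRLF


def default_verb_for(text, ext):
    """Parse .reg text and return the default verb it sets for `ext`, or None.

    Useful as a dry-run check before the file is imported on a fleet.
    """
    target = f"[HKEY_CLASSES_ROOT\\{WSH_PROGIDS[ext]}\\Shell]"
    section = None
    for line in text.splitlines():
        if line.startswith("["):
            section = line
        elif section == target and line.startswith('@="'):
            return line[3:-1]
    return None


def apply_with_winreg(progids, verb="Edit"):
    """Windows only: set the verb directly, skipping ProgIDs that lack it.

    Each ProgID must already define Shell\\<verb>\\command (assumed to point
    at Notepad for the WSH types); otherwise Explorer would have no action.
    """
    import winreg  # only available on Windows
    changed = []
    for progid in progids:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                rf"{progid}\Shell\{verb}\command"):
                pass
        except OSError:
            print(f"skipping {progid}: no '{verb}' verb registered", file=sys.stderr)
            continue
        # SetValue writes the (Default) value of the given subkey.
        winreg.SetValue(winreg.HKEY_CLASSES_ROOT, rf"{progid}\Shell",
                        winreg.REG_SZ, verb)
        changed.append(progid)
    return changed


if __name__ == "__main__":
    if sys.platform == "win32":
        print("default verb set to Edit for:", apply_with_winreg(WSH_PROGIDS.values()))
    else:
        sys.stdout.write(reg_text(WSH_PROGIDS.values()))
```

This only changes what a double-click (or an attachment launch that goes through the shell) does. As the comment itself notes, the interpreters stay installed, and `cscript.exe`/`wscript.exe` still run any script handed to them explicitly, so this is a measure against accidental execution, not against a user or program that calls the host directly.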

  7. Re:The number one vulnerability for Windows boxen by Anonymous Coward · · Score: 1, Insightful

    I think they made a mistake. The #1 security vulnerability is Windows itself. Running Windows is really what puts people at risk unless perhaps they close their computers to the outside world, i.e. no internet, and install no software on them.

  8. version number hiding is not the way to go. by MavEtJu · · Score: 4, Insightful

    Version number hiding is not the way to go. And let me explain why: Nimda / Code Red. IIS only. Certain versions of IIS only. And do you think that the virus checks for the HTTP Server-string before it sends its payload? No way. Brute force. Just send the exploit and check later if it was successful. I have the logs of my Apache webservers to show this behaviour.

    Same with the bugbear[sp] worm at this moment. "Check all the shares on the system. Found one! Let's copy to there." Zwoooosh there goes another sheet of paper through the printer.

    For administrative purposes, being able to find out what version of software is running is essential. In a company with tens of locations and thousands of computers, nobody will be able to keep a list of software installed on all these things, let alone keep track of the versions.
    A weekly scan by the corporate IT department and they know what MTAs and versions are there, what FTP servers and versions, what DNS servers and versions are there. An update is released? Just inform the right people (i.e. the LAN administrators, not the people who own these servers). An exploit has become known? At least you know how vulnerable you are instead of panicking and trying to get (obsolete) lists from all over the place.

    So yeah, version number hiding doesn't reduce the attack rate but does reduce the ability to act.

    --
    bash$ :(){ :|:&};:

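Added example, not from the original post: a small scanner for Apache access logs that flags the Code Red and Nimda request lines the comment above refers to, so an Apache admin can count how many IIS-only probes reach a server that was never vulnerable to them. The log lines are constructed for the example (documentation address ranges, Code Red payload shortened to a few bytes of the filler); the request paths in the signatures are the ones those worms actually sent. Nothing here depends on the Server header, which is the point: the probes arrive whether or not the banner says Apache.

```python
"""Count IIS-worm probes in Apache access logs (editor's example).

Parses the Apache "common" log format and classifies requests by worm family.
"""
import re
from collections import Counter

# host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request lines the 2001 IIS worms sent.  Code Red overflowed the .ida ISAPI
# filter; Nimda tried the root.exe backdoor left behind by Code Red II and a
# set of directory-traversal paths to cmd.exe.  Neither looks at the Server
# header first, so the requests land in Apache logs as 404s.
WORM_SIGNATURES = {
    "CodeRed": [re.compile(r"^GET /default\.ida\?", re.I)],
    "Nimda": [
        re.compile(r"/root\.exe\?", re.I),
        re.compile(r"/winnt/system32/cmd\.exe", re.I),
    ],
}

# Constructed sample: documentation address ranges, Code Red payload shortened.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:03:11:42 +0200] '
    '"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 282',
    '198.51.100.7 - - [19/Sep/2001:03:12:05 +0200] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275',
    '198.51.100.7 - - [19/Sep/2001:03:12:05 +0200] '
    '"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273',
    '198.51.100.7 - - [19/Sep/2001:03:12:06 +0200] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283',
    '198.51.100.7 - - [19/Sep/2001:03:12:06 +0200] '
    '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299',
    '203.0.113.4 - - [19/Sep/2001:03:13:10 +0200] '
    '"GET /index.html HTTP/1.1" 200 1043',
]


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(request):
    """Return the worm family whose signature matches the request line, else None."""
    for worm, patterns in WORM_SIGNATURES.items():
        if any(p.search(request) for p in patterns):
            return worm
    return None


def scan(lines):
    """Tally worm probes per family and per source host across log lines."""
    by_worm, by_host = Counter(), Counter()
    other = unparsed = probes_404 = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        worm = classify(rec["request"])
        if worm is None:
            other += 1
            continue
        by_worm[worm] += 1
        by_host[rec["host"]] += 1
        if rec["status"] == 404:       # the exploit path does not exist here
            probes_404 += 1
    return {
        "by_worm": dict(by_worm),
        "by_host": dict(by_host),
        "other": other,
        "unparsed": unparsed,
        "probes_404": probes_404,
    }


if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    result = scan(line.rstrip("\n") for line in source)
    print("probes by worm:", result["by_worm"])
    print("probes by host:", result["by_host"])
    print("probes answered 404:", result["probes_404"])
```

Run it as `python3 scan.py < /var/log/apache/access_log` to see the same pattern the comment describes: every probe is an IIS exploit, every one gets a 404, and the sender never asked what server it was talking to.
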
  9. Misconfiguration by Kris+Warkentin · · Score: 4, Insightful

    Not only is Apache very widely deployed, it is also quite easy to misconfigure it. If you read the article, they're not talking about software insecurities alone: they're talking about misconfiguration and bad management of machines. For example, weak/non-existent passwords is on both lists.

    They're not saying that Apache is insecure but rather that it is a potential risk if the admin is not sufficiently competent.

    --

    In Soviet Russia, hot grits put YOU down THEIR pants.

    1. Re:Misconfiguration by chris_mahan · · Score: 3, Insightful

      You've hit the nail on the head:

      "but rather that it is a potential risk if the admin is not sufficiently competent."

      You see, if the admin is a grokking wizard with luser hate-filled eyes, whatever box he installs will be Fort Knox, regardless of the OS.

      Take your typical $36k/yr MCSE admin, and any system they set up will be like grated cheese.

      It's called experience, savvy, knowledge, tenacity, and not a little geekiness. And it's worth money.

      So, if you're a CIO and you don't want your company name to appear on the marketplace section of the Wall Street journal under the heading "Hacker steals 50,000 credit cards from..." then pay your good admins, even if they look like they're sleeping in meetings, even if their tie rotation schedule becomes glaringly apparent.

      Security is like seatbelts. The instant you need it it's too late to put it on. You have to put it on before.

      Good admins: When it looks like they are not doing anything, that's when they've done everything right.

      Oh, and that list for windows: If you didn't already know all of that by heart, there's no chance in hell you'd get anywhere near production servers at our company.

      And now for something OT: There was a story a few days ago here about what would happen to the DNS system if the root servers for .com etc were misconfigured, replicating the misconfiguration across all DNS servers... Eerily, see WorldCom's troubles today...

      --

      "Piter, too, is dead."

  10. Re:Clueless FBI by davidstrauss · · Score: 5, Insightful
    Interesting that all but one of the UNIX probs can also be traced to Windows. Apache runs on Unix and Windows. FTP, RPC etc etc

    Apache is optimized and was originally designed for Unix. FTP is a standard Internet protocol that likely had its origins in Unix. While the problems you state afflict Windows and Unix alike, they cannot be "traced to Windows." They should be under a generic category for all systems, as HTTP and FTP servers are, in general, large security risks, if caused by nothing more than improper setup.

  11. Missing the most obvious vulnerability... by Zspdude · · Score: 5, Insightful

    The user. Windows OR Unix.

    --
    What's in a Sig?

  12. Re:Well, that settles that argument by Otter · · Score: 2, Insightful
    C'mon, both of you are missing the point. Reported vulnerabilities in IIS, IE or MS SQL demonstrate the poor security of closed-source software. Reported vulnerabilities in Apache, Sendmail and openssh prove the value of open-source development, which allows thousands of eyes to spot bugs to be fixed.

    So according to these lists, Linux is 2^20 times better than Windows.

    Now just learn to interject "Security through obscurity doesn't work!" and "Security is a process, not a product!" whenever they seem like they might be relevant and you could be a /. security expert like me.

  13. Re:Why... by Anonymous Coward · · Score: 1, Insightful

    Why...is Apache listed as #2 under UNIX? It's not exactly bug-riddled doom-ware like IIS.

    Because in UNIX we don't have such doomed bugs. But rank wise, it's probably some of the most crucial ones because of its prevalence. If you compared UNIX's #1 bug versus Windows #10, you'll be convinced that UNIX's #1 threat is far less deadly than Windows #10.

    Of course, some people will object this...

  14. All of these are ridiculous... by NineNine · · Score: 3, Insightful

    They're all security holes, if they aren't patched. Very few of the things that they listed aren't completely patchable (yes, including IIS). Keep up with the patches, and don't do stupid things, and you'll be fine.

    1. Re:All of these are ridiculous... by TheAwfulTruth · · Score: 3, Insightful

      That was more or less the point of the list. To point out the top 10 POTENTIAL security problem areas. Lazy admins could make great strides by merely keeping tabs on these top 10 items alone.

      It seems incredible to me too that anyone with the title of "administrator" could NOT already be doing this, but then there is reality.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!

  15. Re:#8 = Internet Explorer. by Zathrus · · Score: 4, Insightful

    If you are using IE, your computer is vulnerable to numerous security breaches

    Yes. If you're not downloading security updates.

    But the same is true for everything else on the list. Conversely, if you are constantly keeping up to date on security patches then you are considerably less vulnerable.

    I believe the point you were trying to make is that it's the only client program on the list - all the others are servers. And I'm honestly surprised that neither Outlook nor Outlook Express made the list - they're considerably more problematic with regards to security IMO (but I'm not a "professional" in this context).

    As to why it's not #1 - well, first there's a lot fewer vulnerabilities listed. Additionally the extent of the vulnerabilities are not as large. Relatively few virii/trojans/etc. spread via IE, while there are still IIS servers out there spamming the world with Code Red. Secondly, as a client program it is somewhat more secure than a server by design. I could be running a totally unpatched client that's vulnerable six ways to Sunday, but if I don't surf to your site (or open a local infected file with the client) then I can't be infected. Servers, however, are vulnerable if they're running - I don't have to invite you to break into my system, I left the door open with a lovely "Open House" sign up.

  16. Re:#8 = Internet Explorer. by flacco · · Score: 5, Insightful
    Yes. If you're not downloading security updates.

    ...which, lately, have come with unacceptable EULA terms and mandatory downloads of other software.

    Software vendors should be required to supply security patches in isolation, and WITHOUT ANY additional licensing requirements.

    --
    pr0n - keeping monitor glass spotless since 1981.

  17. Re:NO MACS is GOOD NEWS by WinterSolstice · · Score: 2, Insightful
    There are no Amiga vulnerabilities mentioned either. Does that mean anything in particular?

    No. Didn't think so.

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.

  18. FTP? by GigsVT · · Score: 2, Insightful

    So what to do with FTP?

    The OpenSSH sftp client really sucks, it's barely usable, no frills, almost seems like a "proof of concept" as it were. It gets the job done, barely.

    So our customers need to upload files. With FTP in IE and Netscape and Mozilla, they can drag and drop the files into the browser and log in and send the files.

    Another option is to use HTTP PUT, but since our clients are uploading 50 meg files, no progress feedback is a killer there. Is there some open source client-side-java-pretty-HTTP-PUT-uploader out there? Even then you have to have your clients have Java installed, something that can't really be counted on.

    Other options.... Put putty on the site and make them install it and use sftp.. Not an ideal option, but somewhat workable.

    So where is the drop in replacement for FTP? Why isn't anyone working on this?

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

  19. Re:Lather, rinse, repeat by sporty · · Score: 4, Insightful

    Who in their right mind uses r* and sendmail on anything connected to the public internet?

    Actually, as the article pointed out, sendmail hasn't had any serious problems in the past 2 years. Quite frankly, it's quite powerful and its default install is kinda simple to use except (except!) for that stupid map command to build virtual users, access tables and the likes.

    It's not the end of the world if you use it, just like it's not the end of the world if you use proftpd.

    --

    -
    ping -f 255.255.255.255 # if only

  20. Re:Am I the only one that noticed... by lugonn · · Score: 4, Insightful
    ...the fact that only one (U10) Unix vulnerability has to do with the OS itself, and the rest are program related. All of which can easily be removed without harm to your boxen.

    However, 4 (W4, W5, W7, W10) of the Win vulnerabilities are integral parts of the OS so you can't remove/fix them without hosing your PC.

    Gee, which OS is more secure...looks like *nix again. So no, they are completely different.

  21. Re:Ever heard of a UID? by Osty · · Score: 2, Insightful

    Given that Win doesn't have group ownership for files, it really doesn't matter if you're running as admin or guest. You can still use WSH as a guest and be able to fuck with system files, you just can't play with the registry...nice security model, it doesn't exist for files on Win systems.

    You'd be right, if your system is using FAT16/32, though why you'd ever use that on an NT-based system (note my comment about NT-based Windows systems, and Win9x being dead), I don't know. Use NTFS, set up proper permissions (should be set up by default, if you installed using NTFS), and you have a better ACL system than the default user/group/other UNIX permission system (yes, I know various unices have better ACL systems, and various filesystems for Linux do as well, but most people use ext2 at the moment, which just does ugo by default -- you can add patches that do real ACLs, but last I checked that wasn't part of 2.4).


    Just taking a quick look at C:\Windows on my XP system, I see:

    • Administrators group has full permissions
    • Power Users group has modify, read&exec, list folder contents, read, and write permissions (missing "special permissions")
    • SYSTEM has full control
    • Users (which is where you should normally be running) has read&exec, list folder contents, and read permission. No modify, no write.

    So how is it, again, that Windows doesn't have group ownership?

  22. Re:#8 = Internet Explorer. by tqbf · · Score: 5, Insightful
    You say "if I don't surf to your site... then I can't be infected". It almost sounds like you believe you have some control over whether your browser will hit his evil web page. Could it be that you actually think that both Internet routing and the DNS are hard to subvert?

    Clientside security is still a joke. Clients get attention in the places where they "asynchronously" give up control to foreign command, like embedded scripts in email and virtual machines for things like Java. But the overwhelming majority of client code was designed assuming that it interacts in good faith with the rest of the world.

    The flood of server-side vulnerabilities will slow. Desktop environments will get more and more homogenous. The payoff for writing a single exploit will grow. You should expect not only to see more client-targeting attacks, but also more attacks leveraging the ancient and festering weaknesses in global Internet routing and in DNS.

    Consider that today, Internet routing is being subverted with some regularity to play pranks on IRC and to hijack address space for spamming. These are high-risk, low-reward enterprises. It's only a matter of time before smarter people figure out how to use the same tricks to more productive ends.