Slashdot Mirror
SANS/FBI Release Top 20 Security Vulnerabilities
theBraindonor writes "SANS Institute and the FBI have compiled a listing of the The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.
IIS!!
Not any particular 'sploit, but on the page, IIS is THE NUMBER ONE vulnerability for Windows boxen.
Like Mr. Valentine said, "[Microsoft's] products are not engineered for security". Or something like that.
--j
#8 is listed here.
If you are using IE, your computer is vunerable to numerous security breaches.
If this is installed on EVERY Windows computer by default, I believe that this should be rated higher than those vunerabilities in applications that are only installed by default on SOME Windows versions (IIS).
And if memory serves, the Unix list is exactly the same, with perhaps the exception of Apache. The r* services, sendmail, yep, all still there. Who in their right mind uses r* and sendmail on anything connected to the public internet?
Anyone correct me on whether the others have changed? They all look familiar to me.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
They are exactly equal because they chose 10 windows exploits and 10 *nix exploits. If they had chosen 20 exploits from both windows and *nix they would have numbered from 1 to 20.
I do security
...is Apache listed as #2 under UNIX? It's not exactly bug-rittled doom-ware like IIS. A few mistakes every now and then hardly qualifies for a #2 rateing. it's not like, 50 new exploits are found a month or something. and as for RPC at #1...you get what you ask for.
They left Outlook and it's derivatives off the Windows list. Nevermind the root VBS cause.
But they seem to have really had to reach to get 10 for Unix.
Man... how much did this 'study' cost?
when a vendor installs an application BY DEFAULT on EVERY single version they ship and it is considered at top 10 vundeability I would say that is more important (see previous comment here) than individual applications that are GENERALLY not installed by default on UNIX based OSs.
.02
Just my worthless
They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.
If you can get the information that you want (eg passwords) from a person who knows the information, all the patches in the world won't protect your network...
--
http://www.aikiweb.com - AikiWeb Aikido Information
At the end of the document, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistake
This seems like a really bad idea. Giving people a list of port they should block traffic to implies that they needn't properly lock down their rulesets properly, andd have accept as the default policy.
Plus, you don't even need to spend on AV software from snake oil vendors.
All that's needed is to make the 'Edit' command the default in the registry for all types of WSH-recognized extensions, such as .js and .wsh. Unfortunately the default is 'Open', which executes the script.
Once you do this you can simply sit there and watch the script worms hit - the only thing you'll see are instances of Notepad all over the place (with the code, to boot). Quite funny (in a sick sort of way).
Free Clue: if you didn't get in on the first 2000 tries, go waste someone else's bandwidth!
take a look
http://www.sans.org/top20/top20_Oct01.htm is the list from 2001
http://www.sans.org/topten.htm is the list from 2000
Version number hiding is not the way to go. And let me explain why: Nimda / Code Red. ISS only. Certain versions of ISS only. And do you think that the virus checks for the HTTP Server-string before it sends it payload? No way. Brute force. Just send the exploit and check later if it was successfull. I have the logs of my Apache webservers to show this behaviour.
Same with the bugbear[sp] worm at this moment. "Check all the shares on the system. Found one! Let's copy to there." Zwoooosh there goes another sheet of paper through the printer.
For administrative purposes, being able to find out what version of software is running is essential. In a company with tens of locations and thousands of computers, nobody will be able to keep a list of software installed on all these things, let alone keep track of the versions.
A weekly scan by the corperate IT department and they know what MTAs and versions are there, what FTP servers and version, what DNS servers and versions are there. An update is released? Just inform the right people (i.e. the LAN administrators, not the people who own these servers). An exploit has become known? At least you know how vulnerable you are instead of panicing and trying to get (obsolete) lists from all over the place.
So yeah, version number hiding doesn't reduce the attackrate but does reduce the ability to act.
bash$
Not only is Apache very widely deployed, it is also quite easy to misconfigure it. If you read the article, they're not talking about software insecurities alone: they're talking about misconfiguration and bad management of machines. For example, weak/non-existant passwords is on both lists.
They're not saying that Apache is insecure but rather that it is a potential risk if the admin is not sufficiently competent.
In Soviet Russia, hot grits put YOU down THEIR pants.
Saying that "The Twenty Most Critical Internet Security Vulnerabilities" is the same as the top ten Windows vulnerabilities plus the top ten Unix vulnerabilities, is just plain stupid.
the "Slashdot Effect" DOS did not make the top 20.
Never answer an anonymous letter. - Yogi Berra
Apache is optimized and was originally designed for Unix. FTP is a standard Internet protocol that likely had its origins in Unix. While the problems you state afflict Windows and Unix alike, they cannot be "traced to Windows." They should be under a generic category for all systems, as HTTP and FTP servers are, in general, large security risks, if caused by nothing more than improper setup.
The user. Windows OR Unix.
What's in a Sig?
They're all security holes, if they aren't patched. Very few of the things that they listed aren't completely patchable (yes, including IIS). Keep up with the patches, and don't do stupid things, and you'll be fine.
Here's a note I just sent to their web master (they had no other place to send "comments"):
Overall the top20 list is a good summary as always.
However, I can't believe the lack of knowledge about at least the SNMP portion of it. SNMP *used to use* clear-text community strings in the first and second versions of the protocols. The following statement, along with others in the section:
'SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough...'
Is spreading simply incomplete information. At a minimum, it should be suggested that all users upgrade their SNMP enabled software to version 3 compliant SNMP agents and to disable the version 1 and version 2 SNMP protocols. All of the major network vendors, as well as software vendors implement the v3 protocol so there is very little excuse for not using it (and, worst case you can deploy v3->v1 proxies near v1-devices to minimize the transmision distance of clear-text v1 community strings). *Please* change the wording to suggest that people upgrade their equipment to SNMPv3 compliant software, which will take care of at least the insecure problems with the protocol.
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
However, 4(w4, w5, w7, w10) of the Win vulnerabilities are integral parts of the OS so you can't remove/fix them without hosing your PC.
Gee, which OS is more secure...looks like *nix again. So no, they are completely different.
Just to be a /bot for a second, I thought it was funny that the primary concern with Apache was insecure CGI scripts. And the point about "even Apache's own website was defaced" says nothing about boxes being 0wned. Just a chrooted nobody user account. (And yes, I assume that Apache runs their own server chrooted)
As to the submitter saying the vulnerable UNIX apps are basically a laundry list of apps he uses daily, that's too bad. Never once have I needed to put NFS, rlogin, or FTP into production. I was always taught that the "r" meant "raped".
Intelligent Life on Earth
I love W5. It implies that the vulnerability is the leakage of information to an intruder.
It seems to me that, since it points out the the scans are often run as "System" by the legitimate users, then by properly crafting a response to an inquiry, and puttting my machine out there, the real vulnerability is to the systems, like the domain controllers, which scan (potentially trojaned) remote machine, without dropping "System" priviledge first.
It seems to me that an exploit using SAMBA source code ought not to be that hard to write...
-- Terry
Nearly all Linux systems and many other Unix systems come with Apache installed and often by fault enabled.
Although I presume that they meant to say 'by default enabled', I (like many others) feel that it is an error to have most facilities enabled by default. Thus the default is IMHO a fault.
I would much rather have various facilities disabled by default, with easily-accessible tools which enable those facilities (and give appropriate security warnings). Manufacturers, like sun, who ship machines with everything and their dogs enabled should be hung by their toes and beaten mercilessly with burnt-out '286s.
The standard defence that most of these systems ship to sites with well-traind sysadmins who know what to disable is silly. If a site has well-trained sysadmins, then they should know how to enable the required facilities. Sites without well trained sysadmins probably don't have good security, either, and most desparately need to have all of those holes covered when the system ships.
For admins who care more about getting a system running easily than they do about security, vendors like sun could have a program (named 'goahead-shootme') that enables all facilities just like the old (de)fault had it. Better yet, of course, would be a simple menu-driven / GUI program that allowed you to turn on/of various facilites and daemons (and possibly even provided an explanation of why). -- Bastille Linux comes to mind...
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
- Buffer Overflows! If people are going to insist on using C to write important applications, they need to use libraries that check input properly if they're not going to do the job themselves! This is about the most basic bug you learn to avoid when you learn arrays, and C's pointers don't give you protection so you're warned to do it yourself where you need it.
- Not Checking Input for Validity! This is about the second lesson in CS100 classes, or was back when I took them - Never Never Never trust that your program has been given correct input, especially input that cares about size and type.
- Not checking for Cleverly Malicious Domain-Dependant Input - OK, some kinds of input checking go beyond the basics, but at least make sure not to let users provide input that uses ".." in directory paths or lets unauthorized people store important data.
- Running things are ROOT that don't critically need to - Mail doesn't need to run as root just to deliver mail to mailboxes - group permissions with the application running as group mail works just fine. Web Servers doesn't need to be root, and DNS doesn't need to be root, and Printer Daemons don't need to be, and most ftp servers don't need to be (a few might). SSH probably does, but there may be ways to work around that.
- Operating Systems that force applications to user root privileges - TCP and UDP well-known ports shouldn't need root permissions to run them, except perhaps in very special cases, and forcing them to have root permissions increases the probability that an inadequately-written application will be running as root instead of chroot-jailed.
- Applications writing over their own configuration files - if you take advantage of operating system permissions, that reduces your need to defend against cleverly malicious input. Be careful out there, and use them.
- Applications that force users to use too-short passwords - 8-character passwords have been obsolete for years. Even if you let users pick wimpy ones, at least don't *force* them to.
That's certainly not everything, but it's an appallingly high fraction. Making sure applications don't run as root doesn't prevent things like mail viruses or web server viruses from flooding the net with bogus emails, but it makes it harder, and reduces the potential damage. At least practice enough basic hygiene that attackers have to be careful, creative, and hardworking....Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
C'mon...the snmp one should be thrown off the unix list. Winders has snmp, and network devices have snmp. Just because you can do snmp stuff with Unix doesn't make it a unix vulnerability anymore than a windows one.
As for userid's and passwords - I've seen equally week NT setups - even more common for people to use no passwords on NT, since Win clients are connecting. As for tracking what a user is doing - ps anyone? Lets see you track what an authenticated user can do with RPC on a windows network.
If you have ActivePerl installed (recent build) you might want to do the same to the .pl extension, just in case.