Slashdot Mirror


New SANS/FBI Top 20 List

An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities. As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists. For last year's version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."

199 comments

  1. worms... worms worms worms.. by joeldg · · Score: 1

    With all the worms this year this must have been quite a job to sift through.

    I do however agree with them about the BIND vuln being at the top of the list for unix systems. That was a big issue having to update all our nameservers..

  2. What would be the top 10 by dnotj · · Score: 5, Interesting
    If the windows and UNIX ones were mixed?

    Would billy and his band of thugs be the leader of the pack?

    What about the second 10 for m$? where would they be with the UNIX top 10? top 20?

    --
    No more Micro$oft bashing from me. It's like bashing at the special olympics.
    1. Re:What would be the top 10 by Anonymous Coward · · Score: 0

      Micro$oft bashing and complex sarcasm yields "Karma: Bad". Guess I'm a Flame Baiting Troll

      1. This is Slashdot. MS bashing gives you good karma...especially when you substitute the "S" for a dollar sign.

      2. This is a BBS. As in we communicate through text. Sarcasm rarely works. ...as you can see.

      3. You're an ass.

    2. Re:What would be the top 10 by DunbarTheInept · · Score: 1

      They kept them separate specifically to avoid that debate. Even if your system is more secure than the other, it still is important to know what the top vulnerabilities in your system are, so you know where to concentrate your efforts locking things down.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    3. Re:What would be the top 10 by 4of12 · · Score: 1

      Naturally, because of the larger deployed base of Windows machines I would expect any vulnerability for Windows to be magnified in its importance just because of how many machines it affects, independent of whether Windows has more flaws, worse flaws, poor design, etc.

      OS flavor is only weakly correlated as a function of importance as a security vulnerability. Vulnerabilities that affect root name servers and routers could be just as important in terms of impact as several thousands of home Windows PC's hooked up to AOL if you look at the economic impact.

      --
      "Provided by the management for your protection."
    4. Re:What would be the top 10 by Spoing · · Score: 1
      1. Naturally, because of the larger deployed base of Windows machines I would expect any vulnerability for Windows to be magnified in its importance just because of how many machines it affects, independent of whether Windows has more flaws, worse flaws, poor design, etc.

      Naturally. Obviously. It stands to reason. Common sense. Yadda yadda yadda...Didn't we just go over this one?

      Yes, I realize your version is a variation on the dead horse being dragged out and pummeled these days...though it's not much different, is it?

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    5. Re:What would be the top 10 by t0ny · · Score: 1
      Well, considering DNS is used almost EVERYWHERE, and any vanilla install of Linux has DNS, SendMail, Apache, etc., it's hard to say. IIS is on the list for MS, but a vanilla install of WinXP doesn't have IIS. And while IE is also on the list, MS's Auto-update will (I think by default after the first prompt) go out to MS and download the latest updates.

      So it's hard to say.

      --

      Manipulate the moderator system! Mod someone as "overrated" today.

  3. Does this mean by satsuke · · Score: 3, Insightful

    Clicked link to site .. loading very slowly.

    Does this mean the security information clearinghouse can be DDOS'd ?

    By slashdot obviously .. don't know about other more intentional attacks

    1. Re:Does this mean by c0dedude · · Score: 4, Funny

      No, it just means that a link from slashdot should be on the list as a potential site vulnerability :-)

      --
      Since when has this country used intellectual elite as a pejorative term?
    2. Re:Does this mean by RedBear · · Score: 1
      No, it just means that a link from slashdot should be on the list as a potential site vulnerability :-)

      That's actually a good point. Think about how many sites have been wiped out either momentarily or (sometimes) permanently, and all the money a good /.ing has cost many individuals and companies for excess bandwidth. The sites that even have the capability to block direct /. linking always seem to implement it after the fact.

      In light of the problems /. creates, wouldn't it be wise for server admins all over the world to take it for granted that they might be linked to by /., or a handful of other similar sites, and just block direct links from those sites by default? It's not a total solution but it would sure help.

      Makes sense to me.

  4. oh no! by Anonymous Coward · · Score: 2, Funny

    Looks like the site is slashdotted...
    oh wait...it's my 33.6 modem :)

    1. Re:oh no! by fuzzix · · Score: 3, Funny

      A security feature in itself - who could wait that long to root a box?

  5. Some messed up scoring here. by caluml · · Score: 5, Informative
    The 3rd highest vulnerability to Unix is Apache?
    That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

    Or am I reading a list from 5 years ago?

    1. Re:Some messed up scoring here. by Xerithane · · Score: 4, Insightful

      The 3rd highest vulnerability to Unix is Apache?

      Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.

      That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

      I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.

      --
      Dacels Jewelers can't be trusted.
    2. Re:Some messed up scoring here. by caluml · · Score: 1
      Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.

      Well, that could apply to anything. I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.

      I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.

      But who the hell uses 8 any more? :) (Cue lots of people praising djbdns...)

    3. Re:Some messed up scoring here. by jmo_jon · · Score: 1

      Here is one. Just search for bind on securityfocus and you'll find more

    4. Re:Some messed up scoring here. by DrEldarion · · Score: 4, Insightful

      But who the hell uses 8 any more?

      I've learned that the answer to "Who the hell uses (insert old program here) anymore?" is always "FAR more people than you think..."

      My website has had around 3800 unique visitors. 16 of them are STILL running at 640x480. 28 of them are STILL running in 8-bit color. Crazy.

      Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."

      -- Dr. Eldarion --

    5. Re:Some messed up scoring here. by Xerithane · · Score: 1

      Well, that could apply to anything. I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.

      But you have to look at Apache allowing access, through ExecCGI outside of a chroot, etc. If a webserver were to be more secure, it would only run scripts from a unix socket (or some more modern approach) to a chroot jail. I've not seen anything like that in common practice though.

      --
      Dacels Jewelers can't be trusted.
    6. Re:Some messed up scoring here. by Darby · · Score: 1

      I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.

      What, you mean you don't do that?!?
      Sheesh, what if you forget your password and you're away from home where you have it written on a sticky stuck on your monitor?

      What are you gonna do then, Smart Guy?

    7. Re:Some messed up scoring here. by Spoing · · Score: 1
      1. My website has had around 3800 unique visitors. 16 of them are STILL running at 640x480. 28 of them are STILL running in 8-bit color. Crazy.

      Or, they are using PDAs, slow connections (cellular), and other newer devices. (OK, probably not...)

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    8. Re:Some messed up scoring here. by 110010001000 · · Score: 0

      It is amazing when reality shatters your worldview, doesn't it?

    9. Re:Some messed up scoring here. by valdis · · Score: 2, Informative

      OK.. Speaking as one of the culprits here.. ;)

      Those of you who patch regularly and often aren't the problem, or the target audience. Yes, the last Bind exploit was quite some time ago, and patched systems fixed it long ago. On the other hand, want to guess which there are more of out there, fully patched RedHat 9.0 boxes or unpatched RedHat 7.2 boxes?

      One of the inputs into the ranking and selection criteria was how heavily exploited the holes were. And you know what? There's more sites being nailed *NOW* with the Apache Chunking hole than the most recent OpenSSH hole (Hint - which has more working exploits in the wild?)

      To be blunt, we weren't targeting the admins that do a good job of keeping their systems tied down and up to date (THOSE guys can wander over to www.cisecurity.org (Yes, I'm a co-conspirator there too ;) and see how they do on the benchmarks). We were targeting the sites that are running 3 years behind because they don't have a clue where to start.

      It's not a checklist for perfect security. It's a checklist of "If you don't have a clue and the boss only gave you 2 hours to get the box online, do at least this much so you have a fighting chance".

      Nobody who helped make this list was particularly thrilled by the need to do it - every single one of us wished it wasn't necessary, either because systems were at least that secured out of the box, or because systems were hardened by people who had both the skill and time to do the job.

      And yes, we're collectively ticked by the fact that it's so damned hard to retire items. On the other hand, it's instructive to go back and re-read the original Multics penetration study:

      http://www.acsac.org/2002/papers/classic-multics-orig.pdf (24 pages)

      and then look at the author's 30-years-later retrospective:

      http://www.acsac.org/2002/papers/classic-multics.pdf (8 pages)

      Executive Summary: It hasn't gotten much better over 30 years. In fact, it sucks worse.

    10. Re:Some messed up scoring here. by toddestan · · Score: 1

      What amazes more is the people running old browsers. Who the heck still uses Netscape 4? I mean, by today's standards it sucks. Even for old hardware, it still sucks. There are much better choices - Netscape 4 is just bloat, and it's slow. IE 3.0? C'mon people!

      Anyhow, my choice for web browsers on ancient machines is Opera 5, which has a nice balance between speed, features, and ability to view fancy webpages that you shouldn't be loading on a 486 anyway.

    11. Re:Some messed up scoring here. by Maliuta · · Score: 1
      My website has had around 3800 unique visitors. 16 of them are STILL running at 640x480. 28 of them are STILL running in 8-bit color. Crazy.

      Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."

      And some of us still like the way things used to be done. I write this on a circa 1995 HP Xterminal. Why? Because I like doing things this way, having 3 or 4 terminals throughout my house and accessing my machines via them. I have looked for newer terminals, but none have the specifications I would want in terms of RAM and video performance.

      Upgrading hardware and upgrading software are two different things. I keep all my software up-to-date because I know that there are always new exploits being discovered; that doesn't mean that I want to go out and buy a monitor/video card that will do 1600x1400 in 6 trillion colours.

    12. Re:Some messed up scoring here. by Anonymous Coward · · Score: 0

      The CIS site doesn't mention OS X or BSD. Will the software for Solaris, Linux or HP-UX work?

    13. Re:Some messed up scoring here. by bmj · · Score: 1

      Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."

      You're comparing apples and oranges. There are plenty of folks who are still surfing the Net on "antiquated" equipment (slow machines, tiny monitors, 4.x browsers), and it's not because they're lazy. Grandparents who check email and maybe read a few websites don't need anything more than a Windows 9x machine. And they're probably surfing on a dialup connection (on a less than latest/greatest modem, no less), so downloading IE 6 or Moz or Netscape 6 isn't really a choice. And...running 640x480, 8 bit color isn't a security hole. And running an updated 4.x browser isn't a security hole necessarily. Sure, plenty of sites don't "work" but that's a different issue.

      Now, there are plenty of lazy sys admins/users who are running newer hardware/software with a dedicated connection. There is NO REASON why those machines shouldn't be properly patched and updated.

      --
      Whereof we cannot speak, thereof we must be silent. --Ludwig Wittgenstein
    14. Re:Some messed up scoring here. by Bert64 · · Score: 1

      Many people still have slow dialup connections, many of which are metered by the minute for online time; updating your OS on such a connection is both extremely time consuming and costly.
      As for 640x480, that's the default resolution of Windows; perhaps these people don't know how to increase it? Same for the 8 bit color. Also, Windows doesn't support many display cards, especially newer ones, without installing third party drivers.. Look at the size of nvidia/ati's latest drivers, and then imagine downloading them over a dialup, and paying by the minute to do so...
      Also consider the time wasted navigating their graphics heavy sites, jumping through hoops just to find the correct drivers.
      Also, some people may have poor eyesight, and 640x480 is easier for them to read.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. But the 10 most critical Security Vulnerabilities by Kjella · · Score: 4, Insightful

    still exist between the chair and keyboard... I think they should make a third category for that.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  7. The #1 vulnerability is obviously "people" by Anonymous Coward · · Score: 0

    Although the site is already /.'d, so I can't check on it.

  8. I'd never karma whore... by dnotj · · Score: 0, Redundant

    Introduction
    The SANS Top 20 Internet Security Vulnerabilities

    The vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services. Attackers are opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.

    Three years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty lists that followed one and two years later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to the examples above - Blaster, Slammer, and Code Red, as well as NIMDA worms - are on that list.

    This updated SANS Top Twenty is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX and Linux. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services.

    The Top Twenty is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious federal agencies in the US, UK and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute. A list of participants may be found at the end of this document.

    The SANS Top Twenty is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via e-mail to top20@sans.org.

    Notes for Readers
    CVE Numbers
    You'll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that have not yet been fully verified. For more data on the award-winning CVE project, see http://cve.mitre.org.

    The CVE and CAN numbers reflect the top priority vulnerabilities that should be checked for each item. Each CVE vulnerability reference is linked to the associated vulnerability entry in the National Institute of Standards and Technology's ICAT vulnerability indexing service (http://icat.nist.gov). ICAT provides a short description of each vulnerability, a list of the characteristics of each vulnerability (e.g. associated attack range and damage potential), a list of the vulnerable software names and version numbers, and links to vulnerability advisory and patch information.

    Ports to Block at the Firewall
    ---- Jump to index of Ports to Block at the Firewall or Gateway ----

    At the end of the document, you'll find an extra section offering a list of commonly probed and attacked ports. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistakes and oversights. Note, however, that using a firewall or router to block network traff

    --
    No more Micro$oft bashing from me. It's like bashing at the special olympics.
  9. Site running slowly. by Anonymous Coward · · Score: 0, Redundant

    Top Vulnerabilities to Windows Systems
    # W1 Internet Information Services (IIS)
    # W2 Microsoft SQL Server (MSSQL)
    # W3 Windows Authentication
    # W4 Internet Explorer (IE)
    # W5 Windows Remote Access Services
    # W6 Microsoft Data Access Components (MDAC)
    # W7 Windows Scripting Host (WSH)
    # W8 Microsoft Outlook - Outlook Express
    # W9 Windows Peer to Peer File Sharing (P2P)
    # W10 Simple Network Management Protocol (SNMP)

    Top Vulnerabilities to UNIX Systems
    # U1 BIND Domain Name System
    # U2 Remote Procedure Calls (RPC)
    # U3 Apache Web Server
    # U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
    # U5 Clear Text Services
    # U6 Sendmail
    # U7 Simple Network Management Protocol (SNMP)
    # U8 Secure Shell (SSH)
    # U9 Misconfiguration of Enterprise Services NIS/NFS
    # U10 Open Secure Sockets Layer (SSL)

  10. The List by spoonist · · Score: 1, Redundant

    Top Vulnerabilities to Windows Systems

    W1 Internet Information Services (IIS)

    W2 Microsoft SQL Server (MSSQL)

    W3 Windows Authentication

    W4 Internet Explorer (IE)

    W5 Windows Remote Access Services

    W6 Microsoft Data Access Components (MDAC)

    W7 Windows Scripting Host (WSH)

    W8 Microsoft Outlook - Outlook Express

    W9 Windows Peer to Peer File Sharing (P2P)

    W10 Simple Network Management Protocol (SNMP)

    Top Vulnerabilities to UNIX Systems

    U1 BIND Domain Name System

    U2 Remote Procedure Calls (RPC)

    U3 Apache Web Server

    U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords

    U5 Clear Text Services

    U6 Sendmail

    U7 Simple Network Management Protocol (SNMP)

    U8 Secure Shell (SSH)

    U9 Misconfiguration of Enterprise Services NIS/NFS

    U10 Open Secure Sockets Layer (SSL)

    1. Re:The List by Anonymous Coward · · Score: 0

      I bow to your copy-pasting sk1llz. You could at least have put some nice formatting...

    2. Re:The List by hackstraw · · Score: 1
      Regarding U4 which says:

      The most common password vulnerabilities are: (a) user accounts that have weak or nonexistent passwords; (b) users accounts with widely known or openly displayed passwords; (c) system or software created administrative level accounts with widely known, weak, or nonexistent passwords; and (d) weak or well known password hashing algorithms and/or user password hashes that are stored with weak security and are visible to anyone.

      The best defense against all of these vulnerabilities is a well developed password policy that includes: detailed instructions for users to create strong passwords; explicit rules for users to ensure their passwords remain secure; a process in place for IT staff to promptly replace weak/insecure/default or widely known passwords and to promptly lock down inactive or close down unused accounts; and a proactive and regular process of checking all passwords for strength and complexity.


      Is this entirely true? Nonexistent passwds, yes. Stupid passwords, yes (eg, root:root). Default passwords, yes.

      Can someone give me an example of a compromise based on a weak password? It seems that there are so many other ways to break into a system, that resorting to brute force password attacks would be the absolute last thing someone would use. Also, if the system is that important, don't people set up a max number of failed attempts?
    3. Re:The List by Aardpig · · Score: 1

      Can someone give me an example of a compromise based on a weak password?

      Weak passwords remain vulnerable to dictionary attacks, whereby a large collection of everyday words is passed through the same one-way hashing algorithm that the password system uses. These encrypted strings are then compared against the entries in the system password file, which on many systems is readable by any user (typically for historical reasons). If a match is found, then it is trivial to see which plaintext word produced the encrypted string, and therefore what the password is.

      To avoid dictionary attacks like this, you can:

      • Make sure World+Dog can't read the password file. The shadow suite on Unix systems is one way of doing this; it prevents ordinary users from accessing encrypted passwords, by storing them in /etc/shadow (readable only by root) rather than /etc/passwd (readable by all logged-on users).
      • Choose passwords which are not dictionary words, obviously. A reasonable approach is to join together a number of short dictionary words using punctuation symbols, and mix the case up a bit. I'm paranoid, however, and I go for a completely-random sequence of characters and symbols, which I spend an evening burning into my brain.
      • Regularly run crack, which checks for weak passwords. This program was developed by Alec Muffett, one of the original pioneers of dictionary attacks.
      --
      Tubal-Cain smokes the white owl.
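      The audit the post above describes, as an added example that is not from the thread: each wordlist entry (plus a few crack-style manglings) is hashed with the account's own salt and compared against the stored field, and the U4 structural problems (empty password fields, hashes left in the world-readable passwd file instead of shadow) are flagged too. To run offline without the deprecated `crypt` module it assumes a constructed `$demo$<salt>$<sha256>` hash format for the sample entries; real shadow fields are crypt(3) strings and the same loop applies with `crypt.crypt()` as the hash function.

```python
"""Weak-password audit over a constructed passwd/shadow pair.

Added example, not from the thread. Hashes every wordlist candidate with
the account's salt and compares it with the stored value, and flags the
structural problems from U4: empty password fields and hashes stored in
the world-readable passwd file rather than shadow.

Assumption: the sample entries use a constructed ``$demo$<salt>$<sha256>``
format so the audit runs offline without the deprecated ``crypt`` module.
Real /etc/shadow fields are crypt(3) strings ($1$, $5$, $6$, $y$ ...); the
same loop works with crypt.crypt(word, salt) as the hash function.
"""
import hashlib

DEMO_ID = "demo"


def demo_hash(password, salt):
    """Constructed one-way hash; stands in for crypt(3) in this sample."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"${DEMO_ID}${salt}${digest}"


def split_demo_hash(field):
    """Return the salt of a '$demo$salt$digest' field, or None if not ours."""
    parts = field.split("$")
    return parts[2] if len(parts) == 4 and parts[1] == DEMO_ID else None


def manglings(word):
    """A few of the rewrite rules crack applies to each dictionary word."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word.capitalize() + "1"
    yield word[::-1]


def dictionary_match(field, wordlist):
    """Hash each candidate with the account's salt; return the hit or None."""
    salt = split_demo_hash(field)
    if salt is None:
        return None
    for word in wordlist:
        for cand in manglings(word):
            if demo_hash(cand, salt) == field:
                return cand
    return None


def audit(passwd_text, shadow_text, wordlist):
    """Return a list of (user, problem) findings."""
    findings = []
    to_check = []                              # (user, hash field)
    for line in passwd_text.splitlines():
        user, pw = line.split(":")[:2]
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        elif pw not in ("x", "*"):             # hash visible to every user
            findings.append((user, "hash stored in world-readable passwd"))
            to_check.append((user, pw))
    for line in shadow_text.splitlines():
        user, pw = line.split(":")[:2]
        if pw == "":
            findings.append((user, "empty password field in shadow"))
        elif not pw.startswith(("*", "!")):    # skip locked / no-login accounts
            to_check.append((user, pw))
    for user, pw in to_check:
        if split_demo_hash(pw) is None:
            findings.append((user, "unrecognised hash format"))
            continue
        hit = dictionary_match(pw, wordlist)
        if hit is not None:
            findings.append((user, f"password recovered by dictionary: {hit!r}"))
    return findings


# Constructed sample files; users, salts and passwords are made up.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/sh",
    "alice:x:1000:1000::/home/alice:/bin/sh",
    "dave:x:1001:1001::/home/dave:/bin/sh",
    "mail:x:8:8::/var/mail:/sbin/nologin",
    "svc:x:1002:1002::/srv:/bin/sh",
    f"legacy:{demo_hash('letmein', 'Lg')}:1003:1003::/home/legacy:/bin/sh",
])
SAMPLE_SHADOW = "\n".join([
    f"root:{demo_hash('password', 'x7')}:12345:0:99999:7:::",
    f"alice:{demo_hash('Tr!x9#uwq', 'Qm')}:12345:0:99999:7:::",
    f"dave:{demo_hash('Dragon1', 'Zk')}:12345:0:99999:7:::",
    "mail:*:12345:0:99999:7:::",
    "svc::12345:0:99999:7:::",
])
WORDLIST = ["password", "dragon", "letmein", "welcome"]


def run_audit():
    """Run the audit over the constructed sample files."""
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW, WORDLIST)


if __name__ == "__main__":
    for user, problem in run_audit():
        print(f"{user}: {problem}")
```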
    4. Re:The List by Stonent1 · · Score: 1

      Watch any computer movie, any hacker can guess a password in 5 minutes. How many admins do you know that grep their logs for failed password attempts?
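      The log check the post above asks about, as an added example that is not from the thread: it runs over constructed sshd-style lines and raises two signals per source address, a burst of "Failed password" lines inside a short window and an "Accepted password" that follows such a burst from the same address. Hostname, addresses and the year on the syslog timestamps are assumptions.

```python
"""Brute-force login detection over constructed sshd log lines.

Added example, not from the thread. Two signals per source address:
a burst of "Failed password" lines inside a sliding window (guessing in
progress) and an "Accepted password" that follows a burst from the same
address (a guess that probably succeeded). Lines are processed in log
order; syslog timestamps carry no year, so one is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ASSUMED_YEAR = 2003  # assumption: syslog lines omit the year


def parse(line):
    """Return (timestamp, result, user, src) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["result"], m["user"], m["src"]


def analyze(log_text, threshold=5, window_s=60, success_after=3):
    """Return (bursting_sources, suspicious_logins).

    bursting_sources: set of src with >= threshold failures inside window_s.
    suspicious_logins: list of (user, src, prior_failures) for an Accepted
    line preceded by >= success_after failures from the same src in window.
    """
    failures = defaultdict(list)      # src -> failure timestamps in window
    bursting = set()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                  # not a password auth line
        ts, result, user, src = rec
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[src] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                bursting.add(src)
        elif len(recent) >= success_after:
            suspicious.append((user, src, len(recent)))
        failures[src] = recent
    return bursting, suspicious


# Constructed sample log: one guessing burst that ends in success, one
# ordinary typo by alice, and two widely spaced failures for bob.
SAMPLE_LOG = """\
Oct 08 10:00:01 ns1 sshd[4821]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 08 10:00:04 ns1 sshd[4823]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
Oct 08 10:00:09 ns1 sshd[4825]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 08 10:00:15 ns1 sshd[4827]: Failed password for root from 203.0.113.7 port 51244 ssh2
Oct 08 10:00:22 ns1 sshd[4829]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct 08 10:00:30 ns1 sshd[4831]: Failed password for root from 203.0.113.7 port 51251 ssh2
Oct 08 10:00:45 ns1 sshd[4833]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Oct 08 10:02:10 ns1 sshd[4840]: Failed password for alice from 198.51.100.5 port 40012 ssh2
Oct 08 10:02:20 ns1 sshd[4840]: Accepted password for alice from 198.51.100.5 port 40012 ssh2
Oct 08 10:05:00 ns1 sshd[4850]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Oct 08 10:30:00 ns1 sshd[4870]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Oct 08 10:31:00 ns1 sshd[4871]: pam_unix(sshd:session): session opened for user carol by (uid=0)
"""


def run_sample():
    """Analyze the constructed sample with the default thresholds."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    bursting, suspicious = run_sample()
    for src in sorted(bursting):
        print(f"guessing burst from {src}")
    for user, src, n in suspicious:
        print(f"login for {user} from {src} after {n} failures")
```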

    5. Re:The List by Spoing · · Score: 1
      1. Can someone give me an example of a compromise based on a weak password?

      How would you know?

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:The List by valdis · · Score: 2, Insightful

      "Can someone give me an example of a compromise based on a weak password?"

      If I had a dollar for every time we've had User A hack into User B's computer/mailbox/whatever because User A guessed that User B used their lover's name as a password...

  11. and the #1 vulnerability is... by vladkrupin · · Score: 1

    Vulnerability of SANS own site to slashdotting!

    At least it sure looks slashdotted now... :)

    --

    Jobs? Which jobs?
    1. Re:And the #1 vulnerability is... by Blackknight · · Score: 1

      Why should I have to go through all that? Why can't we just hit "uninstall" and get rid of it?

      Oh, that's right, people might start using other mail clients, we can't have that.

  12. Woohoo! FTP is safe! by EvilStein · · Score: 1

    See?! Telnet & FTP aren't on the list anymore.

    And Gopher! YEAH!

    Enough of this ASP/PHP/SSL/SSH crap. Give us the OLD stuff back!
    When I was growing up, we had telnet and we liked it!

    1. Re:Woohoo! FTP is safe! by joeldg · · Score: 1

      and WAIS too!!!

    2. Re:Woohoo! FTP is safe! by vladkrupin · · Score: 3, Informative

      See?! Telnet & FTP aren't on the list anymore.

      Right, right... Ehrm... to quote the guy a couple postings before you...

      # U5 Clear Text Services

      --

      Jobs? Which jobs?
    3. Re:Woohoo! FTP is safe! by woozlewuzzle · · Score: 2, Insightful

      U5 Clear Text Services. Think that covers ftp and telnet.

    4. Re:Woohoo! FTP is safe! by Anonymous Coward · · Score: 0

      Idiot.

  13. Why two lists? by grub · · Score: 2, Interesting


    There aren't two internets running, one for Windows and one for Unix.

    Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisement money is always nice, wink wink nudge nudge.

    --
    Trolling is a art,
    1. Re:Why two lists? by vladkrupin · · Score: 4, Funny

      There aren't two internets running, one for Windows and one for Unix

      Yes, there are. One is for IE, and one - for everything else.

      (Yes, I am expecting flames to correct my narrow view of internet and tell me that there is more than just web browsing, blah,blah. But you see my point, don't you?)

      --

      Jobs? Which jobs?
    2. Re:Why two lists? by woozlewuzzle · · Score: 4, Interesting

      The point of the lists is not to embarrass the makers of operating systems. It is to let administrators (of either operating system) know what the most successfully attacked services are, so that they can concentrate their efforts. I recall a study, perhaps last year, by NASA of all people that, by just addressing the Top 20 list, they were able to reduce security incidents by over 90%. It doesn't mean you shouldn't secure everything, but you need to prioritize when you are overworked, underpaid and underappreciated.

    3. Re:Why two lists? by Tim+C · · Score: 1

      I can't remember the last time I tried to access a site with Mozilla, to find that it only worked in IE.

      True, my online banking service advises me to use IE, but I ignore that advice, and it works just fine in Mozilla. Every other site I use is fine. Perhaps that's more indicative of the sorts of sites I visit, though.

    4. Re:Why two lists? by bill_mcgonigle · · Score: 1

      Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisement money is always nice, wink wink nudge nudge.

      I looked with a moderate amount of effort to find some kind of numerical data to put next to the items on the list (# of incidents, level of compromise, etc.) but didn't find any. If anyone comes across it, please post, it would be interesting to see how the 'top 20' rank intermixed.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Why two lists? by vladkrupin · · Score: 1

      I can't remember the last time I tried to access a site with Mozilla, to find that it only worked in IE. ...then you haven't browsed the web for a while.
      - one of my favorite news sources (www.gazeta.ru) sucks in mozilla, at least their news section
      - my bank started sucking in mozilla recently
      - ebay often freaks out on some items in mozilla, so I have to copy that URL and paste it to IE to view the item.
      - my card company works intermittently with mozilla (citiCards)
      - MSNBC is sucking up mud in mozilla, even though they put some thought into explicitly supporting mozilla (they are better than they used to be)
      - my own employer's website works in quite-reduced functionality, though we spend a lot of effort on making that better.

      That's just off the top of my head. I probably could go on and on and on. And guess what happened when I complained to my bank's IT that their site, once looking fine in mozilla, one day started sucking really bad? - "Mozilla? What's that? Oh, the browser, like Internet Explorer... well, don't use it! Why won't you just save yourself some time and use IE? No, we support only IE 5.0 and above on windows 2000 or XP with at least a pentium-3 processor and 128 mb RAM... yes... Thank you for your call, sir. Is there anything else I can do for you?"

      --

      Jobs? Which jobs?
    6. Re:Why two lists? by Anonymous Coward · · Score: 0

      there is more than just web browsing, blah,blah

    7. Re:Why two lists? by ThogScully · · Score: 1

      Well, I can understand an occasional problem, but this seems like too much. For example, I've never had a problem on citicards with Mozilla. MSNBC doesn't look right? And you're surprised? Oh yeah, and I'd guess your employer is essentially irrelevant if their website doesn't work right, or at least they don't mind being irrelevant.

      The only times I've had problems with Mozilla is when a site has explicitly rejected Mozilla because it didn't match one of their accepted browsers (which always include Netscape anyway). The two examples that come to mind are chilis-survey.com, which is the URL on your Chili's restaurant receipt and the site for my bank, which is itself a horrible system. Neither would let me in, so I emailed the sites and told them it should, especially if they advertise support for the equivalent Netscape. And guess what, both sites now support Mozilla. Sometimes people just need to be informed.
      -N

      --
      I've nothing to say here...
    8. Re:Why two lists? by phear_the_penguin · · Score: 2, Insightful

      I agree, but I find that the most annoying thing is that IE still won't render COMPLIANT HTML/CSS correctly, so unless you want to have 90% of the people that look at your site complaining about the way it looks, you have to either:

      a) Create a much more limited website, without some of the stuff you want to add
      OR
      b) Create a website with completely BROKEN HTML/CSS so that IE can render it correctly

      In summary, the problem doesn't necessarily lie in the fact that certain sites "only" render in IE, but rather that certain sites WON'T render in IE...

    9. Re:Why two lists? by Darby · · Score: 1

      - one of my favorite news sources (www.gazeta.ru) sucks in mozilla, at least their news section

      I just looked at it; it looked fine apart from all the weird letters I don't know how to read.

      What's the problem?

    10. Re:Why two lists? by Anonymous Coward · · Score: 0

      I just looked at it; it looked fine apart from all the weird letters I don't know how to read.

      The news part, as I said. Unfortunately, it takes knowing Russian to figure out on which link to click, but, since you asked, here it is:

      http://www.gazeta.ru/lenta.shtml

    11. Re:Why two lists? by Anonymous Coward · · Score: 0

      Yes, there are. One is for IE, and one - for everything else.

      (Yes, I am expecting flames to correct my narrow view of internet and tell me that there is more than just web browsing, blah,blah. But you see my point, don't you?)


      No, I don't. Can you please explain?

    12. Re:Why two lists? by Anonymous Coward · · Score: 0

      That page is not valid HTML. http://www.gazeta.ru/intnews.shtml is not valid either, but it seems to display ok for me in Firebird (and I assume Mozilla would display it fine as well). It still looks like crap though, mainly because of their attempts to abuse frames. Send them an email and ask them to fix it.

    13. Re:Why two lists? by Anonymous Coward · · Score: 0

      No, I don't. Can you please explain?
      No. If you don't get it, I am sorry, truly sorry, but you either have been living under a rock for the past few years, or do not speak English...

    14. Re:Why two lists? by Anonymous Coward · · Score: 0

      oh, sure, HTML there is crap. That's not the point. 90% of websites out there seem to think that if it looks OK in IE, it's good enough. gazeta.ru looks OK in IE. That's not good enough. Incidentally, nobody cares.

  14. Here's the top 20 should it become unreachable by fuzzix · · Score: 0, Redundant

    Top Vulnerabilities to Windows Systems
    # W1 Internet Information Services (IIS)
    # W2 Microsoft SQL Server (MSSQL)
    # W3 Windows Authentication
    # W4 Internet Explorer (IE)
    # W5 Windows Remote Access Services
    # W6 Microsoft Data Access Components (MDAC)
    # W7 Windows Scripting Host (WSH)
    # W8 Microsoft Outlook Outlook Express
    # W9 Windows Peer to Peer File Sharing (P2P)
    # W10 Simple Network Management Protocol (SNMP)

    Top Vulnerabilities to UNIX Systems
    # U1 BIND Domain Name System
    # U2 Remote Procedure Calls (RPC)
    # U3 Apache Web Server
    # U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
    # U5 Clear Text Services
    # U6 Sendmail
    # U7 Simple Network Management Protocol (SNMP)
    # U8 Secure Shell (SSH)
    # U9 Misconfiguration of Enterprise Services NIS/NFS
    # U10 Open Secure Sockets Layer (SSL)

    Full text too huge to even think about posting...

  15. FTP by abertoll · · Score: 1

    FTP is a pretty universal tool... is there any significant headway on replacing FTP with something more secure?

    --
    "he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
    1. Re:FTP by EvilStein · · Score: 2, Informative

      Yeah, SFTP/SCP with applications like WinSCP work out as a nice replacement.
      There are several "FTP apps" that support SFTP.

      Dreamweaver allows you to do SFTP/SCP via PuTTY, too.

    2. Re:FTP by vladkrupin · · Score: 1

      scp... errr... sftp or anything else sent over an ssh tunnel, if you need it for your own purposes only. If you need to have other people access some data, I guess you are stuck choosing between ftp and https. At least, I don't know of any replacements that can be reasonably expected to reside on most people's computers without the need to install them first.

      --

      Jobs? Which jobs?
    3. Re:FTP by medina · · Score: 1

      basically take the clear-text tool, prepend an "s" and you're safe :)

    4. Re:FTP by RT+Alec · · Score: 1

      Actually, Dreamweaver requires that you use FTP, and has posted suggestions for tunneling FTP through SSH (e.g. PuTTY). To set this up on the server is not exactly easy, particularly with a firewall on the server (due to the ranges of ports that need to be opened).

      While this can be done, to do so is an error prone task at best, and can easily leave a system more vulnerable. I don't see how, with free libraries available, Macromedia can't just do the responsible thing and bundle SFTP into their otherwise excellent products.

    5. Re:FTP by beakburke · · Score: 1

      macromedia does bundle sftp in the new versions of dreamweaver mx 2004

      --
      ----- Question authority, but not ours. Hate the man, but we're not him.
  16. Sans FBI by Daath · · Score: 1

    "Sans FBI" isn't that French for "Without FBI"?
    Interesting though, that #8 on unix is SSH... That's supposed to be secure! (Yes I've patched!)
    Oh yeah and Apache and other stuff - But most of those are almost always (almost!) misconfigured servers and sloppy admins!

    --
    Any technology distinguishable from magic, is insufficiently advanced.
    1. Re:Sans FBI by theTerribleRobbo · · Score: 0

      > "Sans FBI" isn't that French for "Without FBI"?

      No, "sans" is Latin.

      And SANS is an acronym. But you knew that, didn't you? (I hope.)

  17. dhsield.org and isc.sans.org by caluml · · Score: 1

    I haven't been able to get to dshield.org or isc.sans.org for ages now - a few months - with, or without a slashdotting. Anyone else?

    1. Re:dhsield.org and isc.sans.org by Anonymous Coward · · Score: 0

      maybe you made it into their blacklist? try contacting info@dshield.org and see if they can help.

      Or whoever '0wnz' your computer doesn't want you to go there ;-)

    2. Re:dhsield.org and isc.sans.org by caluml · · Score: 1

      That's very interesting. I just SSHd into a box at work, and telnetted to port 80 - boom, there it was. I'm not at all worried about anyone on my box at home - but maybe my cable subnet has been blocked. Aaah well, I don't really care.

  18. Two security specific entries for Linux/Unix by mytec · · Score: 0, Offtopic

    If I'm finger pointing from the Windows side of the fence, I'd laugh that a security library upon which secure applications are built and a protocol to increase security both put one at risk and both made a top ten list.

    Both pieces of software are written by persons with security on their minds. Both pieces of software are written in an open fashion.

    1. Re:Two security specific entries for Linux/Unix by vladkrupin · · Score: 4, Insightful

      I'd laugh that a security library upon which secure applications are built and a protocol to increase security both put one at risk and both made a top ten list.

      That's exactly why they are there. Not because they are so badly broken (I bet 99% of apps and libs out there are more broken), but because them being broken is really-really critical. As you said, other apps are built on top of them, so that fact alone will nominate them for that list, no matter how minor or hard-to-exploit the holes are.

      The report doesn't try to list the worst or the least secure software. Instead, it tries to list the software that has the greatest potential to cause havoc. And, if anything, I am truly impressed at how responsive the developers are and how quickly the holes are plugged, and, most importantly, how open they are about that.

      --

      Jobs? Which jobs?
    2. Re:Two security specific entries for Linux/Unix by mytec · · Score: 0

      I absolutely agree with what you wrote. Both teams for OpenSSL and OpenSSH have been *very* responsive and very professional about the situation. Not only that but the various communities behind each product are always helpful in times of patching and understanding the extent of the situation.

      I was simply finding a sort of irony to two of the entries.

  19. Re:But the 10 most critical Security Vulnerabiliti by airrage · · Score: 4, Insightful

    My first reaction is to "ditto" your comment. But I can't. I can't because I can't blame the end-user for something that isn't their fault.

    Computers basically come from the manufacturer broken. They remain in states of brokenness -- sometimes entering complete brokenness -- and it's all the poor user can do to keep the computer operating.

    It's our fault as IT professionals to make computers more like ... refrigerators, for lack of a better simile.

    I can't blame the user for software that contains vulnerabilities which they don't (and shouldn't) have the comprehension or time to understand. I can't blame the user for default settings on devices that are delivered unmodified. I can't blame the user for software that allows a person to accomplish something they shouldn't.

    Yeah, I think my answer is better.

    --
    "This isn't a study in computer science, it's a study in human behavior"
  20. hurdy gurdy wurdy furdy by segment · · Score: 1

    U3 Apache Web Server
    Shouldn't they have stated misconfigurations of Apache...

    U8 Secure Shell (SSH)
    Oxymoron seeing this here. Secure Shell...

    U10 Open Secure Sockets Layer (SSL)
    Yay another oxymoron, or according to Bush: An oxycontin!

    Multiple vulnerabilities have been found in OpenSSL, of which the most serious are the set of 4 vulnerabilities listed in CAN-2002-0655, CAN-2002-0656, CAN-2002-0557, and CAN-2002-0659. These allow the remote execution of arbitrary code as the user of the OpenSSL libraries (which in some cases, such as 'sendmail', is the 'root' user).
    Who the hell uses sendmail as the root user anyway? Please email me if you do so, so I could laugh at you.

    SANS should have been more responsible and stated 'Certain versions' of these programs have vulnerabilities as opposed to claiming the entire service is out of whack. For instance OpenSSL's vulns are so small one would have to whip out a microscope to see what it really is. They should have also stated 'misconfigurations' in certain daemons (httpd) as opposed to flagging something as insecure. Remember people are the cause of most errors and misconfig crap anyway. Maybe they can go back and post a link to "My Webserver Secure for Dummies" I mean what the fsck?
    1. Re:hurdy gurdy wurdy furdy by woozlewuzzle · · Score: 5, Insightful

      you're missing the point. They aren't trying to criticize these products. They are letting administrators know what services are being successfully attacked the most. If you are a decent admin that isn't totally overworked, you've probably already patched and secured these services if you are running them. That is the point. They don't have the same agenda as many of the butt munches on /.

    2. Re:hurdy gurdy wurdy furdy by vladkrupin · · Score: 1

      Oxymoron seeing this here. Secure Shell... ...until that oxymoron exploits your openssh...

      U10 Open Secure Sockets Layer (SSL) ... or your openssl... Both had more than enough holes lately to warrant even higher placements on that list, IMHO.

      --

      Jobs? Which jobs?
    3. Re:hurdy gurdy wurdy furdy by woozlewuzzle · · Score: 0, Offtopic

      OK So I f-ed up my html tags and made it all bold. 1. Sue me 2. ???? 3. Profit!

    4. Re:hurdy gurdy wurdy furdy by segment · · Score: 1

      Bah... They should have stated which services were actually used to access machines. If that's the case, what are the stats for false positives. Meaning are numbers for something like a Scan included. Remember scanning is done daily by millions, should this be considered an attack? Consider this... If someone scans a machine and they have no intentions of attacking it, but something done out of curiosity or some stupid reason, IDS' often see this as an attack. How did SANS gather their data, and if something like an IDS (Snort/Intrusion.com products, et al) detect some scan, did they unknowingly fudge numbers?

      TBH I wouldn't care since it really doesn't affect me...

    5. Re:hurdy gurdy wurdy furdy by woozlewuzzle · · Score: 1

      Well, since the article (you did read the article didn't you?) said that it is based on the

      "most commonly exploited vulnerable services "

      not probed, or scanned, but exploited, I'd have to say that the list is probably more helpful than you give it credit for.

      The origin of the list was at NASA. Read more about it here:

      http://www.fcw.com/fcw/articles/2002/1014/mgt-nasa-10-14-02.asp

    6. Re:hurdy gurdy wurdy furdy by valdis · · Score: 1

      "Who the hell uses sendmail as the root user anyway? Please email me if you do so, so I could laugh at you."

      1) The setuid bit was removed in Sendmail 8.12.0, but there's a lot of 8.9.3 and 8.10.x and 8.11.x versions still out in the field.

      2) Note that you *can* use the 'RunAsUser' option so the sendmail that's listening on port 25 and running your queue and all that stuff doesn't run as root - but then a lot of things break. The most notable breakage is that .forward processing gets hosed (because once it's running as non-root, it can't set its UID to the recipient of the mail, so any programs/etc run out of .forward don't get run as the right userid....).

  21. The best line therein by proj_2501 · · Score: 1

    Under U5. Clear Text Services:

    # ngrep assword

    1. Re:The best line therein by jkovach · · Score: 1

      Actually, that's probably not a typo. Since grep is by default case sensitive, grepping for "assword" you will find occurrences of both "Password" and "password". Of course, "grep -i password" would do the same thing, but it's more keystrokes, so why bother?
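
      As an added example (not from the SANS document or from anyone in this thread): the same case-sensitive substring trick applied as a detection check rather than a one-liner. The input is a constructed set of application-layer lines of the kind a sniffer on a monitoring port would reassemble (labelled as constructed in the code; no real traffic). Beyond the plain "assword" match it recognises the protocol-specific shapes of an FTP/POP3, telnet-style or HTTP Basic credential, redacts the secret before reporting, and counts hits per service so an admin knows which clear-text services (U5) still carry logins and need replacing.

```python
import re

# Constructed sample of application-layer lines, in the shape a sniffer on a
# monitoring port would reassemble them. Not real captured traffic.
SAMPLE_LINES = [
    "220 ftp.example.test FTP server ready",
    "USER alice",
    "PASS hunter2",
    "login: bob",
    "Password: s3cret",
    "+OK POP3 ready",
    "USER carol",
    "PASS qwerty",
    "GET / HTTP/1.1",
    "Authorization: Basic YWxpY2U6aHVudGVyMg==",
    "SSH-2.0-OpenSSH_3.7",
    "assword is not a word",
]

# The case-sensitive trick from the SANS text: "assword" is a substring of
# both "Password" and "password", so no case folding is needed.
ASSWORD = re.compile(r"assword")

# Protocol-specific shapes of a credential sent in the clear. The last group
# in each pattern is the part that must never appear in a report.
CLEARTEXT_AUTH = [
    ("ftp/pop3", re.compile(r"^(USER|PASS)\s+(\S+)", re.I)),
    ("telnet/rlogin", re.compile(r"^(login|Password):\s*(\S+)", re.I)),
    ("http-basic", re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I)),
]


def assword_hits(lines):
    """1-based line numbers the plain substring search would flag."""
    return [n for n, line in enumerate(lines, 1) if ASSWORD.search(line)]


def redact(line, match):
    """Keep the protocol keyword, drop the secret itself."""
    return line[: match.start(match.lastindex)] + "<redacted>"


def find_cleartext_auth(lines):
    """Return (line_no, service, redacted_line) for each cleartext credential."""
    findings = []
    for n, line in enumerate(lines, 1):
        for service, pattern in CLEARTEXT_AUTH:
            m = pattern.match(line)
            if m:
                findings.append((n, service, redact(line, m)))
                break
    return findings


def services_needing_replacement(lines):
    """Findings per service: the list an admin works from when retiring ftp/telnet/pop3."""
    counts = {}
    for _, service, _ in find_cleartext_auth(lines):
        counts[service] = counts.get(service, 0) + 1
    return counts


if __name__ == "__main__":
    for n, service, shown in find_cleartext_auth(SAMPLE_LINES):
        print(f"line {n:2d} {service:14s} {shown}")
    print(services_needing_replacement(SAMPLE_LINES))
```

      Note that the plain "assword" search flags the harmless last line and misses the FTP PASS line entirely, while the protocol patterns catch the credential without ever writing it to the report.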

    2. Re:The best line therein by proj_2501 · · Score: 1

      I figured that, but an official document with "assword" in it? PRICELESS.

  22. Hmm... by dasmegabyte · · Score: 2, Insightful

    Looks like Dan Bernstein was on to something when he said BIND's design was fundamentally flawed and would result in vulnerability after vulnerability. Just goes to show you that sometimes the most paranoid among us can still be on to something.

    --
    Hey freaks: now you're ju
    1. Re:Hmm... by Electrum · · Score: 1

      Looks like Dan Bernstein was on to something when he said BIND's design was fundamentally flawed and would result in vulnerability after vulnerability. Just goes to show you that sometimes the most paranoid among us can still be on to something.

      You are referring to these pages:

      http://cr.yp.to/djbdns/blurb/unbind.html

      http://cr.yp.to/djbdns/blurb/security.html

    2. Re:Hmm... by dmiller · · Score: 1

      Most of the problems with bind have been with versions 4 and 8. bind 9 was a complete redesign and has proved itself to be much more secure.

  23. BIND again? by Kreeblah · · Score: 0

    *sigh* BIND has been known to be an exceedingly insecure DNS implementation for . . . how long now? And it's still being used? *glares at root server operators* I realize that not everybody patches their servers, but . . . DNS is the backbone of virtually everybody's Internet connection, once a physical connection has been established. Honestly, very few people have the IP addresses to sites or servers they use memorized, or have them hard-coded in hosts files. Anybody running a DNS server should have an obligation to prevent it from being compromised, even more so at the higher areas in the DNS hierarchy.

  24. The forgotten vulnerability... by JRHelgeson · · Score: 3, Funny

    I think they forgot to mention the /. effect as being one of the greatest threats on the net. It should rank up there towards #1 on both Windows & Unix.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  25. Missed the point by IdleLay · · Score: 1

    I think the list missed the point a bit. Although they have listed the most vulnerable apps, it should be ordered to balance against what is most likely to cause the most detrimental effect to the internet and not just what application is vulnerable if they were accessible over the internet.

    Bind, if the current version is vulnerable (AFAIK it is not) then that should be at the top of the list.

    OpenSSH - patch available almost immediately and firewall configured already to accept only traffic from known hosts.

    As for the rest - I have to base my judgement upon my experience over the last year or so. In this case, I have been affected most by worms such as Code Red and MSBlaster etc.. Even though I have not been infected by these worms personally, the traffic which they generated on the internet has caused the most problems in securing systems and ensuring availability.

    1. Re:Missed the point by woozlewuzzle · · Score: 1

      Who missed the point?

      Did you read what the list is supposed to signify?

      sheesh!

    2. Re:Missed the point by IdleLay · · Score: 1

      did indeed... read it again just now too.

    3. Re:Missed the point by woozlewuzzle · · Score: 1

      Try this bit:

      "This updated SANS Top Twenty is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX and Linux. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services."

      make more sense??

    4. Re:Missed the point by IdleLay · · Score: 1

      It does indeed... I appreciate your view. What my comment was asking was whether they should not balance this against what can cause the most detrimental impact on the internet as a whole.

    5. Re:Missed the point by woozlewuzzle · · Score: 1

      I think places like the Internet Storm Center http://isc.sans.org/
      keep track of the impact more.

      For a list to be of use, it kind of needs to remain focused. As I mentioned in another response, NASA had done a study that found that addressing only the Top 20 resulted in a decrease of (I think) 90% of successful attacks.

      This is an important bit of info for the overworked admin. Whack those 20 first and get the rest after (assuming enough time after :-)

    6. Re:Missed the point by IdleLay · · Score: 1

      OK... I guess that I am also surprised that Windows RPC did not make "The Twenty Most Critical Internet Security Vulnerabilities" given the recent impact that it had.

  26. To summarize (or generalize) by johnlcallaway · · Score: 3, Informative
    Windows break/Fixes can simplistically be broken down this way:
    • W1 Internet Information Services (IIS) - Keep it patched
    • W2 Microsoft SQL Server (MSSQL) - Keep it patched and don't connect it to the web
    • W3 Windows Authentication - Create and enforce password policies
    • W4 Internet Explorer (IE) - Keep it patched
    • W5 Windows Remote Access Services - Don't use it/keep it patched/hack the registry
    • W6 Microsoft Data Access Components (MDAC) - Keep it patched
    • W7 Windows Scripting Host (WSH) - Disable it
    • W8 Microsoft Outlook Outlook Express - Remove it
    • W9 Windows Peer to Peer File Sharing (P2P) - Don't install it
    • W10 Simple Network Management Protocol (SNMP) - Disable it unless you know what you are doing
    Unix break/Fixes can simplistically be broken down this way:
    • U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
    • U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
    • U3 Apache Web Server - Don't install it except on web servers and only install modules you need
    • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords - Create and enforce password policies
    • U5 Clear Text Services - Don't install them, use alternatives
    • U6 Sendmail - Don't install, use an alternative, and only install on mail servers
    • U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
    • U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
    • U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
    • U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
    The best choice is if you don't need it, don't install it. If software isn't on the machine, it can't be hacked.

    Of course, with Unix, at least you have that choice......
    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
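
    As an added example (mine, not the poster's or SANS's): the "if it isn't on the machine it can't be hacked" rule turned into a check. It parses a constructed `netstat -tuln` style listing (labelled as constructed in the code; not a real host) and compares every non-loopback listener against an allowlist for the host's role, naming the Top 20 entry each stray listener corresponds to. The port-to-entry map and the role allowlists are my assumptions for illustration, not part of the SANS list.

```python
# Constructed sample in the style of `netstat -tuln` on a Linux host.
# Not output from a real machine.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
"""

# Which Top 20 entry a listening (proto, port) usually belongs to. Assumed
# mapping for the example; the SANS list itself names services, not ports.
TOP20 = {
    ("tcp", 21): "U5 Clear Text Services (ftp)",
    ("tcp", 23): "U5 Clear Text Services (telnet)",
    ("tcp", 25): "U6 Sendmail",
    ("tcp", 53): "U1 BIND", ("udp", 53): "U1 BIND",
    ("tcp", 111): "U2 RPC (portmapper)", ("udp", 111): "U2 RPC (portmapper)",
    ("udp", 161): "U7 SNMP",
    ("tcp", 2049): "U9 NFS", ("udp", 2049): "U9 NFS",
    ("tcp", 22): "U8 SSH",
    ("tcp", 80): "U3 Apache",
    ("tcp", 443): "U3 Apache / U10 OpenSSL",
}

# What each host role is allowed to expose. Assumed policy for the example.
ROLE_ALLOW = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "dns": {("tcp", 22), ("tcp", 53), ("udp", 53)},
    "mail": {("tcp", 22), ("tcp", 25)},
}


def parse_listeners(netstat_text):
    """Return (proto, address, port) for each listening socket in the listing."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue  # header line or something we do not model
        if parts[0] == "tcp" and (len(parts) < 6 or parts[5] != "LISTEN"):
            continue  # established/closing tcp sockets are not listeners
        addr, port = parts[3].rsplit(":", 1)
        listeners.append((parts[0], addr, int(port)))
    return listeners


def is_loopback(addr):
    """Loopback-only listeners are not reachable from the network."""
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit_listeners(netstat_text, role):
    """Listeners outside the role's allowlist, each tagged with its Top 20 entry."""
    allowed = ROLE_ALLOW[role]
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if is_loopback(addr) or (proto, port) in allowed:
            continue
        label = TOP20.get((proto, port), "not in the Top 20, but still exposed")
        findings.append((proto, port, label))
    return findings


if __name__ == "__main__":
    for proto, port, label in audit_listeners(SAMPLE_NETSTAT, "web"):
        print(f"{proto}/{port:<5} should not be listening on a web server: {label}")
```

    On the sample the web-server role leaves ssh and http alone, ignores sendmail bound to 127.0.0.1, and reports the portmapper, the externally bound sendmail, telnet, SNMP and NFS as the things to remove or firewall first.
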
    1. Re:To summarize (or generalize) by stratjakt · · Score: 1

      Of course, with Unix, at least you have that choice.....

      No one forces anyone to use IE, IIS, SQL Server, Outlook or Outlook express. I have none but IE on my machine, and I don't use IE to browse outside of my local network (seeing as explorer is the same thing).

      Of course, with Windows, at least you have alternatives......

      How do I replace ssh, or ssl? Which VPN do you propose, all the open source ones are pretty damn insecure by themselves.

      I'm sick of the retarded nerd wangstroking. It's completely counterproductive, and gives unix users a false sense of security, and windows users a false sense of alarm.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:To summarize (or generalize) by Anonymous Coward · · Score: 1, Informative

      Unix break/Fixes can be simplistically be broken down this way:

      * U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
      Good advice -- only use domain name services on a DNS server.

      * U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
      NFS? It's still one of the fastest solutions.

      * U3 Apache Web Server - Don't install it except on web servers and only install modules you need
      Only run Apache on web servers. I understand your thinking after reading the DNS thing.

      * U6 Sendmail - Don't install, use an alternative, and only install on mail servers
      And sendmail on mail servers. It's becoming clearer.

      * U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
      Home grown alternatives are worse.

      * U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
      It's 3am. The fan is dirty and you're in transit. A VPN won't save you but secure access from the general internet will. And what exactly, is the VPN providing that SSH doesn't?

      * U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
      Never cared much for working servers and setting up accounts (and deleting them) on 200 boxes is so much fun.

      * U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
      Now how are you going to get that VPN working that you love so much?

      This is mature stuff that does real work. I have mountains of respect for it and you're advocating DOS 3.

    3. Re:To summarize (or generalize) by Master+Bait · · Score: 1
      Of course, with Windows, at least you have alternatives......

      I wonder... does Windows still have the vulnerability to execute any file if its name ends with .exe, .com, or .bat? Surely this is fundamentally insecure. What wonders would crash upon the world if any UNIX system would automatically assign execute bits to a file just because its name ended with .sh or .bin!

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    4. Re:To summarize (or generalize) by Anonymous Coward · · Score: 0

      Nicely summarised. A side note, however:

      "install this only" instructs the user to install [this] and install nothing else.

      "only install this" -- instructs the user to perform the installation, and do nothing but perform the installation (i.e. do not configure it, do not use it, do not pass go, etc.).

    5. Re:To summarize (or generalize) by Anonymous Coward · · Score: 0

      Windows NT (NT 4, 2k, XP, and 2k3) has ACLs. So sure, you can execute anything that ends in .exe, as long as you have the permission to do so. Which is exactly like the UNIX world, where anyone with the power to make a file executable can do so. I'm not really sure what your point is.

    6. Re:To summarize (or generalize) by Anonymous Coward · · Score: 0

      W4 Internet Explorer (IE) - Keep it patched

      I respectfully disagree--this is one where you DON'T USE IT. 99% of the web works fine in Mozilla these days; the only thing I even use IE for is WindowsUpdate. You may also use it for any site that you can't do without visiting that only works in IE, but I haven't seen very many of those.

    7. Re:To summarize (or generalize) by johnlcallaway · · Score: 1

      To address a few valid things you brought up --

      NIS/NFS/RPC --- yeah, not having it sucks. But having it also sucks. Using it inside a network on workstations that don't have inbound internet access?? OK, I'll buy that. NIS+, limited usage, NFS mounting of only the home directory. Using them on production servers in a system that transfers money?? I don't think so.

      SSH/VPN access to remote servers -- I had a job where I managed several Sun servers remotely. We used a vpn into the office from home/laptops, then another vpn/ssh to an admin server that would only accept public/private key (long pass phrases) authentication from specific IP addresses, then ssh to the servers that would only accept private/public key authentication from the admin servers. Plus a few other things in the way I won't go into. Was it perfect? No, but at least someone had to do a lot of work to figure it out. Root could not create an ssh connection, you had to log in as yourself and su to root.

      SNMP/Remote monitoring -- one-way monitoring, production servers send specific info to monitor servers, who gather and forward it to the main monitoring service. No heartbeat? time for an alert. Routers and such send syslog info to syslog server. Perfect? No, but you had to be inside on the secure network to do anything, and we would have been toast by then anyway.

      SSL -- Don't get that, you don't need SSL for VPN. At least I don't think so.

      --
      I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
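
      As an added example (mine, not the poster's setup or any project's code): the admin-server rules described above, no root logins over ssh, key-only authentication, named users from specific addresses, expressed as an sshd_config audit. Both configs are constructed for the example (labelled as such in the code), the default values applied for absent keywords are my assumption about OpenSSH of that period, and the parser assumes a flat file without Match blocks.

```python
# Constructed examples, not a real host's sshd_config.
WEAK_CONFIG = """\
# stock-looking sshd_config of the period
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# admin-server style: key-only, no root, named users from named addresses
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice@192.0.2.10 bob@192.0.2.*
"""

# Values sshd applied when a keyword was absent. Assumed here for OpenSSH of
# that era (root login and password auth were on unless switched off).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "protocol": "2,1",
}


def parse_sshd_config(text):
    """Lowercased keyword -> value. sshd honours the first occurrence of a
    keyword, so later duplicates are ignored. Assumes a flat file: Match
    blocks are not modelled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Names of the rules the config fails, in a fixed order."""
    conf = parse_sshd_config(text)

    def effective(key):
        return conf.get(key, DEFAULTS.get(key, "")).lower()

    failed = []
    if "1" in effective("protocol").replace(" ", "").split(","):
        failed.append("protocol")  # SSH-1 still offered
    if effective("permitrootlogin") != "no":
        failed.append("permitrootlogin")  # log in as yourself, then su
    if effective("passwordauthentication") != "no":
        failed.append("passwordauthentication")  # keys only, with long passphrases
    if effective("pubkeyauthentication") != "yes":
        failed.append("pubkeyauthentication")
    allow = conf.get("allowusers")
    if allow is None or any("@" not in entry for entry in allow.split()):
        failed.append("allowusers")  # every user pinned to a source address
    return failed


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "ok")
```

      The AllowUsers check uses the user@host form so that a stolen key is still only usable from the admin hosts; the firewall in front of the box is the second layer and is outside what this script can see.
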
    8. Re:To summarize (or generalize) by johnlcallaway · · Score: 1

      Can we both agree?? I said keep it patched, not use it. It is on the Windows machine, you have to have it because you can't get rid of it. Therefore, you have to patch it. Which was one of the points I was trying to make. Windows machines create insecurity by requiring the installation of software you may not use or need.

      Now, they are ingraining DRM into the kernel and god knows what else. All will have to be routinely patched, even on servers that have nothing to do with the Internet or MP3s.

      --
      I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
    9. Re:To summarize (or generalize) by johnlcallaway · · Score: 1

      You just proved my point. You HAVE to have IE on the machine, you can't get rid of it even if you don't use it. Therefore, you have to constantly patch it.

      To your other point, there are both open source and commercial versions of SSH, VPN, and SSL. Because there are options, it is very difficult for one security hole to affect all Unix servers.

      Real, secure Unix servers are built secure from the ground up. Real, secure Unix servers have special installation procedures that do not install software they don't need and don't have to rely on the network to remain secure. Windows servers have to be built and then secured by registry hacks, disabling software, etc, and rely partly on network security to remain that way. There is a huge difference in the security models because of it.

      And if you don't understand the difference, you shouldn't be an admin.

      --
      I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
  27. Re:But the 10 most critical Security Vulnerabiliti by fuzzix · · Score: 2, Interesting

    How many of them have a computer because the MS WinXP advert convinced them they should own one?

    There's a friend of mine whose mother bought a top range piece of kit a couple of years back. What did she do with it? She dusted it and showed it to visitors because when she sat down and said "I want to see The Sound of Music" it didn't work.

    You can't even begin to explain security to someone like that. Who's to blame? M$? The company who built it? The guy who sold it to her? My friend for not having the patience to explain how to use it?

  28. It's funny... by FreeLinux · · Score: 1

    The number two Unix vulnerability was RPC, which I was not aware of. However, the last two major windows vulnerabilities were both with the same Windows RPC service and yet that didn't make the list at all. MS Blaster was an exploit of the RPC vulnerability.

    1. Re:It's funny... by medina · · Score: 1

      See

      http://isc.sans.org/top20.html#w5

      W5 Windows Remote Access Services

      Includes
      Remote Procedure Calls
      Many versions of Microsoft operating systems...One of these vulnerabilities was exploited by Blaster/MSblast/LovSAN and Nachi/Welchia worms. There are also other vulnerabilities that would allow attackers to mount Denial of Service attacks against RPC components.

  29. while we sit here by wmaker · · Score: 1

    While we sit here discussing the major vulnerabilities in unix and windows, and how to exploit them, my boss and his secretary are sitting in the other room putting their minds together trying to figure out how to transfer a file in ASCII mode with WSFTP...

    One of the things I find most amusing about this is the fact that I work at a university, and they are FTP'ing into a state ftp server to upload Vendor Reports (whatever those are). Too bad I left my laptop with 'dsniff' on it at home.

    now, tell me that number 1 on both lists shouldn't be 'human stupidity'

    1. Re:while we sit here by Anonymous Coward · · Score: 0
      now, tell me that number 1 on both lists shouldn't be 'human stupidity'

      I'd say it should be people who whine about the stupidity of others rather than teaching them how to do things properly.

      Get over yourself and use what you know to help someone.

  30. A waste of time? by thesupraman · · Score: 2, Interesting


    Well, this list looks very foolish to me.

    Firstly, why two separate lists? Are they saying there are as many unix security violations as windows? I wonder what colour the sky is in their world.

    Secondly, just look at the lists.. a large number of the windows services are 'essential' (well, if you believe microsoft) for a windows server.
    Most of the Unix services are easily replaceable with effectively identical but more secure options.
    Anyone who runs sendmail rather than postfix gets all they deserve.
    RPC? why on earth would you make that available? NFS is hardly essential these days.
    No password accounts? my god - I never realised that was forced on you by unix! :P
    Bind? there are certainly secure alternatives to BIND (djbdns, for one) - and even BIND should be running chrooted anyway..
    And clear text services? why don't they point out that situating your critical servers outside on the street is also a security risk!

    My point is that nearly all of the unix 'problems' are very easy to avoid, or are only problems for very short times (the SSH/SSL problem, for example) - the majority of the windows 'problems' are almost impossible to avoid, patches come late, and sometimes even make things worse.

    I see windows machines being virused/hacked about once a month (and trust me - I try to stop this a lot, as it makes my life very difficult) - I've only ever had ONE linux machine hacked in around 4 years - through a sendmail hole, and I stopped running sendmail everywhere the next day (it took about 1 hour to change 5 servers to postfix)

    These lists need some form of relative threat rating on these problems!

    1. Re:A waste of time? by stratjakt · · Score: 1

      Firstly, why two separate lists? Are they saying there are as many Unix security violations as Windows? I wonder what colour the sky is in their world.

      Because these aren't zealot slashdorks with a lame "you suck!" agenda. They're merely listing what can and has been successfully hacked.

      If you want to stick your head in the sand and pretend all unix boxes are inherently impenetrable, go ahead.

      This has nothing to do with "threat ratings" or ego stroking, or a wang sucking contest between linus and bill.

      It's about letting admins know where the vulnerabilities are on their machines.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:A waste of time? by Chops · · Score: 1
      Firstly, why two separate lists? Are they saying there are as many Unix security violations as Windows? I wonder what colour the sky is in their world.

      Probably, they're trying to avoid touching off exactly this sort of religious flaming... maybe they judge that "mine is bigger than yours" is a poor addition to any discussion of security, even if (or maybe even especially if) there is some discernible difference in size between the... er.. security records in question.

      Windows's poor security track record is irrelevant to the approach a skilled Unix admin needs to take to securing a network, and vice versa.
    3. Re:A waste of time? by iabervon · · Score: 1

      Two separate lists are useful because they have different target audiences. It doesn't matter how critical a Windows flaw is, there's absolutely nothing I can do about it, because I don't use Windows.

      Of course, there's relatively little point in having a yearly report about Unix vulnerabilities, since that's laughably infrequent to think about security in the Unix world.

    4. Re:A waste of time? by theCoder · · Score: 1

      While I agree with most of what you said...

      RPC? why on earth would you make that available? NFS is hardly essential these days.

      I use NFS both at work and on my home network every day. At work, there is no data stored on the local machine. I do everything over NFS mounts. And I couldn't imagine not using it.

      Of course, if you mean offering NFS over a public network like the Internet, then I wholeheartedly agree. But on a private network, it's invaluable.

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    5. Re:A waste of time? by pavon · · Score: 1

      Because the purpose of this list isn't about which software is the most secure. It's about what system admins need to do with the systems they have, be it Windows or Unix. Even admins running the most secure software in the world need to be vigilant about their system.

      Now you could say that a decent system admin should already know everything on this list, and should have fixed it. I agree, but we know for a fact that not all system admins do this, either out of ignorance or lack of time. That is the whole point of the list: if we just fixed these 20 relatively easy things, it would take care of the majority of security problems that exist today.

      So consider this list a wake-up call: if any of these points apply to any of your systems, you need to fix them now!

    6. Re:A waste of time? by Anonymous Coward · · Score: 0

      I see windows machines being virused/hacked about once a month (and trust me - I try to stop this a lot, as it makes my life very difficult) - I've only ever had ONE linux machine hacked in around 4 years - through a sendmail hole, and I stopped running sendmail everywhere the next day (it took about 1 hour to change 5 servers to postfix)

      In my 10 or so years of messing around with Linux and Windows, I have only been hacked once, and it was when I was running Linux. It was back when all there was to be had was either Windows 95 or Linux, and I hated Windows 95. At the time I was fairly new to Linux, and my first installation was Slackware. I had a good root password, and all that, but I think one of the services I was running was severely flawed. At the time I was signed up to a dynamic DNS service to use with my dialup account, but I was usually logged on all the time anyway. Well, one day I couldn't even log into my own machine, and was really pissed off. It was my only computer and I didn't really want to hack back in just to later find some rootkit installed, so I really had no choice but to just format and start over. I have since moved on to greener pastures (RedHat Linux and Windows XP), but I will never forget getting hacked. It all comes down to how much you know, and to knowing the possibility of always getting hacked, regardless of what OS you run. The reason most of these Windows machines are getting hacked is because of stupid admins who just install the server software and set up what they need, without thinking of what they DON'T need. There are also the cases where there ISN'T even an admin, where the small company has their "computer guy" doing the work, someone who doesn't even know the difference between Windows 2000 Professional and Windows 2000 Server.

  31. The Unix ones are not all Unix specific by EmbeddedJanitor · · Score: 1, Insightful
    Weak passwords, clear text in HTTP, FTP etc. are hardly Unix specific and would also feature on the Windows list, though lower down.

    That these folks had to dig so deep to find 10 Unix vulns heartens me. Apart from BIND, what this says to me is the worst Unix vulnerabilities are only as bad as the fifteenth or twentieth placed Windows ones.

    --
    Engineering is the art of compromise.
    1. Re:The Unix ones are not all Unix specific by thebatlab · · Score: 1

      The authentication issue is mentioned in the Windows list as well at #3 so they did account for that.

      The clear text part though doesn't seem to be accounted for in Windows systems unless you count it mentioning IIS. Though I suppose you could view it as them realizing it's a UNIX controlled server world so this is more prevalent on UNIX machines than Windows, and also the fact that Windows has other more pressing vulnerabilities ahead of clear text protocols.

    2. Re:The Unix ones are not all Unix specific by Anonymous Coward · · Score: 0

      In general, Windows is much more equipped to handle hashed passwords than yer typical Unix distro.

      For example, IIS accepts "lanman" hashes by default. All RPC and filesharing uses hashed passwords. Etc.

      Of course, that's not to say there aren't problems (like weak hash algos in older versions), but Windows just does not have the tradition of cleartext network services like Unix has.

    3. Re:The Unix ones are not all Unix specific by Anonymous Coward · · Score: 0

      Umm, Linux does that too. Samba has supported encrypted password hashes for quite a while now. I really dunno what you're talking about, unless it is Windows using the same hashes for all their machines where Linux/Unix mixes one up for each machine.
      Unless Microsoft fixed it in their last service pack that hasn't been released yet, once you figure out the hash sequence for a Microsoft machine you can use it to decrypt hashes on all their machines.

    4. Re:The Unix ones are not all Unix specific by Anonymous Coward · · Score: 0

      Samba does what Windows does. The point is that there's no general infrastructure for this sort of thing in Unix.

  32. weak passwords in mac os x by Elwood+P+Dowd · · Score: 3, Interesting

    Does anyone know a good way to make Mac OS X pay attention to passwords longer than 8 characters long?

    Are there any caveats?

    Sorry this is off-topic, it just always annoyed me. I can type fast enough that I'd prefer to have something like this as my password: "I have the most t76uDDd password ever. BTW your mom says hi."

    --

    There are no trails. There are no trees out here.
    1. Re:weak passwords in mac os x by Anonymous Coward · · Score: 0

      Does anyone know a good way to make Mac OS X pay attention to passwords longer than 8 characters long?


      Yup. It's called Panther, and it's available at the end of October.

      Sorry, had to say it.

    2. Re:weak passwords in mac os x by Elwood+P+Dowd · · Score: 1

      Oh. I totally missed that.

      Rad.

      --

      There are no trails. There are no trees out here.
    3. Re:weak passwords in mac os x by jaymzter · · Score: 1

      First let me say I know nothing about Mac OSX, so YMMV. From what I understand 8 is the default for most *NIXs and to change it is a compile time option for the kernel which I'm supposing you can't do. If you have an /etc/login.defs, the PASS_MAX_LEN field only specifies how many characters are used when crypt() hashes the password for the md5 output.

      --
      If thou see a fair woman pay court to her, for thus thou wilt obtain love
    4. Re:weak passwords in mac os x by Joshua+Kolash · · Score: 1

      It actually doesn't matter too much; you can have a secure 8 character password. All you need to do is this:

      1. Use both lower and upper case. This brings each char to 48 possibilities.
      2. Use numbers and symbols on the top row and other rows. This will bring the count to 21*2 possibilities, which is 42, so 42+48=90.
      The number of possible passwords is 90^8.
      Now let's see how long it would take to brute-force. Let's assume that testing a key would take the same amount of time as incrementing a register by 1 (in reality it would take longer).

      You can write a simple program to do this in C:
      #include <stdio.h>
      int main (){
          unsigned int i=0; /* int is 32 bits on OS X */
          i++;
          while(i++){}      /* runs until i wraps back around to 0: about 2^32 iterations */
          /* build without -O, or the compiler may optimise the empty loop away */
          return 0;
      }

      copy and paste that into a test.c file and in the terminal type:

      cc test.c -o test
      /usr/bin/time test

      On my machine it outputs this:
      64.68 real 32.67 user 0.82 sys

      It takes about 32 seconds to go through 2^32 combinations. Now let's divide the number of possible keys by the number of keys the program gets through in that time:
      90^8/2^32=1002259. So it would be 30sec * 1002259, which is 30067770 seconds. 30067770/60 is 501129 minutes. 501129/60 is 8352 hours. 8352/24 is 348 days. About 1 year to crack your password (it would actually take longer). Here is a formula for you.

      1002259*time/60/60/24

      So some nobody on the internet isn't going to break your password via bruteforce. They are more likely to exploit some program running on your computer. Now suppose someone had a user account on your computer and was able to do this in the terminal:

      nidump passwd .

      This would give some nefarious user the hash and allow them to distribute the cracking across multiple computers. So if someone had a lab of 50 computers all hooked up and was able to create a Rendezvous-enabled password cracker, the time would be drastically reduced.

      1002259*time/60/60/24/50

      If someone had 50 of my computers they could crack the password in 6 days. Not that bad. The nidump hole in OS X is more important to patch than the 8 character password. Because anyone who has a user account can compromise your system. There are various places where you can get the computing power. You can zombify various boxes on the internet or go into a college computer lab.
      If I have made any mistake, post below me.
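      As an added example (not code from the original post or from SANS), here is the calculation above generalised into a small C program. It derives the alphabet from the character classes actually present in the password, applies the 8-character limit of traditional crypt() that this thread is discussing, and spreads the work over N machines. The 8-character limit and the "2^32 guesses in about 30 seconds" rate are taken from the thread; the two sample passwords are constructed. It goes one step beyond the post: it shows that a 60-character passphrase hashed with an 8-character crypt() is no stronger than its first 8 characters, which is the whole reason the parent was asking for longer passwords.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Traditional DES-based crypt() only hashes the first 8 characters of the
   password; anything after that is silently ignored (limit taken from the
   thread above). */
#define DES_CRYPT_MAX_LEN 8

/* Smallest conventional alphabet that covers every character class used in
   the first n bytes of pw: 26 lower, 26 upper, 10 digits and 33 printable
   symbols (space and punctuation), i.e. up to the 95 printable ASCII chars. */
unsigned alphabet_size_n(const char *pw, size_t n)
{
    int lower = 0, upper = 0, digit = 0, symbol = 0;
    for (size_t i = 0; i < n && pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else if (isprint(c)) symbol = 1;
    }
    return 26u * lower + 26u * upper + 10u * digit + 33u * symbol;
}

/* Number of characters the hash actually covers. */
size_t effective_len(const char *pw, size_t max_len)
{
    size_t n = strlen(pw);
    return n < max_len ? n : max_len;
}

/* alphabet^len candidates, as a double so a 60-character passphrase does not
   overflow a 64-bit integer (exact while the value stays below 2^53). */
double keyspace(unsigned alphabet, size_t len)
{
    double k = 1.0;
    for (size_t i = 0; i < len; i++)
        k *= alphabet;
    return k;
}

/* Keyspace an attacker really has to search for pw when the hash truncates
   at max_len: only the classes present in the covered prefix count. */
double effective_keyspace(const char *pw, size_t max_len)
{
    size_t len = effective_len(pw, max_len);
    return keyspace(alphabet_size_n(pw, len), len);
}

/* Worst-case days to exhaust `space` at `rate` guesses per second per
   machine, with the work split across `machines` machines. */
double crack_days(double space, double rate, unsigned machines)
{
    return space / (rate * (double)machines) / 86400.0;
}

static void report(const char *label, const char *pw, size_t max_len, double rate)
{
    size_t len = effective_len(pw, max_len);
    double space = effective_keyspace(pw, max_len);
    printf("%-34s len=%2zu alphabet=%2u keyspace=%9.3g  days: 1 box %9.3g, 50 boxes %9.3g\n",
           label, len, alphabet_size_n(pw, len), space,
           crack_days(space, rate, 1), crack_days(space, rate, 50));
}

int main(void)
{
    /* Guess rate from the post: 2^32 candidates in roughly 30 seconds. */
    const double rate = 4294967296.0 / 30.0;
    /* Constructed sample passwords, not real credentials. */
    const char *short_pw = "t76uDDd!";
    const char *long_pw  = "I have the most t76uDDd password ever. BTW your mom says hi.";

    report("8 chars, all classes, DES crypt",    short_pw, DES_CRYPT_MAX_LEN, rate);
    report("60-char passphrase, DES crypt",      long_pw,  DES_CRYPT_MAX_LEN, rate);
    report("60-char passphrase, no truncation",  long_pw,  strlen(long_pw),   rate);
    return 0;
}
```

      Build with `cc estimate.c -o estimate` (no extra libraries). The second row is the one that matters for the parent's question: with an 8-character hash the 60-character passphrase is searched as "I have t", an 85-symbol alphabet, and lands in the same "about a year on one box, a week on fifty" range as the short password; only the third row, where the hash covers the whole string, makes the passphrase worth typing.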

    5. Re:weak passwords in mac os x by Elwood+P+Dowd · · Score: 1

      I know it's possible to have a secure 8 character password. It's more convenient for me to have a longer password that is less secure per character.

      Inconvenient security can be as bad as no security at all, if it leads people to take insecure alternate routes.

      --

      There are no trails. There are no trees out here.
    6. Re:weak passwords in mac os x by Phroggy · · Score: 1

      First let me say I know nothing about Mac OSX, so YMMV. From what I understand 8 is the default for most *NIXs and to change it is a compile time option for the kernel which I'm supposing you can't do. If you have an /etc/login.defs, the PASS_MAX_LEN field only specifies how many characters are used when crypt() hashes the password for the md5 output.

      Wow. Um, hate to say it, but you're completely and totally wrong. For starters, the standard crypt() algorithm, without md5 support, only works on passwords with no more than 8 characters; anything after 8 is ignored. And second, it has nothing whatsoever to do with the kernel; authentication happens entirely in userspace.

      As for the Mac OS X-specific bit, the problem is that Mac OS X doesn't support md5.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  33. Re:But the 10 most critical Security Vulnerabiliti by DrEldarion · · Score: 2, Insightful

    Who's to blame?

    How about the user who doesn't take time to figure out how to work the product they buy?

    Ignorance shouldn't be an excuse. If you bought a car or house and didn't take the time to learn how to lock the doors, everyone would laugh at you when you got robbed. Why shouldn't it be the same way with computers? People should learn how to properly operate things before they use them.

    -- Dr. Eldarion --

  34. Internet vulnerabilities? Hahaha by Anonymous Coward · · Score: 1, Funny

    only 59 comments on the story, and their server's hosed already. And these people are trying to tell us how to keep the net running smoothly?

  35. Unreal by NotoriousBob · · Score: 1

    Of course UNIX has the same # of security issues as Windows. A fleet of http://www.azursoft.fr/gameup.com/dossiers/e3/images/insolite/car-x-box03.jpg wasn't at SANS HQ yesterday for nothing.

    --

    RRS, aka The Notorious BOB
    www.notoriousbob.co.nr
  36. Re:But the 10 most critical Security Vulnerabiliti by woozlewuzzle · · Score: 1

    Are you suggesting that securing Windows is as easy as locking the doors of a car?

  37. And the #1 vulnerability is... by moltar77 · · Score: 4, Informative

    Windows! On a more serious note, the web site listed a very nice link for manually removing Outlook Express. At last I can purge my hard drive of that thing!!

  38. Re:But the 10 most critical Security Vulnerabiliti by DrEldarion · · Score: 1

    Not quite, but going to Windows Update relatively frequently and also actually listening to the people who say "DON'T OPEN E-MAIL ATTACHMENTS" isn't exactly rocket science.

    If every Joe Schmoe user did those two simple things, we'd have a LOT less problems to worry about.

    -- Dr. Eldarion --

  39. Real difference between lists by i.r.id10t · · Score: 1

    The real difference between lists is that on the *nix side, the only problem I see that is related to a machine that is either completely firewalled off or not running the service in question is the weak/no password issue, which is on both lists (what was #11 on each?). Which means that most likely, it is possible to build a non-service offering system that can act just fine as a client and local machine with a *nix (make mine Slackware, thanks!) base.

    The Windows list though contains several other items that users would constantly be using (damn users): email clients and browsers.

    --
    Don't blame me, I voted for Kodos
  40. BIND should be banned by Angst+Badger · · Score: 1

    It amazes me that BIND (and, for that matter, Sendmail) still ship as defaults with RH and some of the other distributions.

    There are still a few obscure cases where Sendmail does a job no other MTA can -- though they are getting obscurer by the minute -- but there really is no excuse to have a copy of BIND running anywhere, on any machine, at any time. It's bloated, unstable, unsafe, poorly coded and, as its long track record demonstrates, its developers lack either the intention or the ability to fix it. Why it remains lauded as some sort of grand tradition is entirely beyond me, as it is proof that open source programmers can produce software as bad as or worse than Microsoft with vastly smaller resources. This isn't a Unix vulnerability, it's a sign that there are too many lazy admins who won't spend the half-hour it takes to understand djbdns or one of the other free/open DNS packages.

    --
    Proud member of the Weirdo-American community.
    1. Re:BIND should be banned by Rex+Code · · Score: 1
      "there are too many lazy admins who won't spend the half-hour it takes to understand djbdns"

      Oh please. Maybe if djb would put it under ANY acceptable license (BSD, MIT, GPL, *all* acceptable choices and there are others) then maybe more people would consider it, but there's no way I'll use something that prohibits me from distributing patched binaries.

      Besides that, BIND 9 is exceptionally secure. They were really reaching to try to say that it's even an issue any more, and I'm not aware of any Linux distribution that actually starts BIND by default in a way that lets outside machines contact it. Sendmail is also much more secure than its detractors would have you think. Heard of anyone rooted through that lately (in spite of an advisory that required obscure config settings)? Didn't think so.

  41. Notice something cool about the list? by crazyphilman · · Score: 1

    Most of the windows vulnerabilities are vulns that affect both server and end-user machines, and they're on by default. Hard to turn off, too, without affecting random things in the O/S, and you have to be able to read the list of umpteen million running services (knowing what they are, in other words) in the admin tool MS provides.

    Most of the Unix/Linux vulnerabilities affect servers primarily. Most end-users would have these services turned off (workstations wouldn't be running apache or an SSH server, for example). And, it's easy enough to go into /etc/ and just turn off any services that you found on.

    Hmm...

    --
    Farewell! It's been a fine buncha years!
    1. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      I personally don't run either IIS or SQL Server on my XP box; moreover, the firewall which is provided and proposed when I create a DSL connection prevents me from being attacked on the RPC port as well as other ports.
      The lack of Desktop issues on Unix comes principally from the lack of Unix desktops... That's why they're not considered as important, because almost nobody's hit when there's a failure in Mozilla, it's a drop in the ocean of users.

      As for disabling services, I largely prefer the UI provided by MS which includes the dependencies for each service and a description of what the service does to going into /etc and trying to understand what service does what and which service depends on which other service.

    2. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      Not to upset/depress you, but you DO know that all firewalls in the windows world run in userspace (whereas Unix/Linux firewalls run in the kernel) so they're not quite as bulletproof as you might think?

      By the way, your windows box is listening on a whole range of ports you don't even know about. And, you have to trust that Microsoft has truly locked down that "firewall" of yours. Considering that they opened up all those weird ports in an end-user machine in the first place (why?) you might want to ask yourself whether they'd firewall themselves out of the very ports they left open in the first place.

      But I'm sure you thought of that.

      --
      Farewell! It's been a fine buncha years!
    3. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      Not to upset/depress you, but you DO know that all firewalls in the windows world run in userspace (whereas Unix/Linux firewalls run in the kernel) so they're not quite as bulletproof as you might think?

      1) That's not true, you can write a packet filter driver on Windows, running in kernel space to do the filtering, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/network/hh/network/fltrhook_5xpj.asp

      However most people use the IP Filter API to do this in user-mode, thus avoiding putting more code in kernel side, reducing the risk of complete machine crash.

      2) Being in kernel space does not provide any security compared to being in user-space.
      The only thing it provides, is that in case of buffer overflow in the firewall, in kernel space you own the machine, and in user-space you own the user under which the firewall is running.
      Which case is the most secure ? Bingo, the user-space one.

      By the way, your windows box is listening on a whole range of ports you don't even know about. And, you have to trust that Microsoft has truly locked down that "firewall" of yours. Considering that they opened up all those weird ports in an end-user machine in the first place (why?) you might want to ask yourself whether they'd firewall themselves out of the very ports they left open in the first place.

      I trust them, because I know what ports are open by default on a windows box, I scanned a machine with the firewall on and saw the results, I actually know what I'm talking about...

    4. Re:Notice something cool about the list? by crazyphilman · · Score: 2, Informative

      If you know what you're talking about, why is it you think that a user-space firewall is more secure than a kernel-space firewall?

      When the firewall runs in the kernel, the firewall sees incoming packets FIRST, and can drop them on the spot. When the firewall runs in user-space, incoming packets come in, get handled by a kernel process (which may have a vulnerability), and THEN get handled by the firewall. So if there's a vulnerability in the kernel, the packet has already nailed you before the firewall has "seen" it. It's why every single Unix puts its firewall in the kernel, and has done so for decades.

      How did you scan your machine? Did you use nmap? Did you try all the different scans available (there are at least a few dozen).

      I'm not trying to give you a hard time, here, I just think you're trusting XP a little too much for your own good.

      --
      Farewell! It's been a fine buncha years!
    5. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      If you know what you're talking about, why is it you think that a user-space firewall is more secure than a kernel-space firewall?

      When the firewall runs in the kernel, the firewall sees incoming packets FIRST, and can drop them on the spot. When the firewall runs in user-space, incoming packets come in, get handled by a kernel process (which may have a vulnerability), and THEN get handled by the firewall. So if there's a vulnerability in the kernel, the packet has already nailed you before the firewall has "seen" it. It's why every single Unix puts its firewall in the kernel, and has done so for decades.


      Windows TCP/IP has hooks, which allow the user-space firewall to be alerted when a packet arrives. So, whenever a packet arrives, it is forwarded to the user-space firewall, as it would have been forwarded to the kernel space firewall on Unix, only difference : it's in user-space.
      It happens at the same time, simply the time spent in kernel is less in Windows's case. So there's not a bigger risk of failure, packets go through fewer layers in kernel space on Windows than on Unix.
      On both Unix and Windows, the firewall is hooked in between layer 2 and 3 of the TCP/IP stack, so the only difference is that the firewall(one more layer) is in kernel space on Unix, and user-space on Windows, that's why Windows's method is more secure, less code run in kernel space.

      As for scanning, I used nmap, netstat to see which ports are open directly on the box, my own attack tool, etc...

      I have a 10 years Unix background, 5 years of Windows development, all in networking, I perfectly know what I'm talking about.

    6. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      Uh, huh. So, riddle me this, batman:

      Let's say you're using a third-party firewall. You install it and configure it to run all the time. So far so good, right? You're on windows, you're using a user-space firewall, and if you're RIGHT, all is well.

      So you boot your machine. Your machine is connected to the network, of course, by an ethernet cable. At first when windows boots, no user is logged in. Thus, no firewall is running.

      So you log in. Ever watch the order in which things come up? For example, I have Norton Internet Security running on a windows 2000 box. I know, I know -- Norton??? But let me continue.

      First, sound, graphics card, etc, all come up and you get the cutesy little icons in the task bar.

      Then, the network comes up. Packets start getting sent back and forth, evidenced by the pretty little lit up screens in the icon in the taskbar.

      Then, the firewall starts up.

      Then, the antivirus.

      At first the firewall isn't even enabled (dig that groovy red "x"). Ditto for antivirus. After a few seconds, they finish their init and they're running.

      So, the riddle is:

      What about the ten or so seconds in which the network is running before your user-space firewall comes up? Just as an example, mind you. Call me curious.

      Because if the firewall is running in user-space, and all user apps get shut down when the user logs out, and then restarted when the user logs back in, there's a window, now, isn't there?

      Just curious. Lay it on me, yoda.

      --
      Farewell! It's been a fine buncha years!
    7. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      Oh, and PART II:

      Tell me:

      If the firewall code is in the kernel, it runs whenever the kernel is running, period. So it's always on, always available, always acting as a firewall. If your firewall is running in user-space, IT CAN BE SHUT DOWN without shutting down the kernel. Which of course would leave you wide open. Which is a good reason why unix does it in the kernel.

      Next up: If the firewall is running in the kernel and has some kind of devastating crash, it'll probably bring down the kernel with it. You think that's a bad thing, but I think it isn't. After all, the box is no longer accessible, now, is it?

      On the other hand, if I manage to crash your user-space firewall, your kernel is still running, and available to me.

      Which is more secure again? A box that has effectively shut down? Or a box whose user-space firewall has crashed and is now WIDE OPEN?

      Just thinking "aloud"...

      P.S. The "appeal to authority" is a logical fallacy as every freshman philosophy student knows. Besides, you can say you have ten years experience, blah blah, but for all I know you're a fourteen year old. Ok, here's one: I've been programming in Unix since 1925! So I know everything! Boo-yah.

      Tag, you're it.

      --
      Farewell! It's been a fine buncha years!
    8. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      Because there's a lot of things you don't understand.

      The fact that the app runs in user-space has NOTHING to do with the fact that a user has to be logged in.

      Example:

      On Windows, the RPC service, IIS, etc.. all run in user-space, but you don't have to login in order for them to run.

      winlogon.exe, the process that allows you to login, runs in user-space ! Before anybody is logged in obviously since that's what you use to login.

      user-space simply means it runs in a memory space different from the kernel, where it can't access the kernel memory and can't execute specific processor instructions.

      For example on Unix, KDE, Gnome, etc... run in user-space, even XFree. You can see on your own machine that they run even before you login.

      You should go get a book on operating system design, that would help you understand this concept.

    9. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      You know you can unload modules on Linux without rebooting ?
      Do you know that modules run in kernel space ?
      Do you know what /proc is ?
      Do you know you can modify Kernel behavior using /proc without having to reboot ?
      Did you ever remark that you can control the firewall's behavior using commands while being root, thus meaning you can stop the firewall, all this without having to reboot ?

      You can stop, start or modify the behavior of kernel modules on Linux and Windows without having to shutdown the machine. You just need to be an administrator(or root on Linux), same thing you need to stop a firewall running on Windows.
      There's NO difference on this.

      As far as crashing the firewall:
      On Windows, the network layer of the TCP/IP stack sends the packets to the firewall, and the firewall decides if it forwards them to the layer 3 of the TCP/IP stack, if the firewall dies, the TCP/IP stack still has the firewall's hooks, and will NOT forward the packets as it would without a firewall.

      You lack OS concepts knowledge and mix concepts, you should get a book on OS concepts and understand how kernels and OS are designed before talking about it.

    10. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      Yeah, yeah, yeah, you've answered my question with an answer to a completely different, unrelated question. How typical! Perhaps I should be more specific in what I'm saying then.

      When I say "user-space" I'm not just saying that the memory is a different area from what the kernel is using (that's fairly obvious). I mean that the program/firewall/whatever is being run as a separate process, one that can be crashed without necessarily crashing the kernel. THUS, you can kill the firewall without crashing the O/S, THUS it's not as secure.

      Everyone on slashdot is so arrogant. You always call other people stupid when they don't agree with you. It's childish, don't you think?

      Still, you haven't answered my question. If I start windows, and the network comes up while Norton antivirus and Norton Personal Firewall are still not activated (and then, for several seconds while they're disabled, if the icon in the taskbar is telling the truth), what's protecting the system in that ten to fifteen seconds?

      --
      Farewell! It's been a fine buncha years!
    11. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      All of your points on Linux, which you seem to think I'm not aware of, are irrelevant, and you're a moron for trying to throw them at me. BECAUSE, on Linux, YES, you can work with kernel modules, etc, IF YOU HAVE ROOT. But if you're just probing a machine, and trying to GET root, you're up a creek unless the person is running an exploitable service AND that service is running SUID. If the user is even remotely clueful, he'll be running as an unprivileged user, he'll have most SUID scripts turned off, and it'll be damned hard for you to get the kind of access you would need to do what you're saying.

      Compare this with Windows, where due to poor application design, most users run as administrator (because they're added to the administrator group so they can USE their software) and most services people attack are run as administrator (or a relatively privileged system user). So if you hack any major service or ANYONE's account you're an administrator, and can do whatever the hell you want. Quite a bit different, now, isn't it?

      Keep calling me stupid, everyone on Slashdot does, I don't mind. I have a thick skin. But anyone reading the whole thread will say, "well, they called him stupid, but they're not addressing his points."

      And, to your TCP/IP stack notes, thanks for the lecture Mr. Wizard, but I think you're putting a little too much faith in Microsoft's systems, there. Because after all, if someone wanted to kill your pesky windows firewall, they'd attack your IIS, and run some code that disables the firewall, rather than crashing it outright, which pops those hooks RIGHT OUT of your precious TCP/IP stack and we're off to the races. Don't be such a schmuck.

      Take your book on OS concepts and put it someplace uncomfortable, you arrogant little noob.

      --
      Farewell! It's been a fine buncha years!
    12. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      Please tell me mister smart.

      What's the use of disabling the firewall if you have to penetrate the machine through IIS ?

      Once you're in through IIS, you don't need to stop the firewall anymore since you're already in.

      So the firewall design has no issue at all.

      You should stop here, you're looking more and more stupid with every post.

    13. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      You still don't understand.

      If you crash the firewall, the TCP/IP stack will stop responding, so there's no issue.

      As for starting the firewall, they start at the same time as the TCP/IP stack.

      What the taskbar tells you is not the status of the firewall; even if you don't log in, the firewall is running, I already told you that.

      I repeat it, go buy a book about OS concepts and read it before commenting on such subjects, you're just looking like a fool with your comments.

    14. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      Blah, blah blah. Calling me names again. How old are you, fifteen? You're so rude and immature.

      But, since we're not getting anywhere, let me reiterate: the network connection comes up while Norton Personal Firewall is still displaying an icon that claims it's disabled. SO, if the firewall is disabled, I guess it's not firewalling, now is it?

      And, who cares WHAT you tell me; what are you, the pope? Not that anyone listens to him, either...

      --
      Farewell! It's been a fine buncha years!
    15. Re:Notice something cool about the list? by crazyphilman · · Score: 1

      Silly boy.

      Almost EVERYONE "penetrates" via IIS. It's like a friggin' freebie, so everyone tends to use it. Barring that, they'll go for the RPC thing, or some other service Microsoft stupidly leaves turned on in almost all of their home machines. Or they'll just send the person an email; for a large percentage of users, that'll work like a charm. (Another reason Linux is safer; most Linux email programs are text-mode, without all the weird scripting bullshit Microsoft tucks into Outlook).

      If a little hacker cared about stopping the firewall it would be because they want to run an IRC server, or maybe start doing DDOS, or some other stupid script kiddie trick. Which, by the way, is how most worms propagate. And, how most of the more annoying problems happen on the internet. So I guess the firewall thing DOES matter, doesn't it?

      Go soak your arrogant, know-nothing little head until your ego shrinks back to normal size, you demented little shit.

      See? I can call names too. Do you feel special now?

      --
      Farewell! It's been a fine buncha years!
    16. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      Go read the docs in the DDK and the SDK, go write some drivers and IP filters, then come back and talk about it.

      Until you do this, it's not worth talking with you about it, you don't know a thing about how it works and keep arguing.

      Go check by yourself and you'll see that I'm right.

      And until you do so, please avoid calling me an immature child, I gave you the way it works, you only gave proofs of your lack of knowledge on the subject.

    17. Re:Notice something cool about the list? by swissmonkey · · Score: 1

      1) the RPC port is blocked by the firewall, same thing for Messenger, NetBIOS, etc.; good luck if you try that way, you basically don't even know how a firewall works it seems.
      2) IIS is not installed by default on XP, and the firewall blocks that port by default
      3) There's only 1 exploit for IIS6 (the one on WS03, which is not installed by default either); there are more than that for Apache 2
      4) Try to send me an e-mail that takes over my machine, I bet you won't get in, even though I read my e-mail with Outlook. Know why? Because if an exploit of that kind really existed, there would be a worm currently riding the internet through it, and there's none.

      So yep, your arguments are worth 0.

      I already told you so, go read about the subject first, then come back and talk about it.

  42. Interesting difference between the lists by hayden · · Score: 4, Interesting
    4 Unix vulnerabilities could be considered to be seriously dumb things to do (clear text services, bad passwords, misconfiguration; these are not problems specifically with unix). Sendmail is more about how horribly bad its history is (which pales into insignificance if you compare it with IIS, IE, Outlook etc) and the Apache entry is more about how crap "Web Programmers" are with security than actual problems with Apache.

    Compare with the Windows list. Most of which are application problems and things that have been fixed in the unix world for a long time (such as keeping passwords in /etc/passwd). One of the list has the dubious honour of being the reason for a whole class of vulnerabilities (the "email virus", read, the "Outlook Express virus"). I can remember laughing at people who said "I'll send you a virus in your email" about 6 years ago. The only reason IE isn't higher is because attacks on OE are much more fruitful.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
    1. Re:Interesting difference between the lists by fermion · · Score: 1
      I would take it even further. The Windows problems tend to be in apps that the average business owner might use, or even the casual users, while the *nix problems tend to be those managed in a more centralised fashion.

      For instance, the first four vulnerabilities in Windows are issues that almost every business owner, institution and government entity has to know how to protect themselves against. Yes, businesses do not have to run these, but given MS's current business practices and corporate viewpoint, IE is the only browser that matters, and it is far simpler to just buy the MS products than to mix and match and risk the wrath of the BSA. In fact IE affects almost every user of Windows.

      OTOH, of the first four vulnerabilities in *nix, most users are only going to worry about the last two. And given the increasing responsiveness of *nix distributors, none of the four is going to directly affect the casual user.

      We see the same thing with the remaining vulnerabilities in each list. Outlook and P2P, and to some degree the others, affect almost every casual user of Windows. Even with proper updates these have a good potential to wreak havoc not only on the infected machine, but on the entire internet. But the other *nix problems, if they do affect the casual user, and some certainly do, are pretty much going to be a problem for that casual user, and not expand to the general internet.

      Which is just to say that MS needs to stop talking about secure computing and trying to secure content and sending programmers to workshops, and just take a top down look at their security model to see how it can be restructured to cause fewer overall problems.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  43. -sniff!- -sniff!- by Anonymous Coward · · Score: 0

    quit picking on my shitty operating shsystem you you you bully!

    -shniff!-

  44. -sniff! sniff!!- by Anonymous Coward · · Score: 0

    quit picking on windows you you you jerk! Now you made me cry! Butthole! I'm telling mom! Linux is for people that eat worms! Windows is better because the TV said so! -sniff! sniff!!!-

  45. accounts without passwords... by bsDaemon · · Score: 1

    can we get a big round of 'duh!' for this one please? i mean, accounts without passwords and/or with stolen passwords aren't vulnerabilities with the computer as much as like walking into Harlem. alone. dressed in a KKK outfit. singing 'Dixie'. it's just asking for trouble.

  46. Few Security Classes in Seattle/Redmond by RY · · Score: 2, Insightful

    Look at the "Learn how to improve your system security" frame; notice how there are no classes in the Seattle area.
    Why not have more security classes in the M$ corporate area? Maybe it would help improve M$ security if their coders could take a few classes.

    1. Re:Few Security Classes in Seattle/Redmond by valdis · · Score: 1

      I'll bite.. Which SANS track would help *CODERS* (as opposed to system admins, DBAs, security officers, and the like)?

    2. Re:Few Security Classes in Seattle/Redmond by RY · · Score: 1

      "Track 5: Securing Windows" or any of the basic courses for the managers who oversee the people who code the programs. I know a few people who code at Redmond; they admit to coding which uses insecure methods, or flaws in the software which if fixed will break their application.

  47. Re:But the 10 most critical Security Vulnerabiliti by Fastball · · Score: 1

    You're supposed to jit into a rag, not the keyboard when jacking to pr0n.
    </PSA>

  48. clear text with unix but not win32 ??? wtf ?? by kayen_telva · · Score: 0

    were they grasping for straws? telnet and ftp are unix vulnerabilities (clear text)??!! windows has this built in too!!!

    I think dividing it into win and unix was stupid. Just have a top 20 or 30.

  49. Re:But the 10 most critical Security Vulnerabiliti by Anonymous Coward · · Score: 0

    Oh, for fuck's sake!

    If she sat in her new car and said "I want to go to Istanbul", it's GM's fault if she wasn't instantly transported to Turkey?

    You should forget about introducing your friend's parents to the magical world of computing, and just bring your guitar along, so you can do the "battling banjos" type of thing instead.

    Squeal like a pig, boy!

  50. Interesting report, but.... by mikehunt · · Score: 1
    Port 1433 and 1434 (MSSQL server and monitor default ports) have also been regularly registered as two of the most frequently scanned ports by the Internet Storm Center.

    Interesting, the only ports that my firewall generally bitches about are 135/tcp and 137/udp.
    Seems like MS-Blaster is still alive and kicking!

    Seriously though, this list is great, detailed information, but the top 20 is a flamebaiter's dream!

    I predict a mass of -1 posts.
  51. Windows Apologist by Anonymous Coward · · Score: 0
    Two posts from you I've seen on this story and two uses of the word "wang." Good job. Keep it up.

    Admit it. You have an MCSE. Talk about head in the sand.

  52. Paranoia by marnanel · · Score: 1

    sometimes the most paranoid among us can still be on to something.

    Not the best choice of adjective: leaving aside the question of what Dan Bernstein thinks about anything, in security, paranoia is a survival trait. :)

    --
    GROGGS: alive and well and living in
  53. Re:But the 10 most critical Security Vulnerabiliti by el-spectre · · Score: 1

    Well... there's "knowing how to use" and "knowing how it works". Many computer tasks (especially as regards security) require some knowledge of how the damned thing works. We blame users for 'stupidly using software that has security holes' that they know nothing about; we'd never make the analogous complaint that 'that fool crashed because his axle was made of bad steel', we'd blame the manufacturer, and rightly so.

    --
    "Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
  54. clear text by planckscale · · Score: 1
    I would think that sniffers on a LAN would be right up at #1. I had never used a sniffer before and was easily able to sniff out a clear text un/pw on my own network with the command

    tcpdump -a -X -s 1600 > /home/user/dumpoutput

    dsniff looks to make it even easier.

    This is an informative article because it provides info for fixing the problems. Not everyone who installs a nix box (or M$ box for that matter) knows how easily someone can steal your password. Looks like I'm going to install SFTP now...

    --
    Namaste
  55. Security by Detritus · · Score: 1
    The primary function of a computer is not security. If that was the goal, I could just pull the plug and beat it with a sledge hammer. See? Perfectly secure!

    I bought the computer to do work, some of which involves communicating with other computers. Disabling useful features is not a practical strategy for the long term.

    --
    Mea navis aericumbens anguillis abundat
  56. Re:But the 10 most critical Security Vulnerabiliti by E-Rock · · Score: 1

    I think you're misanalyzing the problem. Out of the box my portable CD player can play CDs. Unfortunately that's all it will ever be able to do. Out of the box, a computer can't do anything, but it has the ability to do damn near anything.
    This is the greatest strength and weakness of the computer. It will always be incomplete, because its potential can never be fully realized.

  57. Netware by Anonymous Coward · · Score: 1, Interesting

    Not really a problem here as I use Netware and Novell technologies.

    go figure ... no problems!

    Let's rip it out!

    hmmm think not!

  58. How to start a career in the security field? by Anonymous Coward · · Score: 0

    May be a bit off topic, but I was asked this question a few days ago by a fellow coder. After spending 5 years in coding, he is contemplating a switch into the security side of the industry and is thinking of becoming a Security Auditor / Consultant. The problem is that he has no clue how to start down this road. When he asked our in-house sys admin, the response was "Spend a few years in System Administration and then you can move to security". Sounds too general if you ask me. Was wondering if the folks here had any ideas to share?

    1. Re:How to start a career in the security field? by Anonymous Coward · · Score: 0

      1. Hack shit up like a m0f0 but don't get caught
      2. ???
      3. Profit!!!

  59. Re:But the 10 most critical Security Vulnerabiliti by Laur · · Score: 1
    "Well... there's "knowing how to use" and "knowing how it works". Many computer tasks (especially as regards security) require some knowledge of how the damned thing works."

    On the contrary, I feel that people should understand how things work, at least the basics. If you own a car, you should understand the basics of how a car works, at least so you don't get completely taken advantage of by auto mechanics. Also, you need to understand that there are basic maintenance tasks associated with car ownership (oil changes, tune ups, etc.). If you own a computer, you should know some basic things, i.e. the difference between a CPU, memory, and a hard disk for starters.

    Computers are several times more complex than cars; trying to treat them as a simple device doesn't work. There are some basic maintenance tasks associated with owning a computer connected to the internet, i.e. for Windows check Windows Update, run a firewall and anti-virus program (free versions of which are available). Neglecting to perform these simple tasks is just asking for trouble.

    We'd never make the analogous complaint that 'that fool crashed because his axle was made of bad steel', we'd blame the manufacturer, and rightly so.

    But we would blame someone for crashing a car who didn't get their brakes checked regularly, they could even be liable for criminal penalties.

    --
    When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
  60. Re:weak passwords in mac os x(oops) by Joshua+Kolash · · Score: 1

    that code won't work. It got lost in the HTML formatting. the #include line should be
    #include

  61. Re:But the 10 most critical Security Vulnerabiliti by ichimunki · · Score: 1

    If you bought a car or house and didn't take the time to learn how to lock the doors, everyone would laugh at you when you got robbed.

    Bad analogy. Most robbed homes and stolen/robbed cars are locked, I'm guessing. In fact, I used to know a guy who stopped locking his car because his windows got broken so many times.

    However, I agree completely with your point. If someone is going to spend serious ching on a system, they ought to ask themselves: why am I paying all this money for a computer and do I know fuckall about computers in the first place to where I think it will be money well spent? Then, because poor usage can sometimes impact others on the internet, there probably should be some sort of hurdle to jump other than installing an AOL CD and double-clicking before you get to have a machine connected to the network. At least there should be some sense that negligence leads to liability, which might inspire a little more diligence in understanding and properly maintaining one's system.

    --
    I do not have a signature
  62. OS X by nate+nice · · Score: 1

    When I type openssl version into the terminal on OS X, it returns :
    OpenSSL 0.9.6i

    Which is lower than 0.9.7. The article said you were vulnerable if you had a version lower than that. Time to self update I guess. I'm surprised Apple has never updated this, and yes I am using 10.2.8 currently.

    --
    "If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer ..."
    1. Re:OS X by valdis · · Score: 1

      Crap. Crappity crappity crap.

      My fault.

      I totally botched the issue of vendor-backported patches. It's not an OSX-only issue - RedHat 8.0 has a nicely patched version that says 0.9.6b. I couldn't come up with a good way to fit instructions for RedHat, Debian, Suse, Solaris, AIX, Irix, Tru64, Solaris, *BSD, and whatever - all into a few lines. On the flip side, reading http://www.cert.org/advisories/CA-2003-26.html it seems that the CERT crew couldn't do it either - the 'Vendor Info' in Appendix A is over half the advisory.

      And yes, OSX 10.2.8 includes a backport patch..

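    The backport problem valdis describes above, as an added example (not the article's code or any commenter's): a small Python checker that parses `openssl version` output into a properly ordered tuple and, for builds below the 0.9.7 cutoff the thread quotes, reports "check vendor advisory" instead of a flat verdict. The cutoff is the one named in the thread; the backport table is a constructed placeholder standing in for a vendor advisory.

```python
import re
from typing import NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    """major.minor.fix plus OpenSSL's letter patch level.
    Tuple ordering gives "" < "a" < "b" < ... < "z" < "za", matching OpenSSL's scheme."""
    major: int
    minor: int
    fix: int
    patch: str


VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text: str) -> OpenSSLVersion:
    """Parse `openssl version` output such as 'OpenSSL 0.9.6i 19 Feb 2003',
    or a bare '0.9.7a', into a tuple that compares numerically."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    return OpenSSLVersion(major, minor, fix, m.group(4))


def naive_lexical_check(version_string: str, cutoff: str = "0.9.7") -> bool:
    """The tempting one-liner. Wrong: as strings, '0.9.10' < '0.9.7'."""
    return version_string < cutoff


# Upstream version the thread quotes as the fix cutoff ("lower than 0.9.7" is affected).
FIXED_UPSTREAM = OpenSSLVersion(0, 9, 7, "")

# Constructed placeholder, NOT authoritative data: the thread's own example is
# Red Hat 8.0 shipping a patched build that still reports 0.9.6b. In a real
# checker this table is populated from the vendor's advisory.
KNOWN_BACKPORTS = {
    ("redhat-8.0", OpenSSLVersion(0, 9, 6, "b")): "vendor-patched build (placeholder)",
}


def assess(version_text: str, distro: Optional[str] = None,
           fixed_upstream: OpenSSLVersion = FIXED_UPSTREAM) -> str:
    """Classify a version string. Three outcomes, because a version number
    below the cutoff proves nothing on its own when vendors backport fixes."""
    v = parse_openssl_version(version_text)
    if v >= fixed_upstream:
        return "not-vulnerable"      # upstream fix present by version number
    if distro is not None and (distro, v) in KNOWN_BACKPORTS:
        return "backported"          # vendor patched without bumping the version
    return "check-vendor"            # predates the fix: confirm against the vendor advisory


if __name__ == "__main__":
    for sample, distro in [("OpenSSL 0.9.6i 19 Feb 2003", None),
                           ("OpenSSL 0.9.6b", "redhat-8.0"),
                           ("OpenSSL 0.9.7a", None)]:
        print(sample, distro, "->", assess(sample, distro))
```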
  63. Weak passwords... by Anonymous Coward · · Score: 1, Funny

    Yeah, they sent me an email telling me to use a better password than "bitemefbi". And I haven't installed their new backdoor yet, either. Some people are never satisfied...

  64. Panther by rsmith-mac · · Score: 1

    I'm not entirely sure about 10.2.x on down(I'm pretty sure they're stuck at 8), but 10.3(aka Panther) finally takes care of the issue officially. With Panther, Apple's finally gone to the *nix standard of shadow hashes, so you can have whatever long password you want.

    1. Re:Panther by Phroggy · · Score: 1

      I'm not entirely sure about 10.2.x on down(I'm pretty sure they're stuck at 8), but 10.3(aka Panther) finally takes care of the issue officially. With Panther, Apple's finally gone to the *nix standard of shadow hashes, so you can have whatever long password you want.

      10.2 still uses the standard crypt() algorithm without md5 support, so it's still limited to 8 characters. Glad to hear they're finally changing this.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  65. No, the number 1 vulnerability is... by Anonymous Coward · · Score: 0

    ...stupid users.

  66. you must have missed this one. by Erris · · Score: 1
    Naturally, because of the larger deployed base of Windows machines I would expect any vulnerability for Windows to be magnified in its importance just because of how many machines it affects, independent of whether Windows has more flaws, worse flaws, poor design, etc.

    Bzzzt, wrong. Please try again. Read this, first. It's better written than my replies. If you already read it, read it again. It does not even mention how inferior the M$ binary and patch distribution method is at keeping the monoculture cleaned. Once a windoze computer is broken, it's typically wiped and reloaded. The poor thing will be broken before it can finish downloading its first 500MB "patch" from some big dumb M$ "server".

    For numbers, free software rules and runs the internet. Sendmail, exim, etc, are the programs that move your email. Apache is the program that hosts your web site, Bind and others get you there. Microsoft's move into "serving" has been a disaster wherever anyone has tried it. The result is that M$ continues to lurk in the depths of big dumb clueless niches of the internet. If Microsoft ever does manage to get IIS's numbers up, it will shut the internet down.

    It's dishonest to put the "top ten" lists on the same page. Proportionally, free software has far fewer exploits and breakins. If they were put into a single normalized list, Unix problems would not make the top 100.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:you must have missed this one. by dnotj · · Score: 2

      If I didn't have this terrible karma and had some mod points and hadn't started this thread, I'd mod you up.
      But why the link to Seagate?

      --
      No more Micro$oft bashing from me. Its like bashing at the special olympics.
  67. Re:But the 10 most critical Security Vulnerabiliti by Anonymous Coward · · Score: 0

    Should have gotten her a mac. Pennywise is pound foolish.

  68. A picture of "critical" by Anonymous Coward · · Score: 0

    V
    |
    |
    |
    |
    __|___

    What does "most critical" look like?

    gewg_