Slashdot Mirror


New SANS/FBI Top 20 List

An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities. As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists. For last year's version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."

14 of 199 comments

  1. Does this mean by satsuke · · Score: 3, Insightful

    Clicked link to site .. loading very slowly.

    Does this mean the security information clearinghouse can be DDoS'd?

    By slashdot obviously .. don't know about other more intentional attacks

  2. But the 10 most critical Security Vulnerabilities by Kjella · · Score: 4, Insightful

    still exist between the chair and keyboard... I think they should make a third category for that.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  3. Re:Some messed up scoring here. by Xerithane · · Score: 4, Insightful

    The 3rd highest vulnerability to Unix is Apache?

    Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.

    That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

    I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.

    --
    Dacels Jewelers can't be trusted.
  4. Re:Woohoo! FTP is safe! by woozlewuzzle · · Score: 2, Insightful

    U5 Clear Text Services Think that covers ftp and telnet

  5. Re:But the 10 most critical Security Vulnerabiliti by airrage · · Score: 4, Insightful

    My first reaction is to "ditto" your comment. But I can't. I can't because I can't blame the end-user for something that isn't their fault.

    Computers basically come from the manufacturer broken. They remain in states of brokenness -- sometimes entering complete brokenness -- and it's all the poor user can do to keep the computer operating.

    It's our fault as IT professionals to make computers more like ... refrigerators, for lack of a better simile.

    I can't blame the user for software that contains vulnerabilities which they don't (and shouldn't) have the comprehension or time to understand. I can't blame the user for default settings on devices that are delivered unmodified. I can't blame the user for software that allows a person to accomplish something they shouldn't.

    Yeah, I think my answer is better.

    --
    "This isn't a study in computer science, it's a study in human behavior"
  6. Hmm... by dasmegabyte · · Score: 2, Insightful

    Looks like Dan Bernstein was on to something when he said BIND's design was fundamentally flawed and would result in vulnerability after vulnerability. Just goes to show you that sometimes the most paranoid among us can still be on to something.

    --
    Hey freaks: now you're ju
  7. Re:hurdy gurdy wurdy furdy by woozlewuzzle · · Score: 5, Insightful

    you're missing the point. They aren't trying to criticize these products. They are letting administrators know what services are being successfully attacked the most. If you are a decent admin that isn't totally overworked, you've probably already patched and secured these services if you are running them. That is the point. They don't have the same agenda as many of the butt munches on /.

  8. Re:Some messed up scoring here. by DrEldarion · · Score: 4, Insightful

    But who the hell uses 8 any more?

    I've learned that the answer to "Who the hell uses (insert old program here) anymore?" is always "FAR more people than you think..."

    My website has had around 3800 unique visitors. 16 of them are STILL running at 640x480. 28 of them are STILL running in 8-bit color. Crazy.

    Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."

    -- Dr. Eldarion --

  9. The Unix ones are not all Unix specific by EmbeddedJanitor · · Score: 1, Insightful

    Weak passwords, clear text in http, ftp etc are hardly Unix specific and would also feature on the Windows list, though lower down.

    That these folks had to dig so deep to find 10 Unix vulns heartens me. Apart from BIND, what this says to me is the worst Unix vulnerabilities are only as bad as the fifteenth or twentieth placed Windows ones.

    --
    Engineering is the art of compromise.
  10. Re:Two security specific entries for Linux/Unix by vladkrupin · · Score: 4, Insightful

    I'd laugh that a security library upon which secure applications are built and a protocol to increase security both put one at risk and both made a top ten list.

    That's exactly why they are there. Not because they are so badly broken (I bet 99% of apps and libs out there are more broken), but because them being broken is really-really critical. As you said, other apps are built on top of them, so that fact alone will nominate them for that list, no matter how minor or hard-to-exploit the holes are.

    The report doesn't try to list the worst or the least secure software. Instead, it tries to list the software that has the greatest potential to cause havoc. And, if anything, I am truly impressed at how responsive the developers are and how quickly the holes are plugged, and, most importantly, how open they are about that.

    --

    Jobs? Which jobs?
  11. Re:But the 10 most critical Security Vulnerabiliti by DrEldarion · · Score: 2, Insightful

    Who's to blame?

    How about the user who doesn't take time to figure out how to work the product they buy?

    Ignorance shouldn't be an excuse. If you bought a car or house and didn't take the time to learn how to lock the doors, everyone would laugh at you when you got robbed. Why shouldn't it be the same way with computers? People should learn how to properly operate things before they use them.

    -- Dr. Eldarion --

  12. Few Security Classes in Seattle/Redmond by RY · · Score: 2, Insightful

    Look at the "Learn how to improve your system security" frame; notice how there are no classes in the Seattle area.
    Why not have more security classes in the M$ corporate area? Maybe it would help improve M$ Security if their coders could take a few classes.

  13. Re:Why two lists? by phear_the_penguin · · Score: 2, Insightful

    I agree, but I find that the most annoying thing is that IE still won't correctly render COMPLIANT HTML/CSS, so unless you want to have 90% of the people that look at your site complaining about the way it looks, you have to either:

    a) Create a much more limited website, without some of the stuff you want to add
    OR
    b) Create a website with completely BROKEN HTML/CSS so that IE can render it correctly

    In summary, the problem doesn't necessarily lie in the fact that certain sites "only" render in IE, but rather that certain sites WON'T render in IE...

  14. Re:The List by valdis · · Score: 2, Insightful

    "Can someone give me an example of a compromise based on a weak password?"

    If I had a dollar for every time we've had User A hack into User B's computer/mailbox/whatever because User A guessed that User B used their lover's name as a password...