New SANS/FBI Top 20 List
An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities.
As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists.
For last year's version, see here. In addition to this list, and a lot of other stuff, the SANS Institute is behind DShield and the Internet Storm Center."
Would Billy and his band of thugs be the leader of the pack?
What about the second 10 for m$? Where would they be with the UNIX top 10? Top 20?
No more Micro$oft bashing from me. It's like bashing at the Special Olympics.
There aren't two internets running, one for Windows and one for Unix.
Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisement money is always nice, wink wink nudge nudge.
Trolling is a art,
How many of them have a computer because the MS WinXP advert convinced them they should own one?
There's a friend of mine whose mother bought a top range piece of kit a couple of years back. What did she do with it? She dusted it and showed it to visitors because when she sat down and said "I want to see The Sound of Music" it didn't work.
You can't even begin to explain security to someone like that. Who's to blame? M$? The company who built it? The guy who sold it to her? My friend for not having the patience to explain how to use it?
Well, this list looks very foolish to me.
Firstly, why two separate lists? Are they saying there are as many unix security violations as windows? I wonder what colour the sky is in their world.
Secondly, just look at the lists... a large number of the windows services are 'essential' (well, if you believe microsoft) for a windows server.
Most of the unix services are easily replaceable with effectively identical but more secure options.
Anyone who runs sendmail rather than postfix gets all they deserve.
RPC? Why on earth would you make that available? NFS is hardly essential these days.
No password accounts? My god - I never realised that was forced on you by unix!
Bind? There are certainly secure alternatives to BIND (djbdns, for one) - and even BIND should be running chrooted anyway.
And clear text services? Why don't they point out that situating your critical servers outside on the street is also a security risk!
My point is that nearly all of the unix 'problems' are very easy to avoid, or are only problems for very short times (the SSH/SSL problem, for example) - the majority of the windows 'problems' are almost impossible to avoid, patches come late, and sometimes even make things worse.
I see windows machines being virused/hacked about once a month (and trust me - I try to stop this a lot, as it makes my life very difficult) - I've only ever had ONE linux machine hacked in around 4 years - through a sendmail hole, and I stopped running sendmail everywhere the next day (it took about 1 hour to change 5 servers to postfix).
These lists need some form of relative threat rating on these problems!
Does anyone know a good way to make Mac OS X pay attention to passwords longer than 8 characters?
Are there any caveats?
Sorry this is off-topic, it just always annoyed me. I can type fast enough that I'd prefer to have something like this as my password: "I have the most t76uDDd password ever. BTW your mom says hi."
There are no trails. There are no trees out here.
Compare with the Windows list. Most of which are application problems and things that have been fixed in the unix world for a long time (such as keeping passwords in /etc/passwd). One item on the list has the dubious honour of being the reason for a whole class of vulnerabilities (the "email virus", read, the "Outlook Express virus"). I can remember laughing at people who said "I'll send you a virus in your email" about 6 years ago. The only reason IE isn't higher is because attacks on OE are much more fruitful.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Not really a problem here as I use Netware and Novell technologies.
... no problems!
go figure
Let's rip it out!
hmmm think not!