Slashdot Mirror
New SANS/FBI Top 20 List
An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of
The Twenty Most Critical Internet Security Vulnerabilities.
As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists.
For last years version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."
Would billy and his band of thugs be the leader of the pack?
What about the second 10 for m$? where would they be with the UNIX top 10? top 20?
No more Micro$oft bashing from me. Its like bashing at the special olympics.
Clicked link to site .. loading very slowly.
.. don't know about other more intentional attacks
Does this mean the security information clearinghouse can be DDOS'd ?
By slashdot obviously
Looks like the site is slashdotted... :)
oh wait...it's my 33.6 modem
That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?
Or am I reading a list from 5 years ago?
Get your own free personal location tracker
still exist between the chair and keyboard... I think they should make a third category for that.
Kjella
Live today, because you never know what tomorrow brings
There aren't two internets running, one for Windows and one for Unix.
Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisment money is always nice, wink wink nudge nudge.
Trolling is a art,
Yeah, SFTP/SCP with applications like WinSCP work out as a nice replacement.
There are several "FTP apps" that support SFTP.
Dreamweaver allows you to do SFTP/SCP via PuTTY, too.
See?! Telnet & FTP aren't on the list anymore.
Right, right... Ehrm... to quote the guy a couple postings before you...
# U5 Clear Text Services
Jobs? Which jobs?
U5 Clear Text Services Think that covers ftp and telnet
My first reaction is to "ditto" your comment. But I can't. I can't because I can't blame the end-user for something that isn't their fault.
... refrigerators for lack of a better similie.
Computers basically come from the manufacturer broke. The remain in states of brokeness -- sometimes entering complete brokeness -- and its all the poor user can do to keep the computer operating.
It's our fault as IT professionals to make computers more like
I can't blame the user for software that contains vulnerabilities which they don't (and shouldn't) have the comprehension or time to understand. I can't blame the user for default settings on devices that are delivered unmodified. I can't blame the user for software that allows a person to accomplish something they shouldn't.
Yeah, I think my answer is better.
"This isn't a study in computer science, its a study in human behavior"
Looks like Dan Bernstein was on to something when he said BIND's design was fundamentally flawed and would result in vulnerability after vulnerability. Just goes to show you that sometimes the most paranoid among us can still be on to something.
Hey freaks: now you're ju
you're missing the point. They aren't trying to criticize these products. They are letting administrators know what services are being succesfully attacked the most. If you are a decent admin that isn't totally overworked, you've probably already patched and secured these services if you are running them. That is the point. They don't have the same agenda as many of the butt munches on /.
I think they forgot to mention the /. effect as being one of the greatest threats on the net. It should rank up there towards #1 on both Windows & Unix.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
- W1 Internet Information Services (IIS) - Keep it patched
- W2 Microsoft SQL Server (MSSQL) - Keep it patched and don't connect it to the web
- W3 Windows Authentication - Create and enforce password policies
- W4 Internet Explorer (IE) - Keep it patched
- W5 Windows Remote Access Services - Don't use it/keep it patched/hack the registry
- W6 Microsoft Data Access Components (MDAC) - Keep it patched
- W7 Windows Scripting Host (WSH) - Disable it
- W8 Microsoft Outlook Outlook Express - Remove it
- W9 Windows Peer to Peer File Sharing (P2P) - Don't install it
- W10 Simple Network Management Protocol (SNMP) - Disable it unless you know what you are doing
Unix break/Fixes can be simplistically be broken down this way:- U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
- U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
- U3 Apache Web Server - Don't install it except on web servers and only install modules you need
- U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords - Create and enforce password policies
- U5 Clear Text Services - Don't install them, use alternatives
- U6 Sendmail - Don't install, use an alternative, and only install on mail servers
- U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
- U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
- U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
- U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
The best choice is if you don't need it, don't install it. If software isn't on the machine, it can't be hacked.Of course, with Unix, at least you have that choice......
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
How many of them have a computer because the MS WinXP advert convinced them they should own one?
There's a friend of mine whose mother bought a top range piece of kit a couple of years back. What did she do with it? She dusted it and showed it to visitors because when she sat down and said "I want to see The Sound of Music" it didn't work.
You can't even begin to explain security to someone like that. Who's to blame? M$? The company who built it? The guy who sold it to her? My friend for not having the patience to explain how to use it?
Well, this list looks very foolish to me.
Firstly, why two seperate lists? are they saying there are as many unix security violations and windows? I wonder what colour the sky is in their world.
Secondly, just look at the lists.. a large number of the windows services are 'essential' (well, if you believe microsoft) for a windows server.
Most of the unix services are easily replacable with effectively identical but more secure options.
Anyone who runs sendmail rather than postfix gets all they deserve.
RPC? why on earth would you make that available? NFS is hardly essential these days.
No password accounts? my god - I never realised that was forced on you by unix!
Bind? there are certainly secure alternatives to BIND (djbdns, for one) - and even BIND should be running chrooted anyway..
And clear text services? why don't they point out that situating your critical servers outside on the street is also a security risk!
My point is that nearly all of the unix 'problems' are very easy to avoid, or are only problems for very short times (the SSH/SSL problem, for example) - the majority of the windows 'problems' are almost impossible to avoid, patches come late, and sometimes even make things worse.
I see windows machines being virused/hacked about once a month (and trust me - I try to stop this a lot, as it makes my life very difficult) - I've only ever had ONE linux machine hacked in around 4 years - through a sendmail hole, and I stopped running sendmail everywhere the next day (it took about 1 hour to change 5 servers to postfix)
These lists need some form of relative threat rating on these problems!
I'd laugh that a security library from which secure applications are built upon and a protocol to increase security both put one at risk and both made a top ten list.
That's exactly why they are there. Not because they are so badly broken (I bet 99% of apps and libs out there are more broken), but because them being broken is really-really critical. As you said, other apps are built on top of them, so that fact alone will nominate them for that list, no matter how minor or hard-to-exploit the holes are.
The report doesn't try to list the worst or the least secure software. Instead, it tries to list the software that has the greatest potential to cause havoc. And, if anything, I am truly impressed at how responsive the developers are and how quickly the holes are plugged, and, most importantly, how open they are about that.
Jobs? Which jobs?
Does anyone know a good way to make Mac OS X pay attention to passwords longer than 8 characters long?
Are there any caveats?
Sorry this offtopic, it just always annoyed me. I can type fast enough that I'd prefer to have something like this as my password: "I have the most t76uDDd password ever. BTW your mom says hi."
There are no trails. There are no trees out here.
Who's to blame?
How about the user who doesn't take time to figure out how to work the product they buy?
Ignorance shouldn't be an excuse. If you bought a car or house and didn't take the time to learn how to lock the doors, everyone would laugh at you when you got robbed. Why shouldn't it be the same way with computers? People should learn how to properly operate things before they use them.
-- Dr. Eldarion --
Windows! On a more serious note, the web site listed a very nice link for manually removing Outlook Express. At last I can purge my hard drive of that thing!!
Compare with the Windows list. Most of which are application problems and things that have been fixed in the unix world for a long time (such as keeping passwords in /etc/passwd). One of the list has the dubious honour of being the reason for a whole class of vulnerabilities (the "email virus", read, the "Outlook Express virus"). I can remember laughing at people who said "I'll send you a virus in your email" about 6 years ago. The only reason IE isn't higher is because attacks on OE are much more fruitful.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Look at the "Learn how to improve your system security" frame notice how there are no classes in the Seattle area.
Why not have more security classes in the M$ corporate area? Mabey it would help improve M$ Security if there coders could take a few classes.
If you know what you're talking about, why is it you think that a user-space firewall is more secure than a kernel-space firewall?
When the firewall runs in the kernel, the firewall sees incoming packets FIRST, and can drop them on the spot. When the firewall runs in user-space, incoming packets come in, get handled by a kernel process (which may have a vulnerability), and THEN get handled by the firewall. So if there's a vulnerability in the kernel, the packet has already nailed you before the firewall has "seen" it. It's why every single Unix puts its firewall in the kernel, and has done so for decades.
How did you scan your machine? Did you use nmap? Did you try all the different scans available (there are at least a few dozen).
I'm not trying to give you a hard time, here, I just think you're trusting XP a little too much for your own good.
Farewell! It's been a fine buncha years!
"Can someone give me an example of a compromise based on a weak password?"
If I had a dollar for every time we've had User A hack into User B's computer/mailbox/whatever because User A guessed that User B used their lover's name as a password...
If I didn't have this terrible karma and had some mod points and hadn't started this thread, I'd mod you up.
But why the link to Seagate?
No more Micro$oft bashing from me. Its like bashing at the special olympics.