Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SANS/FBI Top 20 List

Posted by timothy on from the reverse-pecking-order dept.

An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of The Twenty Most Critical Internet Security Vulnerabilities. As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists. For last years version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."

19 of 199 comments (clear)

  1. What would be the top 10 by dnotj · · Score: 5, Interesting
    If the windows and UNIX ones where mixed?

    Would billy and his band of thugs be the leader of the pack?

    What about the second 10 for m$? where would they be with the UNIX top 10? top 20?

    --
    No more Micro$oft bashing from me. Its like bashing at the special olympics.
  2. Does this mean by satsuke · · Score: 3, Insightful

    Clicked link to site .. loading very slowly.

    Does this mean the security information clearinghouse can be DDOS'd ?

    By slashdot obviously .. don't know about other more intentional attacks

    1. Re:Does this mean by c0dedude · · Score: 4, Funny

      No, it just means that a link from slashdot should be on the list as a potental site vulnerablility :-)

      --
      Since when has this country used intellectual elite as a pejorative term?
  3. Some messed up scoring here. by caluml · · Score: 5, Informative
    The 3rd highest vulnerability to Unix is Apache?
    That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

    Or am I reading a list from 5 years ago?

    --
    Get your own free personal location tracker
    1. Re:Some messed up scoring here. by Xerithane · · Score: 4, Insightful

      The 3rd highest vulnerability to Unix is Apache?

      Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.

      That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?

      I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.

      --
      Dacels Jewelers can't be trusted.
    2. Re:Some messed up scoring here. by DrEldarion · · Score: 4, Insightful

      But who the hell uses 8 any more?

      I've learned that the answer to "Who the hell uses (insert old program here) anymore?" is always "FAR more people than you think..."

      My website has had around 3800 unique visitors. 16 of them are STILL running at 640x480. 28 of them are STILL running in 8-bit color. Crazy.

      Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."

      -- Dr. Eldarion --

  4. But the 10 most critical Security Vulnerabilities by Kjella · · Score: 4, Insightful

    still exist between the chair and keyboard... I think they should make a third category for that.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  5. Re:Woohoo! FTP is safe! by vladkrupin · · Score: 3, Informative

    See?! Telnet & FTP aren't on the list anymore.

    Right, right... Ehrm... to quote the guy a couple postings before you...

    # U5 Clear Text Services

    --

    Jobs? Which jobs?
  6. Re:But the 10 most critical Security Vulnerabiliti by airrage · · Score: 4, Insightful

    My first reaction is to "ditto" your comment. But I can't. I can't because I can't blame the end-user for something that isn't their fault.

    Computers basically come from the manufacturer broke. The remain in states of brokeness -- sometimes entering complete brokeness -- and its all the poor user can do to keep the computer operating.

    It's our fault as IT professionals to make computers more like ... refrigerators for lack of a better similie.

    I can't blame the user for software that contains vulnerabilities which they don't (and shouldn't) have the comprehension or time to understand. I can't blame the user for default settings on devices that are delivered unmodified. I can't blame the user for software that allows a person to accomplish something they shouldn't.

    Yeah, I think my answer is better.

    --
    "This isn't a study in computer science, its a study in human behavior"
  7. Re:Why two lists? by vladkrupin · · Score: 4, Funny

    There aren't two internets running, one for Windows and one for Unix

    Yes, there are. One is for IE, and one - for everything else.

    (Yes, I am expecting flames to correct my narrow view of internet and tell me that there is more than just web browsing, blah,blah. But you see my point, don't you?)

    --

    Jobs? Which jobs?
  8. Re:oh no! by fuzzix · · Score: 3, Funny

    A security feature in itself - who could wait that long to root a box?

  9. Re:Why two lists? by woozlewuzzle · · Score: 4, Interesting

    The point of the lists is not to embarass the makers of operating systems. It is to let administrators (of either operating system) what the most successfully attacked services are, so that they can concentrate their efforts. I recall a study, perhaps last year, by NASA of all people that, by just addressing the Top 20 list, they were able to reduce security incidents by over 90%. It doesn't mean you shouldn't secure everything, but you need to prioritize when you are overworked, underpaid and underappreciated

  10. Re:hurdy gurdy wurdy furdy by woozlewuzzle · · Score: 5, Insightful

    you're missing the point. They aren't trying to criticize these products. They are letting administrators know what services are being succesfully attacked the most. If you are a decent admin that isn't totally overworked, you've probably already patched and secured these services if you are running them. That is the point. They don't have the same agenda as many of the butt munches on /.

  11. The forgotten vulnerability... by JRHelgeson · · Score: 3, Funny

    I think they forgot to mention the /. effect as being one of the greatest threats on the net. It should rank up there towards #1 on both Windows & Unix.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  12. To summarize (or generalize) by johnlcallaway · · Score: 3, Informative
    Windows break/Fixes can be simplistically be broken down this way:
    • W1 Internet Information Services (IIS) - Keep it patched
    • W2 Microsoft SQL Server (MSSQL) - Keep it patched and don't connect it to the web
    • W3 Windows Authentication - Create and enforce password policies
    • W4 Internet Explorer (IE) - Keep it patched
    • W5 Windows Remote Access Services - Don't use it/keep it patched/hack the registry
    • W6 Microsoft Data Access Components (MDAC) - Keep it patched
    • W7 Windows Scripting Host (WSH) - Disable it
    • W8 Microsoft Outlook Outlook Express - Remove it
    • W9 Windows Peer to Peer File Sharing (P2P) - Don't install it
    • W10 Simple Network Management Protocol (SNMP) - Disable it unless you know what you are doing
    Unix break/Fixes can be simplistically be broken down this way:
    • U1 BIND Domain Name System - Don't install or use an alternative and only on DNS servers
    • U2 Remote Procedure Calls (RPC) - Don't install it, period. Nasty, nasty, little things.
    • U3 Apache Web Server - Don't install it except on web servers and only install modules you need
    • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords - Create and enforce password policies
    • U5 Clear Text Services - Don't install them, use alternatives
    • U6 Sendmail - Don't install, use an alternative, and only install on mail servers
    • U7 Simple Network Management Protocol (SNMP) - Don't install it unless you know what you are doing
    • U8 Secure Shell (SSH) - Keep up to date with patches and don't allow access from Internet except over VPN
    • U9 Misconfiguration of Enterprise Services NIS/NFS - Don't install them
    • U10 Open Secure Sockets Layer (SSL) - Don't install or install only where needed and keep up to date with patches
    The best choice is if you don't need it, don't install it. If software isn't on the machine, it can't be hacked.

    Of course, with Unix, at least you have that choice......
    --
    I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
  13. Re:Two security specific entries for Linux/Unix by vladkrupin · · Score: 4, Insightful

    I'd laugh that a security library from which secure applications are built upon and a protocol to increase security both put one at risk and both made a top ten list.

    That's exactly why they are there. Not because they are so badly broken (I bet 99% of apps and libs out there are more broken), but because them being broken is really-really critical. As you said, other apps are built on top of them, so that fact alone will nominate them for that list, no matter how minor or hard-to-exploit the holes are.

    The report doesn't try to list the worst or the least secure software. Instead, it tries to list the software that has the greatest potential to cause havoc. And, if anything, I am truly impressed at how responsive the developers are and how quickly the holes are plugged, and, most importantly, how open they are about that.

    --

    Jobs? Which jobs?
  14. weak passwords in mac os x by Elwood+P+Dowd · · Score: 3, Interesting

    Does anyone know a good way to make Mac OS X pay attention to passwords longer than 8 characters long?

    Are there any caveats?

    Sorry this offtopic, it just always annoyed me. I can type fast enough that I'd prefer to have something like this as my password: "I have the most t76uDDd password ever. BTW your mom says hi."

    --

    There are no trails. There are no trees out here.
  15. And the #1 vulnerability is... by moltar77 · · Score: 4, Informative

    Windows! On a more serious note, the web site listed a very nice link for manually removing Outlook Express. At last I can purge my hard drive of that thing!!

  16. Interesting difference between the lists by hayden · · Score: 4, Interesting
    4 Unix vulnerabilities could be considered to seriously dumb things to do (clear text services, bad passwords, misconfiguration, these are not problems specifically with unix) Sendmail is more about how horribly bad it's history is (which pales into insignificance if you compare it with IIS, IE, outlook etc) and the Apache entry is more about how crap "Web Programmers" are with security than actual problems with Apache.

    Compare with the Windows list. Most of which are application problems and things that have been fixed in the unix world for a long time (such as keeping passwords in /etc/passwd). One of the list has the dubious honour of being the reason for a whole class of vulnerabilities (the "email virus", read, the "Outlook Express virus"). I can remember laughing at people who said "I'll send you a virus in your email" about 6 years ago. The only reason IE isn't higher is because attacks on OE are much more fruitful.

    --
    Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.