SANS Institute Warns of Attack Shift
JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."
Did you know there is a hole in cat that will allow attackers to concatenate files and even redirect the standard output to yet another location? It's so scary it keeps me up at night.
What about IE? Is it 'internet' or 'application'? I.e. (no pun intended), does it belong to the former or the latter group? You can hear about a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, I don't see the 'big shift'. I expect some shift towards Firefox exploits though (as, contrary to belief, it crashes too), as soon as it reaches a critical mass of users so it's 'worth bothering with'.
Patents Drive Free Software as Hurricanes Drive Construction Industry
We've been living with Outlook/Exchange Server for this long... is the worst REALLY ahead of us?
You see? You see? Your stupid minds! Stupid! Stupid!
......the worst vulnerability was being in range of Ballmer's chair.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I don't doubt this for a second!
IMO, today's modern OSes are pretty damn secure/solid as well as stable.
The "precursor" to this 'prediction' etc./et al. might be just looking at how tools like Outlook Express/"full" Outlook from Office have gotten abused by attachments that house viruses and spam as well.
(Personally, because of that? I wouldn't call this a "breakthrough" epiphany type of thing, some utterly new concept at all... just a rehash of an older one. Which one's that? Read the novel "The Cuckoo's Egg" by Clifford Stoll. It outlines how a team of German hacker/cracker types under hire by the Russian KGB penetrated U.S. military bases by abusing the buffer overflows possible in a program written by Richard Stallman of GNU fame on UNIX systems... sound familiar to the buffer overflow exploits you hear about today?)
APK
you got a link on that? hope you aren't serious.
The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.
That must be embarrassing for a company that sells security products themselves.
Bradley Holt
the actual top 20 list can be found here: http://www.sans.org/top20
---- join dshield.org Distributed Intrusion Detec
" Microsoft shares"
Microsoft shares? Did I read that right?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Crackers need care and feeding. When they can no longer get what they need from maturing operating systems, they move on. In other words, nothing to see here. Move along.
From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.
While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".
$nice = $webHosting + $domainNames + $sslCerts
Sony, looking to expand its product line, is selling the new $sys$Attack package to hackers.
Sharp criticism for this product inspired Sony to offer $sys$CounterAttack, $sys$Peekaboo, and $sys$Shields to private induhviduals and security experts.
A $sys$spokes-person for Sony, who wishes to remain anonymous, says these products are the precursor to the $sith$ branded products that will ensure peace and justice in the galaxy.
I read
I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).
There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.
In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:
No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.
Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others
Thank goodness I'm protecting my well-patched XP system with Norton and a Linksys router, so I'm safe!
This levee is rock-solid baby!
You can have my cynical agnosticism when you pry it from my cold, dead logic.
SANS Top 20, November 22, 2005 is here.
This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.
I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.
Nice to see, though, that the only Unix problems they talk about are misconfigurations. This isn't really accurate, but nice to see anyway.
Free Conference Call -- No Spam, High Quality
I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.
Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.
You are wrong on both counts and you are spreading FUD.
The global warming threat is far from confirmed. There is overwhelming evidence to the contrary. And there have been catastrophic events to the Internet (not including the AOL invasion (ok, karma whore cheap shot. Laugh, it's supposed to be funny)). Remember Slammer, Melissa, and a handful of other fast moving worms that took out large portions of the network for several hours at a time? That was pretty catastrophic. However, let's also remember that those events were pretty much mitigated within a day or two.
About the only thing that is really going to threaten the "Internet" is taking out the NAPs.
Embarrassment, maybe for a time - but if hackers attack security software instead of other apps, maybe it means that security software actually works in protecting these.
I'm still trying to figure out what people mean by 'social skills' here.
I think if you'd read my post, you'd see I explicitly stated:
I was merely mentioning the behavior of the general populace is similar around both ongoing debates.
As for your contention that the internet catastrophes have already happened, you pointed out some things that created inconvenience for many, but the net effect of those "events" was hardly catastrophic, as you astutely pointed out in your next (but contradicting your point) statement:
These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.
One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.
I'm grateful for these reports from SANS and others. They remind me that the IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.
Those who pass by never come back
SANS is pretty hard core, and they do not say such things lightly. In fact, SANS is well known for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere; SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.
Horns are really just a broken halo.
Who's behind these attacks and what's being done to put an end to them?
I don't know (or much care) who is behind these attacks, but there's a simple and very effective solution for you. Just turn off password-based SSH authentication, and enable only the public-key method. It's simple to configure and use, and nobody even bothers to attempt a brute force attack against the huge key space. You'll see those dictionary attempts drop from thousands to zero immediately.
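As an added example (not code from the thread or from SANS), here is the hardening the reply above recommends, plus a quick way to see how much password brute-forcing a host is actually getting, which is what the earlier poster asked about. It assumes OpenSSH's sshd_config keyword names; the auth.log lines are constructed samples in the common "Failed password for ... from IP port N ssh2" format, not real traffic.

```sh
#!/bin/sh
# Added example: disable password authentication on sshd and measure
# dictionary attempts in the auth log. Assumes OpenSSH keywords; sample
# log lines below are constructed, not captured traffic.

# Minimal hardened sshd_config fragment (assumed OpenSSH keywords).
# Newer OpenSSH spells the second keyword KbdInteractiveAuthentication;
# set both if your version accepts both.
HARDENED_SSHD_CONFIG='PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
'

# Constructed sample auth.log excerpt (documentation IP ranges, no real hosts).
SAMPLE_AUTH_LOG='Nov 22 03:14:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Nov 22 03:14:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Nov 22 03:14:05 host sshd[1235]: Failed password for root from 203.0.113.7 port 40114 ssh2
Nov 22 03:15:10 host sshd[1240]: Failed password for root from 198.51.100.23 port 51002 ssh2
Nov 22 03:16:00 host sshd[1250]: Accepted publickey for alice from 192.0.2.10 port 55000 ssh2
'

# Read an auth log on stdin; print "IP count" for failed password attempts,
# most active source first. Accepted logins are ignored.
failed_password_by_ip() {
    grep 'Failed password for' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

# Read an sshd_config (or the output of `sshd -T`) on stdin.
# Exit 0 only if both password paths are switched off. Like sshd, the
# last occurrence of a keyword wins and a missing keyword means "yes".
sshd_password_auth_disabled() {
    awk '
        tolower($1) == "passwordauthentication"          { pw = tolower($2) }
        tolower($1) == "challengeresponseauthentication" { cr = tolower($2) }
        tolower($1) == "kbdinteractiveauthentication"    { cr = tolower($2) }
        END {
            if (pw == "") pw = "yes"
            if (cr == "") cr = "yes"
            exit !(pw == "no" && cr == "no")
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s' "$SAMPLE_AUTH_LOG" | failed_password_by_ip
if printf '%s' "$HARDENED_SSHD_CONFIG" | sshd_password_auth_disabled; then
    echo "sshd_config: password authentication disabled"
else
    echo "sshd_config: password authentication still enabled"
fi
```

On a live host, `sshd -T | sshd_password_auth_disabled` checks the effective configuration rather than the file, which catches an override in an included file or a Match block; run `failed_password_by_ip < /var/log/auth.log` before and after the change to confirm the attempts drop to zero rather than merely being logged differently.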
Most of the security establishment is focused on patching holes *after* they're discovered. This goes for application/product vendors as well as the security companies that are tasked with protecting those assets. The reasoning goes something along the lines that the sooner you patch your systems, the sooner you are safe from the "bad guys".
- 11-2005
The problem is that many of the vulnerabilities have been sitting there for YEARS before they're discovered by the establishment. Take Blaster for example... how long was that vulnerability present in shipping product before it was disclosed by Microsoft? Try nearly 7 years. Of course, only a few short weeks after this disclosure, the worm propagated. So, how long were blackhats exploiting the vuln before the disclosure? We'll probably never know. How many other "undiscovered" vulnerabilities have been exploited prior to the vendor acknowledging the vulnerability? Dunno, but I suspect it ain't just a handful. How about yesterday's IE proof of concept remote root exploit that works just as well against a fully patched Windows XP SP2 as it does against Windows 2000? You think any signature or "behavior"-based IDS/IPS can even detect this sort of thing 0-day? I'm willing to bet money on the fact that they can't.
See here for a fun new way to run Calc.exe on your Windows box:
http://www.computerterrorism.com/research/ie/ct21
So long as vendors remain profit motivated and focused on short-term competitiveness, they will never adequately address the software quality issue. Unexposed vulnerabilities are ripe picking for blackhats, while vendors and the security establishment continue to address the reactive post-vulnerability disclosure space.
This correlates with research published by others earlier this year. [Disclaimer: I know the author.]
What worries me is the ability of attackers to do real-time attacks on a service. To hit a system that they know very little about and create zero-days in near real time. That is where things really become dangerous, because attackers can then, once a target is chosen, attack the very uncommon software on it and still have a reasonable payoff.
I do security
The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.
IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."
That's the science of Internet Warfare.
=^..^= all your rodent are belong to us
I apologize to all the eyes that were harmed from trying to read my previous comment. In penance I shall now cross mine 'til they stay that way like my mother warned me they would.
That which does not kill us makes us... st
. . . Sony was attacking Shift so you can't bypass their DRM . . .
Imagine all the thousands of exploits that have been found (and corrected) by now in browsers, operating systems, and applications, with still no end in sight. We are so fortunate that the vast majority of exploits in this past decade were not more sinister and destructive in nature, when they easily could have been so. Because of the efforts of thousands of hackers looking mostly to make a name for themselves, at least we have learned a tremendous amount about computer security in the last decade.
I ask - where would we be right now without them?
Our computers and software would be so full of holes that a concerted attack by a seriously hostile enemy could bring civilization to its knees. How much would it have cost if we had had to pay engineers to debug our (collective) software to bring it to the level of security it is at now? In our annoyance with hackers, we must never forget our indebtedness to them for having made our security stronger than it would ever have been without them.
I am sure this must have been considered before, but why don't we focus the energies of hackers into constructive directions, instead of criminalizing them? Most hackers that have been arrested seem to be just kids looking for fame and attention. Putting them in jail isn't going to solve the problem, only drive it deeper underground.
I suggest instead that a large fund be established via a tax on big software companies or even paid into by governments to reward hackers for finding vulnerabilities, perhaps in specially set up target machines on the internet where appropriate. There could be an annual awards ceremony, with big ca$h prizes for the best of the best. A huge network of white hats could arise and contribute their ideas on how to prevent other forms of threats such as phishing and other social engineering methods, and how to counteract the real criminals. It just seems to me that if we are all working together, we can beat these problems.
Imagine the day when a hacker can feel pride in his justly rewarded contribution to society rather than just in how many machines he has managed to knock out.
"Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems."
You say this as though there is some dereliction of duty among the IT folks. There are people (http://www.antiphishing.org/, http://www.openantivirus.org/) working on these things. In their spare time too--right? It's quite apparent that your gripe is with M$ and the general population that has bought into the monopoly, but there's only so much you can do with 6 billion Elvis fans, and the greedy bastards that want to exploit them. I'm sure that most geeks would like to blow them off the planet, but like you, there's no "real" solution among them. I don't think that they (the IT world) should take the hit for an insurmountable task.
You've equated the catastrophes imminent to the internet with global warming. I can see the correlation, however the internet is fairly new compared to the first time we put CO into the atmosphere. Man's presence on Earth is undergoing a huge learning curve, as are man's dealings with the internet. It wasn't long ago that huge corporations were destroying the planet in the name of profit, and the good of human life, but eventually the people that saw the wrong of it came out of the woodwork, and protested. It's still not right, but it's headed in the right direction--I hope. Now, the ones that see the wrong of the "inter-connected" world, and all of the bad that it can inflict, are starting to come out of the woodwork. Exponentially so, as is the pace of technology.
The doctor's kids are always sick, the mechanic's car is always broken. Does this mean we are doomed to be ill (bird-flu notwithstanding :-)), or that our cars won't work? No, we are just living the human life, and sometimes--cough...9/11--it takes a catastrophe to put things to work....
BTW I'm not an IT guy, I'm just an aerospace weenie that is just as scared of the status-quo as you are. Yet I do have a little faith in the fact that, while most people need a little nudging, a lot of people are paying attention (like me--I carry my own disk with FireFox, AdAware, and OpenOffice--and spread it to anyone that listens).
Hmmmmm....
All hardware and software products have flaws. Show me who made a perfect product that never had problems. The important part is how fast those issues get fixed and how well they are supported.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I can't be the only one who misread the title and thought the flaming-bag-of-poo-ding-dong-run had been made into an online exploit.
I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet.
Well, I'd say we've either already had those catastrophes, or the Internet isn't vulnerable to what we think of as a catastrophe. When I think of catastrophe, I think of something that happens in a short period of time and causes widespread damage that takes months to clean up.
So.. either the various virus outbreaks, phishing attacks, and DOS attacks on major websites are all catastrophes, or the internet as a whole isn't really vulnerable to major catastrophes. What's currently happening is lots of minor catastrophes every day.
So, what I'm getting at is the model you should be looking at is a disease model, not a catastrophe model. Phishing, viruses, DOS attacks are all more like diseases that different parts of the internet develop.
AccountKiller
I used to work for this company in a "high level position".. at least that's what they claimed when I started! This company is so out of touch, it shouldn't surprise you to know that the so-called "Top 20" is just recycled from old net detritus you can find anywhere. I mean, is anyone really surprised that M$ software is vulnerable? C'mon! What's much more vulnerable than Microsoft are the poor people who actually volunteer for companies like SANS when the highly paid principals build themselves multimillion-dollar homes in Hawaii.