SANS Institute Warns of Attack Shift
JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."
What about IE? Is it 'internet' or 'application'? I.e. (no pun intended), does it belong to the former or the latter group? You can hear of a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, I don't see the 'big shift'. I expect some shift towards Firefox exploits though (as contrary to belief, it crashes too), as soon as it reaches a critical mass of users so it's 'worth bothering with'.
From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.
While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".
I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).
There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.
In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:
No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.
SANS Top 20, November 22, 2005 is here.
This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.
I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.
No, that must be profitable.
As much as I laughed at your post, I remembered that "Microsoft and Symantec were consulted to ignore the rootkit," meaning they knew damn well what it was and their lawyers advised them to feign ignorance for fear of fisticuffs with Sony.
Now Microsoft and Symantec are going to hang out together and tell us what the new threats are? I wish I could be there to voice concerns over the "private backroom deal for corporate interests" attack vector. It's an old one, but it's only getting bigger.
If you really want to see how bad it is, consider the above, then read articles such as this one:
http://www.eweek.com/article2/0,1895,1884677,00.a
and note the wording. Oh, Microsoft is now "concerned," are they? As of the 9th or so, when the back really hit the lash? What pathetic public posturing they've perfected. But the various news sites report this - you can find a dozen easily with identical copy, from the 9th and 10th - with no comment on their earlier complicity. They couch it in terms of "not sure what kind of threat," instead of "not sure which way the wind is blowing" or "how little they can get away with doing" or "stabbing their buddies in the back to damage-control the PR angle."
Microsoft and Symantec know, do nothing, then pretend to be "concerned" when the pressure grows. F4I screams and points at Symantec: "But but but they said it wasn't malware when we asked!" Sony has done nothing wrong, just ask 'em. The RIAA, meanwhile, as I'm sure we all have read by now, realized its Stupid Statement Quota wasn't met this month and came out to spew some nonsensical gibberish about All Our PCs Will Belong To Them.
It's too soon to declare this a Victory of the Blogs over the Giants, as some euphorically have. The spin continues, and even the short-term promises of those involved have yet to be fully implemented.
It's interesting to note how all the players here point fingers at all the others for the responsibility, while, say, wielding the Australian legal system to hold Kazaa's creators and maintainers responsible for every past, present and potential user of the software.
This is a significant ground gain, no question. But that's when it's time to press the attack, not sit back and congratulate each other on how we stuck it to the man. It's time to get legislation changes and public awareness that WILL stick, and force the issue of equal enforcement that will demonstrate all current and planned forms of DRM and the DMCA as undesirable, impractical, unenforceable crap. It's buggy, hole-ridden, crap legislation, like the code of this damn rootkit.
That which does not kill us makes us... st