Slashdot Mirror

← Back to Stories (view on slashdot.org)

SANS Institute Warns of Attack Shift

Posted by Zonk on from the new-targets dept.

JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."

10 of 80 comments (clear)

  1. Symantec by mysqlrocks · · Score: 3, Interesting

    The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

    That must be embarrassing for a company that sells security products themselves.

    --
    Bradley Holt
  2. What about Chinese attacks? by Anonymous Coward · · Score: 4, Interesting

    I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.

    Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.

  3. Time the attack shifted to the CEO's office by FishandChips · · Score: 3, Interesting

    These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.

    One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.

    I'm grateful for these reports from SAN and others. They remind me that IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.

    --
    Las qué passoun
    tournoun pas maï
  4. SANS by Heembo · · Score: 3, Interesting

    SANS is pretty hard core, and they do not say such things lightly.In fact, SANS is well know for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere, SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.

    --
    Horns are really just a broken halo.
  5. There is a huge unaddressed problem here... by Gordo_1 · · Score: 2, Interesting

    Most of the security establishment is focused on patching holes *after* they're discovered. This goes for application/product vendors as well as the security companies that are tasked with protecting those assets. The reasoning goes something along the lines that the sooner you patch your systems, the sooner you are safe from the "bad guys".

    The problem is that many of the vulnerabilities have been sitting there for YEARS before they're discovered by the establishment. Take Blaster for example... how long was that vulnerability present in shipping product before it was disclosed by Microsoft? Try nearly 7 years. Of course, only a few short weeks after this disclosure, the worm propagated. So, how long were blackhats exploiting the vuln before the disclosure? We'll probably never know. How many other "undiscovered" vulnerabilities have been exploited prior to the vendor acknowledging the vulnerability? Dunno, but I suspect it ain't just a handful. How about yesterday's IE proof of concept remote root exploit that works just as well against a fully patched Windows XP SP2 as it does against Windows 2000? You think any signature or "behavior"-based IDS/IPS can even detect this sort of thing 0-day? I'm willing to bet money on the fact that they can't.

    See here for a fun new way to run Calc.exe on your Windows box:
    http://www.computerterrorism.com/research/ie/ct21- 11-2005

    So long as vendors remain profit motivated and focused on short-term competitiveness, they will never adequately address the software quality issue. Unexposed vulnerabilities are ripe picking for blackhats, while vendors and the security establishment continue to address the reactive post-vulnerability disclosure space.

  6. attack shift? or change in strategies? by theCat · · Score: 4, Interesting

    The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.

    IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."

    That's the science of Internet Warfare.

    --
    =^..^= all your rodent are belong to us
  7. Re:Coding practices by Anonymous Coward · · Score: 4, Interesting

    I disagree, that's like saying an airplane will fall out of the sky if you forget one little thing.

    You know how the people who make airplanes avoid this type of situation? They double-check. They triple-check. They fire people who can't do a good job and hire ones who can. They actually, you know, *try*. Can you honestly say the same thing for the average coder?

    If you have a network app, and it accepts a finite language of bytes, just how hard is it to secure this? Not very hard. Either you can do it, or your app is too complex, and you need to simplify it.

    I don't think software with security holes should *ever* be "the norm". That's a dangerous way of thinking. It just makes software worse and worse. I have no problem with calling any software with holes the result of "bad coding practices". Including my own.

    Every single time a flaw is discovered, it's a failure. It's not business as usual. Just because it happens a lot in our industry doesn't change that.

  8. Re:Hey! The sky is falling! The sky is falling! by JWtW · · Score: 2, Interesting

    "Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems."

    You say this as though there is some dereliction of duty among the IT folks. There are people (http://www.antiphishing.org/, http://www.openantivirus.org/) working on these things. In their spare time too--right? It's quite apparent that your gripe is with M$ and the the general population that has bought into the monopoly, but there's only so much you can do with 6 billion Elvis fans, and the greedy bastards that want to exploit them. I'm sure that most geeks would like to blow them off the planet, but like you, there's no "real" solution among them. I don't think that they (the IT world) should take the hit for an insurmountable task.

    You've equated the catastrophies iminent to the internet with global warming. I can see the correlation, however the internet is fairly new compared to the first time we put CO into the atmosphere. Man's presence on Earth is undergoing a huge learning curve, as are man's dealings with the internet. It wasn't long ago that huge corporations were destroying the planet in the name of profit, and the good of human life, but eventually the people that saw the wrong of it came out of the woodwork, and protested. It's still not right, but it's headed in the right direction--I hope. Now, the ones that see the wrong of the "inter-connected" world, and all of the bad that it can inflict are starting to come out of the woodwork. Exponentially so, as is the pace of technology.

    The doctor's kids are always sick, the mechanic's car is always broke. Does this mean we are doomed to be ill (bird-flu notwithstanding :-)), or that our cars won't work? No, we are just living the human life, and sometimes--cough...9/11--it takes a catastophy to put things to work....

    BTW I'm not an IT guy, I'm just an aerospace weenie that is just as scared of the status-quo as you are. Yet I do have a little faith in the fact that, while most people need a little nudging, a lot of people are paying attention (like me--I carry my own disk with FireFox, AdAware, and OpenOffice--and spread it to anyone that listens).

    --
    Hmmmmm....
  9. Re:I believe it: OS' are getting solid by VENONA · · Score: 3, Interesting

    Actually, the egg was a permissions problem, not a buffer overflow. Many people consider permissions issues much more common in Windows. Especially if you think of having to run as Admin for so many things as a permissions issue.

    Nor would I agree with "today's modern OS' are pretty damn secure/solid as well as stable." There have been far to many worms, etc. Also, I *really* wish Microsoft would get their browser out of the OS. Yet another unpatched, zero-day, control of system exploit was announced today. It's even been mentioned on Slashdot!

    http://it.slashdot.org/article.pl?sid=05/11/22/135 2212&tid=113&tid=128&tid=172&tid=218

    They wired their browser in largely as a tactic for defeating Netscape. Once again, their customers are paying the price.

    --
    What you do with a computer does not constitute the whole of computing.
  10. Re:Coding practices by Billosaur · · Score: 2, Interesting
    All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

    Bad coding can take on many forms. The single hardest thing to get people to do is sanity-check data. I work in Perl and I swear by the -T switch (taint mode) because it forces me to verify that data passed in from the real world is in fact valid and doesn't contain any surprises. Now mind you, it can lead to some ugly-looking regexs, but if you're writing a CGI that calls for access to a database or activates some internal process, you can't take the risk that someone won't try to force malicious code into it to get it do what they want.

    That said, you can be as thorough as you like, run the code through several evaluations, UAT it to death, and end up overlooking an obvious avenue. It's a good idea to make sure all code that interfaces with the real world gets put through a code review, especially by people who don't work with that code every day. You may not be able to stop everything but you can sure whittle down your vulnerabilities to an insignificant number and make them much easier to fix if they become exploited.

    --
    GetOuttaMySpace - The Anti-Social Network