SANS Institute Warns of Attack Shift

JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."

Symantec

[mysqlrocks]

The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

That must be embarrassing for a company that sells security products themselves.

What about Chinese attacks?

I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.

Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.

Time the attack shifted to the CEO's office

[FishandChips]

These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.

One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.

I'm grateful for these reports from SAN and others. They remind me that IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.

SANS

[Heembo]

SANS is pretty hard core, and they do not say such things lightly.In fact, SANS is well know for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere, SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.

attack shift? or change in strategies?

[theCat]

The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.

IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."

That's the science of Internet Warfare.

Re:Coding practices

I disagree, that's like saying an airplane will fall out of the sky if you forget one little thing.

You know how the people who make airplanes avoid this type of situation? They double-check. They triple-check. They fire people who can't do a good job and hire ones who can. They actually, you know, *try*. Can you honestly say the same thing for the average coder?

If you have a network app, and it accepts a finite language of bytes, just how hard is it to secure this? Not very hard. Either you can do it, or your app is too complex, and you need to simplify it.

I don't think software with security holes should *ever* be "the norm". That's a dangerous way of thinking. It just makes software worse and worse. I have no problem with calling any software with holes the result of "bad coding practices". Including my own.

Every single time a flaw is discovered, it's a failure. It's not business as usual. Just because it happens a lot in our industry doesn't change that.

Re:I believe it: OS' are getting solid

[VENONA]

Actually, the egg was a permissions problem, not a buffer overflow. Many people consider permissions issues much more common in Windows. Especially if you think of having to run as Admin for so many things as a permissions issue.

Nor would I agree with "today's modern OS' are pretty damn secure/solid as well as stable." There have been far to many worms, etc. Also, I *really* wish Microsoft would get their browser out of the OS. Yet another unpatched, zero-day, control of system exploit was announced today. It's even been mentioned on Slashdot!

http://it.slashdot.org/article.pl?sid=05/11/22/135 2212&tid=113&tid=128&tid=172&tid=218

They wired their browser in largely as a tactic for defeating Netscape. Once again, their customers are paying the price.