Slashdot Mirror
SANS Institute Warns of Attack Shift
JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."
What about IE? Is it 'internet' or 'application'? Ie. (not pun) does it belong to the former or the latter group. You can hear a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, i don't see the 'big shift'. I expect some shift towards Firefox exploits though (as contrary to belief, it crashes too). As soon as it reaches a critical mass of users so it 'worths bothering with'.
Patents Drive Free Software as Hurricanes Drive Construction Industry
We've been living with Outlook/Exchange Server for this long... is the worst REALLY ahead of us?
You see? You see? Your stupid minds! Stupid! Stupid!
......the worst vunerablity was being in range of Ballmer's chair.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.
That must be embarrassing for a company that sells security products themselves.
Bradley Holt
the actual top 20 list can be found here: http://www.sans.org/top20
---- join dshield.org Distributed Intrusion Detec
" Microsoft shares"
Microsoft shares? Did I read that right?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Crackers need care and feeding. When they can no longer get what they need from maturing operating systems the move on. In other words, nothing to see here. move along.
From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.
While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".
$nice = $webHosting + $domainNames + $sslCerts
Sony, looking to expand its product line, is selling the new $sys$Attack package to hackers.
Sharp criticism for this product inspired Sony to offer $sys$CounterAttack, $sys$Peekaboo, and $sys$Shields to private induhviduals and security experts.
A $sys$spokes-person for Sony, who wishes to remain anonymous, says these products are the precurser to the $sith$ branded products that will ensure peace and justice in the galaxy.
I read
I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).
There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.
In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:
No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.
Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others
Thank goodness I'm protecting my well-patched XP system with Norton and a Linksys router, so I'm safe!
This levee is rock-solid baby!
You can have my cynical agnosticism when you pry it from my cold, dead logic.
SANS Top 20, November 22, 2005 is here.
This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.
I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.
Nice to see, though, that the only Unix problems they talk about are misconfigurations. This isn't really accurate, but nice to see anyway.
Free Conference Call -- No Spam, High Quality
I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.
Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.
You are wrong on both counts and you are spreading FUD.
The global warming threat is far from confirmed. There is overwhelming evidence to the contrary. And there have been catastrophic events to the Internet (not including the AOL invasion (ok, karma whore cheap shot. Laugh, it's supposed to be funny)). Remember Slammer, Melissa, and a handful of other fast moving worms that took out large portions of the network for several hours at a time? That was pretty catastrpohic. However, let's also remember that those events were pretty much mitigated within a day or two.
About the only thing that is really going to threaten the "Internet" is taking out the NAPs.
Embarrasment, maybe for a time - but if hackers attack security software instead of other apps, maybe it means that security software actually works in protecting these.
I'm still trying to figure out what people mean by 'social skills' here.
I think if you'd read my post, you'd see I explicitly stated:
I was merely mentioning the behavior of the general populace is similar around both ongoing debates.
As for your contention that the internet catastrophe's have already happened, you pointed out some things that created inconvenience for many, but the net effect of those "events" were hardly catastrophic as you astutely pointed out in your next (but contradicting your point) statement:
These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.
One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.
I'm grateful for these reports from SAN and others. They remind me that IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.
Las qué passoun
tournoun pas maï
SANS is pretty hard core, and they do not say such things lightly.In fact, SANS is well know for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere, SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.
Horns are really just a broken halo.
Most of the security establishment is focused on patching holes *after* they're discovered. This goes for application/product vendors as well as the security companies that are tasked with protecting those assets. The reasoning goes something along the lines that the sooner you patch your systems, the sooner you are safe from the "bad guys".
- 11-2005
The problem is that many of the vulnerabilities have been sitting there for YEARS before they're discovered by the establishment. Take Blaster for example... how long was that vulnerability present in shipping product before it was disclosed by Microsoft? Try nearly 7 years. Of course, only a few short weeks after this disclosure, the worm propagated. So, how long were blackhats exploiting the vuln before the disclosure? We'll probably never know. How many other "undiscovered" vulnerabilities have been exploited prior to the vendor acknowledging the vulnerability? Dunno, but I suspect it ain't just a handful. How about yesterday's IE proof of concept remote root exploit that works just as well against a fully patched Windows XP SP2 as it does against Windows 2000? You think any signature or "behavior"-based IDS/IPS can even detect this sort of thing 0-day? I'm willing to bet money on the fact that they can't.
See here for a fun new way to run Calc.exe on your Windows box:
http://www.computerterrorism.com/research/ie/ct21
So long as vendors remain profit motivated and focused on short-term competitiveness, they will never adequately address the software quality issue. Unexposed vulnerabilities are ripe picking for blackhats, while vendors and the security establishment continue to address the reactive post-vulnerability disclosure space.
This correlates with research published by others earlier this year. [Disclaimer: I know the author.]
What worries me is the ability of attackers to do real-time attacks on a service. To hit a system that they know very little about and create zero-days in near real time. That is where things really become dangerious because attackers can then, once a target is chosen, attack the very uncommon software on it and still have reasonable payoff.
I do security
The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.
IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."
That's the science of Internet Warfare.
=^..^= all your rodent are belong to us
I apologize to all the eyes that were harmed from trying to read my previous comment. In penance I shall now cross mine 'til they stay that way like my mother warned me they would.
That which does not kill us makes us... st
"Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems."
You say this as though there is some dereliction of duty among the IT folks. There are people (http://www.antiphishing.org/, http://www.openantivirus.org/) working on these things. In their spare time too--right? It's quite apparent that your gripe is with M$ and the the general population that has bought into the monopoly, but there's only so much you can do with 6 billion Elvis fans, and the greedy bastards that want to exploit them. I'm sure that most geeks would like to blow them off the planet, but like you, there's no "real" solution among them. I don't think that they (the IT world) should take the hit for an insurmountable task.
You've equated the catastrophies iminent to the internet with global warming. I can see the correlation, however the internet is fairly new compared to the first time we put CO into the atmosphere. Man's presence on Earth is undergoing a huge learning curve, as are man's dealings with the internet. It wasn't long ago that huge corporations were destroying the planet in the name of profit, and the good of human life, but eventually the people that saw the wrong of it came out of the woodwork, and protested. It's still not right, but it's headed in the right direction--I hope. Now, the ones that see the wrong of the "inter-connected" world, and all of the bad that it can inflict are starting to come out of the woodwork. Exponentially so, as is the pace of technology.
The doctor's kids are always sick, the mechanic's car is always broke. Does this mean we are doomed to be ill (bird-flu notwithstanding :-)), or that our cars won't work? No, we are just living the human life, and sometimes--cough...9/11--it takes a catastophy to put things to work....
BTW I'm not an IT guy, I'm just an aerospace weenie that is just as scared of the status-quo as you are. Yet I do have a little faith in the fact that, while most people need a little nudging, a lot of people are paying attention (like me--I carry my own disk with FireFox, AdAware, and OpenOffice--and spread it to anyone that listens).
Hmmmmm....
Actually, the egg was a permissions problem, not a buffer overflow. Many people consider permissions issues much more common in Windows. Especially if you think of having to run as Admin for so many things as a permissions issue.
5 2212&tid=113&tid=128&tid=172&tid=218
Nor would I agree with "today's modern OS' are pretty damn secure/solid as well as stable." There have been far to many worms, etc. Also, I *really* wish Microsoft would get their browser out of the OS. Yet another unpatched, zero-day, control of system exploit was announced today. It's even been mentioned on Slashdot!
http://it.slashdot.org/article.pl?sid=05/11/22/13
They wired their browser in largely as a tactic for defeating Netscape. Once again, their customers are paying the price.
What you do with a computer does not constitute the whole of computing.
All hardware and software products have flaws. Show me who made a perfect product that never had problems. The important part is how fast and the support of fixing those issues.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I can't be the only one who misread the title and thought the flaming-bag-of-poo-ding-dong-run had been made into an online exploit.
I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet.
Well, I'd say we've either already had those catastrophes, or the Internet isn't vulnerable to what we think of as a catastrophe. When I think of catastrophe, I think of something that happens in a short period of time and causes wisespread damage that takes months to cleanup.
So.. either the various virus outbreaks, phishing attacks, and DOS attacks on major websites are all catastrophes, or the internet as a whole isn't really vulnerable to major catastrophes. What's currently happening is lots of minor catastrophes every day.
So, what I'm getting at is the model you should be looking at is a disease model, not a catastrophe model. Phishing, viruses, DOS attacks are all more like diseases that different parts of the internet develop.
AccountKiller
"I have the novel, read it last year, do you? Or, did you just read some "synopsis" of it online?? I am curious, please answer that."
/not/ been met."
and
"Here's some reference material for you, a quote from a review (since you don't have this novel apparently)"
Yes, I own the novel. Read it years ago. Just dragged it from the shelf again, and found the reference to a permissions problem. I have the 2000 printing of the Pocket Books edition. In that edition, the explanation starts on page 27. From there to the end of the explanation on page 29 or so, there is no mention of a buffer overflow. The novel isn't written for a very technical audience. Explaining a buffer overflow was probably a bit much to expect.
I didn't worry too much about it, as the flaw had long since been patched. Just looked at the Gillette overflow paper you linked to. I won't have time to read it 'till tonight, but it looks interesting. Thanks for the link.
As to the presence of zero-day exploits in Linux, I say yes, there are. At any one time, there are probably several. Most any complex system will have them. A quote from Edsger Dijkstra: "I would therefore like to posit that computing's central challenge, viz. "How not to make a mess of it," has
My take is that Linux has fewer of them, and they tend to be fixed more quickly--particularly the remote root exploits. The fixes also tend to be of higher quality. There are very few cases of the patch not really fixing the problem, and they tend to be more robust. You won't see many partial fixes, such as the many that have come out from Microsoft related to RPC/DCOM.
As to the Secunia reference--no way do I have time to chase all these down for a few days. I did check a couple, and they were DoS exploits, not remote root. Probably few if any are remote root.
"BOATLOADS OF SECURITY FLAWS STILL EXIST IN LINUX, local & remote exploitable, period, with various ratings from "critical", "less critical", to "not critical" (although, this last one is subject to opinion & discussion imo)."
MS is famous for claiming something isn't critical until exploit code is circulating in the wild. I expect you know this, and are now attempting to FUD a famous MS problem into something generic enough to apply to all operating systems.
Since you're generating "please answers", here's two points.
1- You haven't responded to anything I've said about Internet Explorer. A famous source of problems.
2- Quit posting as an AC if you want an ongoing discussion.
What you do with a computer does not constitute the whole of computing.
"Your "screwup" post was rated 3 & modded-up, & it had blatant "I read it in a book review/wikipedia/google" mistakes to it!"
My post was made from having read the book, as I replied above. When the event actually happened, I was a Unix user, not any sort of coder, beyond a bit of shell scripting. I had no security responsibilities. In 2000, when I read the book, there was little point in researching the root cause--it had long since been patched.
"P.S.=> Now, if you don't like that? Disprove what I wrote &/or quoted above! Pretty simple... somehow, I think that VENONA won't reply here again... apk"
And why wouldn't I reply? Because I didn't reply to a flurry of you replying to yourself, all in a 3 1/2 hour period, as an AC? I've been in !@#$ meetings all morning, not hanging on Slashdot! Given the subject of the meetings, I'd have accomplished as much either way. The discussion is valid, and useful.
I think it would be nice if any interested party with Linux experience would chase through that Secunia reference, for instance. I know that all critical systems I'm responsible for are fully patched, well hardened, and not 0wn3d. So I have nether the time nor a driving need to chase through the reference myself. Maybe I can shake lose for a couple of hours this evening, or by this weekend, at any rate. If anyone wants to look through it, start at the top. I'll start at the bottom, and we'll meet in the middle.
Look, I'll even give *you* a bit of ammunition. I have annecdotal evidence that at least one core kernel developer has some track record of fixing security bugs with no corresponding CVS entries. IMHO, that's wrong. It's security by obscurity. When bugs like that are found, they should be published so that people know to upgrade their kernel. I'm not saying this is some huge widespread thing. Just that I have some evidence that it's happened on a small scale.
What you do with a computer does not constitute the whole of computing.
Dude, will you relax? None of this is meant to be any sort of personal attack or challenge. If it came off that way, I apologize.
I don't care what OS you use. I prefer Linux on the desktop, because I'm more used to it, and more productive in it. On the server, I use it a lot, and OpenBSD on rare occasions. If I have to, by the nature of the job, I'll use Solaris or HP-UX. I have little exposure to AIX. I own Microsoft Windows and Office, and use them when I have to. That's actually pretty frequently, as there are a couple of serious gaps in Open Source app coverage.
I much prefer Linux, all else being equal, but I am definitely not some raving Linux-only guy. Nor am I responsible for what some of the more adamant Linux fans here post.
I brought IE into this because of the cooincidence of yet another remote admin vulnerability, which was published the very same day, and because Microsoft *should not* have bundled it into the OS. Both for security reasons, and because IMHO, doing it abused a monopoly position in the market to destroy a competitor.
As far as some of the Secunia content not involving remote root, that's what the discussion is all about. That's what made the Cuckoos egg that you initially posted about so devastating. That's why we're talking about kernel exploits. Root access.
I still don't know why you're so upset about my original remark about your Cuckoo's Egg post. I've already explained why I hadn't dug deeply into the exploit--already patched. If you'd given overflow reference in your post, I'd have just read it, and thought, "Cool. Thanks, AC, whoever you are." I'd probably have posted to say thanks.
As it happens, you'd probably no idea that that would be a good thing to do, and made a casual post. I did the same thing--made a casual post, based on what I remembered was in the book. If I'd known this was going to turn into some sort of hostile punch and counter-punch, I'd have either checked very thoroughly, or more likely taken the easy way out and not posted at all. This is turning into way more of a time sink than I can deal with right now.
Nor am I ordering you to not post as an AC. I'm well aware I have no means of enforcing such an order, and wouldn't do it in any case. I'd have a really serious ethics problem with that. It just makes it easier to keep postings straight, when you're following a thread, if usernames are used. It's a politeness thing, like NOT SHOUTING IN ALL CAPS.
"Your OS just does not do as well as Microsoft offerings, period, & YOU KNOW IT!"
No, I don't. I know they've made a lot of progress. For example, their Web server is no longer a source of what seemed like weekly holes for quite some time. Eventually, they got enough heat that they had to fix that service, and they've largely done that. They took a lot of heat about buffer overflows, and now they're apparently coming along nicely with code sweeping tools to address that issue. Not a run-time system--this is a true code-sweeper.
I just wish they would do this sort of thing before they were forced into it. They're generating tons of distrust by doing that. Even amongst some very competent Windows developers and admins that I know. It's not like I know two people, and they're both complete Penguinistas. Long-term, this can't be good for them.
Personally, I hope their code-sweeping tools get amazingly good, very fast, and come into widespread use. Better for overall network health, protection of user's confidential data, etc. It would also generate more effort along corresponding lines in the Open Source world. It's good for everyone, and MS is more than welcome to any whatever good press the garner from it, IMHO.
In fact, I've just tried to give them some, with a link, and came up empty in a quick google. This has been in the news within the last couple of weeks. Maybe you can find it.
Again, none of this is meant as a personal attack or challenge. I think that we can agree that if the discussion devolves into a flame-war, it's no longer useful?
What you do with a computer does not constitute the whole of computing.
I'm all done apologizing. It doesn't seem to have helped.
BTW, I'm not a network admin. But I have enough sense to listen to them, not trash them. They're in the trenches every day, and have valuable insights. Sometimes the critical bit of info you need. Thank $DEITY not all coders came from your ranks, and now feel that they are somehow above them. In fact, *none* of the better coders I know have your attitude.
To make it very clear, I do code. In a dozen languages or so. You accuse me of not knowing much about security. Well, that's relative. There's always someone better, and you have to plan for that, in case they're a Bad Buy. But I have to wonder how you can be competent. More than one protocol has been broken because the API docs did not match what was actually seen on the wire, and network tools are valuable.
To avoid shouting in The Great Runes, let me just quietly state that you're not as cluefull as you imagine.
I'm pretty much done with this thread. Others will judge whether there's anything influential about it. There's certainly nothing important here, despite the fact that you seem to be all wound up about it. It's not going to change minds or anything. It's just Slashdot--the One True Home of religious arguments.
What you do with a computer does not constitute the whole of computing.