Slashdot Mirror


SANS Institute Warns of Attack Shift

JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."

25 of 80 comments

  1. Interesting article, but... by someone1234 · · Score: 4, Insightful

    What about IE? Is it 'internet' or 'application'? I.e. (no pun intended) does it belong to the former or the latter group. You can hear a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, I don't see the 'big shift'. I expect some shift towards Firefox exploits though (as contrary to belief, it crashes too). As soon as it reaches a critical mass of users so it's 'worth bothering with'.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. New shift? by Junior+J.+Junior+III · · Score: 2, Funny

    We've been living with Outlook/Exchange Server for this long... is the worst REALLY ahead of us?

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  3. And here I thought that..... by 8127972 · · Score: 3, Funny

    ......the worst vulnerability was being in range of Ballmer's chair.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  4. Symantec by mysqlrocks · · Score: 3, Interesting

    The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

    That must be embarrassing for a company that sells security products themselves.

    1. Re:Symantec by someone1234 · · Score: 4, Insightful
      That must be embarrassing for a company that sells security products themselves.

      No, that must be profitable.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  5. Link to list by UnderAttack · · Score: 5, Informative

    the actual top 20 list can be found here: http://www.sans.org/top20

    --
    ---- join dshield.org Distributed Intrusion Detec
    1. Re:Link to list by ozbird · · Score: 2, Funny

      So, can we expect "getting linked to from slashdot.org" to appear on next year's Top 20 list?

  6. shares? by gcnaddict · · Score: 5, Funny

    " Microsoft shares"

    Microsoft shares? Did I read that right?

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  7. Coding practices by Dekortage · · Score: 4, Insightful

    From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.

    While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

    --
    $nice = $webHosting + $domainNames + $sslCerts
    1. Re:Coding practices by Anonymous Coward · · Score: 4, Interesting

      I disagree, that's like saying an airplane will fall out of the sky if you forget one little thing.

      You know how the people who make airplanes avoid this type of situation? They double-check. They triple-check. They fire people who can't do a good job and hire ones who can. They actually, you know, *try*. Can you honestly say the same thing for the average coder?

      If you have a network app, and it accepts a finite language of bytes, just how hard is it to secure this? Not very hard. Either you can do it, or your app is too complex, and you need to simplify it.

      I don't think software with security holes should *ever* be "the norm". That's a dangerous way of thinking. It just makes software worse and worse. I have no problem with calling any software with holes the result of "bad coding practices". Including my own.

      Every single time a flaw is discovered, it's a failure. It's not business as usual. Just because it happens a lot in our industry doesn't change that.

    2. Re:Coding practices by Billosaur · · Score: 2, Interesting
      All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

      Bad coding can take on many forms. The single hardest thing to get people to do is sanity-check data. I work in Perl and I swear by the -T switch (taint mode) because it forces me to verify that data passed in from the real world is in fact valid and doesn't contain any surprises. Now mind you, it can lead to some ugly-looking regexs, but if you're writing a CGI that calls for access to a database or activates some internal process, you can't take the risk that someone won't try to force malicious code into it to get it do what they want.

      That said, you can be as thorough as you like, run the code through several evaluations, UAT it to death, and end up overlooking an obvious avenue. It's a good idea to make sure all code that interfaces with the real world gets put through a code review, especially by people who don't work with that code every day. You may not be able to stop everything but you can sure whittle down your vulnerabilities to an insignificant number and make them much easier to fix if they become exploited.

      --
      GetOuttaMySpace - The Anti-Social Network
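
The discipline Billosaur describes, refusing to use real-world data until it has matched a pattern that says exactly what is acceptable, can be shown without Perl's -T switch. The following is an added example, not code from the post: Python has no taint flag, so the allow-list regex plays that role by hand, and the two "unsafe" functions show the coding practice it is meant to prevent. The username pattern, the in-memory table and the injection payload are all constructed for the example.

```python
import re
import sqlite3

# Hypothetical allow-list (not from the post): the only shape a username may
# take. \A and \Z anchor to the whole string, so "alice\n" or a payload with
# an embedded newline cannot slip past the way it can with ^ and $ under re.M.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_-]{0,31}\Z")


def untaint_username(raw):
    """Return the input only once it has matched the allow-list, else None.

    This is the discipline Perl -T enforces: data from the real world is
    unusable until a pattern describing exactly what is acceptable has
    matched it; anything else is rejected, not 'cleaned'.
    """
    m = USERNAME_RE.match(raw)
    return m.group(0) if m else None


def lookup_unsafe(conn, raw):
    """Bad practice: untrusted input interpolated straight into SQL."""
    return conn.execute("SELECT id FROM users WHERE name = '" + raw + "'").fetchall()


def lookup_safe(conn, raw):
    """Hardened: validate first, then bind the value as a parameter."""
    user = untaint_username(raw)
    if user is None:
        raise ValueError("rejected untrusted input: %r" % raw)
    return conn.execute("SELECT id FROM users WHERE name = ?", (user,)).fetchall()


def process_argv_safe(raw):
    """Argv for an internal process: the validated value is one element, never
    part of a shell string, so ';' or '|' in the input has no meaning.
    Hand the result to subprocess.run(...) without shell=True."""
    user = untaint_username(raw)
    if user is None:
        raise ValueError("rejected untrusted input: %r" % raw)
    return ["id", "--", user]


def demo():
    """Constructed in-memory table; runs both lookups on one injection payload.

    Returns (rows leaked by the unsafe lookup, outcome of the safe one).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    payload = "x' OR '1'='1"
    leaked = len(lookup_unsafe(conn, payload))   # 2: the OR clause matches every row
    try:
        lookup_safe(conn, payload)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return leaked, outcome


if __name__ == "__main__":
    print(demo())
```

The point of the allow-list is that it is a positive description of good input; a deny-list of "dangerous" characters is the ugly regex that still misses something. Note also that validation and parameter binding are independent layers: the safe lookup would survive the payload on binding alone, but rejecting it up front keeps it out of logs, error pages and any downstream process too.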
  8. In other news... by pmike_bauer · · Score: 4, Funny

    Sony, looking to expand its product line, is selling the new $sys$Attack package to hackers.

    Sharp criticism for this product inspired Sony to offer $sys$CounterAttack, $sys$Peekaboo, and $sys$Shields to private induhviduals and security experts.

    A $sys$spokes-person for Sony, who wishes to remain anonymous, says these products are the precursor to the $sith$ branded products that will ensure peace and justice in the galaxy.

    --
    I read /. for the (Score:-1, Conservative) comments.
    1. Re:In other news... by spacefiddle · · Score: 2, Insightful
      Clearly he means to remain $sys$anonymous, right?

      As much as I laughed at your post, i remembered that "microsoft and symantec were consulted to ignore the rootkit," meaning they knew damn well what it was and their lawyers advised them to feign ignorance for fear of fisticuffs with Sony.

      Now Microsoft and Symantec are going to hang out together and tell us what the new threats are? I wish I could be there to voice concerns over the "private backroom deal for corporate interests" attack vector. It's an old one, but it's only getting bigger.

      If you really want to see how bad it is, consider the above then read articles such as this one
      http://www.eweek.com/article2/0,1895,1884677,00.asp
      and note the wording. Oh, Microsoft is now "concerned," are they? As of the 9th or so when the back really hit the lash? What pathetic public posturing they've perfected. But the various news sites report this - you can find a dozen easy with identical copy, from the 9th and 10th - with no comment on their earlier complicity. They couch it in terms of "not sure what kind of threat," instead of "not sure which way the wind is blowing" or "how little they can get away with doing" or "stabbing their buddies in the back to damage-control the PR angle."

      Microsoft and Symantec know, do nothing, then pretend to be "concerned" when the pressure grows. F4I screams and points at Symantec, "But but but they said it wasn't malware when we asked!" Sony has done nothing wrong, just ask 'em. The RIAA, meanwhile, as we all I'm sure have read by now, realized its Stupid Statement Quota wasn't met this month and came out to spew some nonsensical gibberish about All Our PCs Will Belong To Them.

      It's too soon to declare this a Victory of the Blogs over the Giants, as some euphorically have. The spin continues, and even the short-term promises of those involved have yet to be fully imped.

      It's interesting to note how all the players here point fingers at all the others for the responsibility, while, say, wielding the Australian legal system to hold Kazaa's creators and maintainers responsible for every past, present and potential user of the software.

      This is a significant ground gain, no question. But that's when it's time to press the attack, not sit back and congratulate each other how we stuck it to the man. It's time to get legislation changes and public awareness that WILL stick, and force the issue of equal enforcement that will demonstrate all current and planned forms of DRM and the DMCA as undesirable, impractical, unenforceable crap. It's buggy, hole-ridden, crap legislation like the code of this damn rootkit.

  9. Hey! The sky is falling! The sky is falling! by yagu · · Score: 3, Insightful

    I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).

    There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.

    In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:

    • Microsoft and their global domination of IT and their abysmal track record around security. Microsoft has proclaimed loudly their ongoing dedication to improving and eventually fixing their security flaws but there is little to show for their efforts. Microsoft, however, has not suffered greatly from this.
    • The complementary side, or the "consumers". I don't blame them as they see the world typically today through Microsoft colored glasses. They don't know of many alternatives, they don't know much about alternatives of which they're aware, and they don't much care because, "Nobody ever got fired for choosing Microsoft." (Remember when that was IBM?)

    No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.

  10. Yes, but I'm safe by punxking · · Score: 5, Funny

    Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others

    Thank goodness I'm protecting my well-patched XP system with Norton and a Linksys router, so I'm safe!
    This levee is rock-solid baby!

    --
    You can have my cynical agnosticism when you pry it from my cold, dead logic.
  11. Get the actual report here by hal9000(jr) · · Score: 4, Insightful

    SANS Top 20, November 22, 2005 is here.

    This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.

    I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.

  12. What about Chinese attacks? by Anonymous Coward · · Score: 4, Interesting

    I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.

    Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.

    1. Re:What about Chinese attacks? by graemecoates · · Score: 3, Informative

      On linux, I use iptables with some rate limiting rules on "NEW" connections to only allow x number of connections per y minutes from any host:

      # DUMP is a user-defined chain; the post assumes it already exists, so create it and have it drop
      /sbin/iptables -N DUMP
      /sbin/iptables -A DUMP -j DROP
      # setup recent state list: record the source of every NEW connection to port 22
      /sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSHLIST --set
      # hitcounter rule - send to DUMP chain if this source has 4 or more NEW connections in the last 600 seconds
      /sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSHLIST \
      --update --seconds 600 --hitcount 4 -j DUMP

      That pretty much stops any brute force attacks dead after 3 connections.

      Of course, you can set up prior permit rules to allow access from known hosts at any rate if need be, and if your users screw up logging in, it's easy to remove them from the block list if it's really urgent (they could also wait 10 minutes):

      echo "-123.45.67.89" > /proc/net/ipt_recent/SSHLIST
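
The rules above let the kernel do the counting; a practitioner usually also wants to see, from the logs, which sources would have tripped them and which were just users mistyping. The script below is an added example, not part of graemecoates' post: it applies the same window and hit count (600 seconds, 4 hits) to sshd syslog lines, treats an allow set as the "prior permit rules", and emits the unblock line from the post for anything that tripped. The log lines, host names and addresses are constructed for the example, not taken from any real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of an OpenSSH failed-login line as syslog writes it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Same thresholds as the iptables rules in the post: --seconds 600 --hitcount 4.
WINDOW_SECONDS = 600
HITCOUNT = 4

# Constructed sample, not from any real host. 203.0.113.7 is a guesser,
# 198.51.100.9 is a noisy but known host, 192.0.2.5 is a user mistyping.
SAMPLE_LOG = """\
Nov 22 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41234 ssh2
Nov 22 10:00:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 41240 ssh2
Nov 22 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 41251 ssh2
Nov 22 10:00:07 host sshd[1207]: Failed password for root from 203.0.113.7 port 41260 ssh2
Nov 22 10:01:00 host sshd[1210]: Failed password for alice from 192.0.2.5 port 50000 ssh2
Nov 22 10:02:00 host sshd[1211]: Failed password for alice from 192.0.2.5 port 50001 ssh2
Nov 22 10:03:00 host sshd[1301]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Nov 22 10:03:10 host sshd[1302]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Nov 22 10:03:20 host sshd[1303]: Failed password for bob from 198.51.100.9 port 40002 ssh2
Nov 22 10:03:30 host sshd[1304]: Failed password for bob from 198.51.100.9 port 40003 ssh2
Nov 22 10:15:00 host sshd[1212]: Failed password for alice from 192.0.2.5 port 50002 ssh2
Nov 22 10:16:00 host sshd[1213]: Accepted password for alice from 192.0.2.5 port 50003 ssh2
Nov 22 10:20:00 host sshd[1214]: Failed password for alice from 192.0.2.5 port 50004 ssh2
""".splitlines()


def parse_ts(s, year=2005):
    """syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime("%d %s" % (year, s), "%Y %b %d %H:%M:%S")


def brute_force_sources(lines, allow=frozenset()):
    """Return {ip: time of the failure that tripped it} for every source with
    HITCOUNT failures inside a sliding WINDOW_SECONDS, mirroring what the
    kernel's recent list does with --update --seconds --hitcount.
    Addresses in `allow` play the role of the prior permit rules."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    tripped = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue              # successful logins and unrelated lines
        ip = m.group("ip")
        if ip in allow or ip in tripped:
            continue
        t = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()           # age out hits older than the window
        if len(q) >= HITCOUNT:
            tripped[ip] = t
    return tripped


def unblock_command(ip):
    """Shell line to drop one address from the recent list, as in the post.
    Newer kernels expose the same list under /proc/net/xt_recent/ instead."""
    return 'echo "-%s" > /proc/net/ipt_recent/SSHLIST' % ip


def demo():
    return brute_force_sources(SAMPLE_LOG, allow={"198.51.100.9"})


if __name__ == "__main__":
    for ip, when in demo().items():
        print(ip, "tripped at", when, "->", unblock_command(ip))
```

Run against the sample, only 203.0.113.7 trips: 198.51.100.9 would have, but is exempted by the allow set, and 192.0.2.5 never has four failures inside any ten-minute window, which is the case the rule is tuned not to punish. One caveat the post does not mention: the kernel rule counts every NEW connection, including successful ones, so a legitimate host opening several sessions in quick succession trips it just as a guesser does; the log-based view above counts only failures, so the two will not always agree.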

  13. Re:Quis custodiet ipsos custodes? by mysqlrocks · · Score: 2, Informative

    but if hackers attack security software instead of other apps, maybe it means that security software actually works in protecting these

    Interesting theory but the product in question, Veritas BackupExec, is not a security product. To Symantec's credit this is a software product they purchased but it still has the Symantec name on it.

  14. Time the attack shifted to the CEO's office by FishandChips · · Score: 3, Interesting

    These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.

    One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.

    I'm grateful for these reports from SANS and others. They remind me that the IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.

    --
    Las qué passoun
    tournoun pas maï
  15. SANS by Heembo · · Score: 3, Interesting

    SANS is pretty hard core, and they do not say such things lightly. In fact, SANS is well known for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere, SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.

    --
    Horns are really just a broken halo.
  16. There is a huge unaddressed problem here... by Gordo_1 · · Score: 2, Interesting

    Most of the security establishment is focused on patching holes *after* they're discovered. This goes for application/product vendors as well as the security companies that are tasked with protecting those assets. The reasoning goes something along the lines that the sooner you patch your systems, the sooner you are safe from the "bad guys".

    The problem is that many of the vulnerabilities have been sitting there for YEARS before they're discovered by the establishment. Take Blaster for example... how long was that vulnerability present in shipping product before it was disclosed by Microsoft? Try nearly 7 years. Of course, only a few short weeks after this disclosure, the worm propagated. So, how long were blackhats exploiting the vuln before the disclosure? We'll probably never know. How many other "undiscovered" vulnerabilities have been exploited prior to the vendor acknowledging the vulnerability? Dunno, but I suspect it ain't just a handful. How about yesterday's IE proof of concept remote root exploit that works just as well against a fully patched Windows XP SP2 as it does against Windows 2000? You think any signature or "behavior"-based IDS/IPS can even detect this sort of thing 0-day? I'm willing to bet money on the fact that they can't.

    See here for a fun new way to run Calc.exe on your Windows box:
    http://www.computerterrorism.com/research/ie/ct21-11-2005

    So long as vendors remain profit motivated and focused on short-term competitiveness, they will never adequately address the software quality issue. Unexposed vulnerabilities are ripe picking for blackhats, while vendors and the security establishment continue to address the reactive post-vulnerability disclosure space.

  17. attack shift? or change in strategies? by theCat · · Score: 4, Interesting

    The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.

    IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."

    That's the science of Internet Warfare.

    --
    =^..^= all your rodent are belong to us
  18. Re:Hey! The sky is falling! The sky is falling! by JWtW · · Score: 2, Interesting

    "Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems."

    You say this as though there is some dereliction of duty among the IT folks. There are people (http://www.antiphishing.org/, http://www.openantivirus.org/) working on these things. In their spare time too--right? It's quite apparent that your gripe is with M$ and the general population that has bought into the monopoly, but there's only so much you can do with 6 billion Elvis fans, and the greedy bastards that want to exploit them. I'm sure that most geeks would like to blow them off the planet, but like you, there's no "real" solution among them. I don't think that they (the IT world) should take the hit for an insurmountable task.

    You've equated the catastrophes imminent to the internet with global warming. I can see the correlation, however the internet is fairly new compared to the first time we put CO into the atmosphere. Man's presence on Earth is undergoing a huge learning curve, as are man's dealings with the internet. It wasn't long ago that huge corporations were destroying the planet in the name of profit, and the good of human life, but eventually the people that saw the wrong of it came out of the woodwork, and protested. It's still not right, but it's headed in the right direction--I hope. Now, the ones that see the wrong of the "inter-connected" world, and all of the bad that it can inflict are starting to come out of the woodwork. Exponentially so, as is the pace of technology.

    The doctor's kids are always sick, the mechanic's car is always broke. Does this mean we are doomed to be ill (bird-flu notwithstanding :-)), or that our cars won't work? No, we are just living the human life, and sometimes--cough...9/11--it takes a catastrophe to put things to work....

    BTW I'm not an IT guy, I'm just an aerospace weenie that is just as scared of the status-quo as you are. Yet I do have a little faith in the fact that, while most people need a little nudging, a lot of people are paying attention (like me--I carry my own disk with FireFox, AdAware, and OpenOffice--and spread it to anyone that listens).

  19. Re:I believe it: OS' are getting solid by VENONA · · Score: 3, Interesting

    Actually, the egg was a permissions problem, not a buffer overflow. Many people consider permissions issues much more common in Windows. Especially if you think of having to run as Admin for so many things as a permissions issue.

    Nor would I agree with "today's modern OS' are pretty damn secure/solid as well as stable." There have been far too many worms, etc. Also, I *really* wish Microsoft would get their browser out of the OS. Yet another unpatched, zero-day, control of system exploit was announced today. It's even been mentioned on Slashdot!

    http://it.slashdot.org/article.pl?sid=05/11/22/1352212&tid=113&tid=128&tid=172&tid=218

    They wired their browser in largely as a tactic for defeating Netscape. Once again, their customers are paying the price.

    --
    What you do with a computer does not constitute the whole of computing.