Slashdot Mirror

← Back to Stories (view on slashdot.org)

SANS Institute Warns of Attack Shift

Posted by Zonk on from the new-targets dept.

JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."

18 of 80 comments (clear)

  1. Interesting article, but... by someone1234 · · Score: 4, Insightful

    What about IE? Is it 'internet' or 'application'? Ie. (not pun) does it belong to the former or the latter group. You can hear a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, i don't see the 'big shift'. I expect some shift towards Firefox exploits though (as contrary to belief, it crashes too). As soon as it reaches a critical mass of users so it 'worths bothering with'.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. And here I thought that..... by 8127972 · · Score: 3, Funny

    ......the worst vunerablity was being in range of Ballmer's chair.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  3. Symantec by mysqlrocks · · Score: 3, Interesting

    The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

    That must be embarrassing for a company that sells security products themselves.

    --
    Bradley Holt
    1. Re:Symantec by someone1234 · · Score: 4, Insightful
      That must be embarrassing for a company that sells security products themselves.

      No, that must be profitable.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  4. Link to list by UnderAttack · · Score: 5, Informative

    the actual top 20 list can be found here: http://www.sans.org/top20

    --
    ---- join dshield.org Distributed Intrusion Detec
  5. shares? by gcnaddict · · Score: 5, Funny

    " Microsoft shares"

    Microsoft shares? Did I read that right?

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  6. Coding practices by Dekortage · · Score: 4, Insightful

    From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.

    While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

    --
    $nice = $webHosting + $domainNames + $sslCerts
    1. Re:Coding practices by Anonymous Coward · · Score: 4, Interesting

      I disagree, that's like saying an airplane will fall out of the sky if you forget one little thing.

      You know how the people who make airplanes avoid this type of situation? They double-check. They triple-check. They fire people who can't do a good job and hire ones who can. They actually, you know, *try*. Can you honestly say the same thing for the average coder?

      If you have a network app, and it accepts a finite language of bytes, just how hard is it to secure this? Not very hard. Either you can do it, or your app is too complex, and you need to simplify it.

      I don't think software with security holes should *ever* be "the norm". That's a dangerous way of thinking. It just makes software worse and worse. I have no problem with calling any software with holes the result of "bad coding practices". Including my own.

      Every single time a flaw is discovered, it's a failure. It's not business as usual. Just because it happens a lot in our industry doesn't change that.

  7. In other news... by pmike_bauer · · Score: 4, Funny

    Sony, looking to expand its product line, is selling the new $sys$Attack package to hackers.

    Sharp criticism for this product inspired Sony to offer $sys$CounterAttack, $sys$Peekaboo, and $sys$Shields to private induhviduals and security experts.

    A $sys$spokes-person for Sony, who wishes to remain anonymous, says these products are the precurser to the $sith$ branded products that will ensure peace and justice in the galaxy.

    --
    I read /. for the (Score:-1, Conservative) comments.
  8. Hey! The sky is falling! The sky is falling! by yagu · · Score: 3, Insightful

    I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).

    There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.

    In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:

    • Microsoft and their global domination of IT and their abysmal track record around security. Microsoft has proclaimed loudly their ongoing dedication to improving and eventually fixing their security flaws but there is little to show for their efforts. Microsoft, however, has not suffered greatly from this.
    • The complementary side, or the "consumers". I don't blame them as they see the world typically today through Microsoft colored glasses. They don't know of many alternatives, they don't know much about alternatives of which they're aware, and they don't much care because, "Nobody ever got fired for choosing Microsoft." (Remember when that was IBM?)

    No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.

  9. Yes, but I'm safe by punxking · · Score: 5, Funny

    Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others

    Thank goodness I'm protecting my well-patched XP system with Norton and a Linksys router, so I'm safe!
    This levee is rock-solid baby!

    --
    You can have my cynical agnosticism when you pry it from my cold, dead logic.
  10. Get the actual report here by hal9000(jr) · · Score: 4, Insightful

    SANS Top 20, November 22, 2005 is here.

    This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.

    I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.

  11. What about Chinese attacks? by Anonymous Coward · · Score: 4, Interesting

    I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.

    Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.

    1. Re:What about Chinese attacks? by graemecoates · · Score: 3, Informative

      On linux, I use iptables with some rate limiting rules on "NEW" connections to only allow x number of connections per y minutes from any host:

      # setup recent state list
      /sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSHLIST --set
      # hitcounter rule - send to DUMP table if matching
      /sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSHLIST \
      --update --seconds 600 --hitcount 4 -j DUMP

      That pretty much stops any brute force attacks dead after 3 connections.

      Of course, you can set up prior permit rules to allow access from known hosts at any rate if need be, and if you users screw up logging in, it's easy to remove them from the block list if it's really urgent (they could also wait 10 minutes):

      echo "-123.45.67.89" > /proc/net/ipt_recent/SSHLIST

  12. Time the attack shifted to the CEO's office by FishandChips · · Score: 3, Interesting

    These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.

    One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.

    I'm grateful for these reports from SAN and others. They remind me that IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.

    --
    Las qué passoun
    tournoun pas maï
  13. SANS by Heembo · · Score: 3, Interesting

    SANS is pretty hard core, and they do not say such things lightly.In fact, SANS is well know for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere, SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.

    --
    Horns are really just a broken halo.
  14. attack shift? or change in strategies? by theCat · · Score: 4, Interesting

    The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.

    IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."

    That's the science of Internet Warfare.

    --
    =^..^= all your rodent are belong to us
  15. Re:I believe it: OS' are getting solid by VENONA · · Score: 3, Interesting

    Actually, the egg was a permissions problem, not a buffer overflow. Many people consider permissions issues much more common in Windows. Especially if you think of having to run as Admin for so many things as a permissions issue.

    Nor would I agree with "today's modern OS' are pretty damn secure/solid as well as stable." There have been far to many worms, etc. Also, I *really* wish Microsoft would get their browser out of the OS. Yet another unpatched, zero-day, control of system exploit was announced today. It's even been mentioned on Slashdot!

    http://it.slashdot.org/article.pl?sid=05/11/22/135 2212&tid=113&tid=128&tid=172&tid=218

    They wired their browser in largely as a tactic for defeating Netscape. Once again, their customers are paying the price.

    --
    What you do with a computer does not constitute the whole of computing.