New SANS/FBI Top 20 List 199
An anonymous reader submits "The SANS Institute (together with the FBI) published today an updated version of its list of
The Twenty Most Critical Internet Security Vulnerabilities.
As usual, part of the news is that not too much has changed. The list is split into 10 Unix and 10 Windows vulnerabilities. Leaders are BIND and IIS (last year it was RPC on the Unix side). But some issues (weak passwords) made it into both lists.
For last year's version, see here. In addition to this list, and a lot of other stuff, the SANS institute is behind DShield and the Internet Storm Center."
worms... worms worms worms.. (Score:2)
I do however agree with them about the BIND vuln being at the top of the list for unix systems. That was a big issue having to update all our nameservers..
What would be the top 10 (Score:5, Interesting)
Would billy and his band of thugs be the leader of the pack?
What about the second 10 for m$? where would they be with the UNIX top 10? top 20?
Re:What would be the top 10 (Score:2)
Re:What would be the top 10 (Score:2)
Naturally, because of the larger deployed base of Windows machines I would expect any vulnerability for Windows to be magnified in its importance just because of how many machines it affects, independent of whether Windows has more flaws, worse flaws, poor design, etc.
OS flavor is only weakly correlated as a function of importance as a security vulnerability. Vulnerabilities that affect root name servers and routers could be just as important in terms of impact as several thousands of home Windows PC's ho
you must have missed this one. (Score:2)
Bzzzt, wrong. Please try again. Read this, first. It's better written than my replies [seagate.com]. If you already read it, read it again. It does not even mention how inferior the M$ binary and patch distribution method is at keeping the monocultur
Re:you must have missed this one. (Score:2)
But why the link to Seagate?
Re:What would be the top 10 (Score:2)
So it's hard to say.
Does this mean (Score:4, Insightful)
Does this mean the security information clearinghouse can be DDOS'd ?
By slashdot obviously
Re:Does this mean (Score:5, Funny)
oh no! (Score:2, Funny)
oh wait...it's my 33.6 modem
Re:oh no! (Score:3, Funny)
Some messed up scoring here. (Score:5, Informative)
That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?
Or am I reading a list from 5 years ago?
Re:Some messed up scoring here. (Score:5, Insightful)
Yes, but not because of Apache. It's because of people who don't properly handle data coming in from the user, etc. It's a tool that is used most dangerously, most often.
That's just crazy. OpenSSL and OpenSSH are having lots more problems right now. And Bind? When was the last remotely exploitable problem with that?
I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.
Re:Some messed up scoring here. (Score:2)
Well, that could apply to anything. I could bind /bin/sh to a port running as root via inetd, and that would be a big problem.
I know there was one in Bind8 last year. I'm not sure of any more recent with 8 or 9, though.
But who the hell uses 8 any more? :) (Cue lots of people praising djbdns...)
Comment removed (Score:5, Insightful)
Re:Some messed up scoring here. (Score:2)
Anyhow, my choice for web browsers on ancient machines is Opera 5, which has a nice balance between speed, features, and ability to view fancy webpages that you shouldn't be loading on a 486 anyway.
Re:Some messed up scoring here. (Score:2)
Some people are just too lazy to update anything on their machines. I propose that the number one security problem on both lists be changed to "Lazy Users/Sysadmins who never update their systems."
You're comparing apples and oranges. There are plenty of folks who are still surfing the Net on "antiquated" equipment (slow machines, tiny monitors, 4.x browsers), and it's not because they're lazy. Grandparents who check email and maybe read a few websites don't need anything more than a Windows 9x machine.
Re:Some messed up scoring here. (Score:2)
But you have to look at Apache allowing access, through ExecCGI outside of a chroot, etc. If a webserver were to be more secure, it would only run scripts from a unix socket (or some more modern approach) to a chroot jail. I've not seen anything like that in common practice though.
Re:Some messed up scoring here. (Score:2)
What, you mean you don't do that?!?
Sheesh, what if you forget your password and you're away from home where you have it written on a sticky stuck on your monitor?
What are you gonna do then, Smart Guy?
Re:Some messed up scoring here. (Score:2)
Re:Some messed up scoring here. (Score:3, Informative)
Those of you who patch regularly and often aren't the problem, or the target audience. Yes, the last Bind exploit was quite some time ago, and patched systems fixed it long ago. On the other hand, want to guess which there are more of out there, fully patched RedHat 9.0 boxes or unpatched RedHat 7.2 boxes?
One of the inputs into the ranking and selection criteria was how heavily exploited the holes were. And you know what? There's more sites being nailed *NO
But the 10 most critical Security Vulnerabilities (Score:5, Insightful)
Kjella
Re:But the 10 most critical Security Vulnerabiliti (Score:5, Insightful)
Computers basically come from the manufacturer broken. They remain in states of brokenness -- sometimes entering complete brokenness -- and it's all the poor user can do to keep the computer operating.
It's our fault as IT professionals to make computers more like
I can't blame the user for software that contains vulnerabilities which they don't (and shouldn't) have the comprehension or time to understand. I can't blame the user for default settings on devices that are delivered unmodified. I can't blame the user for software that allows a person to accomplish something they shouldn't.
Yeah, I think my answer is better.
Re:But the 10 most critical Security Vulnerabiliti (Score:2, Interesting)
There's a friend of mine whose mother bought a top range piece of kit a couple of years back. What did she do with it? She dusted it and showed it to visitors because when she sat down and said "I want to see The Sound of Music" it didn't work.
You can't even begin to explain security to someone like that. Who's to blame? M$? The company who built it? The guy who sold it to her? My friend for not having the pati
Re: (Score:3, Insightful)
Re:But the 10 most critical Security Vulnerabiliti (Score:2)
Re:But the 10 most critical Security Vulnerabiliti (Score:2)
On the contrary, I feel that people should understand how things work, at least the basics. If you own a car, you should understand the basics of how a car works, at least so you don't get completely taken advantage of by auto mechanics. Also, you need to understand that there are basic maintenance tasks associated with car ownersh
Re:But the 10 most critical Security Vulnerabiliti (Score:2)
This is the greatest strength and weakness of the computer. It will always be incomplete, because its potential can never be fully realized.
The List (Score:2, Redundant)
Top Vulnerabilities to Windows Systems
W1 Internet Information Services (IIS)
W2 Microsoft SQL Server (MSSQL)
W3 Windows Authentication
W4 Internet Explorer (IE)
W5 Windows Remote Access Services
W6 Microsoft Data Access Components (MDAC)
W7 Windows Scripting Host (WSH)
W8 Microsoft Outlook Outlook Express
W9 Windows Peer to Peer File Sharing (P2P)
W10 Simple Network Management Protocol (SNMP)
Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Remote Procedure Calls
Re:The List (Score:2)
Re:The List (Score:2)
Can someone give me an example of a compromise based on a weak password?
Weak passwords remain vulnerable to dictionary attacks, whereby a large collection of everyday words is passed through the same one-way hashing algorithm that the password system uses. These encrypted strings are then compared against the entries in the system password file, which on many systems is readable by any user (typically for historical reasons). If a match is found, then it is trivial to see which plaintext word produced t
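The check a defender wants at password-setting time follows directly from the description above: if a cracker's wordlist (plus the usual digit suffixes and letter-for-digit swaps) will be hashed and compared against the password file, the same wordlist should reject the password before it ever reaches the file. The following is an added example, not code from SANS or from any poster in this thread; the dictionary, the substitution table and the sample candidates are constructed for illustration, and a real deployment would load a full wordlist from disk.

```python
"""Reject passwords a dictionary attack would recover (added example).

The mini-dictionary and sample candidates below are constructed; a real
check loads the same large wordlist a cracking tool would use.
"""
import re

# Constructed mini-dictionary (a real one has tens of thousands of entries).
DICTIONARY = {"password", "letmein", "welcome", "sunshine", "dragon", "monkey"}

# Letter-for-digit swaps that wordlist mutators apply; we undo them so that
# 'p@ssw0rd' and 'Dr4gon' are looked up as 'password' and 'dragon'.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate):
    """Collapse a candidate to the dictionary word it was derived from.

    Order matters: strip the trailing digits/punctuation first (so '2003'
    in 'alice2003' is not leet-translated into letters), then lower-case
    and undo the substitutions.
    """
    base = re.sub(r"[\d!@#$%^&*._-]+$", "", candidate)
    return base.lower().translate(LEET)


def weak_password_reason(candidate, personal_words=()):
    """Return why the candidate is weak, or None if it passes.

    personal_words holds strings a guesser would try first for this
    account: username, real name, partner's name (the 'lover's name' case
    mentioned elsewhere in the thread).
    """
    if len(candidate) < 8:
        return "shorter than 8 characters"
    base = normalize(candidate)
    if base in DICTIONARY:
        return "dictionary word '%s'" % base
    for word in personal_words:
        if word and word.lower() in base:
            return "contains personal word '%s'" % word
    return None


if __name__ == "__main__":
    # Constructed candidates, each paired with the account's personal words.
    samples = [
        ("Dr4gon99!", ()),
        ("Alice2003", ("alice",)),
        ("p@ssw0rd", ()),
        ("correct horse battery", ("alice",)),
    ]
    for pw, personal in samples:
        print("%-24s -> %s" % (pw, weak_password_reason(pw, personal) or "ok"))
```

The check deliberately does not log or store the candidate anywhere; it only returns a reason string, so it can sit in front of whatever hashing the system itself does.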
Re:The List (Score:2)
Re:The List (Score:2)
How would you know?
Re:The List (Score:3, Insightful)
If I had a dollar for every time we've had User A hack into User B's computer/mailbox/whatever because User A guessed that User B used their lover's name as a password...
and the #1 vulnerability is... (Score:2)
At least it sure looks slashdotted now...
Woohoo! FTP is safe! (Score:2)
And Gopher! YEAH!
Enough of this ASP/PHP/SSL/SSH crap. Give us the OLD stuff back!
When I was growing up, we had telnet and we liked it!
Re:Woohoo! FTP is safe! (Score:2)
Re:Woohoo! FTP is safe! (Score:4, Informative)
Right, right... Ehrm... to quote the guy a couple postings before you...
# U5 Clear Text Services
Re:Woohoo! FTP is safe! (Score:2, Insightful)
Why two lists? (Score:2, Interesting)
There aren't two internets running, one for Windows and one for Unix.
Methinks this is to avoid having loads of MS crud being labelled as the bulk of the threats. MS advertisement money is always nice, wink wink nudge nudge.
Re:Why two lists? (Score:5, Funny)
Yes, there are. One is for IE, and one - for everything else.
(Yes, I am expecting flames to correct my narrow view of internet and tell me that there is more than just web browsing, blah,blah. But you see my point, don't you?)
Re:Why two lists? (Score:2)
True, my online banking service advises me to use IE, but I ignore that advice, and it works just fine in Mozilla. Every other site I use is fine. Perhaps that's more indicative of the sorts of sites I visit, though.
Re:Why two lists? (Score:2)
- one of my favorite news sources (www.gazeta.ru) sucks in mozilla, at least their news section
- my bank started sucking in mozilla recently
- ebay often freaks out on some items in mozilla, so I have to copy that URL and paste it to IE to view the item.
- my card company works intermittently with mozilla (citiCards)
- MSNBC is sucking up mud in mozilla, even tho
Re:Why two lists? (Score:2)
The only times I've had problems with Mozilla is when a site has explicitly rejected Mozilla because it didn't match one of their accepted browsers (which always include Nets
Re:Why two lists? (Score:2, Insightful)
a) Create a much more limited website, without some of the stuff you want to add
OR
b) Create a website with completely BROKEN HTML/CSS so that IE can render it correctly
In summary, the problem doesn't necessarily lie in the fact that certain sites "only" render in
Re:Why two lists? (Score:4, Interesting)
Re:Why two lists? (Score:2)
I looked with a moderate amount of effort to find some kind of numerical data to put next to the items on the list (# of incidents, level of compromise, etc.) but didn't find any. If anyone comes across it, please post, it would be interesting to see how the 'top 20' rank intermixed.
Sans FBI (Score:2)
Interesting though, that #8 on unix is SSH... That's supposed to be secure! (Yes I've patched!)
Oh yeah and Apache and other stuff - But most of those are almost always (almost!) misconfigured servers and sloppy admins!
hurdy gurdy wurdy furdy (Score:2)
U3 Apache Web Server
Shouldn't they have stated misconfigurations of Apache...
U8 Secure Shell (SSH)
Oxymoron seeing this here. Secure Shell...
U10 Open Secure Sockets Layer (SSL)
Yay another oxymoron, or according to Bush: An oxycontin!
Re:hurdy gurdy wurdy furdy (Score:5, Insightful)
Re:hurdy gurdy wurdy furdy (Score:2)
Bah... They should have stated which services were actually used to access machines. If that's the case, what are the stats for false positives? Meaning, are numbers for something like a scan included? Remember, scanning is done daily by millions; should this be considered an attack? Consider this... If someone scans a machine and they have no intentions of attacking it, but something done out of curiosity or some stupid reason, IDSs often see this as an attack. How did SANS gather their data, and if somethi
Re:hurdy gurdy wurdy furdy (Score:2)
U10 Open Secure Sockets Layer (SSL)
Re:hurdy gurdy wurdy furdy (Score:2)
1) The setuid bit was removed in Sendmail 8.12.0, but there's a lot of 8.9.3 and 8.10.x and 8.11.x versions still out in the field.
2) Note that you *can* use the 'RunAsUser' option so the sendmail that's listening on port 25 and running your queue and all that stuff doesn't run as root - but then a lot of things break. The most notable breakage is that
The best line therein (Score:2)
# ngrep assword
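What that one-liner finds is the U5 "Clear Text Services" item in practice: FTP, telnet, POP3 and plain HTTP carry the password as readable bytes, so anyone on the path can read it, and so can a defender looking for those services still in use. The following is an added example, not from SANS or from any poster: a small detector that runs over constructed packet records (the addresses and payloads are made up) and reports which cleartext services are carrying credentials, without writing the secrets themselves into its findings.

```python
"""Flag credentials sent over cleartext services (added example).

The packet records below are constructed, not captured traffic.  A real
detector would read a pcap or a live interface and reassemble TCP streams;
telnet in particular sends one keystroke per packet, so the 'Password:'
line here stands in for a reassembled stream.
"""
import re
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst dport payload")

# Well-known ports where a password on the wire is readable as-is.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap", 80: "http"}

# The same sort of thing 'ngrep assword' matches, made slightly stricter.
PATTERNS = [
    re.compile(rb"^PASS\s+(\S+)", re.I),        # FTP / POP3 PASS command
    re.compile(rb"password[:=]\s*(\S+)", re.I),  # telnet prompt, HTTP query/form
]

# Constructed sample traffic.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    Packet("10.0.0.7", "10.0.0.21", 110, b"PASS s3cret\r\n"),
    Packet("10.0.0.9", "10.0.0.22", 23, b"Password: letmein\r\n"),
    Packet("10.0.0.9", "10.0.0.23", 80,
           b"GET /login?user=bob&password=qwerty HTTP/1.0\r\n"),
    Packet("10.0.0.3", "10.0.0.24", 22, b"SSH-2.0-OpenSSH_3.7\r\n"),
    Packet("10.0.0.3", "10.0.0.24", 22, b"\x00\x00\x01\x14\x07\x14\xaa\x55"),
]


def find_cleartext_credentials(packets):
    """Return one finding per packet that carries a readable password.

    Findings record the service and endpoints and only the length of the
    secret, so the detector's own log never becomes a second copy of the
    password file.
    """
    findings = []
    for p in packets:
        service = CLEARTEXT_PORTS.get(p.dport)
        if service is None:
            continue  # e.g. SSH on 22: encrypted, nothing to match
        for pat in PATTERNS:
            m = pat.search(p.payload)
            if m:
                findings.append({"service": service, "src": p.src,
                                 "dst": p.dst, "secret_len": len(m.group(1))})
                break
    return findings


def count_by_service(findings):
    """Summarise findings as {service: number of credential sightings}."""
    return dict(Counter(f["service"] for f in findings))


if __name__ == "__main__":
    hits = find_cleartext_credentials(SAMPLE)
    for h in hits:
        print("%-6s %s -> %s (password of %d chars seen in clear)"
              % (h["service"], h["src"], h["dst"], h["secret_len"]))
    print(count_by_service(hits))
```

The per-service summary is the useful output for remediation: each service with a non-zero count is one to migrate to its encrypted replacement (SFTP/SCP, SSH, POP3S/IMAPS, HTTPS) or to cut off at the firewall.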
Re:The best line therein (Score:2)
Re:The best line therein (Score:2)
Hmm... (Score:3, Insightful)
Re:Hmm... (Score:2)
You are referring to these pages:
http://cr.yp.to/djbdns/blurb/unbind.html [cr.yp.to]
http://cr.yp.to/djbdns/blurb/security.html [cr.yp.to]
Paranoia (Score:2)
sometimes the most paranoid among us can still be on to something.
Not the best choice of adjective: leaving aside the question of what Dan Bernstein thinks about anything, in security, paranoia is a survival trait. :)
Re:Hmm... (Score:2)
The forgotten vulnerability... (Score:4, Funny)
To summarize (or generalize) (Score:4, Informative)
Of course, with Unix, at least you have that choice......
Security (Score:2)
I bought the computer to do work, some of which involves communicating with other computers. Disabling useful features is not a practical strategy for the long term.
Re:To summarize (or generalize) (Score:2)
I wonder... does Windows still have the vulnerability to execute any file if its name ends with .exe, .com, or .bat? Surely this is fundamentally insecure. What wonders would crash upon the world if any UNIX system would automatically assign execute bits to a file just because its name ended with .sh or .bin!
Re:To summarize (or generalize) (Score:2)
To your other point, there are both open source and commercial versions of SSH, VPN, and SSL. Because there are options, it is very difficult for one security hole to affect all Unix servers.
Real, secure Unix servers are built secure from the ground up. Real, secure Unix servers have special installation procedures that do not install software they
Re:To summarize (or generalize) (Score:2)
NIS/NFS/RPC --- yeah, not having it sucks. But having it also sucks. Using it inside a network on workstations that don't have inbound internet access?? OK, I'll buy that. NIS+, limited usage, NFS mounting of only the home directory. Using them on production servers in a system that transfers money?? I don't think so.
SSH/VPN access to remote servers -- I had a job where I managed several Sun servers remotely. We used a vpn into the office from home/la
Re:To summarize (or generalize) (Score:2)
Now, they are ingraining DRM into the kernel and god knows what else. All will have to be routinely patched, even on servers that have nothing to do with the Internet or MP3s.
It's funny... (Score:2)
A waste of time? (Score:3, Interesting)
Well, this list looks very foolish to me.
Firstly, why two separate lists? Are they saying there are as many unix security violations as windows? I wonder what colour the sky is in their world.
Secondly, just look at the lists.. a large number of the windows services are 'essential' (well, if you believe microsoft) for a windows server.
Most of the unix services are easily replaceable with effectively identical but more secure options.
Anyone who runs sendmail rather than postfix gets all they deserve.
RPC? why on earth would you make that available? NFS is hardly essential these days.
No password accounts? my god - I never realised that was forced on you by unix!
Bind? there are certainly secure alternatives to BIND (djbdns, for one) - and even BIND should be running chrooted anyway..
And clear text services? why don't they point out that situating your critical servers outside on the street is also a security risk!
My point is that nearly all of the unix 'problems' are very easy to avoid, or are only problems for very short times (the SSH/SSL problem, for example) - the majority of the windows 'problems' are almost impossible to avoid, patches come late, and sometimes even make things worse.
I see windows machines being virused/hacked about once a month (and trust me - I try to stop this a lot, as it makes my life very difficult) - I've only ever had ONE linux machine hacked in around 4 years - through a sendmail hole, and I stopped running sendmail everywhere the next day (it took about 1 hour to change 5 servers to postfix)
These lists need some form of relative threat rating on these problems!
Re:A waste of time? (Score:2)
Probably, they're trying to avoid touching off exactly this sort of religious flaming... maybe they judge that "mine is bigger than yours" is a poor addition to any discussion of security, even if (or maybe even especially if) there is some discernible difference in size between the... er.. security records in question.
Windows's poor security track recor
Re:A waste of time? (Score:2)
Of course, there's relatively little point in having a yearly report about Unix vulnerabilities, since that's laughably infrequent to think about security in the Unix world.
Re:A waste of time? (Score:2)
RPC? why on earth would you make that available? NFS is hardly essential these days.
I use NFS both at work and on my home network every day. At work, there is no data stored on the local machine. I do everything over NFS mounts. And I couldn't imagine not using it.
Of course, if you mean offering NFS over a public network like the Internet, then I wholeheartedly agree. But on a private network, it's invaluable.
Re:A waste of time? (Score:2)
Now you could say that a decent system admin should already know everything on this list, and should have fixed it. I agree, but we know for a fact that not all system admins do this, either out of ignorance or lack of time. That is the whole
The Unix ones are not all Unix specific (Score:2, Insightful)
That these folks had to dig so deep to find 10 Unix vulns heartens me. Apart from BIND, what this says to me is the worst Unix vulnerabilities are only as bad as the fifteenth or twentieth placed Windows ones.
Re:The Unix ones are not all Unix specific (Score:2)
The clear text part though doesn't seem to be accounted for in windows systems unless you count it mentioning IIS. Though I suppose you could view it as them realizing it's a UNIX controlled server world so this is more prevalent on UNIX machines than Windows and also the fact that Windows has other more pressing vulnerabilities ahead of clear text protocols.
weak passwords in mac os x (Score:4, Interesting)
Are there any caveats?
Sorry this is off-topic, it just always annoyed me. I can type fast enough that I'd prefer to have something like this as my password: "I have the most t76uDDd password ever. BTW your mom says hi."
Re:weak passwords in mac os x (Score:2)
Panther (Score:2)
Re:Panther (Score:2)
10.2 still uses the standard crypt() algorithm without md5 support, so it's still limited to 8 characters. Glad to hear they're finally changing this.
Re:weak passwords in mac os x (Score:2)
Inconvenient security can be as bad as no security at all, if it leads people to take insecure alternate routes.
And the #1 vulnerability is... (Score:4, Informative)
Re:And the #1 vulnerability is... (Score:2)
Oh, that's right, people might start using other mail clients, we can't have that.
Real difference between lists (Score:2)
The windows list though contains several other items tha
BIND should be banned (Score:2)
There are still a few obscure cases where Sendmail does a job no other MTA can -- though they are getting obscurer by the minute -- but there really is no excuse to have a copy of BIND running anywhere, on any machine, at any time. It's bloated, unstable, unsafe, poorly coded and, as its long track record demonstrates, its developers lack either the intention or the ability to fix it.
Notice something cool about the list? (Score:2)
Most of the Unix/Linux vulnerabilities affect servers primarily. Most end-users would have these services turned off (workstations wouldn't be running apache or an SSH server, f
Re:Notice something cool about the list? (Score:2)
The lack of Desktop issues on Unix comes principally from the lack of Unix desktops... That's why they're not considered as important, because almost nobody's hit when there's a failure in Mozilla, it's a drop in the ocean of users.
As for disabling services, I largely prefer the UI provided b
Re:Notice something cool about the list? (Score:2)
By the way, your windows box is listening on a whole range of ports you don't even know about. And, you have to trust that Microsoft has truly locked down that "firewall" of yours. Considering that they opened up all those weird ports in an end-user machine in the first place (why?) you might want to ask yo
Re:Notice something cool about the list? (Score:2)
1) That's not true, you can write a packet filter driver on Windows, running in kernel space to do the filtering, see http://msdn.microsoft.com/library/default.asp?url =
However most people use the IP Filter API to do this in user-mode, thus avoiding pu
Re:Notice something cool about the list? (Score:3, Informative)
When the firewall runs in the kernel, the firewall sees incoming packets FIRST, and can drop them on the spot. When the firewall runs in user-space, incoming packets come in, get handled by a kernel process (which may have a vulnerability), and THEN get handled by the firewall. So if there's a vulnerability in the kernel, the packet has already nailed you before the firewall ha
Interesting difference between the lists (Score:5, Interesting)
Compare with the Windows list. Most of which are application problems and things that have been fixed in the unix world for a long time (such as keeping passwords in /etc/passwd). One of the list has the dubious honour of being the reason for a whole class of vulnerabilities (the "email virus", read, the "Outlook Express virus"). I can remember laughing at people who said "I'll send you a virus in your email" about 6 years ago. The only reason IE isn't higher is because attacks on OE are much more fruitful.
accounts without passwords... (Score:2)
Few Security Classes in Seattle/Redmond (Score:2, Insightful)
Why not have more security classes in the M$ corporate area? Maybe it would help improve M$ Security if their coders could take a few classes.
Re:Few Security Classes in Seattle/Redmond (Score:2)
OS X (Score:2)
OpenSSL 0.9.6i
Which is lower than 0.9.7. The article said you were vulnerable if you had a version lower than that. Time to self update I guess. I'm surprised Apple has never updated this, and yes I am using 10.2.8 currently.
Re:OS X (Score:2)
My fault.
I totally botched the issue of vendor-backported patches. It's not an OSX-only issue - RedHat 8.0 has a nicely patched version that says 0.9.6b. I couldn't come up with a good way to fit instructions for RedHat, Debian, Suse, Solaris, AIX, Irix, Tru64, Solaris, *BSD, and whatever - all into a few lines. On the flip side, reading http://www.cert.org/advisories/CA-2003-26.html it seems that the CERT crew couldn't do it either - the 'Vendor Info' in Appendix A is ove
Re:FTP (Score:3, Informative)
There are several "FTP apps" that support SFTP.
Dreamweaver allows you to do SFTP/SCP via PuTTY, too.
Re:FTP (Score:2)
Actually, Dreamweaver requires that you use FTP, and has posted suggestions for tunneling FTP through SSH (e.g. PuTTY). To set this up on the server is not exactly easy, particularly with a firewall on the server (due to the ranges of ports that need to be opened).
While this can be done, to do so is an error prone task at best, and can easily leave a system more vulnerable. I don't see how, with free libraries available, Macromedia can't just do the responsible thing and bundle SFTP into their otherwise ex
Re:FTP (Score:2)
Re:Two security specific entries for Linux/Unix (Score:5, Insightful)
That's exactly why they are there. Not because they are so badly broken (I bet 99% of apps and libs out there are more broken), but because them being broken is really-really critical. As you said, other apps are built on top of them, so that fact alone will nominate them for that list, no matter how minor or hard-to-exploit the holes are.
The report doesn't try to list the worst or the least secure software. Instead, it tries to list the software that has the greatest potential to cause havoc. And, if anything, I am truly impressed at how responsive the developers are and how quickly the holes are plugged, and, most importantly, how open they are about that.
Re:dhsield.org and isc.sans.org (Score:2)