Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

SANS/FBI Release Top 20 Security Vulnerabilities 268

theBraindonor writes "SANS Institute and the FBI have compiled a listing of the The Twenty Most Critical Internet Security Vulnerabilities. The list is broken down into two groups: Windows Systems and Unix Systems." The list of Unix vulnerabilities is also a list of the network programs I (and presumably many others) use most. It's a good thing there's BugTraq.
This discussion has been archived. No new comments can be posted.

SANS/FBI Release Top 20 Security Vulnerabilities

Comments Filter:
  • IIS!!

    Not any particular 'sploit, but on the page, IIS is THE NUMBER ONE vulnerability for Windows boxen.

    Like Mr. Valentine said, "[Microsoft's] products are not engineered for security". Or something like that.

    --j
  • by garcia ( 6573 ) on Thursday October 03, 2002 @05:49PM (#4384034)
    #8 [sans.org] is listed here.

    If you are using IE, your computer is vunerable to numerous security breaches.

    If this is installed on EVERY Windows computer by default, I believe that this should be rated higher than those vunerabilities in applications that are only installed by default on SOME Windows versions (IIS).
    • When I'm trying to secure a Wintel box the first thing I do is install a firewall program and tell it not to allow IE to do ANYTHING. Then install Mozilla or something similar. Not perfect, but at least the lizard has a verifiable codebase.
      • Not perfect, but at least the lizard has a verifiable codebase.

        Not in the sense people who talk about verifying means. Mozilla would probably take at least 1k man years to verify. If you don't understand what I mean, take a look at e.g. this [nec.com], which should give you an idea of what verifyable programming means.

    • by Zathrus ( 232140 ) on Thursday October 03, 2002 @06:25PM (#4384216) Homepage
      If you are using IE, your computer is vunerable to numerous security breaches

      Yes. If you're not downloading security updates.

      But the same is true for everything else on the list. Conversely, if you are constantly keeping up to date on security patches then you are considerably less vulnerable.

      I believe the point you were trying to make is that it's the only client program on the list - all the others are servers. And I'm honestly surprised that neither Outlook nor Outlook Express made the list - they're considerably more problematic with regards to security IMO (but I'm not a "professional" in this context).

      As to why it's not #1 - well, first there's a lot fewer vulnerabilities listed. Additionally the extent of the vulnerabilities are not as large. Relatively few virii/trojans/etc. spread via IE, while there are still IIS servers out there spamming the world with Code Red. Secondly, as a client program it is somewhat more secure than a server by design. I could be running a totally unpatched client that's vulnerable six ways to Sunday, but if I don't surf to your site (or open a local infected file with the client) then I can't be infected. Servers, however, are vulnerable if they're running - I don't have to invite you to break into my system, I left the door open with a lovely "Open House" sign up.
      • by flacco ( 324089 ) on Thursday October 03, 2002 @06:31PM (#4384250)
        Yes. If you're not downloading security updates.

        ...which, lately, have come with unacceptable EULA terms and mandatory downloads of other software.

        Software vendors should be required to supply security patches in isolation, and WITHOUT ANY additional licensing requirements.

      • Outlook and IE have different problems, in my mind. Outlook is bad because the attack can be pushed directly to you, but, for the most part, you can prevent the attack through configuration of the server to not pass on attachments with certain extentions or even mostly procedurally by not opening such attachement (though, IIRC, one bug didn't require you to make that mistake). With IE, an attack is harder: you have to control part of the network that the person you want to attack voluntarily goes to, but there is little you can do from a system or procedural perspective beyond keeping up with patches.

        One thing to note is that keeping up with patches is not enough for securely using IE. Microsoft has had a bad track record for not providing a proper patch until the bug is fully exposed, so there are constantly windows where you are vulnerable. For example, there is presently a bug in the certificate software that allows a man-in-the-middle attack on an SSL connection, making the authentication useless (you are just as vulnerable to an attack with or without it). Because of this I wouldn't online bank with it.

        Yet dispite this, Outlook has had a worse track record for security attacks in the wild. Many outlook vectored viruses have done things such as emailing random documents from your disk. It wouldn't take much to take these viruses and modify them to find and send Money or Quicken files to a foreign email address.
        • Microsoft has had a bad track record for not providing a proper patch until the bug is fully exposed

          Very much agreed. Of course, if people would just stop disclosing vulnerabilities then it wouldn't be a problem. Right?

          Yes, that was heavy sarcasm.

          For example, there is presently a bug in the certificate software that allows a man-in-the-middle attack on an SSL connection

          Been fixed, allegedly, under all supported browsers and OS's. I saw the patch for my system last time I did an update (and I'm doing another one tonight). And I'm pretty sure my system is near the bottom tier for support at this point.

          there is little you can do from a system or procedural perspective beyond keeping up with patches

          That's true for all systems on all OS's. Or is Slapper just a figment of the Internet's imagination?

          Not even gonna touch Outlook. I use it at work under duress, and refuse to at home. Oh, and there's a new virus out there that's doing pretty much what you suggest - it's gathering private information (including keystrokes) and emailing the data back to some email address. It's using vulnerabilities that have been patched for over a year now, but, surprise, not everyone has updated.

          • >there is little you can do from a system or procedural perspective beyond keeping up with patches

            That's true for all systems on all OS's. Or is Slapper just a figment of the Internet's imagination?


            My comments were related to your discussion of how IE was the only client software on the list, and your surprise that Outlook didn't make the list. My comments followed a discussion of a configuration solution and procedural solution to the problem of Outlook viruses. I don't see why you would ask me if that statement is true for all systems on all OSes since I already provided a counter example. I don't see the relevance of Slapper, as, AFAIU, it infects server software.
      • Well, look also at W5 - anonymous logon null sessions. And, while we're at it, weak LM hashing (W6).

        By default, every windows box has both available. I haven't tried it lately, but there have been times when uninstalling SMB from a windows box has been far more difficult than uninstalling IE. Furthermore, for the most part, IE needs to be used in order to compromise your system. Don't use it, and you're (somewhat) more safe. (Of course, there are a lot of MS applications that will happily use it for you, so you're still screwed...)

        But, if you install NT, 2K, or XP, you've got null sessions available as soon as you boot the box, before you even touch the keyboard.

        Reference SMBDie - QED.
      • I could be running a totally unpatched client that's vulnerable six ways to Sunday, but if I don't surf to your site (or open a local infected file with the client) then I can't be infected.

        True, but keep in mind that since Outlook/Outlook Express use IE to render HTML content, email is an attack vector for a lot of IE vulnerabilities. For example, check out the Technical Details sections of these [microsoft.com] two [microsoft.com] security bulletins. This is pretty significant, as "open[ing] a local infected file" becomes very easy for the average user to do without realizing it.
      • by tqbf ( 59350 ) on Thursday October 03, 2002 @09:02PM (#4384814) Homepage
        You say "if I don't surf to your site... then I can't be infected". It almost sounds like you believe you have some control over whether your browser will hit his evil web page. Could it be that you actually think that both Internet routing and the DNS are hard to subvert?

        Clientside security is still a joke. Clients get attention in the places where they "asynchronously" give up control to foreign command, like embedded scripts in email and virtual machines for things like Java. But the overwhelming majority of client code was designed assuming that it interacts in good faith with the rest of the world.

        The flood of server-side vulnerabilities will slow. Desktop environments will get more and more homogenous. The payoff for writing a single exploit will grow. You should expect not only to see more client-targetting attacks, but also more attacks leveraging the ancient and festering weaknesses in global Internet routing and in DNS.

        Consider that today, Internet routing is being subverted with some regularity to play pranks on IRC and to hijack address space for spamming. These are high-risk, low-reward enterprises. It's only a matter of time before smarter people figure out how to use the same tricks to more productive ends.

      • If you are using IE, your computer is vunerable to numerous security breaches

        Yes. If you're not downloading security updates.


        "2 October 2002: There are currently 20 unpatched vulnerabilities." [pivx.com] - tho it looks like that's counting a few that are patched in 6 but not 5.5, which is rather strange. I mean why would you keep 5.5 if you're patching everything?
  • by devphil ( 51341 ) on Thursday October 03, 2002 @05:50PM (#4384038) Homepage
    Two years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty, which followed a year later, to prioritize their efforts so they could close the most dangerous holes first.

    And if memory serves, the Unix list is exactly the same, with perhaps the exception of Apache. The r* services, sendmail, yep, all still there. Who in their right mind uses r* and sendmail on anything connected to the public internet?

    Anyone correct me on whether the others have changed? They all look familiar to me.

    • take a look

      http://www.sans.org/top20/top20_Oct01.htm is the list from 2001

      http://www.sans.org/topten.htm is the list from 2000

    • Maybe that's good, that they have to fish all the way to the r* services to flesh out a top-10 list.

      OTOH, I wonder if next year Lindows will be on the list, with our favorite practice of running users as root.
    • by sporty ( 27564 ) on Thursday October 03, 2002 @06:52PM (#4384347) Homepage
      Who in their right mind uses r* and sendmail on anything connected to the public internet?

      Actually, as the article pointed out, sendmail hasn't had any serious problems in the past 2 years. Quite frankly, it's quite powerful and its default install is kinda simple to use except (except!) for that stupid map command to build virtual users, access tables and the likes.

      It's not the end of the world if you use it, just like it's not the end of the world if you use proftpd.
      • >Quite frankly, it's quite powerful and its default
        >install is kinda simple to use except (except!)
        >for that stupid map command to build virtual
        >users, access tables and the likes.

        This doesn't have to be all that difficult either. Red Hat, for example, has the init script rebuild those files automatically for you when you run the init script. Just add the entries you need, and type: /sbin/service sendmail reload

        Matt
      • What's not simple about "makemap hash access access" ?
    • Sendmail is still widely used in production mail systems, and over the last few years, its security reputation has improved considerably. I'm personally a qmail guy, but there are a number of commercial plugins available for sendmail that allow it to do virus or spam filtering, which remains the reson why sendmail is still quite prevalent on larger production systems.
  • Why... (Score:3, Interesting)

    by bsDaemon ( 87307 ) on Thursday October 03, 2002 @05:52PM (#4384044)
    ...is Apache listed as #2 under UNIX? It's not exactly bug-rittled doom-ware like IIS. A few mistakes every now and then hardly qualifies for a #2 rateing. it's not like, 50 new exploits are found a month or something. and as for RPC at #1...you get what you ask for.
    • It's +ACM-2 because of it's prevalance. There's a helluva lot of +ACo-nix boxen running Apache out there - while many may be patched up - a lot aren't.

      Everything below it (except maybe SSH - they should be tied for second, IMO) is either relatively uncommon or an old old old vulnerability.

      Apache on Unix isn't +ACM-2 because it's bug-riddled doom-ware - it's because it's +ACo-comparitively+ACo- bad.

      I'd take it as a mark of honor that the Unix world's second biggest vulnerability isn't that big of a vulnerability after all. ;)
    • IIS has 25 CVE entires, Apache has 30 CVE entries.

      now, granted it is EASIER to find vunerabilities in Apache, but the numbers (both CVE and number of servers than run Apache) are probably why it is rated so high.
    • Misconfiguration (Score:4, Insightful)

      by Kris Warkentin ( 15136 ) on Thursday October 03, 2002 @06:02PM (#4384116) Homepage
      Not only is Apache very widely deployed, it is also quite easy to misconfigure it. If you read the article, they're not talking about software insecurities alone: they're talking about misconfiguration and bad management of machines. For example, weak/non-existant passwords is on both lists.

      They're not saying that Apache is insecure but rather that it is a potential risk if the admin is not sufficiently competent.
      • You've hit the nail on the head:

        "but rather that it is a potential risk if the admin is not sufficiently competent."

        You see, if the admin is a groking wizard with luser hate-filled eyes, whatever box he installs will be Fort Knox, regardless of the OS.

        Take your typical $36k/yr MCSE admin, and any system they setup will be like grated cheese.

        It's called experience, savvy, knowledge, tenacity, and not a little geekiness. And it's worth money.

        So, if you're a CIO and you don't want your company name to appear on the marketplace section of the Wall Street journal under the heading "Hacker steals 50,000 credit cards from..." then pay your good admins, even if they look like they're sleeping in meetings, even if their tie rotation schedule becomes glaringly apparent.

        Security is like seatbelts. The instant you need it it's too late to put it on. You have to put it on before.

        Good admins: When it looks like they are not doing anything, that when they've done everything right.

        Oh, and that list for windows: If you didn't already know all of that by heart, there's no chance in hell you'd get anywhere near production servers at our company.

        And now for something ot: There was a story a few days ago here about what would happen to the DNS system if the root servers for .com etc were misconfigured, replicating the misconfiguration accross all DNS servers... Eerily, see WorldCom's troubles today...
    • I would guess for two reasons. One, the bad-logic assumption that some folks make that, just because it isn't Windows, one doesn't have to be as concerned about keeping up-to-date with the patches. Sort of like the last item being weak passwords. It's not the system itself that's extremely insecure, as much as that some percentage of users fail to do all they can to secure it.

      The other might be... well, it is a UNIX list, and it would be quite a hunt to find anything for UNIX that -is- quite as bad as IIS.
    • Misconfigured webservers. Formail.pl, things run using suexec, and other problems are the #1 way to get into a system using a webserver. Chunked encoding and OpenSSL are just core problems, the fact is that most people don't know how to configure it at all.

      Obviously there is a large enough portion to support spammers, otherwise I'd not be getting so many requests for formail.pl in my logs (always set to email from some aol.com email address, most recently f2@aol.com, and sending to another fake address, most recently phishtank@yahoo.com, with a subject of my server name and a body of "w00t").
    • There aren't that many true vulnerabilities for IIS either.

      Don't forget that entire waves of worms starting from Code Red were targetted solely at one single vulnerability (which was actually patched a couple of months before Code Red actually struck).
    • Installed user base.. Apache is everywhere, and a single remote root exploit can cause havok across 3/4 the Internet...
  • by Anonymous Coward on Thursday October 03, 2002 @05:52PM (#4384049)
    They left Outlook and it's derivatives off the Windows list. Nevermind the root VBS cause.

    But they seem to have really had to reach to get 10 for Unix.

    Man... how much did this 'study' cost?
  • Social Engineering (Score:5, Insightful)

    by akiy ( 56302 ) on Thursday October 03, 2002 @05:54PM (#4384059) Homepage
    They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.

    If you can get the information that you want (eg passwords) from a person who knows the information, all the patches in the world won't protect your network...
    • by Gurp ( 7581 )
      They forgot to list one of the most obvious ways of breaching computer security measures: social engineering.

      Not forgot, deliberately left out. This document is limited in scope to only Windows and Unix vulnerabilities.

      If they had tried to make this more encompassing (say, by including physical security or common weaknesses in operational processes) the document would be so long no one would read it.

  • by Nailer ( 69468 ) on Thursday October 03, 2002 @05:55PM (#4384070)
    At the end of the document, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistake

    This seems like a really bad idea. Giving people a list of port they should block traffic to implies that they needn't properly lock down their rulesets properly, andd have accept as the default policy.
  • Not again (Score:5, Insightful)

    by The Bungi ( 221687 ) <thebungi@gmail.com> on Thursday October 03, 2002 @05:58PM (#4384086) Homepage
    Item 'W10 Windows Scripting Host' lists the 'solution' to be removing WSH. This is about as useful as removing Perl from a Unix box - it's not viable. The WSH is an important tool and the knee-jerk "let's get rid of it!" reaction will eventually be more trouble than not given how many other Microsoft and third-party software requires it. Also, the WSH is only a hosting implementation. The VBScript and JScript interpreters are not removed when you disable the WSH.

    Plus, you don't even need to spend on AV software from snake oil vendors.

    All that's needed is to make the 'Edit' command the default in the registry for all types of WSH-recognized extensions, such as .js and .wsh. Unfortunately the default is 'Open', which executes the script.

    Once you do this you can simply sit there and watch the script worms hit - the only thing you'll see are instances of Notepad all over the place (with the code, to boot). Quite funny (in a sick sort of way).

    • Re:Not again (Score:4, Interesting)

      by airrage ( 514164 ) on Thursday October 03, 2002 @06:06PM (#4384136) Homepage Journal
      WSH is an important tool, but it's only the command interpreter, it's the code that's sent to it and how it executes that truly the problem.

      But the most overlooked part of Windows 2000 and above is Microsoft's implementation of the Windows Management Instrumentation (WMI) API. With this interface an admin can script against any Microsoft Class and has full rights to change, modify, stop, start, etc. The box is yours. And it's installed by default!

      Currently, it's a little under the radar, so many are unaware of it's implementation, but remote scripting is completely available and documented, just need the first exploit to overcome the security context and Houston we have a problem.
    • Do you have a full list of those extensions, or do I need to dig through the "File Types" list?
      • I did this a while ago when my roomate-at-the-time was sharing one of my computers. Workes really well. Since then I've thought it would be cool to have an OE/Outlook virus that would do this and mail itself on. Thus, all the people who do click these damn things will get infected and never have that problem again, while the people who don't click them don't really need the protection anyway.

        Sorry, don't have the list.
      • Re:Cool idea (Score:3, Informative)

        by The Bungi ( 221687 )
        .js
        .wsh
        .wsf
        .vbs
        .wsc (this one is not a problem IIRC, but check it. It's a "script component" and can't be executed directly)
        .jse

        If you have ActivePerl installed (recent build) you might want to do the same to the .pl extension, just in case.

    • > the knee-jerk "let's get rid of it!" reaction will eventually be more trouble than not

      What we need is a greater knee-jerk reaction. A few months ago I got rid of WSH using "format c: /q /u". Now running OSX on new iMac, and old PC is a lovely Linux firewall. I think the top 10 Windows problems might not bother me now. ;)

  • by rhysweatherley ( 193588 ) on Thursday October 03, 2002 @05:58PM (#4384087)
    ... the script kiddie who's been banging on my firewall for the last two weeks would just give up and go away, I'd be a happy camper.

    Free Clue: if you didn't get in on the first 2000 tries, go waste someone else's bandwidth!

    • by derF024 ( 36585 ) on Thursday October 03, 2002 @06:26PM (#4384224) Homepage Journal
      have some fun with ipchains and the "mirror" directive. all of a sudden, to him, your machine will appear to be an exact duplicate of his. maybe he'll even root his own machine in the process :-P
  • by MavEtJu ( 241979 ) <<gro.ujtevam> <ta> <todhsals>> on Thursday October 03, 2002 @06:01PM (#4384104) Homepage
    Version number hiding is not the way to go. And let me explain why: Nimda / Code Red. ISS only. Certain versions of ISS only. And do you think that the virus checks for the HTTP Server-string before it sends it payload? No way. Brute force. Just send the exploit and check later if it was successfull. I have the logs of my Apache webservers to show this behaviour.

    Same with the bugbear[sp] worm at this moment. "Check all the shares on the system. Found one! Let's copy to there." Zwoooosh there goes another sheet of paper through the printer.

    For administrative purposes, being able to find out what version of software is running is essential. In a company with tens of locations and thousands of computers, nobody will be able to keep a list of software installed on all these things, let alone keep track of the versions.
    A weekly scan by the corperate IT department and they know what MTAs and versions are there, what FTP servers and version, what DNS servers and versions are there. An update is released? Just inform the right people (i.e. the LAN administrators, not the people who own these servers). An exploit has become known? At least you know how vulnerable you are instead of panicing and trying to get (obsolete) lists from all over the place.

    So yeah, version number hiding doesn't reduce the attackrate but does reduce the ability to act.
  • I thought it was kind of amusing, the list being broken up into 2 catagories. Without a doubt, the highest number of vunerabilities are on the Windows side, especially in IE and VBScript. But lets not forget that Apache isnt immune either.. and for that matter, who can forget the infamous sendmail vunerability, and also dont forget misconfigured sendmails from our friends in the East are what allow so many of those cute spam messages we all love so much to get to us. And hell, I can remember stealing password lists with a nice PHP vunerability for years (goes to show that once you get used to an attack, you stick with it).luckily with IDS systems like Snort (http://www.snort.org) companie can monitor attacks as they happen (be sure to compare the size of the Web-Vunerabilities and Virus Rules files with the others...). But either way, the higher count is definitly on the Windows side.
  • I have to disagree with their evaluation of item W10, Windows Scripting Host [sans.org]. They're essentially blaming it for improper use by mail clients (I never heard of anything other than Outlook or Outlook Express having problems with .vbs scripts run through WSH -- Word macros, while VB, are not VBScript, and don't go through WSH. IE embeds vbscript and jscript, again not through WSH, so while I guess you could download a .vbs, you'd have to be a moron to tell it to run automatically). Sure, they do include the line, "While administrators should always keep applications like browsers, mail clients and productivity suites patched and updated, patching these applications to eliminate their susceptibility to a particular worm is an incomplete (and no better than reactive) solution to the risks posed by scripting," but that's paramount to suggesting all scripting is bad. Would it be bash's fault if mutt auto-ran .sh extensions? Or would it be perl's fault if mutt did the same thing with .pl extensions? No, it wouldn't, so to fault WSH for Outlook/OE problems is pretty ludicrous.


    WSH is a very useful tool when used properly, just as bash or perl are very useful when used properly. Misuse by one or several applications does not mean the tool itself is at fault. A better thing to blame would be running as administrator (in NT-based Windows systems) full-time, rather than as a non-admin user. Again, this is directly parallel to running as root 24/7 in a unix system. You wouldn't do it there, so why do it in Windows? (Win9x is dead, let it rest in peace.)

    • by lugonn ( 555020 )
      A better thing to blame would be running as administrator (in NT-based Windows systems) full-time, rather than as a non-admin user

      Given that Win doesn't have group ownership for files, it really doesn't matter if your running as admin or guest. You can still use WSH as a guest and be able to fuck with system files, you just can't play with the registry...nice security model, it doesn't exist for files on Win systems.

      Perl on the other hand can't mess with files if the UID for the process doesn't have permission to...ooohhh, file security.

      • by Osty ( 16825 )

        Given that Win doesn't have group ownership for files, it really doesn't matter if your running as admin or guest. You can still use WSH as a guest and be able to fuck with system files, you just can't play with the registry...nice security model, it doesn't exist for files on Win systems.

        You'd be right, if your system is using FAT16/32, though why you'd ever use that on an NT-based system (note my comment about NT-based Windows systems, and Win9x being dead), I don't know. Use NTFS, setup proper permissions (should be setup by default, if you installed using NTFS), and you have a better ACL system than the default user/group/other UNIX permission system (yes, I know various unices have better ACL systems, and various filesystems for Linux do as well, but most people use ext2 at the moment, which just does ugo by default -- you can add patches that do real ACLs, but last I checked that wasn't part of 2.4).


        Just taking a quick look of C:\Windows on my XP system, I see:

        • Administrators group has full permissions
        • Power Users group has modify, read&exec, list folder contents, read, and write permissions (missing "special permissions")
        • SYSTEM has full control
        • Users (which is where you should normally be running) has read&exec, list folder contents, and read permission. No modify, no write.

        So how is it, again, that Windows doesn't have group ownership?
  • by funwithBSD ( 245349 ) on Thursday October 03, 2002 @06:04PM (#4384125)
    the "Slashdot Effect" DOS did not make the top 20.

  • W10 (Score:2, Funny)

    by Tablizer ( 95088 )
    Top 10 Windows Vulnerabilities:

    1. Windows
    2. Windows
    3. Windows
    4. Windows
    5. Windows
    6. Windows
    7. Windows
    8. Windows
    9. Windows
    10. Windows
  • by Zspdude ( 531908 ) on Thursday October 03, 2002 @06:16PM (#4384179) Homepage
    The user. Windows OR Unix.
  • by NineNine ( 235196 ) on Thursday October 03, 2002 @06:24PM (#4384213)
    They're all security holes, if they aren't patched. Very few of the things that they listed aren't completely patchable (yes, including IIS). Keep up with the patches, and don't do stupid things, and you'll be fine.
    • That was more or less the point of the list. To point out the top 10 POTENTIAL security problem areas. Lazy admins could make great strides by merely keeping tabs on these top 10 items alone.

      It seems incredable to me too that anyone with the title of "administrator" could NOT already be doing this, but then there is reality.
  • FTP? (Score:2, Insightful)

    by GigsVT ( 208848 )
    So what to do with FTP?

    The openSSH sftp client really sucks, it's barely usable, no frills, almost seems like a "proof of concept" as it were. It gets the job done, barely.

    So our customers need to upload files. With FTP in IE and Netscape and Mozilla, they can drag and drop the files into the browser and log in and send the files.

    Another option is to use HTTP PUT, but since our clients are uploading 50 meg files, no progress feedback is a killer there. Is there some open source client-side-java-pretty-HTTP-PUT-uploader out there? Even then you have to have your clients have Java installed, something that can't really be counted on.

    Other options.... Put putty on the site and make them install it and use sftp.. Not an ideal option, but somewhat workable.

    So where is the drop in replacement for FTP? Why isn't anyone working on this?
  • by hardaker ( 32597 ) on Thursday October 03, 2002 @06:45PM (#4384322) Homepage
    Here's a note I just sent to their web master (they had no other place to send "comments"):

    Overall the top20 list is a good summary as always.

    However, I can't believe the lack of knowledge about at least the SNMP portion of it. SNMP *used to use* clear-text community strings in the first and second versions of the protocols. The following statement, along with others in the section:

    'SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough...'

    Is spreading simply incomplete information. At a minimum, it should be suggested that all users upgrade their SNMP enabled software to version 3 compliant SNMP agents and to disable the version 1 and version 2 SNMP protocols. All of the major network vendors, as well as software vendors implement the v3 protocol so there is very little excuse for not using it (and, worst case you can deploy v3->v1 proxies near v1-devices to minimize the transmision distance of clear-text v1 community strings). *Please* change the wording to suggest that people upgrade their equipment to SNMPv3 compliant software, which will take care of at least the insecure problems with the protocol.
    • Mod parent up.

      I completely agree, but they been sent similar infomation before and they were clueless, and I mean clueless. Quite disappointing.
      Makes me lose faith in the rest of their list.
      But maybe they will listen to you Wes.
      • Well, the sad thing is that you'd think SANS would have gotten it right. At least checked it with people who knew something. They're just one of those organizations that I thought I could trust. Which means, most other people also think they can trust them.

        Which, um, I guess means "trust no one, mannnnnn".
  • I think its rather interesting that bind was included on this list, especially ironic because it was listed as number "9". Bind 8 did have a terrible security reputation, but all of the bind 9 releases have been essentially bug-free. I believe there have been one or two denial-of-service exploites released, but nothing that would bring the internet's name services crashing down. Additionally, bind 9 has the ability to run as the permissions of another user -and- in a chroot'd environment, which makes the box worthless to the attacker even if they are able to break in (can we say "ls: command not found").
  • Users and administrators.

    Either base system can be secure or as full of holes as your mother. Apply the relevant patches in a timely manner, and you're mostly ok (so far).

    Clueful users do not generally get rooted. In either system.
  • We had to install a virus checker on our Unix boxes at work. In the manual they ask the question 'Why a virus checker for Unix?'. Their reply was 'because of all the Windows viruses'. Seems they thought it a good idea to catch them before they got to the Windows boxes. They are the professionals, I have to believe them.
  • I love W5... (Score:3, Interesting)

    by tlambert ( 566799 ) on Thursday October 03, 2002 @08:10PM (#4384644)
    I love W5. It implies that the vulnerability is the leakage of information to an intruder.

    It seems to me that, since it points out the the scans are often run as "System" by the legitimate users, then by properly crafting a response to an inquiry, and puttting my machine out there, the real vulnerability is to the systems, like the domain controllers, which scan (potentially trojaned) remote machine, without dropping "System" priviledge first.

    It seems to me that an exploit using SAMBA source code ought not to be that hard to write...

    -- Terry
  • by darkonc ( 47285 ) <stephen_samuel@b ... m ['gre' in gap]> on Thursday October 03, 2002 @08:10PM (#4384648) Homepage Journal
    In the article, it says:
    Nearly all Linux systems and many other Unix systems come with Apache installed and often by fault enabled.

    Although I presume that they meant to say 'by default enabled', I (like many others) feel that it is an error to have most facilities enabled by default. Thus the default is IMHO a fault.

    I would much rather have various facilities disabled by default, with easily-accessible tools which enable those facilities (and give appropriate security warnings). Manufacturers, like sun, who ship machines with everything and their dogs enabled should be hung by their toes and beaten mercilessly with burnt-out '286s.
    The standard defence that most of these systems ship to sites with well-traind sysadmins who know what to disable is silly. If a site has well-trained sysadmins, then they should know how to enable the required facilities. Sites without well trained sysadmins probably don't have good security, either, and most desparately need to have all of those holes covered when the system ships.

    For admins who care more about getting a system running easily than they do about security, vendors like sun could have a program (named 'goahead-shootme') that enables all facilities just like the old (de)fault had it. Better yet, of course, would be a simple menu-driven / GUI program that allowed you to turn on/of various facilites and daemons (and possibly even provided an explanation of why). -- Bastille Linux comes to mind...

  • by billstewart ( 78916 ) on Thursday October 03, 2002 @09:30PM (#4384914) Journal
    Microsoft keeps thinking up new and interesting blatantly stupid security holes - bashing them is too easy, and getting them fixed it too hard, so I'll stick to bashing Unix systems and applications, which are not only expected to know better, but also to be able to fix things. Most of these weaknesses are the same fundamental weaknesses that have been around for decades The Morris Worm was almost 15 years ago.....
    • Buffer Overflows! If people are going to insist on using C to write important applications, they need to use libraries that check input properly if they're not going to do the job themselves! This is about the most basic bug you learn to avoid when you learn arrays, and C's pointers don't give you protection so you're warned to do it yourself where you need it.
    • Not Checking Input for Validity! This is about the second lesson in CS100 classes, or was back when I took them - Never Never Never trust that your program has been given correct input, especially input that cares about size and type.
    • Not checking for Cleverly Malicious Domain-Dependant Input - OK, some kinds of input checking go beyond the basics, but at least make sure not to let users provide input that uses ".." in directory paths or lets unauthorized people store important data.
    • Running things are ROOT that don't critically need to - Mail doesn't need to run as root just to deliver mail to mailboxes - group permissions with the application running as group mail works just fine. Web Servers doesn't need to be root, and DNS doesn't need to be root, and Printer Daemons don't need to be, and most ftp servers don't need to be (a few might). SSH probably does, but there may be ways to work around that.
    • Operating Systems that force applications to user root privileges - TCP and UDP well-known ports shouldn't need root permissions to run them, except perhaps in very special cases, and forcing them to have root permissions increases the probability that an inadequately-written application will be running as root instead of chroot-jailed.
    • Applications writing over their own configuration files - if you take advantage of operating system permissions, that reduces your need to defend against cleverly malicious input. Be careful out there, and use them.
    • Applications that force users to use too-short passwords - 8-character passwords have been obsolete for years. Even if you let users pick wimpy ones, at least don't *force* them to.
    That's certainly not everything, but it's an appallingly high fraction. Making sure applications don't run as root doesn't prevent things like mail viruses or web server viruses from flooding the net with bogus emails, but it makes it harder, and reduces the potential damage. At least practice enough basic hygiene that attackers have to be careful, creative, and hardworking....
  • I like this quote:

    Web administrators too often conclude that since Microsoft's Internet Information Server (IIS) is exceptionally prone to compromise (see W1. Internet Information Server), the open-source Apache web server is completely secure. While the comparison with IIS may be true, and although Apache has a well-deserved reputation for security, it has not proved invulnerable under scrutiny.

    It amazes me how often these vulnerabilities are caused by things that they teach in beginning programming classes, like bulletproofing your code.

  • snmp and userids (Score:3, Informative)

    by Sabalon ( 1684 ) on Thursday October 03, 2002 @10:41PM (#4385144)
    C'mon...the snmp one should be thrown off the unix list. Winders has snmp, and network devices have snmp. Just because you can do snmp stuff with Unix doesn't make it a unix vulnerability anymore than a windows one.

    As for userid's and passwords - I've seen equally week NT setups - even more common for people to use no passwords on NT, since Win clients are connecting. As for tracking what a user is doing - ps anyone? Lets see you track what an authenticated user can do with RPC on a windows network.
  • Shatter exploit? (Score:2, Informative)

    by DaPhoenix ( 318174 )
    Shatter Exploit? [tombom.co.uk]? Come on. This exploit is worse than any of the ones listed.

    Those other flaws are weak in comparison to one where someone can own your university network.
  • 2002-10-03 13:22:59 Most critical internet security vulnerabilities (articles,security) (rejected)

    The register points to [theregister.co.uk] the 2002-09-27 SANS/FBI top 20 most critical internet security vulnerabilities [sans.org]. 2000 [slashdot.org]'s top vulnerability, BIND weaknesses, dropped to Unix number 3 last year [slashdot.org], and number 9 this year.

In the future, you're going to get computers as prizes in breakfast cereals. You'll throw them out because your house will be littered with them.

Working...