Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

SANS Institute Warns of Attack Shift 80

JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."
This discussion has been archived. No new comments can be posted.

SANS Institute Warns of Attack Shift

Comments Filter:
  • by someone1234 ( 830754 ) on Tuesday November 22, 2005 @04:48PM (#14095148)
    What about IE? Is it 'internet' or 'application'? Ie. (not pun) does it belong to the former or the latter group. You can hear a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, i don't see the 'big shift'. I expect some shift towards Firefox exploits though (as contrary to belief, it crashes too). As soon as it reaches a critical mass of users so it 'worths bothering with'.
  • New shift? (Score:3, Funny)

    by Junior J. Junior III ( 192702 ) on Tuesday November 22, 2005 @04:49PM (#14095151) Homepage
    We've been living with Outlook/Exchange Server for this long... is the worst REALLY ahead of us?
  • by 8127972 ( 73495 ) on Tuesday November 22, 2005 @04:50PM (#14095168)
    ......the worst vunerablity was being in range of Ballmer's chair.
  • Symantec (Score:4, Interesting)

    by mysqlrocks ( 783488 ) on Tuesday November 22, 2005 @04:53PM (#14095215) Homepage Journal
    The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

    That must be embarrassing for a company that sells security products themselves.
    • Re:Symantec (Score:4, Insightful)

      by someone1234 ( 830754 ) on Tuesday November 22, 2005 @05:05PM (#14095340)
      That must be embarrassing for a company that sells security products themselves.

      No, that must be profitable.

    • Embarrasment, maybe for a time - but if hackers attack security software instead of other apps, maybe it means that security software actually works in protecting these.
      • but if hackers attack security software instead of other apps, maybe it means that security software actually works in protecting these

        Interesting theory but the product in question, Veritas BackupExec, is not a security product. To Symantec's credit this is a software product they purchased but it still has the Symantec name on it.
    • All hardware and software products have flaws. Show me who made a perfect product that never had problems. The important part is how fast and the support of fixing those issues.
    • Over the past six months I have seen several customer computers coming into our shop for repair which all had infected/disabled anti-virus programs running in the task bar. At first it was shocking and ironic to see this. Now it is just plain funny.
  • Link to list (Score:5, Informative)

    by UnderAttack ( 311872 ) * on Tuesday November 22, 2005 @04:54PM (#14095221) Homepage
    the actual top 20 list can be found here: http://www.sans.org/top20 [sans.org]
  • shares? (Score:5, Funny)

    by gcnaddict ( 841664 ) on Tuesday November 22, 2005 @04:54PM (#14095222)
    " Microsoft shares"

    Microsoft shares? Did I read that right?
  • Crackers need care and feeding. When they can no longer get what they need from maturing operating systems the move on. In other words, nothing to see here. move along.
  • Coding practices (Score:5, Insightful)

    by Dekortage ( 697532 ) on Tuesday November 22, 2005 @04:56PM (#14095242) Homepage

    From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.

    While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

    • Re:Coding practices (Score:4, Interesting)

      by Anonymous Coward on Tuesday November 22, 2005 @07:01PM (#14096471)
      I disagree, that's like saying an airplane will fall out of the sky if you forget one little thing.

      You know how the people who make airplanes avoid this type of situation? They double-check. They triple-check. They fire people who can't do a good job and hire ones who can. They actually, you know, *try*. Can you honestly say the same thing for the average coder?

      If you have a network app, and it accepts a finite language of bytes, just how hard is it to secure this? Not very hard. Either you can do it, or your app is too complex, and you need to simplify it.

      I don't think software with security holes should *ever* be "the norm". That's a dangerous way of thinking. It just makes software worse and worse. I have no problem with calling any software with holes the result of "bad coding practices". Including my own.

      Every single time a flaw is discovered, it's a failure. It's not business as usual. Just because it happens a lot in our industry doesn't change that.
      • You know how the people who make airplanes avoid this type of situation? They double-check. They triple-check. They fire people who can't do a good job and hire ones who can.

        As one who is currently building and airplane, I'd like to say that this is only Step 1.

        Step 2. You devise back-up systems, or design the system so that a failure is contained and won't matter. The electric trim system is backed up by a manual trim system. If the alternator fails, you have enough battery to run at least 3hours (time
    • Re:Coding practices (Score:3, Interesting)

      by Billosaur ( 927319 ) *
      All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

      Bad coding can take on many forms. The single hardest thing to get people to do is sanity-check data. I work in Perl and I swear by the -T switch (taint mode) because it forces me to verify that data passed in from the real world is in fact valid and doesn't contain any surprises. Now mind you, it can lead to some ugly-looking regexs, but if you're writing a CGI that calls fo

    • It seems to me like the biggest problem is not bounds-checking arrays. That's bad coding.
  • by pmike_bauer ( 763028 ) on Tuesday November 22, 2005 @04:56PM (#14095250)
    Sony, looking to expand its product line, is selling the new $sys$Attack package to hackers.

    Sharp criticism for this product inspired Sony to offer $sys$CounterAttack, $sys$Peekaboo, and $sys$Shields to private induhviduals and security experts.

    A $sys$spokes-person for Sony, who wishes to remain anonymous, says these products are the precurser to the $sith$ branded products that will ensure peace and justice in the galaxy.
    • Clearly he means to remain $sys$anonymous, right?

      As much as I laughed at your post, i remembered that "microsoft and symantec were consulted to ignore the rootkit," meaning they knew damn well what it was and their lawyers advised them to feign ignorance for fear of fisticuffs with Sony.

      Now Microsoft and Symantec are going to hang out together and tell us what the new threats are? I wish I could be there to voice concerns over the "private backroom deal for corporate interests" attack vector. It's an

  • by yagu ( 721525 ) * <yayagu.gmail@com> on Tuesday November 22, 2005 @04:58PM (#14095276) Journal

    I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).

    There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.

    In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:

    • Microsoft and their global domination of IT and their abysmal track record around security. Microsoft has proclaimed loudly their ongoing dedication to improving and eventually fixing their security flaws but there is little to show for their efforts. Microsoft, however, has not suffered greatly from this.
    • The complementary side, or the "consumers". I don't blame them as they see the world typically today through Microsoft colored glasses. They don't know of many alternatives, they don't know much about alternatives of which they're aware, and they don't much care because, "Nobody ever got fired for choosing Microsoft." (Remember when that was IBM?)

    No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.

    • You are wrong on both counts and you are spreading FUD.

      The global warming threat is far from confirmed. There is overwhelming evidence to the contrary. And there have been catastrophic events to the Internet (not including the AOL invasion (ok, karma whore cheap shot. Laugh, it's supposed to be funny)). Remember Slammer, Melissa, and a handful of other fast moving worms that took out large portions of the network for several hours at a time? That was pretty catastrpohic. However, let's also remember that
      • I think if you'd read my post, you'd see I explicitly stated:

        not making any endorsement or criticism about the Global Warming debate, btw

        I was merely mentioning the behavior of the general populace is similar around both ongoing debates.

        As for your contention that the internet catastrophe's have already happened, you pointed out some things that created inconvenience for many, but the net effect of those "events" were hardly catastrophic as you astutely pointed out in your next (but contradicting your po

    • "Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems."

      You say this as though there is some dereliction of duty among the IT folks. There are people (http://www.antiphishing.org/ [antiphishing.org], http://www.openantivirus.org/ [openantivirus.org]) working on these things. In their spare time too--right? It's quite apparent that your gripe is with M$ and the the general population that has bought into the monopoly, but there's only so much you can do with 6 billion Elvis


    • In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet.

      Well, I'd say we've either already had those catastrophes, or the Internet isn't vulnerable to what we think of as a catastrophe. When I think of catastrophe, I think of something that happens in a short period of time and causes wisespread damage that takes months to cleanup.

      So.. either the various virus outbreaks, p
  • by punxking ( 721508 ) on Tuesday November 22, 2005 @04:59PM (#14095285)
    Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others

    Thank goodness I'm protecting my well-patched XP system with Norton and a Linksys router, so I'm safe!
    This levee is rock-solid baby!
  • by hal9000(jr) ( 316943 ) on Tuesday November 22, 2005 @05:00PM (#14095298)
    SANS Top 20, November 22, 2005 [sans.org] is here.

    This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq [neohapsis.com], Full Disclosure [neohapsis.com], or VulnWatch [neohapsis.com], this is incredibly old news.

    I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.
  • How is this list [sans.org] even really an annual top 20? They just list off the standard set of security deficiencies to be expected when using each platform. I was expecting something with a little more specificity to help me understand how things are changing.

    Nice to see, though, that the only Unix problems they talk about are misconfigurations. This isn't really accurate, but nice to see anyway.

  • by Anonymous Coward on Tuesday November 22, 2005 @05:01PM (#14095309)
    I've had various Chinese hosts hammering on my SSH door for at least seven months with no end in sight. I understand that it isn't a "sexy worm" but rather, a simple brute force password guessing attack but, I rarely see any mention of it anywhere.

    Who's behind these attacks and what's being done to put an end to them? I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door.
    • The funny thing is, I see people complain about these all of the time, but I don't get any of them. I don't respond to pings, my SSH is on a non-standard port, and I allow public-key authentication only.

      Over the past couple of days however, I have been watching my firewall logs, and 99.8% of dropped packets are from the Middle East or Asia. Out of those they seem to be split 10/90 - 10% are spam that take advantage of the messenger service in Windows, and the other 90% are worms targeting exploits foun
    • http://fail2ban.sourceforge.net/ [sourceforge.net] is my friend, make it yours.
    • "I'm tired of seeing Slashdot headlines about "poor Chinese people behind the Great Firewall" when they don't seem to be having any trouble hammering on my SSH door." Fat, stupid, rich Americans go abroad and piss people off. Therefore, all Americans must be fat, stupid and rich. Do we see the fallacy here? They *aren't the same people,* guy. I don't want to shock you or anything, but I hear China has a fairly good-sized population! More seriously, tho, realize that like any good Comcast or Roadrunner
      • I apologize to all the eyes that were harmed from trying to read my previous comment. In penance I shall now cross mine 'til they stay that way like my mother warned me they would.
    • Not only SSH, but also various web attacks. I'm seeing everything from blog hits to at least 30 variations of PhpMyAdmin. This is on a server that runs neither (and is, in fact, Zope behind Apache).
    • Strange most of mine come from Europe,

      Guess it depends on the net block you are on.

      I have heard that most attacks orginate in the US. and use other servers as proxies. But I have no real evidence.

    • On linux, I use iptables with some rate limiting rules on "NEW" connections to only allow x number of connections per y minutes from any host:

      # setup recent state list
      /sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSHLIST --set
      # hitcounter rule - send to DUMP table if matching
      /sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSHLIST \
      --update --seconds 600 --hitcount 4 -j DUMP

      That pretty much stops any brute force attac

    • There is a rather good tool available here: http://www.hexten.net/sw/pam_abl/ [hexten.net] I think it is already in the 'extras' list of fedora (if you use that). The connection actually doesn't get dropped, so the attacker does not know if his 'guess' was actually processed. It can protect all pam authorized services.
  • by FishandChips ( 695645 ) on Tuesday November 22, 2005 @05:37PM (#14095679) Journal
    These bulletins are extremely helpful in their wealth of detail but they also give a misleading impression. The impression is that "vulnerabilities" are like the weather and beyond all human control.

    One way of reducing the risk of vulnerabilities is to impress on those who'd exploit them that they are highly likely to be caught and if caught will get shitcanned bigtime. I'd wager that the top 100 bad boys in Europe and the USA could be put out of action in a week with a combination of legal moves and political lobbying. It always puzzles me why the combined weight of the IT industry and all its billions are completely unable to do this. Maybe they figure that if you've already got the reputation of a dung-encrusted fly you won't sink any lower if you look the other way, sigh and pass the buck to the little guy at the end of the chain while getting on with the day job of busting grannies for drm violations and trying to patent air.

    I'm grateful for these reports from SAN and others. They remind me that IT industry deserves no support at all until it is prepared to take responsibility for the consequences it creates.
    • The impression is that "vulnerabilities" are like the weather and beyond all human control.

      I think this is one of the messages that SANS is trying to get out - that these vulnerabilites are TREATED like weather by many companies and are NOT controlled in a systematic way.

      So, SANS releases a very famous list of the "top 20 volnerabilities" this quarter - its a well thought out and well researched list. I think your beef is unjustified, I say with respect.

  • SANS (Score:3, Interesting)

    by Heembo ( 916647 ) on Tuesday November 22, 2005 @05:41PM (#14095707) Journal
    SANS is pretty hard core, and they do not say such things lightly.In fact, SANS is well know for pissing on ANYONE who is insecure, politics be damned. SANS has made a LOT of industries upset at them, and that is exactly why I trust them for security news and advice. Plus, their training classes (security centric) are the best in the industry. If you want a happy-feel-good company, go elsewhere, SANS does not play nice. If you want the best security info, SANS news and training is THE BEST.
  • Most of the security establishment is focused on patching holes *after* they're discovered. This goes for application/product vendors as well as the security companies that are tasked with protecting those assets. The reasoning goes something along the lines that the sooner you patch your systems, the sooner you are safe from the "bad guys".

    The problem is that many of the vulnerabilities have been sitting there for YEARS before they're discovered by the establishment. Take Blaster for example... how long wa
  • This correlates with research published by others earlier this year [yankeegroup.com]. [Disclaimer: I know the author.]
  • I take a different view on this. Attackers started with the easiest, most common target(s) and are just moving down the list. The OS is the most widespread type of software easily attackable but the ease of attack has decreased to the point where it is greater payoff to attack the next software on the list. At which point they will spend a few years cleaning up and the attacks will keep moving.

    What worries me is the ability of attackers to do real-time attacks on a service. To hit a system that they k

  • by theCat ( 36907 ) on Tuesday November 22, 2005 @06:17PM (#14096047) Journal
    The hardware and IOS vulns may not be entirely new, but the *interest* in them probably is. We've gone from recreational hacking that produced interesting viruses to organized crime looking at ways to make money. When the mob gets involved, you can bet they'll take any route they can, all the time.

    IMO hardware vulns are best used to extort businesses, and are no good for terrorism. The DOS, which used to be seen as a tool for revenge, is now used as a tool for extortion. Being able to shut down some business' router, and keep it down, is in the end far more effective than trying to build a small army of bots to packet flood the same router. Master Sun Tzu reminds us: "Therefore those who win every battle are not skillful... those who render others' armies helpless without fighting are the best of all."

    That's the science of Internet Warfare.
  • I can't be the only one who misread the title and thought the flaming-bag-of-poo-ding-dong-run had been made into an online exploit.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...