Telecom and Logistics Associates
Security News Service: TLAnews
Publication: Christian ALT
1. BIND is No. 1

Taking the No. 1 spot is a popular Internet service known as the Berkeley Internet Name Domain (BIND), which is believed to have vulnerabilities that affect more than half of its installations.
2. CGI is No. 2

Common Gateway Interface (CGI) scripts, designed to add interactivity to Web sites, took the No. 2 position. On many Web servers, the default installation of example CGI scripts leaves the server open to exploitation.
3. Remote procedure calls (RPC) are No. 3

The third most popular exploit takes advantage of functions called remote procedure calls, which allow one computer to execute programs on a second computer. The successful attack on U.S. military systems during the Solar Sunrise incident exploited the RPC vulnerabilities on hundreds of military servers.
4. RDS security hole in the Microsoft Internet Information Server (IIS)

Microsoft's Internet Information Server (IIS) is the web server software found on most web sites deployed on Microsoft Windows NT and Windows 2000 servers. Programming flaws in IIS's Remote Data Services (RDS) are being employed by malicious users to run remote commands with administrator privileges. Other IIS flaws, such as the .HTR file-handling flaw, are at least as common as exploits of RDS. Prudence dictates that organizations using IIS install patches or upgrades to correct all known IIS security flaws at the same time as they install patches or upgrades to fix the RDS flaw.
5. Sendmail buffer overflow weaknesses, pipe attacks and MIMEbo that allow immediate root compromise

Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX and Linux computers. Sendmail's widespread use on the Internet makes it a prime target of attackers. Several flaws have been found over the years. In one of the most common exploits, the attacker sends a crafted mail message to the machine running Sendmail, and Sendmail reads the message as instructions requiring the victim machine to send its password file to the attacker's machine (or to another victim) where the passwords can be cracked.
6. sadmind and mountd

Sadmind allows remote administration access to Solaris systems, providing graphical access to system administration functions. Mountd controls and arbitrates access to NFS mounts on UNIX hosts. Buffer overflows in these applications can be exploited, allowing attackers to gain control with root access.
7. Global file sharing and inappropriate information sharing via NetBIOS and Windows NT ports 135 through 139 (445 in Windows 2000), UNIX NFS exports on port 2049, or Macintosh Web sharing and AppleShare/IP on ports 80, 427, and 548
These services allow file sharing over networks. When improperly configured, they can expose critical system files or give full file system access to any hostile party connected to the network. Many computer owners and administrators use these services to make their file systems readable and writeable in an effort to improve the convenience of data access. Administrators of a government computer site used for software development for mission planning made their files world readable so people at a different government facility could get easy access. Within two days, other people had discovered the open file shares and stolen the mission planning software.

When file sharing is enabled on Windows machines they become vulnerable to both information theft and certain types of quick-moving viruses. A recently released virus called the 911 Worm uses file shares on Windows 95 and 98 systems to propagate and causes the victim's computer to dial 911 on its modem. Macintosh computers are also vulnerable to file sharing exploits.

The same NetBIOS mechanisms that permit Windows File Sharing may also be used to enumerate sensitive system information from NT systems. User and Group information (usernames, last logon dates, password policy, RAS information), system information, and certain Registry keys may be accessed via a "null session" connection to the NetBIOS Session Service. This information is typically used to mount a password guessing or brute force password attack against the NT target.
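The mission-planning anecdote above turns on exports that were opened to every host. As an added example that is not from the article or from SANS, the Python below audits a UNIX /etc/exports file and flags entries exported to any host, wildcard-host entries, writable entries in either category, and entries that disable root squashing. The exports file it reads is constructed for illustration, and its path names are assumptions; the parsing follows the exports(5) layout of a path followed by client(options) entries, where a missing client before the parenthesised options means "any host".

```python
"""Audit /etc/exports for exports granted to any host or to wildcard hosts.

Added example, not part of the original article. The sample exports text
below is constructed; paths and host names are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, not a real system's exports file.
SAMPLE_EXPORTS = """\
# mission planning tree, opened up "for convenience"
/srv/mission    *(rw,no_root_squash)
/srv/docs       10.1.2.0/24(ro,root_squash)
/srv/builds     *.lab.example.com(rw,root_squash)
/home           (rw)
/srv/archive    10.1.2.5(ro)
"""

# client part (may be empty) followed by an optional "(opt,opt,...)" group
ENTRY_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


@dataclass
class Finding:
    path: str
    client: str
    issues: list = field(default_factory=list)


def parse_exports(text):
    """Yield (path, client, options) tuples; '*' stands for 'any host'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, entries = parts[0], parts[1:]
        if not entries:
            # A path with no client list at all is exported to every host.
            yield path, "*", []
            continue
        for entry in entries:
            m = ENTRY_RE.match(entry)
            if m is None:
                continue
            # "(rw)" with a space before it has an empty client: any host.
            client = m.group(1) or "*"
            options = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            yield path, client, options


def audit_exports(text):
    """Return a Finding for every export entry that needs attention."""
    findings = []
    for path, client, options in parse_exports(text):
        issues = []
        if client == "*":
            scope = "any-host"
        elif client.startswith("*"):
            scope = "wildcard"            # e.g. *.lab.example.com
        else:
            scope = None
        if scope:
            issues.append(f"{scope}-{'writable' if 'rw' in options else 'readable'}")
        if "no_root_squash" in options:
            # remote root maps to local root on this export
            issues.append("no_root_squash")
        if issues:
            findings.append(Finding(path, client, issues))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path:14} {f.client:22} {', '.join(f.issues)}")
```

Run against the sample, the audit reports /srv/mission (any host, writable, root not squashed), /srv/builds (wildcard domain, writable) and /home, whose "(rw)" separated from the path by a space is a classic mistake that exports the tree writable to every host; the two entries restricted to specific addresses produce no findings.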
8. User IDs, especially root/administrator with no passwords or weak passwords

Some systems come with "demo" or "guest" accounts with no passwords or with widely known default passwords. Service workers often leave maintenance accounts with no passwords, and some database management systems install administration accounts with default passwords. In addition, busy system administrators often select system passwords that are easily guessable ("love," "money," "wizard" are common) or just use a blank password. Default passwords provide effortless access for attackers. Many attackers try default passwords and then try to guess passwords before resorting to more sophisticated methods. Compromised user accounts get the attackers inside the firewall and inside the target machine. Once inside, most attackers can use widely accessible exploits to gain root or administrator access.
9. IMAP and POP buffer overflow vulnerabilities or incorrect configuration

IMAP and POP are popular remote access mail protocols, allowing users to access their e-mail accounts from internal and external networks. The "open access" nature of these services makes them especially vulnerable to exploitation because openings are frequently left in firewalls to allow for external e-mail access. Attackers who exploit flaws in IMAP or POP often gain instant root-level control.
10. Default SNMP community strings set to "public" and "private"

The Simple Network Management Protocol (SNMP) is widely used by network administrators to monitor and administer all types of network-connected devices, ranging from routers to printers to computers. SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public", with a few "clever" network equipment vendors changing the string to "private". Attackers can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it. Intruders use such information to pick targets and plan attacks.
Could Affect Insurance Coverage
The institute developed its report after consulting with almost 50 Internet security experts from a variety of government and private agencies. SANS officials admit, however, that it is far from a complete list. One recent survey by a British firm revealed that as many as 60 new computer vulnerabilities are found every month.
"The list could ultimately prove to be an important economic factor for e-commerce," said Paller. "The insurance industry may use this list as a foundation for whether the company can be insured."
Author information.
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.