Technology | Top 20 computer threats unveiled

R. A. Hettinga rah at shipwright.com
Sat Oct 9 13:33:55 PDT 2004


<http://news.bbc.co.uk/2/low/technology/3727692.stm>

The BBC

Saturday, 9 October, 2004, 11:41 GMT 12:41 UK

Top 20 computer threats unveiled

 The yearly hit parade of hackers' favourite security vulnerabilities has
been published.

 Issued by the respected Sans Institute, the Top 20 list helps
organisations find out if they are closing the most commonly exploited
loopholes.

 With more than 2,500 software vulnerabilities found every year many
organisations need help to know which ones to tackle first.

 The list includes loopholes found in both Windows and Unix/Linux software.

 Big hitter

"It's a first things first list," said Alan Paller, head of the Sans
Institute, a non-profit group which trains and certifies computer security
professionals.

 "It can be very helpful for people that are trying to fix their
vulnerabilities."

 He told BBC News Online that it was the list of the vulnerabilities
hackers were attacking now.

 TOP 10 WINDOWS

 1. Web servers & services
 2. Workstation service
 3. Windows remote access services
 4. Microsoft SQL server
 5. Windows authentication
 6. Web browsers
 7. File-sharing applications
 8. LSASS
 9. E-mail programs
 10. Instant messaging

 Each entry in the Top 20 mentions a category of software and the
accompanying report fleshes out individual vulnerabilities and what
organisations can do to close these holes.

 Almost 60% of the loopholes listed this year were in the 2003 Top 20 list.
Mr Paller said this was because only half of all organisations bother to
patch their systems.

 "These vulnerabilities are like little diseases that you cannot wipe out
if 50% of people do not have the vaccine," he said.

 Mr Paller said we will only see significant changes in the Top 20 when
organisations get to the point of finding and fixing vulnerabilities
automatically.

 Shrinking holes

 Gerhard Eschelbeck who studies vulnerabilities for online security firm
Qualys said: "It gives people a benchmark to measure themselves against."

 TOP 10 UNIX/LINUX

 1. Bind domain name system
 2. Web server
 3. Authentication
 4. Version control systems
 5. Mail transport services
 6. Simple Network Management Protocol (SNMP)
 7. Open secure sockets layer (SSL)
 8. Misconfiguration of enterprise services
 9. Databases
 10. Kernel

 He said that better information about vulnerabilities popular with the
virus writing and hacking communities can help organisations protect
themselves.

 "The underground knows this data very well," he said. "We want to level
the playing field here between the guys that have the data and the bad
intentions and the people that need to know about this so they can do their
job effectively."

 Mr Eschelbeck's work on vulnerabilities shows that every 21 days, on
average, the number of web-facing systems vulnerable to a particular
loophole shrinks by 50% as people patch machines.

 For internal machines, such as the PCs on workers' desktops, the number
shrinks 50% every 62 days.

 This difference, said Mr Eschelbeck, comes about because of the sheer
number of PCs organisations have on desktops and the time it takes to scan
them and see which vulnerabilities they are hosting.



-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'