A Year Ago: Hackers' favourite security holes revealed

Time to stop script kiddies, says the SANS Institute. But will its list of the Top 10 hacking exploits do the trick?
Written by Robert Lemos, Contributor

First published: 09:53 Fri 02 Jun 2000

It's the 10 Most Wanted of cybersecurity. On Thursday, the System Administration, Networking and Security (SANS) Institute published a list of exploits most often used to gain illegal access to network servers.

The group hopes its "Ten Most Critical Internet Security Threats" list will help system administrators close the door on easy access to their servers by the Internet's equivalent of petty thieves and vandals.

"Many of the vulnerabilities on that list are well-known vulnerabilities that everyone knows about," said Sean Hernan, team leader for vulnerability handling at the Computer Emergency Response Team (CERT) Coordination Centre at Carnegie Mellon University and one of more than 40 contributors to the report.

By closing those holes, he said, companies "are protecting themselves against the largest number of intruders on the Internet, but also the least sophisticated -- what we call ankle-biters."

The SANS Institute started soliciting input from security experts in February, following the distributed Denial-of-Service attacks that downed more than eight major Web sites in a week. (See: Special report -- Web under attack.)

The entries on the list are the results of a consensus between almost 50 experts from companies, universities, and such government agencies as the National Security Agency and the Department of Defence. It is intended to give system administrators looking to secure their systems a place to start.

"There are a lot of system administrators out there that are aware that security holes exist in their systems," said Jim Magadych, security research manager with Network Associates and a contributor to the report, "but they see the alerts coming out daily and are overwhelmed by sheer numbers."

The Top-10 list gives administrators a set of priorities, said Alan Paller, director of research for the SANS Institute.

"This is probably 70 percent of the attacks occurring on the Internet," he said. "Even though (the list represents) 10 out of a large number of exploits, it's the majority of attacks." Each exploit on the list is followed by a description about how to close the security hole.

Once a system administrator has fixed these 10, however, the job is not over, continued Paller. "As soon as the first large organisation has fixed the first 10, we will release the next 10," he said.

Taking the No. 1 spot, a popular Internet service known as the Berkeley Internet Name Domain, or BIND, is believed to have vulnerabilities that affect more than half of its installations.

Common gateway interface, or CGI, scripts designed to add interactivity to Web sites took the No. 2 position. On many Web servers, the default installation of example CGI scripts leaves the server open to exploitation.

The third most popular exploit takes advantage of functions called remote procedure calls, which allow one computer to execute programs on a second computer. The successful attack on US military systems during the Solar Sunrise incident exploited the RPC vulnerabilities on hundreds of military servers. Security flaws in mail services, Microsoft's Web software, and several others -- including administrators who forget to change their password or pick easily cracked passwords -- rounded out the top 10 list.

The list may become even more important in the future, said SANS's Paller, who believes that it may become a standard yardstick to measure whether a company is taking security seriously.

One example: Insurance rates may be set by whether a company has closed all the holes in the list. "The insurance industry may use this list as a foundation for whether the company can be insured," he said.

Such economic impact could move security from being an afterthought to a high priority.
