OpenBSD Journal

SANS Top 20 Internet Vulnerabilities

Contributed by Dengue on from the cause-10-wasn't-enough dept.

The SANS Institute has updated their Top 10 list. In fact, the state of internet security is so poor, it's now a Top 20 list . Ouch.

(Comments are closed)

  1. By Anonymous Coward () on


    'Large numbers of open ports'
    is one of the top vulnerabilities?
    Running services that you don't need/don't even
    know what they do maybe is.
    But running servers is what a network is about,
    and _not_ a security risk in first place.

    1. By pf incident () on

      services should be correct to the function they are to serve. excessive services, such as many default installs have, would then not be a correct implementation.

      if you don't need portmap, why run it? if you don't need ntp why run it? if you don't need chargen why run it? if you don't need daytime or inetd, why run it?

      running necessary and correctly configurated servers may be what the net is about, but there is no reason for excessive portage dude.

  2. By Marc Espie () on

    ... assuming you run OpenBSD, of course.

    Already the first comment says that `most vendors' enable lots of unneeded services at first install... well, OpenBSD doesn't.

    The second comment is about weak passwords and user security. Well, OpenBSD insists that root HAS a password even before you reboot.

    We have disabled rlogin, telnet, and other services ever since we got ssh working and patent-free...

    Of course, there are still interesting security issues, but if most of the Unix `community' worries about these issues, well... we're light-years ahead of the curve, aren't we ?

  3. By Anonymous Coward () on

    Thought you guys might like a chuckle here, apologies for anyone who's blood pressure goes through the roof.


    Brian Valentine, Microsoft's senior vice president at its Windows division, told Reuters: "With the virus attacks of late ...and how vicious those attacks have been... it's incumbent on Microsoft, being in the leadership position we're in, to help drive forward the industry in this area."

    1. By Anonymous Coward () on

      That's just double-speak.

      Read it this way:

      "Considering how screwed our customers have been recently ...and I mean we -really- fucked up big time if someone can hose us with BASIC scripts attached in e-mail for christsakes... we -need- to start plugging holes as fast as we can before we start losing money, otherwise we aren't going to be top dog and we'll to lose customers and market share faster than you can say "0wn3d j0", therefore, we need to play major fucking catchup before the stock price drops."

    2. By seth arnold () on

      Before bashing microsoft too much, consider this: they are strongly pushing C#. C# provides bounds checking on arrays and strings. There goes a huge percent of buffer overflows. I bet C# has a more sane printf/scanf input/output system, so there goes format bugs.

      By making a transition to a language that solves most of their problems for them, Microsoft stands a chance of becoming one of the more secure vendors -- once they re-write everything in C#.

      They are looking at drastically cleaning up their code through a new language. Most people wait for their buffer overruns to show up on bugtraq. OpenBSD at least looks for problems proactively -- but not proactively enough to rewrite all tools in a language that does the work for them.

      Just keep this in mind next time you hear someone bash microsoft about security. They might not be real secure today, or tomorrow, but in a few years time, they stand a good chance of being far ahead of other people still using C for everything.

      Cheers! :)

      1. By Rupert Pigott () on

        Well... I was more posting the thing so you could laugh at the guys weasel language...

        "being in the leadership position we're in, to help drive forward the industry in this area"

        That quote was actually part of a plug for XP - they're selling it locked down apparently. The list of measures they are taking with XP are pretty much a subset of what the OpenBSD team have done.

        Hence the "drive forward the industry in this area" struck me as punchline to a sick joke.


      2. By Patrick Myers () on

        Microsoft is pushing C# because they can't push Java. Looking at C# code it is very to Java with only a few keywords changed. Don't pat M$ on the back too hard for, once again, stealing an idea and pushing it as their own.


      3. By Marc Espie () on

        Yeah right.

        How many ways can you spell `snake oil' ?

      4. By Vincent Labrecque () on

        The problem is with people coding too fast, not the language they do stupid things in, IMO.

        I'm pretty sure stupid programmers will be able to build new types of security holes with C#

        1. By Rupert Pigott () on

          They'll probably just design the holes in...

          Just like I've seen in several investment banks. They really do have minimal-tending-to-zero clue about security at application level.

          Just to compound it, pretty much every production box I saw in those enivronments had a million and one network services which were not needed etc...

          Oh, they didn't use SSH, they used telnet and ftp exclusively. "Why should we use SSH, our firewalls keep us safe !". I even had that same line of argument from someone developing CGI scripts... I think the fact is : Few people cares, including the people paid to care.

          I'm wondering how many web development courses teach basic security... None bar webserver configuration I'll bet.

          You see these folks, "security consultants", probably have great looking resumes. But they don't seem to have very good experience, whereas I'm lucky enough to have learnt a lot from the OpenBSD commmunity.



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]