Every year about this time security practitioners awaken to see that the jolly man in the red suit from marketing has jammed their email inboxes across the globe with the proverbial "top ten" lists for the next year.
So, to play a bit of a spin on this theme I have opted to publish my own top ten list for 2014. This is my take on the top vulnerabilities that I will see as issues for this coming calendar year.
- BIND weaknesses: nxt, qinv and in.named allow immediate root compromise.
- Vulnerable CGI programs and application extensions (e.g., ColdFusion) installed on web servers
- Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise
- RDS security hole in the Microsoft Internet Information Server (IIS)
- Sendmail buffer overflow weaknesses, pipe attacks and MIMEbo that allow immediate root compromise
- sadmind and mountd
- Global file sharing and inappropriate information sharing via NFS and Windows NT ports 135->139 (445 in Windows 2000) or UNIX NFS exports on port 2049. Also AppleTalk over IP with Macintosh file sharing enabled.
- User IDs, especially root/administrator with no passwords or weak passwords
- IMAP and POP buffer overflow vulnerabilities or incorrect configuration
- Default SNMP community strings set to ‘public’ and ‘private’
Some pretty little monsters there, no?
What's that? Seems like nothing new in the zoo? DNS, email, file shares, overflows and default configurations persist. That is exactly the point I'm trying to make. Every year we see predictions on the security issues that we need to tackle and we seem to repeat ourselves over and over again.
That list should look dated to some of you. To put a fine point on this issue, I should note that the above list pertains to security issues published by ISACA in 2000.
Let me say that again for effect...2000.
On February 15, 2000, thirty Internet experts met with President Clinton to identify actions needed to defeat the wave of distributed denial of service attacks and to keep the Internet safe for continued growth. One of the resulting initiatives was a project to develop a community-wide consensus list of the most often exploited vulnerabilities. Forty-two people from all parts of the Internet community worked together to reach consensus on the top priority threats. This document presents their findings along with detailed instructions on how to eliminate those vulnerabilities.
For distributed denial of service issues I could pull out the vendor card and say "buy Akamai", but that would be too obvious and self-serving. What I want to say is, why are we still here 13 years later? Is there an unconscious love of inertia that keeps us running in place?
With an absence of sane, defined, repeatable processes we seem destined to continually tread the hamster wheel of pain (h/t Andrew Jaquith). Step 4 of the hamster wheel is as follows: "Fix the bare minimum (but in a vigorous, showy way). Hope problems go away". For some strange reason we seem to remain stuck at this point. I want to impart some nugget of wisdom that will help us move beyond this point, but I'm admittedly at a loss on how we fix this longstanding problem.
Remind me again, what's the definition of insanity?
(Image used under CC from smip.co.uk)