PPT - Department of Computer Science, Purdue University
SANS Top-20 Internet Security
• W1. Internet Explorer
• W2. Windows Libraries
• W3. Microsoft Office
• W4. Windows Services
• W5. Windows Configuration Weaknesses
• M1. Mac OS X
• U1. UNIX Configuration Weaknesses
• Network Devices
– N1. VoIP Servers and Phones
– N2. Network and Other Devices Common
• Security Policy and Personnel
– H1. Excessive User Rights and Unauthorized Devices
– H2. Users (Phishing/Spear Phishing)
• Special Section
– Z1. Zero Day Attacks and Prevention Strategies
W1. Internet Explorer
• Unpatched or older versions of Internet Explorer contain
multiple vulnerabilities that can lead to memory
corruption, spoofing and execution of arbitrary scripts.
The most critical issues are the ones that lead to remote
code execution without any user interaction when a user
visits a malicious webpage or reads an email.
• These flaws have been widely exploited to install
spyware, adware and other malware on users' systems.
• The VML zero-day vulnerability fixed by Microsoft patch
MS06-055 was widely exploited by malicious websites
before the patch was available.
W2: Windows Libraries
• These libraries usually have the file extension DLL or
OCX (for libraries containing ActiveX controls).
• During the past year, several windows libraries were
reported to have critical vulnerabilities. In a number of
cases, exploit codes were discovered before patches
were available (zero-day).
• In December 2005, a vulnerability (CVE-2005-4560) was
reported in the Graphics Rendering Engine: when
handling specially crafted Windows Metafile (WMF)
images, it could cause arbitrary code to be executed. A
patch was not available until early January 2006 .
W3. Microsoft Office
• Vulnerabilities in these products can be exploited via the
following attack vectors:
– malicious Office document in an email message.
– hosts the document on a web server or shared folder. Note that
IE automatically opens Office documents. Hence, browsing the
malicious webpage or folder is sufficient for the vulnerability
– runs a news server or hijacks a RSS feed that sends malicious
documents to email clients.
• A large number critical flaws were reported last year in
MS Office applications. A few of them were exploited at a
W4. Windows Services
• Several of the core system services are exposed through
named pipe endpoints accessible through the Common
Internet File System (CIFS) protocol, well known
TCP/UDP ports and in certain cases ephemeral
• When exploited, these vulnerabilities afford the attacker
the same privileges that the service had on the host.
• Critical vulnerabilities reported within the past year:
– Server Service (MS06-040, MS06-035)
– iRouting and Remote Access Service (MS06-025)
– Exchange Service (MS06-019)
W5 Windows Configuration
• 1. User Configured Password Weaknesses
• 2. Service Account Passwords
– Non-system Service accounts need passwords in
• 3. Null Log-on
– null sessions have allowed anonymous users to
enumerate systems, shares, and user accounts.
M1. Mac OS X
• The majority of the critical flaws discovered in the past
year fall into six different categories:
– ImageIO - Vulnerabilities in this framework could potentially affect
many different applications.
– Wireless - A critical vulnerability in Mac OS X's wireless network
subsystem allows physically-proximate attackers to gain
complete control. Attack can occur even if that system was not
part of the same logical network as the attacker. Additional flaws
were discovered in the Bluetooth wireless interface
subsystem, with similar results.
– Virus/Trojan - The first viruses and trojans for the Mac OS X
platform were discovered in the past year.
U1. UNIX Configuration
• Most Unix/Linux systems include a number of
standard services in their default installation.
– These services, even if fully patched, can be the
cause of unintended compromises.
• Of particular interest are brute-force attacks
against command line access such as
SSH, FTP, and telnet.
– It is important to remember that brute forcing
passwords can be a used as a technique to
compromise even a fully patched system.
C1 Web Applications
• Applications such as Content Management Systems
(CMS), Wikis, Portals, Bulletin Boards,
• Every week hundreds of vulnerabilities are being
reported in these web applications, and are being actively
• The number of attempted attacks every day for some of
the large web hosting farms range from hundreds of
thousands to even millions.
– PHP Remote File Include
– SQL Injection
– Cross-Site Scripting (XSS)
– Cross-site request forgeries (CSRF)
– Directory Traversal
C2. Database Software
• Use of default configurations with default user
names and passwords.
• Buffer overflows in processes that listen on well
known TCP/UDP ports.
• SQL Injection via the database's own tools or
web front-ends added by users.
• Use of weak passwords for privileged accounts
• 37 CVE entries on Oracle since October 2005
C3. P2P File Sharing Applications
• The P2P networks themselves may be attacked
by modifying legitimate files with
malware, seeding malware files into shared
directories, exploiting vulnerabilities in the
protocol or errors in coding, blocking (filtering)
the protocol, denial of service by making the
network function slowly, spamming and identity
attacks that identify network users and harass
C4. Instant Messaging
• Recent attacks include new variations in the
establishment and spread of botnets, and the use of
compromised instant messaging accounts to lure users
into revealing sensitive information.
– Malware -- Worms, viruses, and Trojans transferred through the
use of instant messaging.
– Information confidentiality -- Information transferred via instant
messaging can be subject to disclosure
– Network -- Denial of service attacks; excessive network capacity
utilization, even through legitimate use.
– Application vulnerabilities -- Instant messaging applications
contain vulnerabilities that can be exploited to compromise
C5. Media Players
• Vulnerabilities allow a malicious webpage or a media file
to completely compromise a user's system without
requiring much user interaction. The user's system can
be compromised simply upon visiting a malicious
• CVE entries over the past year
– RealPlayer and Helix Player (7)
– iTunes (3)
– Winamp (3)
– Quicktime (12)
– Windows Media Player (3)
– Macromedia Flash Player (2)
C6. DNS Servers
• During the past year, the following types of attacks
have been carried out by botnets against DNS
– Recursion Denial of Service Attacks: A Botmaster publishes
a large DNS record in a compromised DNS server or in a
DNS server set up for this purpose. The botmaster then
directs the botnet to send small UDP/53 queries to public
recursive name servers with a forged return address pointed
at the targeted victim. This effect can be amplified further by
making the DNS records larger than a typical UDP/53
response packet, thus forcing a TCP/53 transaction.
– Spoofing Authoritative zone Answers: The botmaster
establishes a fake web site (phishing site) on a compromised
web server. The botmaster then directs the botnet to listen
for requests and spoof DNS replies for a particular zone with
an answer pointing to the compromised web server.
C7. Backup Software
• During the last year a number of critical backup
software vulnerabilities have been discovered.
These vulnerabilities can be exploited to
completely compromise systems running backup
servers and/or backup clients. An attacker can
leverage these flaws for an enterprise-wide
compromise and obtain access to the sensitive
backed-up data. Exploits have been publicly
posted for some of these flaws, and these
vulnerabilities are getting exploited in the wild.
C8. Security, Enterprise, and
Directory Management Servers
• Directory Servers
• Monitoring Systems
• Configuration and Patch Systems
• Spam and Virus Scanners
N1 VoIP Servers and Phones
• Various products such as Cisco Unified Call
Manager , Asterisk and a number of VoIP
phones have been found to contain
vulnerabilities that can either lead to a crash or a
complete control over the vulnerable
server/device. By gaining a control over the VoIP
server and phones, an attacker could carry out
VoIP phishing scams, eavesdropping, toll fraud
or denial-of-service attacks.
N2. Network and Other Devices
Common Configuration Weaknesses
• N2.2.1 Default SNMP Community Strings
Default and often a hard-coded community string
continues to be an issue with networking
• N2.2.2 Default Accounts, Passwords, Encryption
Keys, and Tokens
N2.2.3 Unnecessary Services
N2.2.4 Unencrypted and Unauthenticated
H1. Excessive User Rights and
• Unwary users can be enticed to do unsafe things. Clever
users can find unsafe ways to get things
done, unintentionally exposing the company to attack.
• H.1a Unauthorized and/or infected devices on
– A rogue wireless access point, a personal laptop, a router or PC
secretly connected to an open ethernet port by a visitor, a USB
• H.1b Excessive User Rights and Unauthorized
H2. Users (Phishing/Spear Phishing)
• Password/PIN Phishing
• VoIP phishing
• Spear Phishing
– highly targeted
– Spear phishing has become one of the most
damaging forms of attacks on military organizations in
the US and other developed countries.
Z1: Special Section: Zero Day
Attacks and Prevention Strategies
• While the risks of zero day vulnerabilities in popular
applications and subsequent exploitation have been
discussed for several years, zero day attacks saw a
significant upward trend in 2006. A zero day vulnerability
occurs when a flaw in software code has been
discovered and exploits of the flaw appear before a fix or
patch is available. If a working exploit of the vulnerability
is released into the wild, users of the affected software
are exposed to attacks until a software patch is available
or some form of mitigation is taken by the user.
Coming Attractions …
• December 5:
– Database Security, guest lecture by