The Top 10 Internet Security Vulnerabilities – A Primer


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • This short course is designed to make you aware of the top 10 successful attacks that have been used against sites in the past couple of years. Hopefully, by addressing these vulnerabilities first, we eliminate some of the known holes present at most sites. These are NOT the only security weaknesses but is should give you a better handle on securing your systems
  • There aren’t a lot of system administrators with a wide range of experience in the job market. The Level One course that you will take as part of this course sequence is an attempt to address this weakness. There are a number of colleges and universities that are developing a System Administration set of courses but these courses will address the long term shortages only. Most sysadmins don’t have the time or luxury to get official training. Their training is by apprenticeship or OJT. Some vendors are now advocating the centralization of systems…this is what used to be known as the “mainframe” model  . The Sun Sunray terminal device is an example of this return to the past. It doesn’t solve the sysadmin issue though, A poorly trained sysadmin of a big system is just as bad as 50 untrained sysadmins in the field. The Prime Directive forces sysadmins to cut corners sometimes and this is where problems can compound themselves into serious vulnerabilities.
  • A small minority of hackers have the technical expertise to write some of the attack tools listed in the appendix. Their view is that anyone can write an attack tool but the art comes in how you package it and make it easy to use. Sites like,,, and others are examples of where one can download a wide variety of attacks toolsl. These sites make it easy for anyone who knows how to use a browser to get these tools. Fortunately, most of these people don’t know much more than how to use a browser but that will change soon. Use your favorite search engine and lookup “NT Hacking”, “Solaris hacking”, “ Netware Hacking”, “Windows 2000 hacking”. You’ll be surprised at the number of sites that have readily available tools.
  • A great reference paper that describes the buffer overflow attack is Dildog’s “ The Tao of Windows Buffer Overflow”. It’s available at The basic weakness is poorly designed code. Coders didn’t spend enough time debugging all possible error conditions. Dildog’s paper is easy to read and a must for anyone who used Microsoft products.
  • When you look at the Top 10 document, you’ll find it’s organized into the sections listed above. The Mitre Corp. has initiated a project to classify the vulnerabilities using a code called a CVE number. Think of the CVE number as a library catalog number. It’s a simple and effective way to ensure that a vulnerability definition means the same thing to different people. If vendors list the CVE that their particular tool addresses then this gives us a way to compare products and make an intelligent purchase.
  • The Top 20 list contains some extra information that can be used to protect your networks. One of the appendices contains a list of common ports to either block or monitor at your routers or firewalls. A number of freeware and commercial security scanners are now advertising compliance with the Top 20 list. Also, NIST (National Institute of Science & Technology) has a vulnerability database that can be used to get some more information on a particular vulnerability. The Top 20 list is tied into this database.
  • In the old days, internet hosts were listed in a file called /etc/hosts. This wasn’t a big file (remember, it was the early years of the net) and when a new system came online, its hostname and IP address was added to the file. You can see that with .2.5 million new hosts added to the net every month that this file is not practical to maintain. Forget updating it, try searching for something in it! Then you have to make sure EVERYONE has the same copy or else some sites won’t be able to connect to other sites. The Domain Name Service was designed to alleviate this problem and make hostname and IP address maintenance more manageable. The .com, .gov, .mil, .edu, .net and .org names that are so familiar to us evolved from this DNS project. The concept was quite simple. Since the Internet is a collection of networks, we would designate a set of machines to act as nameservers for their individual nets. Every network would have at least one nameserver to handle the mapping for its network. Nameservers don’t require frequent updates and this is the cause of some of the security problems we’ve seen.
  • Improperly configured nameservers can give a hacker all the names and IP addresses of internal systems. In some cases, this information can also include the OS and machine type. Hackers armed with this knowledge can then search the net for the specific attack tool and then target a specific machine inside your net. You should ensure that BIND is at current patch levels and versions. Nameservers are fairly static systems and so aren’t checked as frequently as a production or development system. As a result, a hacker could break into the system and the activity usually isn’t noticed until someone from the outside reports an attack originating from the nameserver system.
  • Most WWW server code contains examples of CGI-BIN scripts in the cgi-bin subdirectory. These examples are for illustrative purposes and were not written with any security in mind. Hackers have discovered that they can subvert these programs and cause them to run other programs. You should remove all of these examples from your production www server. There’s no need for them to be on the system. As always, you should always check to make sure your www server code is updated on a regular basis with the latest security patches.
  • lists www sites that have been compromised by hackers. It also shows what the modified www page looks like to the visitor. Take a look at a couple of them and ask yourself, “can my company afford this happening to it?”. Your www pages may be intact but the hackers may use your system to attack other sites. Gee, does this sound familiar?
  • RPC are the foundation of most client/server programs. The buffer overflow attack is one way hackers can force the RPC subsystem to run a program on the victim system. This programs typically installs a backdoor into the system which the attackers use later to log into the system.
  • This should sound like a broken record  but once again, the hacker can gain control of your system. The solutions are fairly simple and reasonable. If you don’t use the RPC service, disable it. Practically speaking, this isn’t a viable solution because just about every client-server program in existence uses RPC to transfer data. So, we go back to our tried and true solution---installing vendor maintenance and security patches.
  • IIS is the web server software found on most www sites deployed on Window NT and 2000 systems. Some of IIS’s components are vulnerable to a buffer overflow type of attack which lets the hacker gain full control of the system. Since the hacker can run remote commands on a compromised server, you can imagine the types of abuse that can happen. Obvious things include modifying the www page(s), disabling the server and launching an attack on a site. More subtle things include adding userids on the server, modifying Active Directory components and installing keystroke recorders on the server system.
  • .HTR file exploits are thought to be as common as RDS exploits. As always, proper vendor patch maintenance, monitoring of full disclosure sites such as and vendor security warning information provides the best method of correcting this flaw.
  • Sendmail is the master email program for a majority of the mail servers on the Internet. It is the program that actually processes and sends your email. It is Not the front end that you see when you invoke your email program (Eudora, Exchange, pine, elm, exmh). Sendmail has been constantly upgraded to correct bugs and add features. In the Early 90’s, older versions of sendmail were vulnerable to a variety of Exploits, the most common being our old friend, the buffer overflow. Since sendmail runs with root privilege, the consequences of it running an Unauthorized program can be quite severe. Some vendors grabbed a version of sendmail when they were developing their Own product and then failed to upgrade it in a timely fashion.
  • Yes, some vendors still ship Sendmail v5.65 which contains more holes than a screen door on a submarine. Most vendors are shipping their product with later versions but it is prudent to get the latest version of sendmail (currently v8.12) and install it on your server systems. The sendmail installation process has been refined considerably over the past decade and it is quite easy to build sendmail installation kits that can be used on your systems.
  • Sadmind is specific to Sun Solaris systems. It allows a sysadmin to remotely administer systems on a network. Lab sysadmins may use this tool to help them manage their systems remotely from a single system. It provides the way to let the sysadmin use the nice administration GUI’s over the network. The Network File Sharing (NFS) system is the mechanism that allows users to access directories remotely. The mountd program is the “driver” for mounting remote filesystems on Unix hosts. Early versions of sadmind and mountd are vulnerable to buffer overflow attacks. A successful buffer overflow attack on sadmind or mountd will give the hacker root access on the machine.
  • Gee, does this sound familiar? Hackers can get control of your system.
  • More and more computer systems are being connected to the Internet by cable modems, ADSL or other direct connect methods. This means that home systems are now vulnerable to attacks. One of the simplest methods of gaining information about a victim system is through a file sharing misconfiguration. Network neighborhood really MEANS the network and sometimes, people don’t realize the scope of the neighborhood. Disclosure of personal information is the biggest danger in this case. For example, Windows users may use Microsoft’s MSMoney program to manage their personal finances. If the file sharing access controls are set incorrectly, it is possible for someone else on the network to simply connect to the system and copy the MSMoney files to their machine.
  • The basic rule is simple. If you don’t use the service, don’t enable it. Turn off file sharing on your computer especially if you’re using a home computer system. If you must use file sharing, make sure you restrict access only to those people you know. Remember that anyone accessing your files who lets anyone on the net access THEIR files may put your information at risk. This could only happen if the person accessing your files copies them to their system which in turn allows someone else to access them.
  • You’re always told to make sure you have secure passwords for your manager or administrator account. What do you do when the system is installed for the first time? What is the administrator password? In the old days, vendors would set up a default password for the system. They assumed that you would change the password before the system went into production. Well, some people did just that but others didn’t for reasons ranging from laziness to “I thought that password was set up for me”. One of the first things hacker try is the list of default passwords for the admin or manager accounts. Some of the well-known ones are listed in the above slide. Remember, the first goal of the hacker is to gain access to the system, then they run a particular exploit against the system to gain administrator status. Why go through all that effort if the door is left open via a default password?
  • You should always check your systems for user accounts that have no passwords assigned to them. Always change your root/admin passwords from the defaults supplied by the vendor.
  • IMAP and POP (Post Office Protocol) are 2 email mechanisms that are commonly used by a lot of vendors. Eudora and SIMS are 2 examples of mail programs that use this protocol. Once again, there may be problems in the server code that handles email handled in these protocols.
  • Hackers may be able to bypass your firewalls through the mail servers on your systems. This gives them access to your internal systems. Their target may be the mail server itself.
  • The Simple Network Management Protocol is used by your network administrators and technicians to monitor the performance of your company network. It provides them with a way to map, identify and send commands to the individual components of your network. When you use the telephone to make a call, you really don’t know how many pieces of equipment handle your call. Well, the same thing happens with the network. There are machines called router, bridges, hubs, switch boxes, all of which enable a physical connection to be made between 2 systems trying to make a connection. All of these components can be monitored via SNMP. Well, how do you prevent someone from infiltrating the control structure of your network? The good news is that SNMP nodes are password protected. SNMP calls passwords “community strings”. The bad news is that these passwords are rarely set from the default password (remember Item 8?) and the default password is “private”.
  • By now, you should be able to guess the danger of a hacker knowing the SNMP password (community string). Yep, they can gain control of your network. Note that your data is relatively safe, it’s just the traffic flow of your network that’s in jeopardy. Think of what would happen if someone took over control of the traffic lights in a city. As always, make sure your network group has picked strong password (community strings) for ALL of the SNMP capable devices on your network.
  • Most of the successful attacks on Internet hosts have exploited a small number of security vulnerabilities. The Top 10 list describes those vulnerabilities and is designed to give you a starting place for evaluating your system and network security. There are literally thousands of vulnerabilities out there and this list hopefully will help you spend your limited security budget on the most effective tools.
  • In a way, it’s depressing that the Top 20 was list created. The original intent of the Top 10 list was to remove those vulnerabilities and replace them with new ones. Unfortunately, vendors and users are reluctant to change anything. So, the list now grows to 20…….
  • The Top 20 list is organized in a different fashion. The vulnerabilities are broken down by OS (Windows/Mac, Unix or both). We decided on this format in order to let you go to the section that applies to your environment. This list is valuable because the majority of successful attacks can be traced to vulnerabilities listed in this document. For example, CODE RED and NIMDA exploited vulnerabilities in the Windows section of the document.
  • Original Top 10 items are highlighted in orange
  • Top 10 items highlighted in orange.
  • Top 10 item #9 (IMAP, POP) is rolled into the sendmail vulnerability listed here.
  • In the old days, it took a lot of knowledge to install an OS correctly. As we’ve mentioned before, there are not a lot of skilled IT people in the marketplace today. Software vendors embarked on a campaign to make software installations easier to do. This effort would expand their customer base to the general public, thereby increasing sales, etc. The tradeoff in this effort is that the vendor makes assumptions about how you want to configure your system. They decided to “err” in favor of convenience rather than security. This was a valid strategy in the days before the Internet but a dangerous one for any computer connected to the Net. What this means is that your computer is installed with little or no security enabled on it. The vendor places the burden of securing your system on you. Of course, you need security training in order to secure your system.
  • Installation guidelines that contain a list of the services required on a computer are the best way to eliminate this vulnerability. The Center for Internet Security ( has a number of security benchmark documents for the various OS platforms that help eliminate unnecessary services from your machine. Do not use a system that hasn’t been modified after a vendor default installation.
  • When hackers are discovered on a machine, they tend to destroy as much data as they can in order to cover their tracks. Trojan attacks that deposit modified system binaries are another threat. You can use your backups to help find which files were modified or created during the attack.
  • The 9/11 attacks demonstrated the need for off site backup storage. Periodic verification of the backup is crucial to maintaining a good backup of your critical systems.
  • This vulnerability is directly related to the first one of the Top 20. When an OS is running unnecessary services, it’s going to be listening for connections on a wide range of ports. You want to limit the open ports to those used by your users or applications. In other words, you want to be able to correlate an open port with a running application on the machine.
  • The netstat command works under Windows and Unix systems. It lists the open ports but doesn’t list the application that is listening on that port. The lsof tool maps the port to an application running on Unix. The fport, filemon utilities do the same thing for Windows platforms. A critical audit item is to match the open ports to authorized applications running on the machine.
  • This is a CRITICAL item! You can prevent your site from being used in a Distributed Denial of Service (DDOS) attack against other sites if your routers are configured correctly. You can prevent some forms of electronic forgery using this technique. Bottom line: Do it!
  • See the Top 20 document for examples of how to implement the policies for CISCO routers.
  • If you don’t log anything, you can’t prosecute anyone. You can’t determine if you’ve been attacked. You can’t track your normal traffic. Logs are business records and should carry the same weight as any business record in your company. Logs need to be archived following your guidelines for business record retention.
  • The Unicode equivalents of / and are %2f and %5c respectively. You can represent these characters using “overlong” sequences which are technically invalid but effective nonetheless. IIS was not written to perform a security check on these overlong sequences. A hacker using an overlong Unicode sequence in a URL will bypass Microsoft’s security checks. If the directory being accessed is marked ‘executable’ then the hacker can run programs on the remote machine without having logged into it.
  • If you’re vulnerable, you’ll get a directory listing of the contents of the C: drive for the vulnerable server when you use the URL above. The solution is fairly simple: apply vendor patches.
  • There are two DLLs in question: idq.dll and .printer.dll. The idq exploit affects Windows 2000 Index Server 2.0 and Index Services for Windows 2000. The .printer exploit affects Window 2000 Server, Advanced Server, Server Data Center Edition with IIS 5.0 installed.
  • You should also use Group Policy to disable Web based printing on workstations. At a minimum, you must have SP2 installed on your systems.
  • Null sessions or anonymous logins allow an anonymous user to retrieve username or share information over the network from a target machine without authentication. It also allows a user or program to connect to the machine without authentication. It is a convenient way to determine whether the Administrator account has been renamed. The SYSTEM or LocalSystem (Windows 2000) account has unlimited privilege and this is why it is targeted by hackers. Try connecting to your system via a Null session by entering the following command: Net use \a.b.c.dipc$””/user:”” where a.b.c.d is the IP address of the target. If you get no reply to this command, your system is vulnerable. You should get a “connection failed” error message if your system isn’t vulnerable. You can also use the “Hunt for NT” tool from
  • There are a number of ways to protect your system. If your system is a Domain Controller, you can’t disable Null logins. You should set a registry key listed in the Top 20 document to limit the amount of information a hacker can glean.
  • This is another example of a vendor installation issue. Most Windows users will never use LAN Manager support, yet Microsoft stores LAN Manager password hashes by default on Windows NT and 2000 systems.
  • If you did a default installation of Windows, you are vulnerable because the hashes are created by default. You can disable LAN Manager unless it’s needed. You need to be careful if you still have older systems (Win9x) because these systems won’t use NTLMV2 with Microsoft Network Client. The Technet article listed above has a lot of useful information on how to correct this problem.
  • The r-commands are a classic example of temporary code living longer than planned. The command suite was developed as a temporary fix while the Telnet and FTP programs were being written. They were intended to disappear once Telnet and FTP were finished. It’s been over 25 years now since Telnet/FTP were finished and the R-commands are still being used on system. The concept of trusted systems works only if a) your network is isolated from the rest of the world b) your end users have no admin privileges on the local machine. Network appliance are any device that can be connected to the net. Some examples are laser printers, smart card readers and door lock systems, parking gates, and laboratory data acquisition equipment. Some software vendors use these tools to allow someone to access their device. CISCO routers use telnet (cleartext) to connect to the administrator port.
  • The Unix Line Printer control program is called LPD. This is primarily a Sun Solaris vulnerability issue. The Solaris LPD daemon is susceptible to a buffer overflow attack. If successful, the attacker gains root access to the system and we know what that means  .
  • As before, install the latest Sun patches from or the latest Linux packages from the Linux www sites.
  • This is a summary list of the common vulnerable ports. You should at a minimum monitor accesses to these ports. At best, you should block them either at the router or your personal firewall system that should be running on your machine. Remember blocking these ports does NOT mean you system is secure! It is simply another layer in your defense architecture.
  • Remember: closing the Top 20 holes will not guarantee your system or network is safe from hackers! It will help close the most common holes that exist today. Constant vigilance is the rule of the day. Think of the Top 10 list as an antiviral tool. It will close KNOWN holes but is vulnerable to NEW holes. Sometime later, there’ll be another version of the Top 10 list listing these newer vulnerabilities.
  • The Top 10 Internet Security Vulnerabilities – A Primer

    1. 1. The Top 10/20 Internet Security Vulnerabilities – A Primer Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 ITTIP Seminar Copyright 2001 R.C.Marchany 1
    2. 2. Introduction  This presentation is designed to give you a brief overview of the top 10 most critical Internet Security threats.  These aren’t the only threats….just the most common at the moment.  Hopefully, we’ll eliminate these threats and create a new list next year.  The Top 10 and Top 20 documents are in Appendix A of this presentation. ITTIP Seminar Copyright 2001 R.C.Marchany 2
    3. 3. Introduction  We’ll review the original Top 10 list first  We’ll review the new items in the Top 20  We’ll also provide a list of common ports to filter or monitor. ITTIP Seminar Copyright 2001 R.C.Marchany 3
    4. 4. Why Are We Vulnerable?  Computer systems and programs have become more complex in the past 25 years.  Quality control hasn’t been able to keep up due to market pressures, programming skill deficiencies, etc.  Most of these programs/systems are based on code that was never intended to be “production” quality.They were “proof of concept” programs that became the basis of production systems. ITTIP Seminar Copyright 2001 R.C.Marchany 4
    5. 5. So Many Systems, Not Enough Time…..  2.3 million hosts are connected to the Net each month. There aren’t 2.3 million sysadmins. Something has to give….  Unfortunately, it’s the sysadmin.  Not enough training, too many conflicting demands on their time.  The Prime Directive: Keep the system up!  Patch the system? When I have time…. ITTIP Seminar Copyright 2001 R.C.Marchany 5
    6. 6. Hacking = Rocket Science? Not!  Any good hacker can write the attack tool. The real skill is making so easy to use that a CEO could launch the attack.  There are lots of hacker WWW sites where you can get these tools. These sites try to outdo each other by designing the best, baddest, user- friendly site. ITTIP Seminar Copyright 2001 R.C.Marchany 6
    7. 7. Why Are the Attacks Successful?  We didn’t close all the doors because we’re too busy doing “real” stuff.  If the hackers got caught, we didn’t punish them. It would be too embarrassing to admit we got hit. Our Incident Response Plans were inadequate. ITTIP Seminar Copyright 2001 R.C.Marchany 7
    8. 8. Why Are the Attacks Successful?  The attack designers studied (cased) the target code carefully.  A lot of attacks are based on Buffer Overflows.  Example: a program expects 80 input characters max. You give it 5000 characters. How does the code handle it? ITTIP Seminar Copyright 2001 R.C.Marchany 8
    9. 9. Some Pointers About the Lists  Each item in the list is divided into 4 parts  A description of the vulnerability  The systems affected by the vulnerability  A CVE number identifying the vulnerability  Some suggested corrections ITTIP Seminar Copyright 2001 R.C.Marchany 9
    10. 10. Some Pointers about the Lists  What’s a CVE number?  CVE = Common Vulnerabilities & Exposures reference number that is used to uniquely identify a vulnerability.  It’s like the Dewey Decimal #’s that are used in the library. You can go to any library and find the same book using the same Dewey catalog number  CVE’s does the same for vulnerabilities. ITTIP Seminar Copyright 2001 R.C.Marchany 10
    11. 11. Some More Pointers about the Lists  Ports to block/monitor at the firewall are provided at the end of the Top 20 list.  Remember this only works for EXTERNAL attacks. Internal attacks need additional security measures. ITTIP Seminar Copyright 2001 R.C.Marchany 11
    12. 12. Some More Pointers about the Lists  Automated Scanning for the Top 20  SARA – freeware scanning tool designed specifically for this. See  Commercial scanners are becoming available.  Links to ICAT Vulnerability Index  Each entry is linked to the NIST ICAT indexing service. ICAT entries contain a short description of the vulnerability and other info. ITTIP Seminar Copyright 2001 R.C.Marchany 12
    13. 13. Item #1: BIND  All Internet systems have a hostname and an IP address.  Every home is known by its address and who lives in it. “hey, is that Randy’s house?” “Yeah, it’s at 24 Main St.”  “Randy’s house” = hostname  “24 Main St.” = IP address  BIND (Berkeley Internet Domain) maps hostnames to IP addresses.  It’s the set of “phone books” of the Internet. ITTIP Seminar Copyright 2001 R.C.Marchany 13
    14. 14. Item #1: BIND  Every network needs a couple of systems that run BIND. They’re called nameservers.  Old versions of BIND have security holes.The nameservers aren’t always up-to-date. They were when they were installed but that was years ago. It works so why fix it? Right? Wrong! ITTIP Seminar Copyright 2001 R.C.Marchany 14
    15. 15. Item #1: BIND  The Danger:  Hackers get full control of the nameserver and can use it for anything they want.  A Solution  Make sure your version is higher than BIND 8.2.2 patch level 5 ITTIP Seminar Copyright 2001 R.C.Marchany 15
    16. 16. Item #2: CGI Scripts  CGI = Common Gateway Interface  It’s the language that programmers use to display and read your input to a WWW based form.  Not everyone knows how to use it so WWW server vendors supply examples.  The examples have security holes in them. Some CGI programmers haven’t checked their code. ITTIP Seminar Copyright 2001 R.C.Marchany 16
    17. 17. The Second Item – CGI Scripts  All Web servers could be affected by this “feature”.  The Danger  Your WWW pages could be changed a la DOJ, CIA, FBI, Valujet.  Your WWW server could be used to attack other sites  A Solution  Remove unsafe CGI scripts from the WWW server ITTIP Seminar Copyright 2001 R.C.Marchany 17
    18. 18. Item #3: Remote Procedure Calls (RPC)  RPC allows a computer to run a program on another computer.  It’s used by computers that share files between them.  Many client – server systems depend on the use of RPC calls.  Unix systems (Solaris, AIX, HP- UX, Linux, Tru64, Irix) were primarily affected but any computer that uses the RPC subsystem is vulnerable ITTIP Seminar Copyright 2001 R.C.Marchany 18
    19. 19. Item #3: Remote Procedure Calls (RPC)  The Danger:  Older versions of RPC have security weaknesses that allow hackers to gain full control of your computer(s).  A Solution  Disable the RPC services if you don’t use them  Install the latest vendor patches ITTIP Seminar Copyright 2001 R.C.Marchany 19
    20. 20. Item #4: Microsoft Internet Information Server (IIS)  Windows NT and Windows 2000 Web servers use IIS to support web services.  IIS has a component called Remote Data Services (RDS) that could allow a hacker to run remote commands with administrator privileges.  Code Red, NIMDA ITTIP Seminar Copyright 2001 R.C.Marchany 20
    21. 21. Item #4: Microsoft Internet Information Server (IIS)  The Danger:  A hacker can run commands on another system without having to access it directly.  A Solution:  Read the Microsoft technical bulletins that describe how to fix the problem ITTIP Seminar Copyright 2001 R.C.Marchany 21
    22. 22. Item #5: Sendmail Weakness  Sendmail is one of the original Internet email programs.  It was a graduate programming project that was never designed to work in a “production” environment.  It became the defacto standard.  Pre-version 8.10 had security problems  Some vendors still ship Sendmail v5.65!  Most vendors shipped their systems with these older versions. ITTIP Seminar Copyright 2001 R.C.Marchany 22
    23. 23. Item #5: Sendmail Weakness  The 1988 Internet Worm exploited a problem in sendmail.There are a lot of systems that still run that version of sendmail. Why? It works!  The Danger:  Hackers can run commands on your systems without ever logging into your system. Hackers can take over your machine.  A Solution:  Update to the latest version of sendmail ITTIP Seminar Copyright 2001 R.C.Marchany 23
    24. 24. Item #6: sadmind and mountd  Sadmind is used by Solaris applications to run distributed sysadmin operations. It executes the request on the server from a client program. Sounds like RPC? It is.  Mountd controls file sharing across the network using NFS. This is the program that “attaches” a remote disk to your computer. ITTIP Seminar Copyright 2001 R.C.Marchany 24
    25. 25. Item #6: sadmind and mountd  The Danger:  Hackers can cause these programs to give them access to root. They can take over your machine.  This was one of the primary ways hackers used to set up the systems used in the recent DDOS attacks against Yahoo, CNN and other sites.  A Solution:  Install the latest vendor patches for sadmind and mountd. ITTIP Seminar Copyright 2001 R.C.Marchany 25
    26. 26. Item #7: Global File Sharing  You can share files between computers using tools like Network Neighborhood (Windows), AppleShare(Macintosh) or NFS(Unix).  By default, the access is read-write. ITTIP Seminar Copyright 2001 R.C.Marchany 26
    27. 27. Item #7: Global File Sharing  Anyone on the same network could access your files. In the old days, the network was small but now the network is the Internet so anyone anywhere in the world could access your files if you let them.  The problem is that you don’t always know that you’re letting them. ITTIP Seminar Copyright 2001 R.C.Marchany 27
    28. 28. Item #7: Global File Sharing  This is a real danger to homes that have direct connect modems.  The Danger:  People can get access to your personal data, for example, your checking account data (if you use MSMoney), your email, etc.  A Solution:  Make sure you know what you’re sharing.  Make sure you know who’s sharing the data with you. ITTIP Seminar Copyright 2001 R.C.Marchany 28
    29. 29. Item #8: User Accounts with No Passwords  Some systems come with demo or guest accounts with no passwords or well known passwords.  The initial/default password for VMS system manager account, SYSTEM was MANAGER. The initial password for the Field Service account, FIELD, was SERVICE. ITTIP Seminar Copyright 2001 R.C.Marchany 29
    30. 30. Item #8: User Accounts with No Passwords  People forgot to change these passwords.  The first thing hackers do is check to see if the defaults passwords were changed. Why waste a lot of effort if the door is unlocked? ITTIP Seminar Copyright 2001 R.C.Marchany 30
    31. 31. Item #8: User Accounts with No Passwords  The Danger:  Someone can get complete control of your system.  Someone can get access to your system via a general accounts and then run exploit tools on your systems to get full control of your system.  A Solution:  Change your root, administrator passwords before the systems goes into production.  Run a password checking program to discover who has weak passwords on your system. Do it before the hackers do! ITTIP Seminar Copyright 2001 R.C.Marchany 31
    32. 32. Item #9: IMAP, POP Vulnerabilities  IMAP and POP are two common email protocols that provide additional features to email users.  They allow users to access their email accounts from anywhere on the Internet. ITTIP Seminar Copyright 2001 R.C.Marchany 32
    33. 33. Item #9: IMAP, POP Vulnerabilities  Firewalls usually allow email using these services to pass through the firewall.  Quality control of the software is inconsistent most of the time. ITTIP Seminar Copyright 2001 R.C.Marchany 33
    34. 34. Item#9: IMAP, POP Vulnerabilities  The Danger:  Hackers can gain access to your internal network if they can subvert IMAP or POP mail server systems.  If successful, they gain complete control of your system.  A Solution:  Make sure you’ve installed the latest patches.  Run the services on your mail servers only. ITTIP Seminar Copyright 2001 R.C.Marchany 34
    35. 35. Item #10: SNMP Vulnerabilities  Simple Network Management Protocol (SNMP) is used by network managers to monitor the status, performance and availability of the network.  The Net Mgrs can remotely manage their routers, printers, systems using SNMP. ITTIP Seminar Copyright 2001 R.C.Marchany 35
    36. 36. Item #10: SNMP Vulnerabilities  SNMP has very weak authentication. Its default “password” is “private”.  Everyone knows this. ITTIP Seminar Copyright 2001 R.C.Marchany 36
    37. 37. Item #10: SNMP Vulnerabilities  The Danger:  Hackers can gain control of network devices such as routers. They could shut them down.  They can map your network w/o your knowledge.  A Solution:  Pick strong community strings (passwords) for your SNMP devices.  Make the MIBs read only. ITTIP Seminar Copyright 2001 R.C.Marchany 37
    38. 38. Summary  Most of the successful system and network attacks exploit a small set of vulnerabilities.  The Top 10 list briefly describes this set of vulnerabilities and gives you references to learning more about them.  More importantly, it gives you some suggested fixes for the problem.  Our individual security depends on our mutual security. ITTIP Seminar Copyright 2001 R.C.Marchany 38
    39. 39. The SANS/FBI Top 20 List If we had fixed the top 10, there wouldn’t be a top 20.  ITTIP Seminar Copyright 2001 R.C.Marchany 39
    40. 40. Top 20 List Organization  Vulnerabilities that affect all systems  Unix/Linux  Windows  Mac  Mainframes  Windows Vulnerabilities  Unix Vulnerabilities ITTIP Seminar Copyright 2001 R.C.Marchany 40
    41. 41. Top 20 Summary  General – Affects all Systems  G1: Default OS Installations  G2: Accounts with Weak or No Passwords  G3: Non-existent or Incomplete Backups  G4: Large Number of Open Ports  G5: Incorrect Ingress/Egress Packet Filtering  G6: Non-existent or Incomplete Logging  G7: Vulnerable CGI Programs ITTIP Seminar Copyright 2001 R.C.Marchany 41
    42. 42. Top 20 Summary  Windows  W1: Unicode Vulnerability  W2: ISAPI Extension Buffer Overflows  W3: IIS RDS Exploit  W4: Unprotected NETBIOS Shares  W5: Null Sessions  W6: Weak Hashing in SAM (LM Hash) ITTIP Seminar Copyright 2001 R.C.Marchany 42
    43. 43. Top 20 Summary  Unix  U1: RPC buffer Overflows  U2: Sendmail Vulnerabilities  U3: BIND  U4: R Commands  U5: LPD Buffer Overflow  U6: sadmind mountd Buffer Overflow  U7: Default SNMP ITTIP Seminar Copyright 2001 R.C.Marchany 43
    44. 44. G1: Default OS Installations  OS and application installs are not configured for security  Vendor Philosophy  Better to enable all functions than require the user to turn them on individually.  Convenience vs. Security: Who wins?  ITTIP Seminar Copyright 2001 R.C.Marchany 44
    45. 45. G1: Default OS Installations  System Impacted  All Unix, Linux, Windows, MacOS are vulnerable to some degree. Windows, SGI are more open than normal. ITTIP Seminar Copyright 2001 R.C.Marchany 45
    46. 46. G1: Default OS Installations  Are you vulnerable?  If you use default vendor installation programs then you are vulnerable.  Extra extra service/tool installed that is not needed is another window into your system. ITTIP Seminar Copyright 2001 R.C.Marchany 46
    47. 47. G1: Default OS Installations  How to protect?  Remove unnecessary software/services asap.  Install minimum then add. This can be automated using Minimum Installation guidelines.  Use the CIS Security Benchmark tools for your OS. ITTIP Seminar Copyright 2001 R.C.Marchany 47
    48. 48. G3: Non-existent, Incomplete Backups  Recovery from an incidents requires up-to- date backup.  Have you verified the backups actually work?  Offsite? 9/11 proved this.  How long does it take to RESTORE the data? What is the data xfer rate of your tape drives?  Systems Impacted  Any critical system ITTIP Seminar Copyright 2001 R.C.Marchany 48
    49. 49. G3: Non-existent, Incomplete Backups  Am I vulnerable?  Check backup procedures.  Is the backup interval acceptable?  Are the systems being backup up according to procedure?  Off site storage? Procedures?  Restoration tested and verified? ITTIP Seminar Copyright 2001 R.C.Marchany 49
    50. 50. G3: Non-existent, Incomplete Backups  How to Protect  Daily backups  Monthly backups should be verified. ITTIP Seminar Copyright 2001 R.C.Marchany 50
    51. 51. G4: Large Number of Open Ports  The more ports open, the more ways to get into the system.  Related to Default OS install vulnerability.  Systems Impacted  Any system that used a vendor default installation program. ITTIP Seminar Copyright 2001 R.C.Marchany 51
    52. 52. G4: Large Number of Open Ports  Am I vulnerable?  Use netstat command to list open ports.  Run a port scanner (nmap, Nessus) against your system.  Match open ports to legitimate services provided by the machine. If no match, then it’s an unnecessary service. ITTIP Seminar Copyright 2001 R.C.Marchany 52
    53. 53. G4: Large Number of Open Ports  How to protect myself  Unix: modify /etc/inetd.conf  Windows NT/2000 : use fport from to list the ports.  Windows XP: netstat –o command ITTIP Seminar Copyright 2001 R.C.Marchany 53
    54. 54. G5: Incorrect Ingress/Egress Router Filters  Description  IP spoofing hides the attacker.  Numerous attacks (Smurf, mail forgery) use this technique.  Systems Impacted  Unix, Windows, Mac, Routers ITTIP Seminar Copyright 2001 R.C.Marchany 54
    55. 55. G5: Incorrect Ingress/Egress Router Filters  Am I vulnerable?  Send a spoofed packet and see if it’s blocked and logged. ITTIP Seminar Copyright 2001 R.C.Marchany 55
    56. 56. G5: Incorrect Ingress/Egress Router Filters  How to Protect  Incoming packets must not have SRC of your internal network. It must have a DST of your internal network.  Outbound packets must have a SRC of your internal network. Outbound packets must not have a DST of your internal net.  No packet should have SRC/DST of a private address or address listed in RFC1918..  Block any source routed packet with IP options set ITTIP Seminar Copyright 2001 R.C.Marchany 56
    57. 57. G6: Non-existent, Incomplete Logging  Description  You can’t detect an attack if you don’t know what’s going on your network.  Logs are business records!  Systems Impacted  All system and network devices ITTIP Seminar Copyright 2001 R.C.Marchany 57
    58. 58. G6: Non-existent, Incomplete Logging  Am I vulnerable?  Are there logs for the critical assets?  How to Protect?  Set up local and central logging.  Save on CD or other Read-Only device. ITTIP Seminar Copyright 2001 R.C.Marchany 58
    59. 59. W1: Unicode – Web Server Traversal  Description  Unicode provides a unique number for every character regardless of the the platform, program or language.  You can send IIS a carefully constructed URL with an invalid Unicode sequence that will let an attacker see any file anywhere on the system.  You can run programs as well. ITTIP Seminar Copyright 2001 R.C.Marchany 59
    60. 60. W1: Unicode – Web Server Traversal  Systems Impacted  Windows NT 4.0 with IIS 4.0  Windows 2000 server with IIS 5.0 with no SP2  CVE-2000-0884 ITTIP Seminar Copyright 2001 R.C.Marchany 60
    61. 61. W1: Unicode – Web Server Traversal  Am I vulnerable?  Unpatched version of IIS? Yes!  Did you install MS00-057, MS00- 078, MS00-086, MS00-026, MS00- 044, SP2? Yes, then ok. ITTIP Seminar Copyright 2001 R.C.Marchany 61
    62. 62. W1: Unicode – Web Server Traversal  Enter: http://victim/scripts/..%c0%af../winnt/sys tem32/cmd.exe?/c+dir+c:  If you removed scripts dir, then it’ll fail. Replace scripts with whatever you named your script directory. ITTIP Seminar Copyright 2001 R.C.Marchany 62
    63. 63. W1: Unicode – Web Server Traversal  How to Protect  Install latest Microsoft patches. See bulletin/MS00-78.asp  Install IIS lockdown tool if you want.  Don’t use IIS for critical functions, IMHO. ITTIP Seminar Copyright 2001 R.C.Marchany 63
    64. 64. W2: ISAPI Extension Buffer Overflows  Description  Several ISAPI extensions are installed by default when you install IIS. This allows developers to extend IIS by using DLLs.  Several DLLs, idq.dll, have errors that allow buffer overflow attacks.  This lets an attacker take full control of your IIS server. ITTIP Seminar Copyright 2001 R.C.Marchany 64
    65. 65. W2: ISAPI Extension Buffer Overflows  Systems Impacted  Windows 2000 running Index Server 2.0, Indexing Service  Windows 2000 server, Adv. Server, Server Data Center Edition, Professional ITTIP Seminar Copyright 2001 R.C.Marchany 65
    66. 66. W2: ISAPI Extension Buffer Overflows  Am I vulnerable?  SP2 installed? No, then you are.  Installed MS01-023, MS01-033, MS01- 044, MS01-033, MS01-044, NT4.0 Security Roll-up Package? Yes, then ok.  How to Fix  Install latest patches from Microsoft.  Unmap unnecessary ISAPI extensions ITTIP Seminar Copyright 2001 R.C.Marchany 66
    67. 67. W5: Null Session Connections  Description  Null Session (anonymous login) lets you get info over the net about shares, etc. When 1 machine needs something from another, it uses the local SYSTEM (LocalSystem, W2K) account to open a null session to the remote system. Hackers can use Null logins to gain access to SYSTEM.  This has no password. ITTIP Seminar Copyright 2001 R.C.Marchany 67
    68. 68. W5: Null Session Connections  Systems Impacted  Windows NT 4.0, Windows 2000  Am I vulnerable?  Go to and click on the ShieldsUP link to see your system’s SMB exposure. ITTIP Seminar Copyright 2001 R.C.Marchany 68
    69. 69. W5: Null Session Connections  How to Protect  Needed for Domain Controllers  Block TCP/UDP 139, 445 on the network  Never allow Internet users to access any internal DC. ITTIP Seminar Copyright 2001 R.C.Marchany 69
    70. 70. W6: Weak Hashing in SAM  Description  LAN Manager passwords have very weak encryption.  LM passwords are truncated to 14 characters, padded with spaces to 14 characters, converted to all Upper case, split into 2 seven character pieces.  Crackers only have to do 2 upper case seven characters passwords. ITTIP Seminar Copyright 2001 R.C.Marchany 70
    71. 71. W6: Weak Hashing in SAM  Systems Impacted  Windows NT, Windows 2000  Am I vulnerable?  Running default installation of NT or W2K? Yes because LM is created by default. ITTIP Seminar Copyright 2001 R.C.Marchany 71
    72. 72. W6: Weak Hashing in SAM  How to Protect?  Disable LAN Manager  Use NTLMv2 (version 2 LM)  Read Technet article “ How to Disable LM Authentication on Windows NT [Q147706] ITTIP Seminar Copyright 2001 R.C.Marchany 72
    73. 73. U4: R Commands  Description  If a user logins from a trusted system, then no password is needed to gain access to your system.  rlogin, rsh, rcp  Used by Network Appliance vendors with no concept of security.  Systems Impacted  Any Unix/Linux system ITTIP Seminar Copyright 2001 R.C.Marchany 73
    74. 74. U4: R Commands  Am I vulnerable?  Look for .rhosts, /etc/hosts.equiv files. If there, then yes.  How to Protect  Disable r-command in /etc/inetd.conf.  Fire any one who wants to use it for they have no concept of security. ITTIP Seminar Copyright 2001 R.C.Marchany 74
    75. 75. U5: LPD  Description  The in.lpd program provides local printer services for Unix users.  It listens on port 515 for incoming requests but has a buffer overflow vulnerability allowing root access.  Systems Impacted  Solaris 2.6-8  Linux ITTIP Seminar Copyright 2001 R.C.Marchany 75
    76. 76. U5:LPD  Am I vulnerable?  Are you running unpatched version of lpd? Yes, then you are.  How to Protect  Install latest Solaris or Linux patches.  Disable print service in /etc/inetd.conf  Block access to port 515  Install TCP Wrappers, Portsentry ITTIP Seminar Copyright 2001 R.C.Marchany 76
    77. 77. Common Vulnerable Ports  Common ports probed/attacked  Block or log all access to these ports as necessary.  Login services  telnet: 23/tcp FTP: 21/tcp NetBIOS: 139/tcp  Ssh: 22/tcp r-commands: 512-514/tcp  RPC/NFS  Portmap/rpcbind: 111/tcp/udp  NFS: 2049/tcp/udp lockd: 4045/tcp/udp ITTIP Seminar Copyright 2001 R.C.Marchany 77
    78. 78. Common Vulnerable Ports  NetBIOS: 135/tcp/udp, 137/udp, 138/udp, 139/tcp, 445/t cp/udp  X-Windows: 6000-6255/tcp  DNS: 53/udp, LDAP: 389/tcp/udp  Mail  SMTP: 25/tcp POP: 109/tcp, 110/tcp  IMAP: 143/tcp  WWW  HTTP: 80/’tcp SSL:443/tcp ITTIP Seminar Copyright 2001 R.C.Marchany 78
    79. 79. Common Vulnerable Ports  Small Services  Ports < 20/tcp/udp, Time: 37/tcp/udp  Miscellaneous  TFTP: 69/udp finger: 79/tcp NNTP: 119/tcp  NTP: 123/tcp LPD: 515/tcp syslog: 514/udp  SNMP: 161/tcp/udp, 162/tcp/udp BGP: 179/tcp SOCKS: 1080/tcp  ICMP:  Block incoming echo requests, outgoing echo reply, time exceeded, destination unreachable. This breaks ping. ITTIP Seminar Copyright 2001 R.C.Marchany 79
    80. 80. Summary  You won’t eliminate all of your exposure by closing these 20 holes. Constant vigilance and awareness is the best defense.  The consequences of failure could drive your company out of business.  There’ll be another top 20 items to inspect in the future but at least we got rid of these items. ITTIP Seminar Copyright 2001 R.C.Marchany 80