WASHINGTON — The FBI and the SANS Institute unveiled their assessment of the top 20 Internet security vulnerabilities for 2001. Most of the hacks exploit time-honored security holes.
“All are old vulnerabilities,” said SANS Director Alan Paller. “They're being attacked constantly.”
Security experts widely agree that the holes aren't being effectively patched because system administrators are stretched too thin.
The security vulnerabilities include ISAPI extension buffer overflows, weak password protection, a large number of open ports, common gateway interface programs, and weaknesses in the Berkeley Internet Name Daemon program, as well as holes in Sendmail, which runs most of the Net's mail systems. A full list and fixes can be found at www.sans.org/top20.htm.
“In the past, system administrators reported that they had not corrected many of these flaws because they simply did not know which vulnerabilities were most dangerous, and they were too busy to correct them all,” said the SANS survey. “Some vulnerability scanners search for 300 or 500 or even 800 vulnerabilities, thus blunting the focus system administrators need to ensure that all systems are protected against the most common attacks.”
The FBI posted a list of seven security tips to reduce break-ins (www.nipc.gov), including better password protection and not leaving computers connected to the Net when not in use. SANS also announced it would offer a free security scanning service.