The Back Door Into Cyber-Terrorism


Report Says Security Flaws Give Hackers Easy Access

June 2, 2000

By David Noack

BETHESDA, Md. (APBnews.com) -- Even when it comes to cyber-terrorism, there is a Top 10 list. But it's a hit parade you'd rather avoid.

A computer security cooperative says that successful hackers exploit a small number of flaws in security systems. A report released Thursday by the SANS Institute lists ones it believes are most common.

People who want to enter computers by the back door, possibly to damage systems or steal information, have software tools readily available online, programs that are becoming easier to use. But they get an assist from security-flawed software from manufacturers and information technology departments too busy to know which security holes to plug first.

"Most of the systems compromised in the Solar Sunrise Pentagon hacking incident were attacked through a single vulnerability," the report said.

Pentagon computers invaded

The Solar Sunrise incident began in February 1998, when the Pentagon detected several root-level intrusions into U.S. Air Force and Navy computer networks. These intrusions, which appeared to be organized, raised fears that hackers were working for governments trying to disrupt the military's Internet-based communications and gain unclassified material on U.S. plans and capabilities in the Persian Gulf.

The institute says that a related security flaw was exploited to break into computers used in recent denial-of-service attacks on commercial Web sites.

"Recent compromises of Windows NT-based Web servers are typically traced to entry via a well-known vulnerability. Another vulnerability is widely thought to be the means used to compromise more than 30,000 Linux systems," the study said.

Investigators say attackers use the path of least resistance to break in.

Scanning the Net

"They exploit the best-known flaws with the most effective and widely available attack tools," the report said. "They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems."

Alan Paller, director of research at the SANS Institute, said 30 percent to 80 percent of all computer security attacks were tied to the various software and other flaws cited in the study.

He said part of the reason these security holes persist was related to the roughly 1.2 million new host computers being added to the Internet every month, a lack of security experts to plug the holes, the growing number of computer vulnerabilities -- now believed to be 800 -- and the lack of a priority list.

"The exploits will always be there and be growing. When the vendors take responsibility for making sure their customers actively know about the vulnerabilities and make updates as easy as anti-virus updates, we'll all be a lot safer," Paller said.

Old and new tricks

The top three security flaws are BIND, which stands for Berkeley Internet Name Domain and allows you to write in the name of a Web site rather than a long string of numbers; CGI, or Common Gateway Interface, which provides interactivity in Web pages, such as data collection and verification; and so-called Remote Procedure Call (RPC) weaknesses that allow root compromises. RPC allows programs on one computer to execute programs on a second computer. It is widely used to access network services such as shared files.

Edward Skoudis, account manager and technical director at Global Integrity Corp., a computer security company, said the report lists a mixed bag of old and new hacker tricks.

"While some of the attacks are rather new, many of them, particularly weak CGI scripts and accounts without protected passwords, have plagued the security industry for many years," Skoudis said.

He said the purpose of the study was to find the most common weaknesses so that companies and computer system administrators could better understand how to defend themselves.

Point-and-click attacks

"No real surprises," Skoudis said. "People not in the security industry may be surprised at the large number of sites that are vulnerable and the amazing ease of use of these attacks. The software for many of the attacks can be downloaded right from the Internet and launched with a simple command line, or even a point-and-click."

He said many of the security weaknesses have been around for years and that the rise in attacks on computers was caused by a number of trends.

"First, as the Internet population has skyrocketed, the average experience level of system administrators has plummeted," Skoudis said. "While some system administrators are experts at keeping their system running securely, many others are brand-new and have little experience securing systems."

Skoudis believes that administrators are overworked and don't always have the time to make security a top priority. In addition, the software tools to take advantage of these exploits are a point and click away.

'Script kiddies'

"The tools can be downloaded and run against a target by an attacker with no special talent or expertise. The exploits are often run by 'script kiddies' -- people with a lot of time looking to take over systems just for the joy of the attack," Skoudis said.

Eugene Spafford, a professor of computer science at Purdue University and an expert in computer security, said the report, which is a consensus of various computer security professionals, was aimed at prompting action to close the loopholes.

Spafford expects security problems to continue until software-makers make better products.

-- Martin Thompson (mthom1927@aol.com), June 03, 2000

Answers

The top ten list itself with remedies is at http://www.sans.org/topten.htm

-- Vicki Fox (smithfox@mind.net), June 03, 2000.
