The FBI Top 20 Flaws Exploited by Internet Hackers

posted on October 3, 2001
by hitbsecnews

The FBI on Monday released a list of the top 20 computer security vulnerabilities most likely to leave the Internet vulnerable to attacks from hackers. Since Sans.org is being swamped by visitors looking for the list, we have placed it here for your convenience...

Top 20 Computer Vulnerabilities

    General vulnerabilities

  1. Default installs of operating systems and applications
  2. Accounts with no passwords or weak passwords
  3. Non-existent or incomplete backups
  4. Large number of open ports
  5. Not filtering packets for correct incoming and outgoing addresses
  6. Non-existent or incomplete logging
  7. Vulnerable CGI programs
  8. Unicode vulnerability (Web Server Folder Traversal)
  9. ISAPI extension buffer overflows
  10. IIS RDS exploit (Microsoft Remote Data Services)
  11. NETBIOS — unprotected Windows networking shares
  12. Information leakage via null session connections
  13. Weak hashing in SAM (LM hash)

    Unix-based vulnerabilities

  14. Buffer overflows in RPC services
  15. Sendmail vulnerabilities
  16. Bind weaknesses
  17. R Commands
  18. LPD (remote print protocol daemon)
  19. sadmind and mountd
  20. Default SNMP strings

FBI Lists Top Computer Risks

Agency Notes Common Flaws Exploited by Internet Hackers

The items on the list include general vulnerabilities and known security holes in the Windows and UNIX operating systems that are most often exploited by malicious coders, according to the System Administration, Networking, and Security Institute (SANS), a non-profit organization that helped the FBI compile the list.

"The majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list," SANS said in a prepared statement.

"These few software vulnerabilities account for the majority of successful attacks, simply because attackers are opportunistic — taking the easiest and most convenient route," SANS said. "They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems."

According to the FBI and SANS, vigilance in patching these known security holes would have prevented such well-publicized Internet virus outbreaks as the Code Red worm and the recent attacks from the Nimda worm.

Common Security Lapses

Among the most common security errors listed are using an installation program to install system software without removing unnecessary services or installing all security patches. Often users will forget to patch applications they don't use, inadvertently creating a convenient security hole for hackers to infiltrate, SANS said.

Weak passwords were also cited as a common security problem among corporations.

"Easy to guess passwords and default passwords are a big problem, but an even bigger one is accounts with no passwords at all," SANS said. "In practice, all accounts with weak passwords, default passwords, and no passwords should be removed from your system."
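One way to check a Unix host for the accounts SANS describes, as an added example that is not part of the original article. The passwd and shadow contents are constructed sample data, the function names are hypothetical, and the legacy-hash check goes slightly beyond the quoted advice.

```python
# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001::/home/guest:/bin/sh
backup:x:1002:1002::/home/backup:/bin/bash
alice:x:1003:1003::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
guest::18000:0:99999:7:::
backup:ab1cdEfGhIjKl:18000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:18000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text, min_fields):
    """Map account name -> list of colon-separated fields, skipping short lines."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text):
    """Return {account: finding} for accounts that need attention."""
    shells = {n: f[6] for n, f in parse_colon_file(passwd_text, 7).items()}
    findings = {}
    for name, fields in parse_colon_file(shadow_text, 2).items():
        pw = fields[1]
        if pw == "":
            # Empty second field: the account can log in with no password.
            interactive = shells.get(name, "") not in NOLOGIN_SHELLS
            findings[name] = "no password set" + (
                " (interactive shell)" if interactive else "")
        elif pw.startswith(("!", "*")):
            continue  # locked, or password login disabled
        elif not pw.startswith("$"):
            # No $id$ prefix: an old-style hash such as 13-character DES crypt.
            findings[name] = "legacy non-modular hash (DES crypt style)"
    return findings
```

On a real system the same function can be given the contents of `/etc/passwd` and `/etc/shadow`, read as root.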

Leaving too many ports open for users to connect to your system can also prove a fatal mistake, SANS said. The group recommends keeping open only the minimum number of ports a system needs to function properly.

The FBI/SANS list also specifically addressed vulnerabilities in Microsoft's Internet Information Services server software. A glitch in the IIS software allows hackers to send a server a carefully constructed URL that will in effect allow them to take over the machine.

The Center for Internet Security (CIS) has developed guidelines for setting up, and tools for testing, secure configurations of Solaris and Windows 2000. Both are available at cisecurity.org.

Simple Security Measures

The FBI's National Infrastructure Protection Center, the agency's cyberwatchdog, has released a list of seven simple measures computer users can take to step up security on their machines:

Use strong passwords. Choose passwords that are difficult or impossible to guess. Give different passwords to all accounts.

Make regular backups of critical data. Backups must be made at least once each day. Larger organizations should perform a full backup weekly and incremental backups every day. At least once a month, the backup media should be verified.

Use virus protection software. That means three things: having it on your computer in the first place, checking daily for new virus signature updates, and then actually scanning all the files on your computer periodically.

Use a firewall as a gatekeeper between your computer and the Internet. Firewalls are usually software products. They are essential for those who keep their computers online through the popular DSL and cable modem connections but they are also valuable for those who still dial in.

Do not keep computers online when not in use. Either shut them off or physically disconnect them from the Internet connection.

Do not open email attachments from strangers, regardless of how enticing the Subject Line or attachment may be. Be suspicious of any unexpected email attachment from someone you do know because it may have been sent without that person's knowledge from an infected machine.

Regularly download security patches from your software vendors.
