Schneier on Security

Last point clarified for anyone in HMG:

'No copying millions of peoples private information to a DVD.'

Doh!

Dom

I wish the article would differentiate between "Operating systems" and "Microsoft Operating systems" when they make sweeping statements on trends, e.g.:

"""These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets."""

Has anyone every heard of a non-Microsoft-Windows botnet?

I also don't get the distinction between "Open Source" and "Custom build" applications. Software can be either, neither or both.

Sometimes SANS reports are as brilliant and insightful as Gartner ones.

AC writes "Has anyone every heard of a non-Microsoft-Windows botnet?"

Well, Agobot is cross-platform. And there are a number of botnets built from compromised Linux machines, primarily 0wn3d through SSH brute-force tools.

Solaris is also a popular botnet target, and to a lesser extent, FreeBSD.

"Well, Agobot is cross-platform"

I thought that the original was cross-platform, but that the yield on non-Windows machines was so small the later variants became Windows-only. Or am I confusing that with another botnet?

@ Bruce,

Your comment about passwords,

"The default configurations for many operating systems and services continue to be weak and continue to include default passwords. As a result, many systems have been compromised via dictionary and brute-force password guessing attacks in 2007!"

You did not mention the "new vector" for password attacks,

Which is harvest passwords from on line third party systems with weak security, that users of a more secure system are known to access. Then try the passwords or their structure against the more secure system.

I.e. you know that Jeniffer Parsons is the PA to the MD of MegaCorp Investments.

1) You know that the general format for a login at Mega is the first name initial appended to the surname.

2) You also know that the general structure of the email addresses at Mega are Fname.Lname@mega.com

3) So you Google around and low and behold you find she has posted on a small social site advertising a pair of size six red court shoes.

4) After a quick check with an exploit tool you get hold of a file with her hashed/encrypted password for the social site in it.

4) You google the hash or check it on a rainbow table site to get the plain text.

5) You try loging in with what you have found.

Due to "Human Nature" a lot of people use the same password on many systems or one passed on fairly obvious modifications to a root.

The result is likely that you will get into Mega Corps system fairly easily or to her on line bank account etc.

In response to the password issue, I think it's clear that passwords must go. They're simply not good method of authentication anymore. The requirements to make them strong also make them difficult for users to remember. Alternative methods for user authentication (biometrics, tokens, smart cards, etc.) have to start being employed.

"Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year."

I'm feeling as though this is an obligatory gibe at something other than MegaSoft. I would imagine that the *majority of vulnerabilities being discovered *would be found in OSS and the like, primarily because we're allowed to endless amounts of peer review across a large amount of varying levels of experience and expertise. What also seems likely is that these vulnerabilities (if announced) were likely rectified far quicker than any found in closed source applications (although this is a bit of a sweeping generalization).

Of course that may just be my own bias rhetoric, but I do know this: my department would rather pay 100,000 / year for some garbage, patchwork of an application (and trust me, that is 1st hand experience talking now, no bias needed) rather than install an open source application that is tried and true over years of open peer review... for free, and things like this statement above only perpetuate the FUD they already have regarding OSS, which I think is incredibly unfounded.

Shane - excellent comments. This is about SANS making money off of Tippingpoint, and Tippingpoint getting press to make leads to sell product. This is about SANS.org - the FOR PROFIT company - increasing Paller's wealth.

Some items of software expect to have administrative privileges on the user's system. Along these lines, the following may be of interest:

Hall of Shame
http://www.pluralsight.com/wiki/default.aspx/Keith.HallOfShame

Hall of Shame Honorees for Admin Rights
http://www.threatcode.com/admin_rights.htm

When developing software for the Windows platform, there is the issue of how to avoid the need for administrative privileges.
http://nonadmin.editme.com/DevelopingAsNonAdmin