Top 10 Linux/Unix Internet Security Vulnerabilities


What aspects of Linux operating systems are most often targeted by malicious hackers? According to the SANS Institute, the ten most commonly exploited vulnerable services in UNIX and Linux are:

  • U1 BIND Domain Name System
  • U2 Remote Procedure Calls (RPC)
  • U3 Apache Web Server
  • U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
  • U5 Clear Text Services
  • U6 Sendmail
  • U7 Simple Network Management Protocol (SNMP)
  • U8 Secure Shell (SSH)
  • U9 Misconfiguration of Enterprise Services NIS/NFS
  • U10 Open Secure Sockets Layer (SSL)

    The list was compiled by federal security agencies in the US, the UK, and Singapore, as well as leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute.

    "Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these vulnerable services," notes the SANS Institute. "Attackers are opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities."

    The SANS list "is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws," notes the site, which welcomes suggestions from readers. For details on why these services are targeted as top vulnerabilities, and tips on improving security, see the SANS web site.
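Two of the list items can be checked locally in a few lines, which is the kind of step the SANS document points readers toward: U4 (accounts with no password, or with a weak legacy password hash) by reading /etc/shadow, and U5 (clear-text services listening) by reading a socket listing. The script below is an added example written for this page; it is not SANS material and not code from the article. The shadow lines and the `ss -ltn` output it contains are constructed sample data (the hashes are not real), and the port-to-service table is an assumption based on the standard IANA assignments.

```python
"""Quick local audit for two items on the SANS Unix/Linux list:
U4 (accounts with no password or a weak legacy hash) and
U5 (clear-text services listening).

Example code added to this page, not SANS material.  The shadow
content and the socket listing below are constructed sample data.
"""
import subprocess
import sys

# Well-known ports for protocols that carry credentials or data in the
# clear (assumption: standard IANA port assignments).
CLEARTEXT_PORTS = {
    21: "ftp", 23: "telnet", 110: "pop3", 143: "imap",
    161: "snmp", 512: "rexec", 513: "rlogin", 514: "rsh",
}

# Sample /etc/shadow lines (constructed; the hashes are not real).
SAMPLE_SHADOW = """\
root:$6$saltsalt$fakefakefakefakefakefakefakefakefakefakefakefakefakefake:19000:0:99999:7:::
operator::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
legacy:ab9Xk2mQ7zLpE:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# Sample `ss -ltn`-style output (constructed).
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::]:21             [::]:*
LISTEN 0      128    0.0.0.0:110         0.0.0.0:*
"""


def audit_shadow(shadow_text):
    """Return (no_password, legacy_crypt) lists of account names.

    An empty second field means the account can log in with no password
    at all (U4).  A 13-character hash with no '$' prefix is traditional
    DES crypt, which truncates the password to 8 characters and is
    trivially brute-forced, so it is reported as weak even though a
    password is set.  '!' and '*' mark locked accounts and are skipped.
    """
    no_password, legacy_crypt = [], []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_hash = line.split(":")[:2]
        if pw_hash == "":
            no_password.append(user)
        elif pw_hash.startswith(("!", "*")):
            continue
        elif not pw_hash.startswith("$") and len(pw_hash) == 13:
            legacy_crypt.append(user)
    return no_password, legacy_crypt


def cleartext_listeners(ss_text):
    """Return sorted (port, service) pairs for LISTEN sockets on known
    clear-text ports, parsed from `ss -ltn`-style output (U5).

    Loopback-only binds are reported too: the service exists, and the
    caller decides whether a local-only instance is acceptable.
    """
    found = []
    for line in ss_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is "host:port"; IPv6 looks like "[::]:21".
        port = int(fields[3].rsplit(":", 1)[1])
        if port in CLEARTEXT_PORTS:
            found.append((port, CLEARTEXT_PORTS[port]))
    return sorted(found)


if __name__ == "__main__":
    # With --live, read the real shadow file (needs root) and run ss;
    # otherwise audit the constructed sample data.
    if "--live" in sys.argv:
        with open("/etc/shadow") as f:
            shadow = f.read()
        listing = subprocess.run(["ss", "-ltn"], capture_output=True,
                                 text=True, check=True).stdout
    else:
        shadow, listing = SAMPLE_SHADOW, SAMPLE_LISTENERS
    empty, weak = audit_shadow(shadow)
    print("U4 accounts with no password:", empty)
    print("U4 accounts with legacy DES crypt hash:", weak)
    print("U5 clear-text listeners:", cleartext_listeners(listing))
```

Run it without arguments to see the checks against the sample data; `--live` applies them to the host. The script flags only the easy, unambiguous cases (empty field, legacy hash, well-known port); a cleartext service on a non-standard port or a weak-but-hashed password still needs a port scanner and a password cracker respectively, which is exactly why the SANS document pairs each item with its own pointers.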


    SYS-CON's Linux News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.



    Most Recent Comments
    Arnnei Speiser 07/06/04 07:48:57 AM EDT

    It is a known fact today that Internet security is most vulnerable at the login entry.
    No SSL or other protocol will prevail if your password is exposed.
    The most secure and affordable methodology available today is TFA (Two Factor Authentication) and OTP (One Time Password) generation.

    These methods cost a bundle with today's token systems. That is the reason only VIPs or very secure sites offer this level of security to their clients.

    Change the token system in a way that every organization can offer it to their customers, and you get a high level of security for everybody.

    Mega AS Consulting Ltd (www.megaas.co.nz) has developed a new CAT (Cellular Authentication Token) that follows that thought. It is a new concept that enables new services such as eAuthentication. The CAT runs on a cellular phone, does not require SMS or any other type of communication, and can be installed (one-time OTA) by any service's client. It does not cost the user anything.

    With this in mind, services can now offer users the option to register for a secured OTP login at their own time. The service does not have to supply or manage the tokens. It is the user's responsibility to join the secured service to secure their login.

    The eAuthentication Service takes this approach even further. Since the user can choose to join the secured login of the service, the company providing the service does not have to buy the authentication package anymore; they get the users authenticated at the Mega AS Consulting CAT Authentication server by implementing a simple API.

    This approach is new. It will change the whole industry and it is available now.