Agency lists top 10 security threats

That's the philosophy behind a list of the 10 most critical Internet security threats published by the System Administration, Networking and Security Institute (SANS), a research and education organization.

The institute's list includes the software vulnerabilities most frequently used to gain unauthorized access to computer networks. SANS, which claims more than 96,000 systems administrators, security professionals and network administrators as members, also offers ways to correct the problems.

A number of recent hacking incidents have put systems administrators on guard as hacker attacks become more sophisticated and more prevalent.

Earlier this year, e-commerce giants eBay, Amazon.com and Buy.com, portal giant Yahoo, news site CNN.com, and online trading sites E*Trade and Datek reported attacks that rendered their sites largely inaccessible. The FBI was a target of a similar attack that shut down its Web site for more than three hours Feb. 18 when vandals overwhelmed it by transmitting false signals.

With its list, SANS aims to help systems administrators identify the security vulnerabilities that it says should be eliminated "immediately" to thwart attacks.

At the top of the institute's list are attacks aimed at directory services, specifically the Berkeley Internet Name Domain (BIND). The institute said BIND, among the most widely used implementations of Domain Name Service--a sort of Internet phone book--allows people to locate systems on the Internet by name without having to know specific Internet Protocol (IP) addresses.

According to a survey conducted last year, roughly 50 percent of all DNS servers connected to the Internet are running vulnerable versions of BIND, the institute said.

Second on the list are Common Gateway Interface (CGI) programs, a standard that lays down the rules for running external programs on Web pages. Many Web servers come with sample CGI programs installed by default, making them vulnerable to hacker attacks.

According to the SANS report, hackers are known to break into vulnerable CGI programs to vandalize Web pages, steal credit card information, and set up back doors to enable future intrusions, even if the CGI programs are "secured."

Third on the list are intrusions targeting shared files on network systems. Hackers have been known to take advantage of a function called Remote Procedure Calls (RPC), which allows programs on one computer to "talk" to programs on another computer. The SANS report cited last year's hacker attacks on U.S. military computer systems, which exploited RPC flaws found in several U.S. Defense Department systems.

The report also noted Internet security flaws in file-sharing programs, popular email programs and user IDs or password access. Some administrators either forget to change a default password or don't have time to change the default password installed on their systems, the report said; most "demo," or "guest," passwords are widely known, which makes this vulnerability possibly the easiest way for a hacker to attack a computer system.

Alan Paller, director of research at the SANS institute, said that to limit these severe attacks, administrators simply need to fix the flaws.

"This isn't rocket science," said Paller. "The majority of these flaws are in systems that are being run by people who don't have a clue" on how to protect their systems.

Paller said the top 10 list resulted from a consensus of representatives nationwide who do the most "clean up" after an attack occurs, including the FBI, the National Security Agency, university-based technology research departments and the CERT Coordination Center.

For the most part, Paller added the industry is seeing much more "automated" hackers. "One hacker with one tool can look at 10,000 systems," he said. "(Hackers) aren't necessarily getting smarter, but hacker tools are getting much more sophisticated."