Top hacker targets named

Internet Explorer, web apps and VoIP make the list...

By Dan Ilett, 15 November 2006 15:15


Microsoft's Internet Explorer has been named one of the internet's top 20 hacker targets by a leading security organisation.


The SANS Institute also said Microsoft Office and Windows Libraries and Services are some of the most vulnerable applications available on computers today.

But Microsoft was not alone in the annual list - Apple's Mac OS X was also catalogued, along with "configuration weaknesses" in Unix.

The list of the top 20 targets is written by members of the institute and security experts from the tech industry and government to indicate which network features could leave a company vulnerable to attack.

SANS also named web applications, P2P file-sharing software, media players, VoIP phones and people themselves as some of the easiest targets for hackers.

Rohit Dhamankar, chief scientist at TippingPoint and a SANS member, explained some current security threat trends. "We've seen a lot of zero-day vulnerabilities this year. The next big thing is the number of attacks on web applications. There's also continued growth in spear-phishing attacks from Asia and Eastern Europe."

Comments

There are 4 comments.

  1. Richard Hillsdon MIAP FRSA

    Does it really need this kind of organisation and budget to tell us that, essentially, everything that is network connected in some way is vulnerable?

    I don't wish to put down the work they do but as IT professionals we all ought to know that and be aware of it. Not surprisingly the top of the list is full of all the things we use most!

    I've been telling my customers this for years, on a zero budget. Do people actually pay for someone to tell them this?

  2. Graham Coles

    Also included is Mac OSX. Really? Why?

    A bunch of stupid comments like 'flaws in unix applications *MAY* be patched later than the originals' and 'The first viruses for Mac OSX were found in the last year'

    Actually there have been no viruses for Macs as such. A couple of bits of proof of concept code like a worm that can't propagate to other systems and needs to be installed with an admin password and a virus attempt that couldn't make it out of a user's home directory because it doesn't have permission and doesn't even work on PowerPC architectures.

    How the hell does this nonsense make it into a TOP 20 list? I thought this was supposed to be a serious list indicating real, known threats for known services/applications with a high priority of actually happening.

    What do we get instead? Warnings that someone might not have patched an application (no idea which one, and I doubt if ordinary mac users would be using these command line apps anyway) that may or may not be vulnerable.

    This is little more than a 'state the bleeding obvious' list; I can't even take them seriously any more.

    Why not just say that any operating system in the world with the capability of connecting to a network MAY be vulnerable because it MAY contain applications which MAY not be updated as frequently, but we can't be sure. TOP 20 vulnerabilities my arse.

    No wonder the Americans have to have cars that keep beeping to remind them to put their seatbelts on (they MAY have an accident while driving), put their lights on when it's dark and remember to close the doors because you're not supposed to drive with them open(!).

    It's a pity that SANS are just wasting people's time here; they would be providing a much more intelligent service by turning their website into a series of links to grown-up security sites that actually identify realistic, quantifiable threats and solutions that people can identify on their systems. All they have provided here is little more than a horoscope.

  3. Peter Troxler

    The "SANS Institute" seems to me mainly a training outlet ... and it seems they have just discovered that there might be a market for mac user training???

    However they don't seem to have a clue what they are talking about ... or how stupid do you have to be to list "Microsoft Office" under "Operating Systems" ...

  4. Mark Hosey

    Doesn't all this apparently successful activity by hackers point to a lax attitude by software writers? Is it not about time for the introduction of a European standard that clearly defines acceptable levels of security that all software must attain before European marketing of those products?

    After all, every aperture in every building in Europe is filled with a product that meets minimum safety and security standards. Doors, glass, window frames, locks, bolts, hinges, sealants etc all meet certain minimum standards.

    Well, I consider my PC connection to be another front door on my house connecting it to the outside world. The last thing I want is some shoddy product on my PC that leaves me and my family vulnerable to criminal activity. How would you react if you bought a door with a non-compliant lock which, if banged hard enough, popped open giving the world access to all your possessions? And how do you think the insurance companies would react? They wouldn't pay the insurance claim of course!

    So why do we blithely accept the equivalent low level of security with the software we buy? It's not as though the software writers can't make their products secure. Often they do, retrospectively by issuing bug fixes, but they should be secure from day 1. Correctly drafted, controlled and audited standards can ensure that all of the common security flaws exploited by hackers but left there by amateur, lazy or incompetent writers are reduced to manageable levels.

    Standards work for all other industries, so why not software, and why aren't the insurance companies driving for it?
