SANS: Cybercriminals targeted popular applications, network systems in 2005
- By Michael Arnone
- Nov 22, 2005
In 2005, cybercriminals launched massive attacks on two largely undefended fronts in cyberspace, leaving government and industry more vulnerable than they have been in years to data theft and security breaches.
That’s the sobering conclusion of the SANS Institute’s latest update to its 20 Most Critical Internet Security Vulnerabilities in 2005 report. The institute is a training and education organization for security professionals.
Ten of the vulnerabilities were in cross-platform applications installed on millions of systems, including backup software, antivirus software, database software and media players. Three affected network operating systems that control routers, switches and other devices that form the Internet’s backbone.
In the past 12 months, those new types of attacks represented 65 percent of the worst threats, up from none in 2004.
The institute, the U.S. Computer Emergency Readiness Team and Britain’s National Infrastructure Security Co-ordination Centre announced the findings today in London.
“Flaws in these programs put critical national and corporate resources at risk and have the potential to compromise the entire network,” said Rohit Dhamankar, leader of the SANS Institute team and a security architect at 3Com’s TippingPoint, in a statement.
“The bottom line is that security has been set back nearly six years in the past 18 months,” said Alan Paller, director of research at the SANS Institute, in an e-mail message. “Six years ago, attackers targeted operating systems, and the operating system vendors didn’t do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching. Here we go again.”
Because those vendors don’t automatically patch their products, customers who don’t update their e-mail systems through the vendors might not learn of the programs’ vulnerabilities, Paller said.
In addition, if customers who use the programs for archiving purposes don’t update them, they are putting their stored data, which is often the most important to an organization, at risk, he said.
Cybercriminals have released scores of automated harvesters on the Internet to hack systems and steal data, Paller said. Massive attacks can last for weeks or months and steal an organization’s data multiple times.
This year, attacks on network operating systems made international news, particularly Chinese hackers’ success in penetrating U.S. government systems and stealing military secrets, including future command and control information.
Since 2003, attackers have infiltrated Defense Department networks by exploiting vulnerabilities in hardware and software. They installed Trojan horses that at times have allowed them to come and go as they please without getting caught.
To make it onto the Top 20 list, vulnerabilities must meet four criteria:They must affect a large number of users.
Most systems must lack patches against them.
They must allow remote, unauthorized users to control affected systems.
There must be enough information about them on the Internet for attackers to exploit them.