SANS Warns of Attack Shift to Apps, Network Devices


An increase in the number of holes in software applications and network devices like routers and switches is allowing malicious hackers to gain access to sensitive systems, including government and military systems, according to the SANS Institute.


SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. Critical holes in computer backup and antivirus applications, as well as switch and router platforms, are enabling a new wave of attacks that is shifting attention from holes in operating systems like Microsoft Corp.'s Windows, Web and e-mail servers, SANS said. Software vulnerability scanning and better patching are the best way to address the holes, SANS said.

The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. As in past years, the SANS Top 20 contains warnings about security holes in Windows and popular Internet applications like the Internet Explorer Web browser and Outlook Express e-mail program.

However, Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines.


Enterprises have been preoccupied with operating system and Internet threats and have ignored the threat posed by holes in software applications by major vendors, according to Alan Paller, director of research at SANS.

For example, computer backup systems are rich targets for attack because they collect sensitive information from other systems and also must be accessible to enterprise systems that they manage, said Paller.

The SANS Institute's Internet Storm Center recorded a sharp spike in Internet scans for systems running the Veritas BackupExec software, which is now sold by Symantec, after a crop of high-risk holes were announced in June, according to Johannes Ullrich, CTO of SANS ISC.

"Everybody needs to have access to the backup server to do backups. It's a critical service," he said.

Automated hacking tools that lowered the technical bar for attacking Web and e-mail servers have been modified to target applications, said Paller from London, where SANS was planning to announce the Top 20 list with representatives of the UK's NISCC (National Infrastructure Security Co-Ordination Center).

The stakes for patching holes in software are getting higher, SANS said. "The business of stealing data for extortion and resale is a multibillion dollar business," Paller said.




More here:
http://www.eweek.com/article2/0,1895,1892115,00.asp