SANS Institute releases a new Top 20 list of Internet vulnerabilities

America's war on terrorism will produce a cyber backlash, the State Department's CIO warned.

'When the attack starts, you're going to see some of these terrorist countries striking back from cyberspace,' said Fernando Burbano, who also is assistant secretary of State for IRM.

That is bad news for systems administrators already struggling against the recent onslaught of Internet worms, said Alan Paller, director of research at the SANS Institute in Bethesda, Md.

'The Internet is not ready to withstand a major attack,' Paller said at a news conference for the release of SANS' updated list of the most critical security vulnerabilities. The list, which expands last year's top 10 vulnerabilities to 20, accounts for the majority of successful hacker attacks, he said.

The list is a cooperative effort of industry and government security experts. The threats are in three categories: those affecting Microsoft Windows systems, Unix systems and all systems. Paller said none of last year's top 10 vulnerabilities have been retired. Details of the vulnerabilities can be found at the SANS Web site, at

  • All systems:
  • Default installation of operating systems and applications

  • Weak passwords

  • Incomplete backup of data

  • Unneeded ports left open

  • Packets not filtered for correct incoming and outgoing addresses

  • Incomplete logging of network activity

  • Vulnerable Common Gateway Interface programs.

  • Windows:
  • Vulnerability in the Unicode Standard allowing Web servers to be hacked through a faulty URL

  • Internet Services Application Programming Interface buffer overflows

  • Internet Information Server Remote Data Services exploit

  • Unprotected networking shares

  • Null session connections

  • Weak default password protection in LAN Manager.

  • Unix:
  • Buffer overflow in remote procedure call services

  • Sendmail vulnerabilities

  • Berkeley Internet Name Domain weaknesses

  • R command weakness for connecting to remote systems

  • Remote print control daemon

  • Sadmind and mountd buffer overflows

  • Default Simple Network Management Protocol settings.

About the Author

William Jackson is a Maryland-based freelance writer.