
A matter of national security or just a handy tool for network admin?
By Jo Best
Published: 9 October 2003 14:59 GMT
An international anti-hacking study exposing the most common vulnerabilities exploited by hackers has received unequivocal backing from the British government as part of its efforts to protect the country's critical national IT infrastructure.
The research, published by the SysAdmin, Audit, Network, Security (SANS) Institute in Washington, shows the 10 flaws most commonly exploited by hackers in Microsoft Windows and the 10 most commonly exploited in Unix operating systems.
The list is published annually and this year revealed that the most problematic area for Microsoft is its web server, the Internet Information Services (IIS) server, and for Unix the Berkeley Internet Name Domain (BIND) DNS software.
The institute, together with the US Department of Homeland Security, the Canadian Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) and the UK government's National Infrastructure Security Co-ordination Centre, has produced advice on how to tackle the vulnerabilities. The results of the research can be found on the SANS Institute website.
A Home Office spokesman told silicon.com that the British wing of the anti-hack effort had been at the "forefront of development in the area, sharing expertise, knowledge and our experience in terms of what private companies and government departments have experienced".
He added that while the research would have trickle-down benefits for the average user, it would be of most use to the high-level tech workers who are responsible for protecting the UK's national IT infrastructure from attack.
The US research body, however, views the research as a much more grass-roots enterprise, aimed at getting systems administrators to sort out their software issues. Alan Paller, director of research for the SANS Institute, said in a statement: "The [list] defines the set of network security vulnerabilities that are most commonly used by hackers to break into systems. They should be addressed by network administrators as quickly as possible."
Aside from the guidelines on how to correct the flaws, it seems that something more than confusion has come out of the research. As a result of the study, some areas in Microsoft IE and Outlook have been revised or added to.
Speaking in Washington, NISCC director Stephen Cummings said: "Our colleagues at the SANS Institute have been undertaking essential work and we have been pleased to add our own expertise. We have helped to produce descriptions and remedial advice… As a result of the work, a number of scanning tools are available for system and network administrators to use. There is no quick fix for beating vulnerabilities, but listing and highlighting those which are most exploited is a very good start."