..........................tutto molto giusto e sacrosanto, con me sfondi una porta aperta, quello scritto in rosso però non si può sentire ....... 
..... su Unix sono basati i mainframes che regolarmente gli hackers si divertono a sfondare .....
Non per far polemica:
Top Unix weaknesses include holes in the Apache Web server, file-transfer protocol (FTP), the Sendmail function and general Unix authentication (accounts with nonexistent or weak passwords).
Despite complaints that vendors are often slow or unresponsive to requests to patch security flaws, Clarke cautioned IT managers not to publicize security holes simply to embarrass vendors into action.
"Within hours, black-hat hackers would know about that vulnerability and use it," he said.
Rather, Clarke said IT managers should notify the Federal Computer Incident Response Center (FedCIRC) or the FBI.
But Jon McCown, senior technical director at Herndon, Virginia-based TruSecure, griped that many of the outlined security holes wouldn't be so exploited if not for many vendors' "set it and forget it" attitude.
"These problems are largely an outgrowth of informal and inconsistent administrative practice," he said. "Dealing with most of them is primarily a matter of getting your act together and configuring conservatively."
Officials acknowledged that the list only highlights the most common flaws and doesn't address security flaws in non-Microsoft or non-Unix systems.
"There's more to be done," said Alan Paller, SANS Institute's director of research. "This is not the end of the process."
In addition, the General Services Administration said it will create a working group to draft task-order specifications so federal agencies can test for the vulnerabilities.
Under the program, the GSA will alert agencies to vulnerabilities via e-mail and suggest ways to protect their systems until software patches are available.
"This will go a long way to help prevent more serious computer security incidents," said Sallie McDonald, an assistant commissioner at the GSA's Federal Technology Service.
One test case is NASA, where slightly
more than 24 percent of attempted hack attacks penetrated the system in the third quarter of 2000. By the end of 2001, after scanning and fixing system flaws, only a fraction of 1 percent of attacks were successful.
Several security firms also were on hand to announce products to combat the
security weaknesses outlined in the SANS/FBI top 20 list.
Companies offering software to scan systems for flaws included Qualys, which offers a free Web-based scan to detect vulnerabilities; Foundstone and Internet Security Systems (ISS), which sell security software; and Nessus and Advanced Research, which offer open-source scanning software available for free download.
