8/96 News: Web Insecurity Rampant

By David W. Methvin

What are the prospects for crime on the World Wide Web? Speaking at the recent Information Security Conference, Mark D. Rasch, director of information security law at Science Applications International Corp., put it this way: "The bad news is that nobody will get serious about cybercrime until there is a serious global catastrophe. The good news is that there will be a serious global catastrophe."

And judging from our own survey of security on the Web, that catastrophe could be just around the corner. Using information gleaned from vendors as well as security alerts on the Web itself, we were able to find glaring security gaps virtually across the board.

Some of the gaps we identified were on educational and personal pages, but others were on sites from such blue-chip sources as IBM, Fidelity Investments, Price Waterhouse, Marriott and Zenith Data Systems. Flaws there could have far-reaching implications for a large number of clients. In the spirit of full disclosure, we should point out that our own virtual home, the WinMag Web site, showed room for improvement as well.

The security flaws we found would allow anyone with a Web browser to get complete lists of files on the Web server's disks, or copy the contents of files. In some cases, these problems would permit outside users to delete or modify files as well. (For more details, see Safety on the Net in this issue.)

When informed about these security lapses, the Webmasters of these sites sounded grateful for the warning but were reluctant to go on the record about the problem. Most insisted that their Web sites did not contain any sensitive or proprietary data that could compromise their customer base.

The sheer number of sites we identified as having security problems made it difficult to check the veracity of such claims. But at least one site offered retail purchases through a credit card. In other words, it's possible that credit card information could have been obtained by exploiting this site's security holes.

Since this field is still evolving, those charged with running Web sites clearly have an unenviable task. "It's overwhelming to keep track of every vulnerability in a system," said Ira Winkler, director of technology for the National Computer Security Association. "The staff is usually overworked and doesn't have the time to fully research security issues."

Patches posted

And like all aspects of the Web, security issues are changing quickly. Microsoft has posted two security-related patches to its Internet Information Server since the product was shipped in March; in April, O'Reilly & Associates included one in the upgrade to its WebSite package. The very pace of change runs counter to the if-it-ain't-broke-don't-fix-it philosophy that most sites use to decide whether to upgrade.

Poor documentation and a lack of information from vendors don't help, either. For example, the Windows NT technical notes at Netscape's Web site (http://home.netscape.com) don't clearly explain easy solutions to the configuration problems that commonly cause security holes.

Jeff Treuhaft, director of security at the browser and server software provider, indicated that the problems we identified had already been fixed in version 2.0 of Netscape's server. Yet we didn't see that fact documented on the company's site, which makes it unlikely that users running previous versions would even be aware of the problem. That is, of course, until a problem occurs.