OT Web Security BBC

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread


Tuesday, 11 January, 2000, 17:42 GMT

Fresh web security scare

Many e-businesses are vulnerable to hackers because they share web servers, according to new research.

The research comes amidst news of a US internet heist, where a hacker stole hundreds of credit card details from e-commerce websites.

There is no evidence that the US hacker exploited the same weak spot, nCipher, who commissioned the research, said, but the incident highlights how vulnerable many websites are.

Hard storage

Many web servers use software to store the keys that allow access to data such as credit card numbers.

For this data to be secure, these keys should be stored on hardware as well, nCipher says.

"It has been accepted for over 30 years, that hardware is essential for adequate security of key data. In the rush to electronic commerce, that has been forgotten by many implementers of e-commerce systems," Alex van Someren, chief executive of nCipher said.

nCipher's research highlights how easy it is to find these keys, which allow access to the data.

Few e-businesses take the issue seriously, with the one exception being banks and financial institutions, who have had several years experience of key storage.

"The cash machine/ATM network has used hardware for key storage ever since it has been created," he added.

Cost to business

Those most at risk are small businesses who share web servers and hence rely on someone else to provide the hardware storage.

"(They) aren't e-commerce experts, who don't run their own servers, but rely on third party operators to maintain their business security," he said.

While as yet no breaches of security have been reported, nCipher warns that successful attacks leave no trace. Successful attackers can access past and present transactions.

Best practice

Mr Van Someren says that hardware key storage should become best practice and e-businesses should pressure service providers to offer it.

nCipher's research shifts the emphasis from the popular perception that data is at risk when it is en route through the internet.

The issue, Van Cameren says, is the "security when it gets to the end, who are you dealing with, and how careful they are with your data."

Some analysts have interpreted the research as a call for small businesses to stop sharing web servers. Others have welcomed the research.

"Research like this is vital in enabling our customers to understand the full range of possible threats to their systems," Scott Culp, security product manager of Microsoft said.

nCipher was founded in 1996 by Alex and Nicko Van Someren, and specialises in improving web security.

-- Martin Thompson (Martin@aol.com), January 12, 2000

Moderation questions? read the FAQ