Gaps in internet security

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Security gaps dot Internet landscape Personal info often at risk, experts say

By Frank James Washington Bureau February 12, 2000

WASHINGTON -- An on-line travel-services firm recently found a gaping security hole on a competitor's Web site. It exploited the weakness by copying customers' credit card numbers from its competitor's site.

Then the firm sought to discredit its competitor by showing that information to a corporation that both travel companies were wooing as a partner, according to David Rhoades, a computer security expert familiar with the January incident.

"Just another drive-by shooting on the information superhighway," said Rhoades, of Security Group in Atlanta, hired by the victimized firm to close the hole.

The ethics of such pilfering aside, that one company could reach through a hole in the Web and grab another's customer credit card database illustrates a problem afflicting e-commerce in the dot-com world, numerous security experts said.

Experts say that thanks to glitches or installation mistakes in security software, or poor security measures in the first place, there are numerous insecure commercial Internet sites that allow access to financial and other personal information stored in Web sites' databases.

And there is no good way for consumers to know about the problem.

"Sadly, this is a lot more common than most people think," said Elias Levy, a security expert with SecurityFocus.com who says he has confirmed many instances of poor site security.

Despite last week's rash of denial-of-service assaults against several popular Internet sites, many e-commerce sites remain well-protected, and federal law limits a consumer's liability for charges made with a stolen credit card number. The greater threat, experts say, is identity theft.

"I do fear that my personal information and bank account information could be exposed," said Web security expert Stephen Cobb. The result, he explains, is that someone might impersonate him, unleashing a morass of bogus financial transactions that could ruin his credit rating and subjecting him to the difficult process of trying to untangle the mess.

At fault, say security experts, is a chronic shortage of computer specialists who are competent at protecting digitized information. And the Internet gold rush has led many companies to leap into electronic commerce without first placing the necessary defenses on their web sites.

Each day seems to bring another horror story: X.com, the on-line banking subsidiary of First Western National Bank, a small, nationally chartered Colorado bank, acknowledged a software flaw that allowed unauthorized transfers of money from any bank account in the United States into an X.com account.

At least one person exploited the bug until it was fixed, First Western officials admitted. The amounts of money involved were not significant, they said.

A New York City man placing an on-line order with DrugEmporium.com for vitamins was startled to see a Kentucky woman's credit card information pop up on his computer screen. The company rushed to repair the software quirk and said it was an isolated incident.

CD Universe, an on-line music retailer, admitted to an extortion attempt by someone claiming to be a teenage Russian hacker. The person demanded $100,000 for the names and credit card numbers of 300,000 CD Universe customers he said he was able to lift from the CD Universe Web site because of its poor security.

When the company rejected the blackmail attempt, the person posted many of the stolen credit card numbers on the Web. After CD Universe disclosed the problem, credit card companies canceled and reissued the cards of most of the consumers who had made purchases through the company.

MSNBC, the all-news cable channel, in January reported that a series of tips led it to confirm the existence of numerous insecure sites where anyone could gain access to customer credit card numbers and other personal information.

"In that one week (after the CD Universe incident) we found 10 or 12 sites that were wide open," said Levy of SecurityFocus.com.

Internet security experts said only a fraction of intrusions get reported because companies fear bad publicity will cripple the prospects for an Internet commerce boom.

"It is a big issue," said Carl Kessler, vice president of Tivoli Security, a subsidiary of IBM Corp. "Security is key to the adoption and expansion of e-business, and it's totally solvable today," because, he says, effective software solutions are available.

In the early days of e-commerce, most businesses feared hackers would capture credit card numbers and other confidential information during transmission. That fear has not materialized, since most sites engaging in financial transactions encrypt those communications.

Instead, problems more often occur in e-commerce sites that don't properly safeguard data collected.

At some smaller sites, Levy said, security was compromised because of oversights, such as choosing passwords that could easily be guessed, or not using passwords at all.

Other amateurish mistakes, according to computer security experts, involve using the same computers for incoming Web traffic and for storing databases of customer credit card numbers or employee data such as Social Security numbers. Web traffic and databases should be handled by two different and, ideally, unlinked computers, experts say.
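The two mistakes the experts describe, a guessable or missing database password and a customer database living on the same machine that answers incoming Web traffic, are easy to check for mechanically. The following is an added illustration, not code from the article or from any of the companies it names: it audits constructed deployment descriptions (the field names, the sample addresses and the short list of common passwords are all assumptions made for the example) and reports which of those mistakes each one makes.

```python
"""Audit constructed deployment descriptions for the mistakes the article names:
guessable or empty database passwords, and a database that shares a machine or
an open network path with the public Web server.  Example code, not the article's."""
from dataclasses import dataclass
from typing import List

# Constructed list of passwords an intruder would try first (assumption for the example).
COMMON_PASSWORDS = {"", "password", "123456", "admin", "root", "letmein", "sa"}
MIN_PASSWORD_LENGTH = 12


@dataclass
class Deployment:
    """Hypothetical description of one e-commerce site's layout."""
    name: str
    web_host: str                # machine that accepts incoming Web traffic
    db_host: str                 # machine that stores customer records
    db_bind: str                 # interface the database listens on
    db_password: str             # credential the Web tier uses to reach the database
    db_allowed_sources: List[str]  # addresses permitted to open the database port


def audit(d: Deployment) -> List[str]:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []

    # 1. Password hygiene: empty or common passwords first, then bare length.
    if d.db_password.lower() in COMMON_PASSWORDS:
        findings.append("database password is empty or easily guessed")
    elif len(d.db_password) < MIN_PASSWORD_LENGTH:
        findings.append("database password shorter than %d characters" % MIN_PASSWORD_LENGTH)

    # 2. Separation: the database should not live on the Web-facing machine.
    if d.db_host == d.web_host:
        findings.append("database and Web server share one machine")

    # 3. Exposure: the database should listen only on a private interface.
    if d.db_bind == "0.0.0.0":
        findings.append("database listens on every interface, including the public one")

    # 4. Reachability: only the Web tier should be able to open the database port.
    unexpected = [src for src in d.db_allowed_sources if src != d.web_host]
    if unexpected:
        findings.append("database reachable from hosts other than the Web tier: "
                        + ", ".join(unexpected))

    return findings


# Constructed sample deployments (addresses are documentation ranges, not real sites).
CARELESS = Deployment(
    name="careless-shop",
    web_host="203.0.113.10",
    db_host="203.0.113.10",       # same box as the Web server
    db_bind="0.0.0.0",            # listening on the public interface too
    db_password="admin",
    db_allowed_sources=["0.0.0.0/0"],
)

SEPARATED = Deployment(
    name="separated-shop",
    web_host="203.0.113.10",
    db_host="10.0.0.5",           # private network, separate machine
    db_bind="10.0.0.5",
    db_password="Kx7#pLq9!mZ2wQ",
    db_allowed_sources=["203.0.113.10"],
)


if __name__ == "__main__":
    for site in (CARELESS, SEPARATED):
        print(site.name, "->", audit(site) or ["no findings"])
```

Run as a script it prints four findings for the careless layout and none for the separated one; the checks are deliberately coarse, since the point is that the mistakes the experts call amateurish are visible from a plain description of the deployment, before anyone tries to break in.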

The size of the company doesn't always determine the sophistication of its Internet security. Scores of companies in financial services and manufacturing, including some that pride themselves on having installed sophisticated defenses, have asked Spectria InfoSec Labs, a computer security company based in Playa del Rey, Calif., to attempt to penetrate their barriers.

"So far, none of the systems we have been asked to test have prevented us from getting into their internal networks," said Cobb, Spectria's vice president of research and education.

Furthermore, the skill level needed to break in, on a scale of 1 to 5, was just a 2, Cobb said. And InfoSec Labs evaluators used only legal methods to accomplish their penetrations. Criminals and hackers have many more choices.

"So far, we're undefeated," Cobb said. "Those are facts, and people need to realize that."

Some of the problems are inherent in the Internet's structure: The vast network was built to make it relatively easy for computers to readily share information. Security was an afterthought.

For many software developers, security still is not a priority. Instead, the emphasis is on more features and making sure they work, experts said. For e-commerce sites to be successful, they must be very interactive.

When a customer visits an on-line bank site to get an account balance, the request goes to the database that contains the information.

"Those ... paths are what are vulnerable to attack, because the people who design the systems are not thinking security, they're thinking functionality," Cobb said.

Another common reason software developers don't catch potential security glitches is that competitive pressures are forcing them to get sites up and running before the software that drives them is ready.

"The problem is, everybody's trying to get rich quick, jumping on the Internet," said Rhoades of Meta Security. "Companies are desperately running to get onto the Internet, like lemmings running off the side of a cliff.

"No one is allowing the developers to take the time to build security in. You've got managers in some cases giving developers just 60 days for projects from start to finish, saying, 'We want to put up a site that accepts credit card applications. Build it quick, do it now and slap it up there."'

Problems bred by such haste could eventually lead federal policymakers to compel e-commerce companies to put more emphasis on security, experts predict.

For now, the Clinton administration is content to let Internet companies attempt to address the problems on their own. But Commerce Secretary William Daley has warned that if companies fail, pressure for legislative or regulatory action will increase.

E-commerce's security troubles are expected to get plenty of attention from a blue-ribbon advisory panel set up by the Federal Trade Commission to examine Internet-related security and privacy issues, which met for the first time Feb. 4.

"We're going to have experts from all over the country on computer security issues talking about the best approaches that Web sites should follow in order to ensure security," said Jessica Rich, assistant director in the division of financial practices. "We want to study this and hear what people who are actually out there dealing with these issues are doing."

After last week's assaults, federal officials were urging businesses to install protective software and take other precautions. And sensitive government systems were being secured against potential attacks, Daley said Wednesday.

"Right now there is no surefire defense, but we are trying to take some steps," he said.

Tribune wire services contributed to this report.

http://www.chicagotribune.com/tech/economy/article/0,2669,ART-41907,FF.html

-- Martin Thompson (mthom1927@aol.com), February 12, 2000
