Dark side of cyberlife
By Sandeep Junnarkar
Staff Writer, CNET News.com
May 2, 2002, 3:30 AM PT
The technology consultant was concerned about the security of his personal information stored in Yahoo's so-called digital wallet, a product that keeps login names, credit card numbers and shipping addresses for automatic online transactions.
"No one can prevent break-ins, and eventually there will be a break-in," Wilder said.
Wilder's sentiments epitomize the fears that many consumers harbor about keeping critical information in online wallets. Their concerns are well-founded: Security experts say that such services may present some of the weakest links among the various technologies used to safeguard private information, including data used for online banking.
The issue is likely to escalate as industry powerhouses such as AOL Time Warner, Microsoft, IBM and Sun Microsystems rely on digital wallets as the keys to the kingdom of Web services, the next generation of highly personalized Internet commerce for individuals and companies. The thinking is that consumers and businesses will store vital information in so-called authentication technologies for everything from online payments to communication.
A grand plan, but one with a major Achilles' heel for online banking and other secure transactions. Even if financial institutions are as secure as Fort Knox, hackers might still be able to tunnel in through a Web services hole.
"Web services absolutely will create new security weaknesses. These services are not being designed by bankers," said James Molini, chief executive of security firm Brink's Internet Security and a former executive for data security at First USA Bank. "Many services we see, especially those built by smaller firms, are not actually built using real financial security people. As a result, they don't really know how to even comply with federal regulation sometimes regarding the security of their system."
Because the move to Web services technology is just beginning, security plans are far from complete.
Even those who have never used the Internet to bank, trade stocks or shop could be vulnerable because the type of information typically used to gain access to accounts can be stored in systems with various levels of security. For example, an employer may keep such records as Social Security numbers, birth dates, addresses and family members' names in human resource files managed by an outside company.
Therein lies the greatest threat: A hacker or rogue insider could mine this information from other databases and use it to break in to a bank account without setting off any alarm bells at the financial institution beforehand. Data transmitted between two companies are usually encrypted, security experts say, but the databases on either end of the pipes are not.
Those concerns are part of the reason that Microsoft is rethinking its consumer Web services plan, called .Net My Services. The plan originally called for Microsoft to serve as the primary host for consumers' private information, but potential partners and privacy advocates criticized that idea because of Microsoft's frequent security problems with its products and Web sites.
Financial institutions have long been reluctant to allow technology companies to become the security gateway and repository of their customers' assets and personal information. That is one reason the high-tech industry is redoubling efforts to create security standards.
In April, Sun named two of its pre-eminent researchers to new, high-ranking security posts. The responsibilities in those positions will include creating safeguards for Web services standards group the Liberty Alliance Project, which the company formed along with AOL Time Warner and others as a counterweight to Microsoft. Around the same time, Microsoft, VeriSign and IBM said they were teaming to create encryption guidelines for Web services.
Although Citigroup and Bank One plan to use Passport authentication as only one phase of a multistep security process, critics warn that Microsoft does not have the best track record when it comes to security in general. In February, just one day after Microsoft released a software tool that could be used to create Web services, security specialists discovered a flaw that could have allowed developers to unknowingly write vulnerable programs.
"As every service offered by Microsoft becomes part of the .Net scheme, a single vulnerability in a user's accounts in one of these services gives skilled cybercriminals access to all of the other services," a security researcher known as Obscure said in an interview with CNET News.com.
In an article last year, Obscure described a way to breach Passport's authentication process by fooling the system into sending the hacker a "session cookie"--a small piece of code sent by Web sites to a person's computer used to recognize and authenticate returning visitors. Obscure showed how to exploit "cross-site scripting," a common vulnerability that could allow a hacker access to all of a customer's account transactions. The victim could click a seemingly trusted link that the hacker has embedded with malicious code, thereby revealing his or her credentials to the hacker.
"The issues outlined in my Microsoft Passport paper are still a reality," Obscure said. "Although the specific examples I describe in my paper have been patched by the Microsoft security team, from time to time we see new reports on security lists such as Bugtraq and Vuln-Dev of similar examples making use of the same issues described in my paper."
Bugtraq listed several cross-site scripting and malicious JavaScript exploits in April.
"Many of these vulnerabilities allow for rogue Web sites to steal the cookies and modify the content in the victim's browser," said David Ahmad, the moderator of Bugtraq, one of the leading mailing lists
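The two defensive measures that address the cookie-theft scenario described above are encoding untrusted input before it is written into a page, so that script injected through a crafted link arrives as inert text, and flagging the session cookie so that page scripts cannot read it at all. The following is an added example written for this page, not code from the article or from any of the companies it names; the function names, the sample cookie headers and the injected value are constructed for illustration.

```javascript
// Added example (not from the CNET article): two defensive measures against
// the session-cookie theft via cross-site scripting described in the text.
//  1. Encode untrusted input before inserting it into HTML, so that a script
//     injected through a crafted link is rendered as text, not executed.
//  2. Mark the session cookie HttpOnly (not readable by page script) and
//     Secure (never sent over plaintext HTTP).
// All names and sample values below are constructed for illustration.

// Characters that are significant in HTML element content and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a string for safe insertion into element content or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: a request parameter is concatenated straight into the
// page. This is the pattern a reflected cross-site scripting hole relies on.
function renderGreetingUnsafe(name) {
  return `<p>Welcome back, ${name}</p>`;
}

// Hardened rendering: the same template, but the parameter is encoded first.
function renderGreetingSafe(name) {
  return `<p>Welcome back, ${escapeHtml(name)}</p>`;
}

// Crude check used only to illustrate the difference between the two renderers:
// does the produced markup contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Parse a Set-Cookie header value into the cookie name and a lower-cased set
// of attribute names (Path, HttpOnly, Secure, ...).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attributes = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, attributes };
}

// A session cookie should carry both HttpOnly and Secure. Return whichever of
// the two is missing, so a deployment check can flag weak cookies.
function missingSessionCookieFlags(header) {
  const { attributes } = parseSetCookie(header);
  return ['httponly', 'secure'].filter((flag) => !attributes.has(flag));
}

// Constructed sample input: the kind of value a crafted link would place in a
// name parameter. The script body is immaterial; what matters is whether it
// reaches the page as markup or as text.
const INJECTED_NAME = '<script>alert("xss")</script>';

// Constructed sample Set-Cookie headers, weak and hardened.
const WEAK_COOKIE = 'session=abc123; Path=/';
const HARDENED_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure';

function demo() {
  console.log('unsafe render :', renderGreetingUnsafe(INJECTED_NAME));
  console.log('safe render   :', renderGreetingSafe(INJECTED_NAME));
  console.log('weak cookie missing    :', missingSessionCookieFlags(WEAK_COOKIE));
  console.log('hardened cookie missing:', missingSessionCookieFlags(HARDENED_COOKIE));
}

demo();
```

The encoding function is context-specific: it is correct for element content and quoted attribute values, and would not by itself be sufficient for data placed inside a script block, a URL or a CSS property, each of which needs its own encoder. The cookie check is deliberately simple; it reads the flags a server emits rather than proving that no script can reach the cookie, which is a browser-side guarantee.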
Computer worms and viruses also present a major threat. Take the case of a set of worms now on the loose across the Web that allow an attacker to seize control of someone's MSN Messenger session by running malicious code. Microsoft has released patches for the "Js.CoolNow" and "JS_MENGER.GEN" worms, but they continue to infect systems that have not been repaired.
"As long as people are using Windows-based machines that are vulnerable to attack, doing authentication on a large scale is a bad idea," said Aviel Rubin, a security researcher at AT&T Labs.
Microsoft is by no means the only company creating technologies that may prove vulnerable to attack. In March, Bugtraq issued an advisory that Sun's Java Virtual Machine--a component of Java that converts the programming language into something the computer can understand--had a major vulnerability.
According to Bugtraq, it was possible for a certain type of Java code to perform an illegal function without detection and, in the process, allow a hacker to hijack a Java Virtual Machine used by someone else. Java is an integral part of Sun's Web services plans.
Cracks have been found in IBM's technologies as well--two as recently as April. According to Bugtraq, flaws in a particular module in one of IBM's Informix databases could be exploited to weaken security and expose sensitive information.
In addition, hackers could exploit some systems running Oracle's application server with a "buffer overflow" attack that unleashes malicious code. In this kind of attack, a hacker overloads a system with characters, some of which run code that allows the attacker to hijack a machine.
Although the flawed IBM and Oracle products are not unique to Web services, they can be used as building blocks for these technologies. More holes have been reported about Microsoft's products than for those of its competitors, but Ahmad said this does not necessarily mean that rival technologies are more secure, particularly for the young Web services business.
"The fewer number of vulnerabilities is not indicative of their security," he said. "Perhaps their software has not been scrutinized enough yet."
In the meantime, consumers may be signing up for authentication services that they don't even want. A new study by research firm Gartner showed that the majority of those who signed up for Passport did so as a requirement to use services like Hotmail and MSN Messenger, not to conduct financial transactions.
Many consumers were unaware that they had signed up for an authentication service at all. But that may change as they learn of the inherent security risks in such technologies.
Ari Schwartz, associate director at the Center for Democracy & Technology, a consumer advocacy group, said consumer awareness will rise as security invasions continue. "As you aggregate more information, it becomes a honey pot for hackers," he said.
