Dark side of cyberlife

Services catering to consumer demands for convenience are rising all over the Web, but they may pose some of the weakest security links of all.

By Sandeep Junnarkar
Staff Writer, CNET News.com
May 2, 2002, 3:30 AM PT

Alec Wilder was livid when he realized that the only way to pay for Yahoo's e-mail forwarding service was to sign up for the company's electronic payment system.

The technology consultant was concerned about the security of his personal information stored in Yahoo's so-called digital wallet, a product that keeps login names, credit card numbers and shipping addresses for automatic online transactions.

"No one can prevent break-ins, and eventually there will be a break-in," Wilder said. "I feel as though I have no security right now."

Wilder's sentiments epitomize the fears that many consumers harbor about keeping critical information in online wallets. Their concerns are well-founded: Security experts say that such services may present some of the weakest links among the various technologies used to safeguard private information, including data used for online banking.

The issue is likely to escalate as industry powerhouses such as AOL Time Warner, Microsoft, IBM and Sun Microsystems rely on digital wallets as the keys to the kingdom of Web services, the next generation of highly personalized Internet commerce for individuals and companies. The thinking is that consumers and businesses will store vital information in so-called authentication technologies for everything from online payments to communication.

A grand plan, but one with a major Achilles' heel for online banking and other secure transactions. Even if financial institutions are as secure as Fort Knox, hackers might still be able to tunnel in through a Web services hole.

"Web services absolutely will create new security weaknesses. These services are not being designed by bankers," said James Molini, chief executive of security firm Brink's Internet Security and a former executive for data security at First USA Bank. "Many services we see, especially those built by smaller firms, are not actually built using real financial security people. As a result, they don't really know how to even comply with federal regulation sometimes regarding the security of their system."

Because the move to Web services technology is just beginning, security plans are far from complete. But the rush to join the hypercompetitive online services field could create ideal circumstances for hackers to exploit relatively untested products, especially those that rely on existing technologies that have already been proven weak in security.

Even those who have never used the Internet to bank, trade stocks or shop could be vulnerable because the type of information typically used to gain access to accounts can be stored in systems with various levels of security. For example, an employer may keep such records as Social Security numbers, birth dates, addresses and family members' names in human resource files managed by an outside company.

Therein lies the greatest threat: A hacker or rogue insider could mine this information from other databases and use it to break in to a bank account without setting off any alarm bells at the financial institution beforehand. Data transmitted between two companies are usually encrypted, security experts say, but the databases on either end of the pipes are not.

Those concerns are part of the reason that Microsoft is rethinking its consumer Web services plan, called .Net My Services. The plan originally called for Microsoft to serve as the primary host for consumers' private information, but potential partners and privacy advocates criticized that idea because of Microsoft's frequent security problems with its products and Web sites.

"If banks expose their financial services as Web services, it means the entire chain has to be secure all the way from the client to the registry to the back end," said Ravi Balakrishnan, who represented a Fortune 100 technology company in several Web services standards organizations. "How can a bank trust a Web service is not creating a weak link into its systems at any point along the way?"

Financial institutions have long been reluctant to allow technology companies to become the security gateway and repository of their customers' assets and personal information. That is one reason the high-tech industry is redoubling efforts to create security standards.

In April, Sun named two of its pre-eminent researchers to new, high-ranking security posts. The responsibilities in those positions will include creating safeguards for Web services standards group the Liberty Alliance Project, which the company formed along with AOL Time Warner and others as a counterweight to Microsoft. Around the same time, Microsoft, VeriSign and IBM said they were teaming to create encryption guidelines for Web services.

Weighty wallets

Microsoft, the most prominent proponent of Web services, has signed up some notable partners for its Passport technology--the identification system needed to use many of its Web services. In March, Citigroup agreed to use the technology for password protection, online authentication and messaging services. Bank One also agreed to use the Microsoft product in December.

Although Citigroup and Bank One plan to use Passport authentication as only one phase of a multistep security process, critics warn that Microsoft does not have the best track record when it comes to security in general. In February, just one day after Microsoft released a software tool that could be used to create Web services, security specialists discovered a flaw that could have allowed developers to unknowingly write vulnerable programs.

"As every service offered by Microsoft becomes part of the .Net scheme, a single vulnerability in a user's accounts in one of these services gives skilled cybercriminals access to all of the other services," a security researcher known as Obscure said in an interview with CNET News.com.

In an article last year, Obscure described a way to breach Passport's authentication process by fooling the system into sending the hacker a "session cookie"--a small piece of code sent by Web sites to a person's computer used to recognize and authenticate returning visitors. Obscure showed how to exploit "cross-site scripting," a common vulnerability that could allow a hacker access to all of a customer's account transactions. The victim could click a seemingly trusted link that the hacker has embedded with malicious code, thereby revealing his or her credentials to the hacker.
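As an added illustration that is not part of the article or of Obscure's paper: the two standard defenses against the session-cookie theft described above, output encoding of untrusted input and marking the session cookie HttpOnly and Secure, shown in Python on a constructed page template.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input (not from the article): a search term carrying
# script markup, the kind of text a malicious link would smuggle into a page.
SAMPLE_TERM = "<script>alert(1)</script>"


def render_unescaped(term: str) -> str:
    # Vulnerable pattern: untrusted input is dropped into HTML verbatim,
    # so markup in the input becomes part of the page and runs in the
    # victim's browser with access to document.cookie.
    return f"<p>Results for: {term}</p>"


def render_escaped(term: str) -> str:
    # Hardened pattern: encode <, >, &, and quotes so the input is shown
    # as text and can never be interpreted as markup.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    # Detection helper: does the rendered page still contain live script markup?
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    # Issue the session cookie so that page scripts cannot read it (HttpOnly)
    # and it is only sent over HTTPS (Secure); even a script that does run
    # in the page cannot then forward the cookie to the attacker.
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_TERM))
    print(render_escaped(SAMPLE_TERM))
    print(session_cookie_header("constructed-session-id"))
```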

"The issues outlined in my Microsoft Passport paper are still a reality," Obscure said. "Although the specific examples I describe in my paper have been patched by the Microsoft security team, from time to time we see new reports on security lists such as Bugtraq and Vuln-Dev of similar examples making use of the same issues described in my paper."

Bugtraq listed several cross-site scripting and malicious JavaScript exploits in April.

"Many of these vulnerabilities allow for rogue Web sites to steal the cookies and modify the content in the victim's browser," said David Ahmad, the moderator of Bugtraq, one of the leading mailing lists dedicated to reports of software vulnerabilities. "This opens up a wide range of possible attacks against Passport, .Net and any other Web-based systems."

Computer worms and viruses also present a major threat. Take the case of a set of worms now on the loose across the Web that allow an attacker to seize control of someone's MSN Messenger session by running malicious code. Microsoft has released patches for the "Js.CoolNow" and "JS_MENGER.GEN" worms, but they continue to infect systems that have not been repaired.

"As long as people are using Windows-based machines that are vulnerable to attack, doing authentication on a large scale is a bad idea," said Aviel Rubin, a security researcher at AT&T Labs.

Microsoft is by no means the only company creating technologies that may prove vulnerable to attack. In March, Bugtraq issued an advisory that Sun's Java Virtual Machine--a component of Java that converts the programming language into something the computer can understand--had a major vulnerability.

According to Bugtraq, it was possible for a certain type of Java code to perform an illegal function without detection and, in the process, allow a hacker to hijack a Java Virtual Machine used by someone else. Java is an integral part of Sun's Web services plans.

Cracks have been found in IBM's technologies as well--two as recently as April. According to Bugtraq, flaws in a particular module in one of IBM's Informix databases could be exploited to weaken security and expose sensitive information.


Oracle's 9i application server, software that runs many e-commerce sites and online services, has also had its share of security problems. Bugtraq reported in February that two glitches in the software's programming could allow an attacker to gain access to some critical source code and content. In both cases, a hacker could find private information such as database IDs and passwords.

In addition, hackers could exploit some systems running Oracle's application server with a "buffer overflow" attack that unleashes malicious code. In this kind of attack, a hacker overloads a system with characters, some of which run code that allows the attacker to hijack a machine.

Although the flawed IBM and Oracle products are not unique to Web services, they can be used as building blocks for these technologies. More holes have been reported about Microsoft's products than for those of its competitors, but Ahmad said this does not necessarily mean that rival technologies are more secure, particularly for the young Web services business.

"The fewer number of vulnerabilities is not indicative of their security," he said. "Perhaps their software has not been scrutinized enough yet."

In the meantime, consumers may be signing up for authentication services that they don't even want. A new study by research firm Gartner showed that the majority of those who signed up for Passport did so as a requirement to use services like Hotmail and MSN Messenger, not to conduct financial transactions.

Many consumers were unaware that they had signed up for an authentication service at all. But that may change as they learn of the inherent security risks in such technologies.

Ari Schwartz, associate director at the Center for Democracy & Technology, a consumer advocacy group, said consumer awareness will rise as security invasions continue. "As you aggregate more information, it becomes a honey pot for hackers," he said.


People in the know give advice for lowering your risks when using wallet and other online services.

James Molini, CEO of Brink's Internet Security:

"If you have a cable modem or DSL, get a firewall. Use either a firewall box that protects your entire network or use software on every PC. Then make sure that you have updated virus protection at all times. More than 10,000 home PCs are already remotely controlled by hackers.

"Get a separate credit card for all of your online shopping and keep a low limit on that card. Cards used online are at least twice as likely to be stolen as cards kept in your wallet.

"Find out who you are dealing with before you shop or give out your personal information. Many of the Web sites out there aren't covered by U.S. consumer-protection laws. You need to protect yourself."

Obscure, an independent security researcher:

"It is best to only give out your real name and information when absolutely required. This means making use of a pseudo-identity when filling out forms on Web sites.

"Keeping the Web browser up-to-date is very important. Attackers have a wide variety of exploits--especially for Internet Explorer--to choose from."

Hale Guyer, a special investigator and member of the Illinois Attorney General's Task Force on Internet Crime and Child Exploitation:

"Make sure that you check your credit card statement every month to make sure there are no unauthorized charges, and be sure to promptly dispute any if found in a timely manner--not very 'geekish,' but the best advice."

Laura Koetzle, security analyst at research firm Forrester:

"Consumers need to be aware of legislative issues around privacy protection. As voters, they should pay attention to and vote for people who have the right ideas about data privacy and protection."

Ari Schwartz, associate director at the Center for Democracy and Technology:

"If you have a broadband connection, it is essential to make sure that you have updated firewall protection.

"Read the privacy policies of sites you visit. If they are written in legalese or you don't trust them...don't shop there. And let them know why."

Christopher Payne, Microsoft vice president of the .Net Core Services Platform:

"Consumers and small businesses should look for mature, stable companies that have been operating high-scale services for some time."

Stanton McCandlish, technology director and online activist at the Electronic Frontier Foundation:

"Convenience comes at much too steep a price. Basically avoid using those ID authentication systems. There's not much more you can do today but to not participate.

"The best solution doesn't exist yet: Full cookie-management abilities are built into the browsers themselves. Only increased user pressure on Microsoft, Netscape and other browser makers can make this happen. You may wish to contact the company that makes your browser software and demand these essential features in the next version."