Our Full-Service B2B Marketing Program Delivers Sales-Ready Leads Click to Learn More!
Welcome Guest | Sign In
Rakuten Super Logistics

E-Commerce Security Advisories Go Unheeded

By Matthew Beale
Jun 2, 1999 12:00 AM PT

In an environment charged with a major China espionage scandal, and electronic attacks on the official Web sites of the White House, the Senate, and the FBI, the issue of online security remains a critical one.

E-Commerce Security Advisories Go Unheeded

E-commerce sites aren't being spared from recent waves of security breaches, though they could be doing more to immunize themselves, according to some security experts.

Whether staying vigilant about the latest software updates -- and the occasional patch -- or taking the time to read security advisories, experts believe that solutions do exist -- if IT departments are willing to invest the time and effort to seek them out.

Cold Fusion Compromise

L0pht, an independent online security site, recently disclosed that a full month after it had posted an advisory regarding a security problem with the Allaire Cold Fusion Server, sites are still being attacked.

For example, the official Web site of the State of Vermont was the victim of a hack attack that changed site. The resulting damage featured the phrase, "so how does it feel to be owned?" -- along with some other unpleasant messages left by the perpetrator(s) "Hackfactor X." The damage is still available for viewing at attrition.org.

The Power of Full Disclosure

Originally disclosed in the December 25, 1998 issue of Phrack Magazine, the problem involves the online documentation, which is installed by default. According to Phrack, the vulnerability allows web users to not only view files anywhere on the server, but delete other data and upload potentially executable files.

L0pht, in the process of conducting merely "a cursory survey," found that "many large corporate and e-commerce sites using Cold Fusion" were vulnerable. Allaire has posted a fix on their Web site, and users can access detailed fix information online through L0pht as well.

Another recent and more widely reported security problem announced by L0pht involves Microsoft's Internet Information Server (IIS) 4.0. According to the group's advisory, transaction logs and other customer information such as credit card numbers, shipping addresses and purchase information in text files stored on servers could be compromised.

Administrators will need to change security settings in order to fix the problem. L0pht feels that its policy of "full disclosure" has been effective, as in the case with Microsoft, to force companies to publicly disclose vulnerabilities.

Entrust No One?

Entrust Technologies, Inc. (Nasdaq: ENTU), in an apparent move to challenge VeriSign, Inc. (Nasdaq: VRSN), recently announced the establishment of Entrust.Net, a new company that will offer secure e-commerce transaction management.

Entrust, known for its business-to-business Internet security software, hopes to become a leader in providing secure Web Site solutions.

How do you feel about the latest wave of automation fueled by tech advances?
It's happening much too quickly, and too many jobs are at stake.
Automation means progress -- it's inevitable.
It depends on the quality of the systems and how they're used.
Automation fosters ignorance by taking over too many human tasks.
Automation frees people from boring, mind-numbing jobs.
Rakuten Super Logistics