E-Commerce Security Advisories Go Unheeded

In an environment charged with a major China espionage scandal, and electronic attacks on the official Web sites of the White House, the Senate, and the FBI, the issue of online security remains a critical one.

E-commerce sites aren’t being spared from recent waves of security breaches, though they could be doing more to immunize themselves, according to some security experts.

Whether staying vigilant about the latest software updates — and the occasional patch — or taking the time to read security advisories, experts believe that solutions do exist — if IT departments are willing to invest the time and effort to seek them out.

Cold Fusion Compromise

L0pht, an independent online security site, recently disclosed that a full month after it had posted an advisory regarding a security problem with the Allaire Cold Fusion Server, sites are still being attacked.

For example, the official Web site of the State of Vermont was the victim of a hack attack that changed site. The resulting damage featured the phrase, “so how does it feel to be owned?” — along with some other unpleasant messages left by the perpetrator(s) “Hackfactor X.” The damage is still available for viewing at attrition.org.

The Power of Full Disclosure

Originally disclosed in the December 25, 1998 issue of Phrack Magazine, the problem involves the online documentation, which is installed by default. According to Phrack, the vulnerability allows web users to not only view files anywhere on the server, but delete other data and upload potentially executable files.

L0pht, in the process of conducting merely “a cursory survey,” found that “many large corporate and e-commerce sites using Cold Fusion” were vulnerable. Allaire has posted a fix on their Web site, and users can access detailed fix information online through L0pht as well.

Another recent and more widely reported security problem announced by L0pht involves Microsoft’s Internet Information Server (IIS) 4.0. According to the group’s advisory, transaction logs and other customer information such as credit card numbers, shipping addresses and purchase information in text files stored on servers could be compromised.

Administrators will need to change security settings in order to fix the problem. L0pht feels that its policy of “full disclosure” has been effective, as in the case with Microsoft, to force companies to publicly disclose vulnerabilities.

Entrust No One?

Entrust Technologies, Inc. (Nasdaq: ENTU), in an apparent move to challenge VeriSign, Inc. (Nasdaq: VRSN), recently announced the establishment of Entrust.Net, a new company that will offer secure e-commerce transaction management.

Entrust, known for its business-to-business Internet security software, hopes to become a leader in providing secure Web Site solutions.