Marketingweb.com: Internet Security for Small Business Interview - Lincoln Stein Internet Security Author and Expert

MARKETINGWEB.COM FORUM TRANSCRIPTS
INTERVIEW SERIES 1998 - 1999

WEB SECURITY FOR SMALL BUSINESS

Guest: Lincoln Stein, Author, Web Security: A Step-By-Step Reference Guide
Interviewer: Diane Watlov-Collins, President, MARKETINGWEB.COM
Date: April 21, 1999

Welcome to the MARKETINGWEB.COM Forum! The purpose of this Forum is to provide online discussion concerning the methods of Internet marketing.

** Marketingweb enters.

Marketingweb: Internet Marketing: Guest Speaker Series, April 21, 1999

Marketingweb: Topic - Web Security

Marketingweb: Our guest tonight is Lincoln Stein. Mr. Stein is the author of Web Security: A Step-By-Step Reference Guide, as well as the World Wide Web Security FAQ. He is a renowned authority on Internet security issues.

** LStein enters.

Marketingweb: Welcome, Lincoln.

LStein: Hi, here I am!

Marketingweb: Glad you could make it!

LStein:I am very happy to be here. Thanks for inviting me.

Marketingweb: Are you ready to get started?

LStein: Anytime

Marketingweb: What do you consider to be the greatest security risk to online businesses today?

LStein: Everyone is scared of a well-publicized security fiasco in which lots of customer information is compromised, or, heaven forbid people are defrauded en masse. If such an event succeeds in lowering consumer confidence in the security of the web the growing e-commerce movement might be stunted or nipped in the bud.

LStein: As it happens, C/Net is about to publish a story about massive shopping cart script problems. Dozens of freeware and commercial shopping cart programs contain bugs which end up making private customer information available to anyone on the web. You can find this confidential information just by searching for the right keywords in your favorite web search engine!!!!!!

LStein: This is the sort of thing that erodes the public's confidence in e-commerce. Unfortunately it happens a lot.

Marketingweb: Are you serious!?

LStein: Absolutely. The article will be out sometime this week. They've held off in order to give shopping cart authors some time to repair the damage.

Marketingweb: Could this lead to some serious law suits?

LStein: Thankfully, I'm not a lawyer. Also thankfully, I'm not one of the authors of one of the offending shopping cart programs.

LStein: In fairness, the problem is not only with the shopping carts, but with the webmasters who misconfigure the scripts.

Marketingweb: That should save a few heads.

LStein: It will certainly cause some finger pointing.

Marketingweb: Would you then say the problem was coding related or were the users not properly informed on how to upload or configure the program?

LStein: The basic flaw is that many shopping cart programs write out their results into a text file rather than into a database of some sort. Unfortunately, many webmasters made the mistake of having the text file written into the web document tree, where anyone can read it (provided they know the URL or can look it up in a search engine).

Marketingweb: Could this problem be fixed with a simple robots.txt?

LStein: No way. These days the search engines aren't respecting robots.txt, but instead using it as a guide to find where the "juicy" material is.

Marketingweb: I was afraid of that!

LStein: It's like responding to spam mail. As soon as you reply to the address that says "respond to take your name off the mailing list" they've nailed you!

Marketingweb: And then there is competitive corporate spidering (spying) of your site.

LStein: I wouldn't know about that ;-)

Marketingweb: Of course, in our case...the portals are competitors!

Marketingweb: The shopping cart security breach is a primary example of the online business nightmare.

Marketingweb: How can businesses protect themselves and their users?

LStein: The article, when it's published, will list six or so of the biggest offenders. The best thing to do would be to contact your shopping cart's vendor (or freeware author), and seek advice on what to do. Security holes are easy to introduce, and hard to identify without expert help.

Marketingweb: What are some of the possible security breaches in the following scenario?

Marketingweb: A company sells information over the Internet. The information is only available to clients who have paid for password access. Password access is controlled by a cgi script written in Perl 5. All password documents reside in a special html file.

LStein: Some security breaches affect the customer, and some affect the company.

LStein: Ways the company can lose:

LStein: - user shares his password with all his friends...

LStein: - user writes his password down on a piece of paper, puts it in his wallet, and his wallet is stolen. Password shows up on a BBS.

LStein: intruder installs a packet sniffer on the user's ISP, intercepts his password.

LStein: - intruder installs a packet sniffer on the user's ISP, steals the confidential documents, resells them

LStein: -server is broken into. confidential documents are stolen, vandalized or altered

LStein: - the CGI script that does the authentication contains a bug that allows users to get access to the documents without typing in a password (don't laugh, this happens frequently)

LStein: - the CGI script doesn't detect password guessing activity, allowing someone to write a script that guesses passwords by brute force.

LStein: Here are some ways the client can lose:

LStein: - Someone steals his password and then uses it to run up a huge bill.

LStein: - client uses same password for everything... including his e-mail

LStein: -user's machine is compromised by a virus hidden in an e-mail message, or a javascript page. This virus compromises his browser software and intercepts his password (this has happened too).

LStein: .... I think that's enough for now....

Marketingweb: You've given me plenty to think about!

Marketingweb: Can we back up for a moment?

LStein: Please.

Marketingweb: What is a packet sniffer?

LStein: A packet sniffer is a small program which intercepts all network traffic flowing across a machine. Sniffers are essential tools for network administration, but can be misused by hackers to intercept other people's conversations.

LStein: A favorite use of packet sniffers is to intercept passwords and confidential documents.

LStein: To install a packet sniffer, a hacker has to break into one of the computers used by the merchant or the client, or any computer on the path between the two...

LStein: For practical reasons, the favorite place to put a packet sniffer is on an Internet Service Provider's machine, because these are often poorly protected and LOTS of traffic goes through them.

Marketingweb: It almost sounds too simple.

LStein: One of my favorite demos was one that I did at the WWW6 conference in Santa Clara, CA. Down the hall from my security tutorial they had set up a bunch of Macintoshes connected to the Internet and people were browsing the web, reading e-mail, etc. I just plugged my laptop into the network at the podium, and was able to intercept all their traffic.

LStein: I recovered about a dozen passwords and usernames in the course of a minute, all while the audience was watching.

Marketingweb: I think we want you on our side!

LStein: Cable modems are bad too. Everyone in your neighborhood can listen in on you!

LStein: Let me modify that...

Marketingweb: Great! I'm on a cable connection!

LStein: SOME cable modem systems are like party lines. Others aren't.

Marketingweb: Please specify.

LStein: There are a variety of cable modem systems. Some broadcast network traffic to everyone in the area (that is, everyone connected to the same central switch), these are the risky systems. Other systems either encrypt communications, or are designed in such a way that the connection to the switch is private, and don't allow eavesdropping.

LStein: Unfortunately, the only way to find out what type you've got is to ask your cable company about it, or find a friendly hacker to check for you.

Marketingweb: That is very interesting. Can a company secure its information on the Internet?

LStein: A good way to secure information is to encrypt it at the sending end and decrypt it at the receiving end. This is one of the functions of Virtual Private Networks (VPNs).

LStein: Other encrypting products include: PGP (pretty good privacy), SSL (secure sockets layer), SET (secure electronic transactions), PPTP (Microsoft point to point tunneling protocol), and SSH (secure shell).

Marketingweb: How does a company make a choice on what to use?

LStein: Each of these systems is very different, and each has a different purpose. PGP is most useful for securing e-mail. SSL is good for securing web communications,

LStein: SET is good for credit card transactions, PPTP is good for dialins, and SSH is good for remote interactive sessions, like telnet.

LStein: The most general systems are VPNs, which basically open up a secure connection between two private intranets, merging the two intranets into one. The connection can go over the Internet safely because it is encrypted.

Marketingweb: Online businesses want to "track" their clients online as much as possible in order to determine how best to serve their product needs. How can a company do this effectively without invading the privacy of the customer/user?

LStein: The easiest way is not to collect identifying information, such as name, employer, or e-mail address. However most companies will need to collect this information, if only to fulfill orders. If so, it's a nice idea to collect the information in a way that is compliant with the European Privacy Directive, which is the first really comprehensive statement on electronic privacy rights.

LStein: The Directive calls for full informed consent by the user, the ability of a user to review his data record at any time, and the right to challenge the contents of the data record. It also forbids sharing personal information with other parties without obtaining full prior consent by the user.

LStein: This sort of thing leads ultimately to increased customer confidence, and is a good idea when dealing in the international market particularly.

Marketingweb: How well accepted is the Directive? Is it commonly used?

LStein: The Privacy Directive went into force in the European Community in October of 1998 and is completely in force there. One of the interesting things about the directive is that it makes it illegal for European states to do business with companies outside Europe that do not make "adequate" provisions to protect European citizens' privacy. Few American web sites are compliant with the directive. There haven't been any lawsuits yet, but the EC is engaged in a lot of discussion with the Clinton administration, and it's shaping up to be a major issue.

LStein: And you thought the banana wars were bad!

Marketingweb: Is there an organization which certifies your site as compliant? Is there a graphic that you display for recognition value?

LStein: There isn't one that I'm aware of. The Europeans want the U.S. to set up a governmental certifying agency, and the administration has resisted, for obvious reasons.

LStein: However, this does not negate the wisdom of reviewing the directive and trying to be compliant with it (and maybe even putting up a statement to that effect). It is mostly common sense, and is very reassuring to users.

Marketingweb: Would the Europeans consider this adequate provision?

LStein: It has not been tested.

LStein: I should add that there are agencies such as TrustE, which will certify sites as adhering to their privacy policies. However, none of these policies have been designed to be compatible with the privacy directive. But they're a start.

Marketingweb: I agree. Some major companies on the web state they will only conduct business with sites that have clearly stated privacy policies.

LStein: I think that privacy issues will become a major factor in e-commerce, particularly as the spam mail problem reaches critical levels.

Marketingweb: I agree. May we return to Intranets for a moment?

LStein: Certainly.

Marketingweb: Companies worry about Intranet security.

Marketingweb: What are some of the common problems associated with this scenario and how are they best addressed?

LStein: Is this the scenario in which a company is using the same web site for intranet and internet?

Marketingweb: Yes.

LStein: OK. Well the easiest way to avoid your intranet being compromised from an external threat (i.e. a hacker breaking in) is to use a well-configured firewall system. Put the external web site outside the firewall, and keep the intranet server inside the firewall. Putting both internal and external pages on the same server is asking for trouble.

LStein: If sales people on the road need access to the intranet, they can get it via dial-ins, or VPNs, or PPTP, or a number of other technologies.

LStein: The thing you don't want to forget is the insider threat. These are much more likely than the external threat, and are often more damaging. The disgruntled employee armed with a floppy disk is a formidable opponent, because he knows your systems, has access, and knows where to inflict the most damage.

Marketingweb: Other than never firing anyone...how do you handle this?

LStein: Good personnel management policies. And when someone needs to be fired, shut down his access quickly.

Marketingweb: Lincoln, you are an author and a guest lecturer. Do you offer services as a consultant as well?

LStein: I'm afraid I don't. I have a full-time job as a database developer for the human genome project, and I have my hands full as it is!

Marketingweb: When is you next lecture?

LStein: I'm giving a full-day tutorial in Boston next Wednesday (April 28) on advanced Perl programming for the Web. Then I'm giving a security tutorial at the 8th international World Wide Web conference in Toronto on May 11th.

Marketingweb: How can people sign up?

LStein: For the Perl tutorial, visit O'Reilly's Web site at http://www.ora.com and look for the tutorial programme. There is also a tutorial in Monterey, CA on May 6, which I will be giving.

LStein: For the WWW8 conference, see http://www.www8.org

Marketingweb: I'll go for the Monterey conference. Is there another book in the works?

LStein: I just published "Programming Apache Modules in Perl and C", with Doug MacEachern (O'Reilly and Assoc). It's a great book for anyone seeking to create high-performance Web pages for the Apache web server. I'm also working on a book called "Perl Client/Server Programming", which will be published by Addison Wesley sometime next year.

Marketingweb: We will get the word out to our Community!

LStein: Much thanks.

Marketingweb: You have given us some outstanding information, Lincoln. We appreciate your willingness to participate.

LStein: Any time. Good night!

Marketingweb: Good night!

**LStein exits.

**Marketingweb exits.