The Marketleap Report
Vol. 1 - Issue #3 - April 6, 2001

Who's Watching the Server? - Security and the Web
By Keith Boswell
As the guardian of 40 million+ e-mail addresses and records of 3.5 billion transactions conducted by over 90 million households, DoubleClick is one of the largest collectors of consumer tracking information on the web.

DoubleClick also runs one of the leading online advertising networks, selling ad space for thousands of web sites. In the past week, it has been in the headlines three times, each time for having been compromised by malicious hackers.
At first, DoubleClick denied there were any problems. However, some customers were unable to access their DoubleClick accounts. By Friday, DoubleClick issued a statement confirming a Wall Street Journal story that the company had shut down some of its servers to investigate the attacks.
"While the attempt to access our systems appears to be mischievous in nature, we take seriously any attempt to compromise the security of our systems," said Jules Polonetsky, the company's chief privacy officer, in the statement. "We do not believe that there has been any serious impact to our networks, but we are working aggressively to ensure the integrity of our systems."
Each of the holes the hackers exploited to enter DoubleClick's systems could have been sealed. Each break-in occurred because DoubleClick had not installed security patches for its Microsoft NT web servers, patches that had been available for months. In its statement to the press, DoubleClick said the patches would be applied now that it was aware of the vulnerability.
DoubleClick assures the web community that it goes to great lengths to protect consumer privacy from unethical commercial use. It does not appear prepared to defend that same information from criminals looking to steal it.

The lines between the two should be indistinguishable. We would never want criminals to have the information because of the monetary damage the loss would cause. Yet DoubleClick is clearly more concerned with defending the information from those who would sell its lists to marketers. Are the marketers really more of a threat than the criminals?
In the past week, another security glitch occurred at Microsoft. Someone posed as a Microsoft employee and received two digital certificates from Verisign. Digital certificates are used in secure web transactions to prove the identity of the sender. They are meant to ensure you receive reliable downloads from trusted sources.

In effect, someone now has the ability to look just like Microsoft to an unsuspecting web user. That user could download and then execute a piece of potentially damaging software that they believe Microsoft created.

Microsoft was quick to issue a patch for the problem, but look to the example of large companies like DoubleClick, which never follow up with patches, to imagine how unsuccessful that notification might be.
If you want to get an idea of just how bad the problem has become, listen to some of the findings from the CanSecWest security conference that wrapped up in Canada this week.

Lance Spitzner works as a security engineer for Sun Microsystems. He is also the founder of the Honeynet Project. The Honeynet Project places unprotected servers on the Internet set up with their operating systems' default installations. It uses these machines to understand the techniques that hackers use and to see how exposed default software settings leave web servers to attack.

On average, the machines they place on the Internet are hacked within 8 hours. Hackers now employ automated scanning software and "aware" worms that constantly travel the web looking for a new home. Compare that with computers connected through universities: they will often be under outside control within 45 minutes of being placed on the Internet.
Another highlight of CanSecWest was the unveiling of a new cloaking technique for software assaults on highly protected servers. Sophisticated defensive software has been written that searches for the patterns that emerge when hackers try to breach networks. The military, the banking sector and other highly classified networks that sit behind a stone fortress of code employ this software to protect their assets.

The new technique allows a hacker to deceive the pattern-matching software. It fools that software into not "seeing" the intrusion. By throwing a random pattern back at the protecting layer, the hacker is able to slip into the network and begin his assault without worry of being detected.
A survey by the Computer Security Institute found losses of $378 million from the 186 companies that were able to quantify their damage from computer crimes in 2001. The year isn't even halfway over.

As business online continues to evolve, companies must take security seriously. Every company has locks on the doors of its offices. Some have sophisticated security systems to halt intruders from breaking in. But most don't have a single computer security expert on staff.

That is, until the hack that stops your business happens.
With the amount of information that companies now share through the web, this is unnerving. Intranets and extranets are especially sensitive because they contain intellectual property and details about client relationships. The file cabinet containing valuable data isn't readily accessible, so why is the entire network?

Companies must create the role of a Chief Security Officer. If you conduct business online, you at least need a diligent policing role that will ensure your machines are up to date with software patches. Beyond that, companies must reassess and explore how they are connected to the various networks they do business through.

Your friends would have a field day if you told them your car was stolen because you left it unlocked while you went out to eat downtown. What will your customers and the media say when they find out your business is vulnerable and has been exploited? Confidence flushes down the drain faster than an awkward teen blushes. The damages could be minimal, but the perception is very real. If you aren't watching your web server, someone else already is.