Websites selling goods and services to consumers have been having a hard time of it lately, with many closing at the end of their first round of funding. A number of reasons have been put forward for the "dot bomb" failures, and prominent among them is reluctance on the part of the consumer to trust the Internet with their credit card numbers.
A recent report by the SANS (System Administration, Networking, and Security) Institute proves that consumer fears are well founded. SANS is a co-operative research and education organisation through which more than 96,000 system administrators, security professionals and network administrators share the lessons they are learning and find solutions to challenges.
On Thursday, March 8th, SANS revealed that a group of Eastern European hackers has spent the last year systematically exploiting known Windows NT security weaknesses in order to steal customer data. In all, more than a million credit card numbers have been stolen from a total of more than 40 locations.
Windows NT 4.0 is one of the main operating systems in use by Web servers worldwide, and a number of security holes have been identified since this version first came on the market. These holes enable malicious users to gain access to databases containing credit card numbers - and possibly other sensitive information.
The vulnerabilities of Windows NT have been known for years. Machines running Microsoft Internet Information Service (IIS), with the Remote Data Service enabled, allow unauthorised users to execute shell commands on the system as a privileged user. Microsoft responded to this by posting tranches of code called "patches" to the Internet, where systems administrators could download them for free.
The hacking problem has arisen because those responsible for the vulnerable Web servers are not maintaining them properly. Others claim that Microsoft does not do enough to publicise its patches because, by doing so, it highlights deficiencies in their product.
Many people whose credit card numbers have been stolen are unaware of it, largely because no purchases have been made using their particulars. Instead, the hackers have preferred to base their criminal model on the protection racket.
Once they have retrieved the credit card number lists and other necessary information such as expiry dates and customer addresses, they e-mail the company from whom they have stolen the information and inform them of what they have in their possession - usually supplying some form of proof.
They then claim that they are the only people who have the technical expertise to prevent others from hacking the site. If the victim company is not co-operative in making payments or hiring the group, the hackers' communications become more aggressive. They assure the victim that some "other" group is liable to publish the information, or start to make online purchases of goods and services.
Some companies have paid up, and unsurprisingly there is some evidence that the stolen information is at risk whether or not the hacked site's owners co-operate with the intruders' demands. The FBI has decided to take the unprecedented step of releasing forensic information from an on-going investigation because of the potentially large impact of the intrusions upon the American economy.
The US National Infrastructure Protection Center (NIPC) has issued an updated advisory document that includes specific file names that may indicate whether or not a system has been compromised. If you have an NT Server, and you find any of these files, you should contact the Garda. You should also make a report online to the NIPC incident centre. The file names are ntalert.exe, sysloged.exe, and any "dot exe" files preceded by any of the following numbers: 20, 21, 25, 80, 139, 1433, 1520 or 26405.
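One way to carry out the file-name check the advisory describes is to walk a server's disk and flag any name matching the listed indicators. This is an added example, not code from the article or from the NIPC; it builds a constructed sample directory tree for the demonstration, whereas a real check would be pointed at the NT system drive.

```python
import os
import re
import tempfile

# Indicator file names quoted from the NIPC advisory in the article.
NAMED_INDICATORS = {"ntalert.exe", "sysloged.exe"}
# ".exe" files whose whole name is one of these numbers, e.g. 80.exe or 1433.exe.
NUMBERED_INDICATORS = {"20", "21", "25", "80", "139", "1433", "1520", "26405"}
_NUMBERED_RE = re.compile(r"^(\d+)\.exe$", re.IGNORECASE)


def is_indicator(filename: str) -> bool:
    """Return True if a bare file name matches one of the advisory's indicators (case-insensitive)."""
    name = filename.lower()
    if name in NAMED_INDICATORS:
        return True
    m = _NUMBERED_RE.match(name)
    # 8080.exe must not match: the whole numeric part has to be on the list.
    return bool(m and m.group(1) in NUMBERED_INDICATORS)


def scan_tree(root: str) -> list:
    """Walk a directory tree and return the full paths of every matching file, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_indicator(f):
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def scan_names(root: str) -> list:
    """Convenience wrapper: just the lower-cased base names of the hits, sorted."""
    return sorted(os.path.basename(p).lower() for p in scan_tree(root))


def build_sample_tree() -> str:
    """Create a constructed sample tree (demo data, not real evidence) mixing decoys and indicators."""
    root = tempfile.mkdtemp(prefix="nt_scan_demo_")
    for rel in ("winnt/system32/80.exe", "winnt/system32/NTALERT.EXE",
                "inetpub/wwwroot/default.htm", "winnt/system32/8080.exe", "temp/1433.EXE"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()  # empty placeholder file
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("possible indicator:", hit)
```

A match is only a signal that the machine should be examined and reported, not proof of compromise, since a legitimate file could share one of these names.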
It is important to stress that these intrusions cannot occur on a typical home PC. Only machines that are running Windows NT Server software and are connected to the Internet are at risk.
The Center for Internet Security will make available a tool with a short download-time that you can use to check your system for these vulnerabilities. The Center's tools are normally available only to their members, but under the present circumstances they have decided to make the diagnostic tool available free to anyone who needs it, at www.cisecurity.org.
These intrusions will undoubtedly further erode the confidence of consumers in trading over the Internet using their credit cards. In response, the credit card companies are coming up with new business models to increase consumer confidence.
American Express, for instance, has come up with a system of disposable credit card numbers. An Amex cardholder can log into a secure site to get one of these use-once-and-discard numbers and then use it to make an online purchase. As it can be used only once, the number cannot be stolen and used to make further purchases.
Online merchants who allow Visa cards for purchases on their sites must comply with a set of 10 rules, one of which requires them to be up to date with all patches.
People seem to be quite willing to give their card number by phone to another person to book, say, a theatre ticket, despite the obvious inherent dangers - but they are more reluctant to divulge the information to a machine over an online network.
And rightly so. Despite all the Internet e-commerce hype, credit card holders have shown what has proven to be well-founded scepticism.
Fintan Gibney is an IT Consultant with SmartForce. gibney@ireland.com
www.nipc.gov/incident/cirr.htm NIPC Incident Centre
www.sans.org/newlook/home.htm System Administration, Networking & Security Institute home page