Black holes expose Web weakness


Cold chills should have gone down the spine of any company with a Website after the announcement last week of a security hole in a popular Microsoft Web server program, Internet Information Server. It followed only days after similar flaws were uncovered in Web server software manufactured by Netscape and O'Reilly.

If you are reading this, have a Website, and don't know what I am talking about, this is especially aimed at you.*

The hole allows Web users to access potentially sensitive information (passwords, material in databases, credit-card information, transaction details) directly from an affected Website, simply by adding a sequence of characters to the end of a Web page address, or URL (uniform resource locator). The characters cause the server, which must be running the Windows NT operating system, to offer the data creating the page, rather than the page itself. Sometimes that data includes embedded passwords for the system. Or it might contain instructions for the programs running behind the site, like transaction software for ecommerce, and those programs can give access to database information held on individuals.
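The column describes the flaw only in outline: a suffix appended to a page's URL makes the server hand back the file behind the page instead of the page. Below is an added example, not from the column or from any of the vendors named in it, of a check an administrator could run over an access log to spot requests of that shape. It does not reproduce any particular suffix; it simply flags any request in which characters follow a server-side script name without being a query string or a further path component. The log format, the list of script extensions and the sample lines are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: these are the extensions of server-side script files on the site,
# whose source should never be returned to a browser.
SCRIPT_EXTENSIONS = (".asp", ".pl", ".cgi", ".shtml")

# Constructed sample log lines in a simplified "client method url status" format.
SAMPLE_LOG = """\
10.0.0.5 GET /default.asp 200
10.0.0.5 GET /shop/order.asp?id=42 200
10.0.0.9 GET /shop/order.asp%20 200
10.0.0.9 GET /shop/order.asp. 200
10.0.0.7 GET /images/logo.gif 200
10.0.0.9 GET /admin/login.pl::junk 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def trailing_junk(url):
    """Return the characters appended after the right-most script extension, or None.

    A request that ends exactly at the extension, carries only a query string,
    or continues with a further "/component" (PATH_INFO) is treated as clean.
    The path is percent-decoded first so an encoded suffix is not missed.
    """
    path = unquote(urlsplit(url).path)
    lower = path.lower()
    # Pick the extension that occurs furthest to the right in the path.
    idx, ext = max((lower.rfind(e), e) for e in SCRIPT_EXTENSIONS)
    if idx == -1:
        return None
    tail = path[idx + len(ext):]
    if tail == "" or tail.startswith("/"):
        return None
    return tail


def suspicious_requests(log_text):
    """Return (client, url, junk, status) for each request with a suffixed script name.

    A status of 200 on such a request is the case worth investigating first:
    the server answered rather than rejecting the odd path.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        junk = trailing_junk(m["url"])
        if junk is not None:
            hits.append((m["ip"], m["url"], junk, int(m["status"])))
    return hits


if __name__ == "__main__":
    for client, url, junk, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested {url!r} (suffix {junk!r}) -> HTTP {status}")
```

Run against the sample, the three requests that append a space, a dot or a colon-prefixed string after the script name are reported; the ordinary page, the query-string request and the image are not. The same logic can be pointed at a real log by swapping the regular expression for the server's actual line format.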


Microsoft posted a fix for the problem over a week ago, yet many Irish sites are still open and unprotected. Midweek, I had no problem downloading files from various Irish Web locations, including some semi-state agencies.

Far too many organisations, especially smaller ones, take security for granted. In a digital world, this is a grave mistake, especially if you are welcoming outsiders into your company computers via the Web. But as Websites become ubiquitous, small to medium companies want internal and external online networks.

Often they want to administrate these themselves, and buy a server-in-a-box application to run a site in-house. Others get their Web design company or Internet service provider to host the site. But how technically adept are the people looking after your site? How willing were they to take shortcuts when setting up the site?

For the most part, the recent software security holes should hardly affect anyone, at least not if the site is designed properly, without passwords stuck into site files and with proper restrictions in place. Of course, most developers never imagined Web users would be able to see the normally hidden files revealed by the hole. But that's no excuse for weak site structure.
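The column's remedy, keeping passwords out of site files and applying proper restrictions, is concrete enough to show in code. The following is an added example, not from the column, that contrasts the pattern it warns against (a credential written into a page file under the document root, where a source-disclosure flaw exposes it) with a loader that refuses any secret file living inside the Web root or readable by anyone but its owner. The directory layout, file names and permission policy are assumptions made for the example.

```python
import os
import stat
import tempfile

# The pattern the column warns against: a credential inside a page file that
# sits under the document root.  Illustrative text only, not runnable server code.
EMBEDDED_PAGE = '<% conn.Open "DSN=shop;UID=shopadmin;PWD=secret123" %>'


def credential_in_page(page_text):
    """Crude scan for password-like assignments inside a page file."""
    lowered = page_text.lower()
    return any(token in lowered for token in ("pwd=", "password="))


def load_db_password(secret_path, web_root):
    """Read a password from a file that must be outside web_root and owner-only.

    Both checks are the "proper restrictions" of the column: even if a flaw
    lets a browser fetch any file under the document root, the secret is not
    there to fetch, and other local accounts cannot read it either.
    """
    real_secret = os.path.realpath(secret_path)
    real_root = os.path.realpath(web_root)
    if real_secret == real_root or real_secret.startswith(real_root + os.sep):
        raise ValueError("secret file lives under the document root")
    mode = stat.S_IMODE(os.stat(real_secret).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError("secret file is readable by group or others")
    with open(real_secret) as fh:
        return fh.read().strip()


def demo():
    """Build a throwaway layout and exercise the accepted and rejected cases."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")
    os.mkdir(web_root)

    outside = os.path.join(base, "db.pwd")        # correct: beside, not under, wwwroot
    inside = os.path.join(web_root, "db.pwd")     # wrong: served by the Web server
    for path in (outside, inside):
        with open(path, "w") as fh:
            fh.write("s3cret\n")                  # constructed sample value
        os.chmod(path, 0o600)

    results = {"outside": load_db_password(outside, web_root)}
    try:
        load_db_password(inside, web_root)
        results["inside"] = "accepted"
    except ValueError as exc:
        results["inside"] = str(exc)

    os.chmod(outside, 0o644)                      # loosen permissions to show the second check
    try:
        load_db_password(outside, web_root)
        results["world_readable"] = "accepted"
    except ValueError as exc:
        results["world_readable"] = str(exc)
    return results


if __name__ == "__main__":
    print("credential embedded in page:", credential_in_page(EMBEDDED_PAGE))
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The permission test relies on Unix mode bits; on Windows NT the equivalent is an ACL on the secret file granting read access to the server's service account only, which the same loader would check through the platform's own API.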

Then there's the question of how people use the software they buy. One London Web developer estimated this week that 90 per cent of people, including systems administrators overseeing technology departments in large companies, simply installed software and left it running on the default settings. The default settings typically have few security controls and are more easily hacked.

Small companies are especially likely to use default settings. In addition, they often lack a person, much less a team, with IT expertise. Chris Davey, technical director at Dublin Web developers Oniva, calls this "the big-system, small-system divide". Small companies want the power of high-end operating systems like Unix, but can't handle the complexity of managing them.

So they are tempted by Windows NT, which is simpler to use. But they lack the knowledge to mind the digital shop in an informed way. This simplicity lulls many into relying on the software to look after itself. The rash of server security holes has exposed the foolishness of that assumption.

* (If you are unaware even now of the flaw, and your Website is running on Windows NT, check immediately to see if your software is affected. If it is, you or your systems administrator can download the patch from the appropriate Website; for Microsoft, the fix is at www.microsoft.com/security. If your site is hosted elsewhere, contact the host. If they don't know about this problem, move your site elsewhere.)

Karlin Lillington


Karlin Lillington, a contributor to The Irish Times, writes about technology