[ Go to August 1996 Table of Contents ]

[ Return to Interactive Buyers' Guide ]

Cover Story
Safety on the Net
Protect Yourself from Hackers, Crackers and Outlaws

-- By David W. Methvin, Senior Technical Editor

They unleash viruses, steal or destroy your data, and break into your Web sites. So wax nostalgic if you'd like about the good old days, when the world was a friendly, trusting place and nobody had to "lock" their modems. But while you're reminiscing, make sure your data, your systems-and yes, even your family-are protected from the legions of hackers, crackers and outlaws spreading mayhem through cyberspace.

Not even the big guys are safe. WINDOWS Magazine editors were able to gain unauthorized access to the Web sites of companies like Price Waterhouse, Fidelity Investments, Marriott, Corel and Zenith Data Systems, getting in through common security holes that were documented months ago. See Web Insecurity Rampant.) There are easy fixes available for these holes, but these particular sites hadn't updated their software.

Hackers are still learning about other security holes that exist in many Web sites, allowing them to view unauthorized data. On the client side, programmers are discovering that the "secure" Java environment has its share of security holes that potentially allow Java applications to steal or destroy data. Malicious programmers can use the new language to write nasty viruses that execute when a Web page is downloaded. In fact, the global connectivity the Internet offers has provided a dangerously efficient mechanism for the spread of computer viruses.

No doubt about it-it's scary out there. But you don't have to let the pitfalls keep you away from the Web. Here are some guidelines for protecting your site, your computer and yourself.

Criminals can use the Web to compromise your privacy and steal your data. Fight back!

Holes in the Net

You may not be aware of the many risks you face if you run a Web server-or even if you use an Internet service provider's server. We used Digital's AltaVista search engine ( http://www.altavista.digital.com) to seek out pages that had specific security problems. We determined that there were in fact security holes by getting a list of files in the servers' directories. The search results were scary. In addition to the companies named above, dozens of sites worldwide were unprotected. (We must confess that WINDOWS Magazine's site had its share of security problems, too. See WinMag's Web Woes)

To prevent damage to files or information disclosure, we contacted the Webmasters at each site and informed them of the security holes. Each was asked to resolve the security problems before this article went to press. To further protect these sites, we have not divulged their specific URLs or the exact details of their security problems.

For example, one site allowed credit card purchases and used Secure HTTP (hypertext transfer protocol) to prevent the interception of information as it was sent across the Internet. But security holes may have left credit card information wide open to thieves once it reached the server.

In another case, a site run by a federal government agency, the General Services Administration, offered a database of payment information for government contractors. Vendors logged on with a user name and password, which was meant to allow them access only to their own payment information. However, security holes made it possible to slip into the server and obtain the complete database.

Only a few sites stored important data in unsecured locations. We didn't find any proprietary or valuable information on most of the compromised Web sites. An intruder might be able to delete files or crash the server, but it would be more an exercise in electronic vandalism than an opportunity to steal data.

Our findings point out the current state of Web security. If you or your company plan to do serious business on the Internet, you need to take a long, hard look at your defenses.

Maximum Security

If you run a Web site, you've got to stay at least one step ahead of the hackers. Here are a few of the most important security measures you can take:

  • Read security information on the Internet.
    This includes the World Wide Web Security FAQ at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html; the Computer Emergency Response Team (CERT) advisories at http://www.cert.org; the Computer Incident Advisory Capability security site at http://ciac.llnl.gov/; and the NT security issues list at http://www.somarsoft.com/. Check these locations often-you can bet the bad guys do.
  • Keep up with Web server updates.
    Vendors frequently issue software updates, but they rarely notify customers of them. Instead, they quietly post them to their Web sites. At times, software companies understate the importance of security patches-possibly because they're afraid of tipping off hackers. If your vendor issues a security-related patch, even one it claims is for an obscure problem, install it right away.
  • Be wary of CGI programs.
    The common gateway interface (CGI) is used by most server-side programs that process forms or access databases. It's also a common way for hackers to gain access to your Web server. If you write CGI programs, don't trust any parameters provided by a user, especially if they seem out of range or context. If, for example, you have a form that requires a phone number, only numbers should be filled in. If that's not the case, consider it a red flag. This sort of input needs to be validated thoroughly before being entered into a database, for example, or placed into a Web page. The URL security FAQ (mentioned above) provides more detail on these matters.
  • Clean out sample files and unwanted services.
    Most Web servers come with sample programs that show how to use CGI, along with other server features. If left in place, they can create opportunities for someone to break into your system. Also, many packages default to installing and enabling all their services such as file-transfer protocol (ftp). If you don't need to use them, delete the sample programs and disable the services.
  • Analyze your server logs.
    Web servers generate a log of server accesses. Certain files that come standard with server programs have known weaknesses that hackers can exploit. Use a search utility to look for suspicious CGI program use, such as out-of-range values or small numbers of accesses to files that don't currently exist on your server. This is often your first warning that someone is trying to break in. Don't ignore it.
  • Keep file permissions restrictive.
    Provide just enough access to individual directories so that the Web server software can read the files and authorized persons can update them. Web server software should not be run on a privileged administrative account, because anyone who manages to break in through a security hole will have complete run of the system. The Web server account should not have permissions to delete or write files, except in a few designated directories.

Browsers Beware

Click Here to see a 91.2KB bitmap image of artwork which goes with this article, entitled:

Click Here to see a 12.4KB bitmap image of artwork which goes with this article, entitled:
Think Hacking's a Hard Job?

Although security has been an issue for Web servers since their inception, it has only recently become an issue for Web browsers. Historically, viewing Web pages was safe on the receiving end, since a browser simply displayed HTML sent from the server.

Things changed with the launch of Netscape Navigator 2.0, which included two features that let Web authors execute programs on your PC. The first is Java, a full-fledged programming language similar to C++. The second, JavaScript, is a simple scripting language similar to HTML itself, with code embedded directly into the hypertext file.

The two features share similar monikers, but are actually very different in their capabilities. Java is the more powerful-and more dangerous-of the two. Java programs are retrieved from a Web server in much the same way that text and graphics are retrieved. Once a Java app gets to the browser, it is executed by a byte-code interpreter. The interpreter should theoretically enforce security restrictions, limiting what a program can do. In the past few months, however, developers have found more than a dozen security breaches in the Netscape Navigator 2.0 implementation of Java, listed at Netscape's Web site ( http://www.netscape.com).

Despite the widespread discussion of Java security problems, we found no examples of active system-attacking Java applications. A few sites ( http://whenever.cs.berkeley.edu/graffiti/ and http://www.math.gatech.edu/~mladue/HostileApplets.html, to name two) have academic examples that demonstrate the problem. It's possible that this has not yet become a serious issue for Web users. It's also possible that some unscrupulous Java developers are building applets that quietly read your hard disk and send information back to their Web servers. Most Web surfers wouldn't be able to report the attack because they would be unaware that they were under siege.

Recent Netscape updates fix only some of Java's security glitches. If you're concerned about the potential harm from Java applications, Netscape Navigator 2.0 lets you disable Java through its Options/Security Preferences dialog. For more on Java applets and security, check out the Javasoft Web site at http://www.javasoft.com/java.sun.com/sfaq/index.html.

Even larger numbers of Web surfers will be exposed to security risks when Microsoft releases Internet Explorer (IE) 3.0 later this year. IE 3.0 will support both Java and Microsoft's own OLE-based ActiveX controls. Unlike Java, ActiveX controls can be written directly in the native object code of the surfer's system. While this gives ActiveX much better performance than Java, it also means that ActiveX controls have none of Java's security restrictions. An ActiveX control can do anything on-or to-your system.

ActiveX is based on the technology that used to be called OLE. Though the modifications to OLE were relatively minor on the programming level, the new name reflects a quantum change in the technology's scope. Instead of linking files to an associated external application, ActiveX handles the document within the existing application.

Foil a Forger

Click Here to see a 79.7KB bitmap image of artwork which goes with this article, entitled:
Simple Security Hole

Microsoft is quite aware of the potential for abuse of ActiveX. The company advocates a solution based on digital signature technology. Digital signatures could just as easily be used for Java applications-since Java's built-in software "fences" don't keep hazards out-and other Internet information exchange as well.

With digital signatures, a file's creator "signs" the file using a private key known only to him. When the file reaches the recipient, the signature is checked against the public key for the file's creator. If the file has been modified by anyone or otherwise corrupted, the signature test will fail.

This technology is not new-digital signatures were first used with e-mail more than five years ago. Pretty Good Privacy (PGP )was the first shareware encryption program, and it's still the most popular. PGP is based on a mathematical algorithm that generates a pair of unique "keys" for every user: a "private" or "secret" key accessible only by the user, and a "public" key. A PGP-protected e-mail or file contains data encoded by the private key, which it then matches only if decoded by the public key. If the two do not match, the file might have been modified or forged.

Instructions for using PGP under Windows are available at http://www.ifi.uio.no/~staalesc/PGP/windows.shtml. A list of Windows PGP shells can be found at http://www.ifi.uio.no/~staalesc/PGP/utils.shtml.

Digital signatures could alleviate concerns about errant software. But to be effective, this technology needs to be universal, cheap and well-supported. Most software applications currently do not address or support digital signatures, and the few that can often do so in a rudimentary fashion. You can do the job with existing command-line software like PGP, but only if you're UNIX-savvy.

Three things need to be accomplished to ready digital signatures for the major leagues. First, programs such as e-mail must integrate digital signatures seamlessly in their interfaces. Second, companies must agree on a mechanism for disseminating their public keys in a way that users can be assured the keys are authentic. Third, and most importantly, users must be educated about digital signatures and how to use them.

Digital signatures ensure only that the signed software originated with the person or organization who signed it; there's still no guarantee that the software is free of viruses or bugs. This goes to the very heart of the digital signature controversy. Just as with a pen-and-ink signature, a digital signature is only as trustworthy as the person who uses it.

Accountability is a crucial issue. You must decide whom you will trust to provide you with bug-free, virus-free, secure files. Those companies, in turn, will be accountable for any file bearing their digital signature. Think of it as a form of "software shrink-wrap" that lends a product protection not normally seen on Web-accessible files. Files uploaded by anonymous parties, on the other hand, should be viewed with caution-if at all.

To Catch a Virus

Almost everyone who cruises the Internet regularly downloads files. The ability to transfer files through the Internet has already made a big difference in the way software is sold and distributed. At the very least, it has simplified the job of finding the latest drivers for your hardware.

With the ease comes a risk, however. You may download a computer virus along with that file, so it's a good idea to get antivirus software before you think you need it. You may already have viruses on your system without knowing it.

McAfee Associates offers a 30-day evaluation version of its antivirus software at its Web site ( http://www.mcafee.com/). Symantec sells the Windows 95 version of Norton AntiVirus on the Web ( http://www.symantec.com/). The company also has a version of Norton AntiVirus for Windows NT available for free download. Virus scanning software is also available from Dr. Solomon ( http://www.drsolomon.com/). Remember that software vendors update their virus lists as new ones are discovered. Many upload fresh versions of their virus databases to the Web, allowing you to update frequently.

Most people worry only about getting infected and never think about the consequences of infecting someone else. If you're going to give people software, check it for viruses! If you don't, you may find yourself in an embarrassing-or worse, a litigious-situation.

Until recently, the computer virus threat has been limited to executable program files. However, many new viruses now exploit the macro programming abilities that programs include in their own file formats. The most widely publicized macro virus to date is the Concept virus that affects Microsoft Word. According to Symantec ( http://www.symantec.com/avcenter/), five more Word macro viruses have been identified-some of which destroy data.

These viruses spread when Word automatically executes specially named macros as you open an infected document. If the Concept macro determines that it's on a new system-for example, if you receive a document in an e-mail message and open it with Word-it will copy itself to Word's default document template. All documents you create after this will be infected.

As a defense, you can use a viewer instead of the full application to open a new document. (See Safe Viewing) Other than that, the best solution is to keep your virus scanning software up to date.

One well-known "virus" has probably caused more wasted Internet traffic than any real virus. A couple of years ago, someone started circulating a warning about the "Good Times" virus that could be spread just by reading e-mail. It appears to have been created to parody the dire warnings about real viruses, such as Michelangelo. Some users took it seriously and posted the message on numerous online services and newsgroups. In some cases, in-house computer support workers e-mailed the warning to the entire staffs of large companies. The result was as bad as a real virus: It wasted both staff time and computer resources.

Digital Self-Defense

Click Here to see a 21.1KB bitmap image of artwork which goes with this article, entitled:
The World Wide Web Security FAQ

While it's inconvenient when your computer is brought down by a virus, it's much more serious when some aspect of cyberspace threatens you, your family or your pocketbook. There are plenty of stories about the Internet's dark side. Most focus on societal problems that have made their way to the Internet: pornography, stalking, theft, financial scams and other types of fraud. The Internet is just a new venue for these ills of society, and you should handle them the same way you do when they occur elsewhere.

Despite the hype about pornography on the Internet, it's generally a great place for kids. Web-site browsing is usually the safest activity; kids should avoid chat rooms or newsgroup discussions. The SafeSurf site ( http://www.safesurf.com/) is a terrific resource for protective parents. It has pointers to software that can keep your kids out of the seedy parts of the electronic village when you're not there to watch them.

If you create a Web page with information about you or your family, remember that anyone in the world can easily find that page using a powerful Web search engine. Alta Vista ( http://www.altavista.com/), Lycos ( http://www.lycos.com/) and others simplify this sort of research. Your address or phone number is just a few clicks away, thanks to Web-based directories like wyp.net ( http://www.wyp.net), Four11 (http://www.four11.com/) and Switchboard ( http://www.switchboard.com/).

The more information you reveal, the more the bad guys have to work with. For instance, if you note on your home page that you're in the early stages of Alzheimer's disease, someone may call requesting payment for a bill that you "must have forgotten." Mention that you have a child with severe medical problems, and everyone with a quack remedy or phony insurance will beat a path to your door. Even an innocent note on your home page about "taking that dream vacation in Europe this summer" could prompt a thief to visit your house and clean you out.

Be aware that a complete stranger can find out a lot about you through the Internet. Don't believe someone is on the up-and-up just because he has information about you.

If somebody contacts you asking for credit card numbers, bank account codes or passwords, there's a good chance it's a scam. In fact, hackers have a name for this sort of subterfuge: "social engineering." Not all of hackers' information theft is high-tech-some of them are quite adept at getting sensitive information over the phone, armed with no more than the information on your Web page.

You can make the Internet work for you as well. If you're approached by someone trying to make a sale, see what other people are saying about the product or service.

Post a question about it in appropriate newsgroups,and use Deja News ( http://www.dejanews.com/) to see what people have already said. Remember to take anything you read on the Internet with a grain of salt, since you won't always know the identity of a user posting a message.

Despite the many potential problems and security holes, most Internet users are basically honest. Staying safe on the Internet is the same as staying safe in a large city: Stay alert and take precautions. If you're careful, you'll reap the benefits of the Web without compromising your data, your system or your safety.

[ Go to August 1996 Table of Contents ]

[ Return to Interactive Buyers' Guide ]