September 29, 2000 - Bring On XML!
Sears Roebuck CIO, Jerry Miller, says XML will be adopted "a lot faster than we saw with EDI because it's so much easier. It's so much simpler. It's so much less expensive." Speaking at the National Retail Federation's conference this week, Miller confirmed that the GlobalNetXchange Sears is backing will go live in October, and will be enabled for supply chain transactions that are anticipated to account for $5 to $7 billion in annual business.
September 29, 2000 - Authentication Crucial For Network Security
Convicted computer hacker Kevin Mitnick, who now speaks to corporate meetings about security practices, told the Giga Research Infrastructures for E-Business Conference that authentication is a key component in keeping networks secure. His recommendations: Confirm that someone requesting information is who he/she claims to be before giving out information, and use different passwords for different systems.
September 22, 2000 - Patch for Windows™ 2000 behind Firewall
eCommerce and other Web sites running Windows 2000 for behind-the-firewall applications may be susceptible to a bug that can take the whole system, and with it the site, down in a denial-of-service attack. Exposure depends on which ports the Web site's firewall has been configured to block. According to a Microsoft Security Bulletin, malformed Remote Procedure Call (RPC) requests can be sent to the server, causing it to fail. Machines sitting behind a firewall that blocks ports 135 to 139 and 445 are not affected, however. Microsoft says a forthcoming Windows 2000 Service Pack will provide lasting protection against the problem. Meanwhile, here's the patch.
September 19, 2000 - On-line Data-use Guidelines
The non-profit Privacy Foundation presented a new set of industry guidelines today to regulate the use of invisible technology that keeps tabs on eMarketplace users. The guidelines were presented at the Global Privacy Summit in Washington, D.C., hosted by the Privacy Foundation.
Technology guidelines state that a Web page or HTML-enhanced email that uses embedded images to transmit information to a remote computer when the page is viewed must display a clearly visible icon on the page. One way to accomplish this is via a display of Extensible Markup Language (XML) objects on an eMarketplace's HTML page:
Readers should be able to opt out of this type of data collection, says the group.
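The invisible technology the guideline targets is the "web bug": an image, often one pixel square or hidden by style, fetched from a remote host when the page or mail is rendered, with a per-recipient identifier in its URL. The following scanner is an added example written for this digest, not code from the Privacy Foundation or from the original article; it flags image tags that match that pattern so a site operator can check whether a page needs the disclosure icon the guideline calls for. The sample HTML, the host names and the list of identifier parameter names are constructed for the example.

```python
# Added example: flag likely "web bug" images in an HTML page or HTML mail.
# Uses only the Python standard library.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-string parameter names that commonly carry a per-recipient identifier
# (constructed list for the example; extend it for a real deployment).
ID_PARAMS = {"id", "uid", "user", "email", "u", "cid", "rid"}


def _dimension(value):
    """Parse an <img> width/height attribute; None when absent or unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class BeaconScanner(HTMLParser):
    """Collect <img> tags whose fetch would report a page view to a remote host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if not url.netloc:
            return  # relative image: served with the page itself, no extra host contacted
        reasons = []
        if url.netloc.lower() != self.page_host:
            reasons.append("third-party host")
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny image")  # carries no visible content
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if ID_PARAMS & set(parse_qs(url.query).keys()):
            reasons.append("identifier in query string")
        # A large third-party image is ordinary content delivery; report only
        # when the image is invisible or its URL singles out the reader.
        if any(r in reasons for r in ("tiny image", "hidden by style",
                                      "identifier in query string")):
            self.findings.append({"src": src, "reasons": reasons})


def scan_for_beacons(html, page_host):
    """Return a list of {src, reasons} for image tags that look like web bugs."""
    parser = BeaconScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: a logo, a 1x1 third-party pixel with an id,
# a hidden same-host open-tracker keyed by e-mail address, a relative
# 1x1 spacer, and an ordinary banner served from a CDN.
SAMPLE_HTML = """<html><body>
<img src="http://shop.example/logo.png" width="200" height="50" alt="Shop logo">
<img src="http://tracker.example/pixel.gif?id=abc123" width="1" height="1">
<img src="http://shop.example/open.gif?email=buyer%40example.com" style="display: none">
<img src="/spacer.png" width="1" height="1">
<img src="http://cdn.example/banner.jpg" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for finding in scan_for_beacons(SAMPLE_HTML, "shop.example"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Two of the five images are reported: the third-party 1x1 pixel and the hidden same-host tracker keyed by e-mail address. The relative spacer and the CDN banner are not, since neither contacts a third host with reader-specific data. Whether a page then displays the "clearly visible icon" the guideline requires is a presentation question that no scanner can settle; the output is a list of places where that disclosure, and an opt-out, are due.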
September 7, 2000 - Patch For Windows™ 2000 Server Vulnerability
A problem in Windows 2000 could allow a user to launch a denial of service attack, disrupting operation of the server, and possibly the entire network. Using the vulnerability, a malicious user could corrupt information on an affected machine, with the effect of preventing the machine from participating in a network. If exploited against the domain controllers in a network, it could disrupt all network operations. Recovering from such an attack would be difficult, and likely would require that program and data files be restored from a backup tape, a time-consuming procedure. An on-line solution has not been available until this week. Microsoft® has now posted a patch.
September 7, 2000 - Fix for Imail™ Windows NT Security Problem
If an eMarketplace's email server runs the Imail package for the Windows NT platform, the Ipswitch Imail server could allow an unauthorized party to send an attached file that, with harmful code, could breach the security of the email system. Ipswitch® has just released an upgrade that prevents the problem.
August 30, 2000 - Key Security Patent Expires
An important moment in on-line security will occur in September when RSA Security Inc.'s key patents, fundamental to most Internet security processes, expire. RSA's patents encompass common standards for encryption and decryption as well as the initialization of public- and private-key pairs, all-important elements for secure transactions. What happens after the expiration will be nothing short of a watershed for the security industry. Observers predict the development of security tool kits engineered for performance and for specific markets, such as wireless, and the availability of many more security products in the United States.
August 30, 2000 - Digital Certificate Software Supports More eCommerce Platforms
Within the next week, RSA Security will unveil an upgraded version of its public-key infrastructure software. The Keon™ 5.5 suite will add support for digital certificates from multiple vendors and make it easier for security administrators to register users to receive certificates through an automated download process.
August 30, 2000 - Pretty Good Privacy Security Flaw
A security flaw in the latest versions of the popular PGP (Pretty Good Privacy) e-mail encryption software allows encrypted e-mail to be read by unauthorized third parties. The problem, described in a CERT advisory, reportedly arose from the inclusion of a "key escrow" feature added to PGP. PGP, which comes in commercial as well as free versions, is one of the most popular encryption programs for securing corporate e-mail. "Key escrow" refers to the process of creating and storing additional decryption keys, so that someone other than the intended recipient can decrypt a message or file. Today, Network Associates posted an advisory on how to deal with the problem.
August 30, 2000 - Security Flaw In Microsoft® Internet Information Server 5.0
The just-discovered flaw allows Web site owners to use special URLs to deliver malicious code via SHTML files to a remote client. Specific risks include reading documents on Intranet servers inside a firewall, cookie theft, and, if the user has placed a Web site in the "Trusted sites" zone, the launching of other browser attacks. Microsoft is working on a fix for the firewall-intrusion problem. The cookie-theft issue is fixed by Microsoft FrontPage™ 2000 Server Extensions Release 1.2.
August 30, 2000 - Sun® Repairs Java Security Flaw
Security consultants have found a problem in Sun's Java Web server that could allow an external user to issue arbitrary commands on the system. The problem revolves around the administration client and Java server page tags. Sun has posted several patches for different operating platforms.
August 24, 2000 - Single Sign On Not Secure
Single sign on (SSO) authentication proxies may not provide the best protection against unauthorized access to information, says an on-line security expert. The risk is that if the password is stolen, an unauthorized user could obtain access to any of the systems being protected by the SSO, says Jamie Lewis, CEO of The Burton Group, in InternetWeek. Instead, he recommends a general purpose, system-wide sign on to a general class of information (or applications) with different levels of challenge for increasingly sensitive classes of information (or applications).
August 24, 2000 - Indicator of Web Regulations?
The way a state's Motor Vehicle Department treats information gathered on drivers' records could be an indicator of that state's privacy and on-line business regulatory leanings, says an on-line trust industry expert. According to Internet Alliance, an on-line industry trade association, 26 states do not sell personal information in drivers' records for marketing purposes.
August 12, 2000 - Cisco Router Vulnerability
Using Gigabit Ethernet Switches, as a number of eMarketplaces do, for routing information from the database to the server and then to the Internet makes the system vulnerable to attack. Cisco Systems says that a bug in the software running its routers that use those switches can result in information packets being vulnerable to hackers who want to access and maliciously change the site's access control lists (which grant permission to read privileged information). The bug also renders sites vulnerable to increasingly common denial-of-service attacks. Cisco is working on a patch.
August 12, 2000 - Security Problem With Adobe PDF
Malicious code can be embedded in Adobe Portable Document Format (PDF) documents that can deliver a virus to unsuspecting readers. Manuals and other documentation frequently sent as part of business-to-business communications are vulnerable. Adobe recommends users install the following patch for protection: ftp://ftp.adobe.com/pub/adobe/acrobat/win/4.x/ac405up2.exe
August 12, 2000 - Post-hack Lessons
Eweek Magazine recently set up a mock eCommerce site and invited hackers and security experts to defeat it. Now, with the final results in and evaluated, the editors offer a series of tips to lessen the likelihood your own site will be compromised. In this week's issue they present "lessons learned" in a series of tips. Key advice: establish a consistent system for checking the security of all tools and processes your eMarketplace uses.
August 8, 2000 - Windows NT® Anti-Spoofing Patch
Used to initiate denial-of-service attacks that can shut down or slow traffic on eMarketplace sites, spoofing is a major security problem for Internet commerce. Microsoft has just released a patch intended to lessen the vulnerability to an attack that can block access by authorized users to sites running on Windows NT.
August 8, 2000 - Authentication Solution For Mobile eCommerce
A new security venture has a biometric solution for wireless eCommerce authentication. Itrust, a new solution from biometrics security products vendor Identix, Inc., will provide eCommerce server-side authentication, validation, transaction management and content control services on a per-use basis. To work, biometric devices, such as fingerprint readers, are attached to mobile devices. Predictions are that mobile eCommerce, now a $US140 million market throughout the world by some estimates, will grow to $US6 billion within five years, driving the need for more on-line business trust services.
August 8, 2000 - Password Vulnerability Found In Lotus®, Domino™
Dutch engineers have found a pair of security flaws in e-mail management programs Lotus Notes™ and Domino, which helps Web sites offer server-side applications, such as collaboration over Intranets and in eMarketplace sites. The vulnerabilities allow decryption of user passwords. Lotus representatives responded that the company was looking into the claims, but noted that newer versions of Domino, such as its just-released 5.04 version, offer greater security protection than older versions.
August 8, 2000 - Hacked? Sue!
A security expert at the CIA-funded computing security company In-Q-Tel advises that companies that have been hacked and can identify the source make an example and sue hackers for damages. A malicious hacker, "would probably spend more time encumbered by [being sued] than for any time served," says security consultant Dominique Brezinski. He endorses this strategy by noting that hackers are more sophisticated than law enforcement, and corporate eMarketplace security personnel shouldn't think law enforcement will prevent or solve their on-line security problems.