Antagonistic forces could be listening in on your network and intercepting sensitive personal communications, according to a security advisory issued recently by independent online security firm and think tank L0pht Heavy Industries.
A hacker — or cracker, in currently correct terms — can essentially sit in between a user and an end host, in what is called a “man in the middle” attack, acting as a proxy to receive unencrypted data. L0pht says that the hole may permit third parties to reroute and modify traffic or launch “denial of service” attacks.
A Hole in your OS?
The security vulnerability — affecting Windows 95, Windows 98, the Sun Microsystems and Solaris operating systems — involves what’s known as the ICMP Internet Router Discovery Protocol (IRDP), which determines the route computers use to connect to the Internet. IRDP, according to L0pht, is turned on by default in Windows 95 and Windows 98 systems, but remains enabled even after the user has shut it off.
Free Your System and the Rest Will Follow
L0pht has indicated that, with the exception of a “denial of service” scenario, an attacker would have to be inside a network in order to use the exploit to compromise data, confidential or otherwise. E-Commerce operations and those using broadband modems are urged to check with the manufacturer of their operating systems (OS) to see if the software they are using is vulnerable and if a fix is available.
According to a ZDNet report, L0pht — known more widely as an “underground” security firm or “hacker group” — delayed a public announcement at Microsoft’s request. At press time, Microsoft — as well as Solaris and Sun — had not yet posted a patch or any related information at its Security Advisor page.
Addressing a firestorm of criticism regarding the security of its products, Microsoft (Nasdaq: MSFT) recently left a Web server with a beta version of Windows 2000 and the embattled Internet Information server (IIS) outside its firewall, openly inviting members of the hacking community to crack it. The test site is still available. Security experts and other interested parties are invited to try to crack the Windows 2000 security system.
IDC: E-Commerce Security Holes Also Create Legitimate Opportunities
International Data Corp. (IDC) recently released a report indicating the intrusion detection and vulnerability assessment software market will reach $980 million by 2003.
The report — “Plugging the Holes in eCommerce: The Market for Intrusion Detection and Vulnerability Assessment Software, 1999-2003” — indicates that 1998’s $136 million mark represented a 135% jump from the previous year. 1999’s total will be double the 1998 figure.
“Building reliable, dependable and secure e-commerce sites requires massive investments,” commented Abner Germanow, a senior analyst with IDC’s Internet security research program. “Successful attacks can destroy the most critical aspect of e-commerce — trust.”
“Ensuring the maintenance of trust,” added Germanow, “is one of the primary functions of intrusion detection and vulnerability assessment products.”