Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, May 20, 2005

Development pressures making a mockery of online security

Despite a series of high-profile online security blunders at leading retailers such as Argos and B&Q in recent years, companies selling online are still failing to train staff to look for bugs and glitches which could betray customer details or give rise to fraud.

While sophisticated hackers might always find a way into a system, many companies, such as the two mentioned above, are guilty of some basic failings which would have been discovered within minutes of penetration testing, according to a leading expert.

Dan Newman has been running one of the most popular certified ethical hacking courses for three years at the UK-based Training Camp and says he’s not seen a single student from an e-commerce company put forward to attend, while financial institutions, government departments and the military are well up on the need for penetration testing.  “We had one guy who worked for a retailer but he funded it himself because he was actually looking to move into a new job in a different sector,” said Newman.  While this doesn’t mean e-commerce sites have never honed their penetration-testing skills, Newman is confident he’d have seen some of them through his classroom at least, or heard of their efforts if such skills were commonly used in the online retail sector.

Newman walked Builder UK sister site silicon.com through a very basic ‘hack’ which simply involves changing cookies to access any number of customers’ details on one ecommerce Web site.  By doing so a hacker would be able to download paid-for documents from other users’ accounts with one keystroke.

Newman blames a lot of the failings on the pressures of the retail environment and on developers charged with getting functionality online in time to meet demand, rather than when it is ready.  “I used to be a developer and I used to make the same mistakes they do,” said Newman.  Newman said a lot of the time “they’re getting things out there as quickly as they can” without regard for security.  “Some Web sites are just bulging at the seams,” said Newman, referring to the multitude of security weaknesses just waiting to be exploited in the e-commerce sector.

Firebox.com is one online retailer happy to talk about its penetration testing.  “Our IT team regularly check all of our security and always start with anywhere there could be a potential problem and thankfully they have always been pleasantly surprised but you still have to test,” said the spokeswoman.  “I feel bad for a lot of companies who buy products from vendors who know nothing of security,” added Newman.

But just because e-tailers deal with a third party vendor doesn’t abdicate responsibility for carrying out their own thorough penetration testing.

http://uk.builder.com/webdevelopment/scripting/0,39026636,39247453,00.htm

Posted on 05/20
NewsPermalink