reports

CERT issues ‘cross-site scripting’ warning
Barbara Gengler

Several US computer security experts have issued a joint warning about a security threat that allows hackers to launch malicious programs on a Web site or capture information a person volunteers on a Web site, without the user’s knowledge. The programs are being distributed by special links embedded on sites, according to an advisory issued by the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh.

The threat, called ‘cross-site scripting’, involves dangerous computer code that can be hidden within harmless-looking links to popular Internet sites. The links can be E-mailed to victims or published to online discussion groups and Web pages. CERT said Web developers and users should be aware that the scripts could be used to expose restricted parts of a company’s local networks, such as their intranets, to attackers from the Internet.

According to CERT, what you receive from a Web site may not be what that site meant to send. If you click on a specially designed link, the site may unknowingly send you bad data, unwanted pictures and programs (malicious scripts) to compromise the data.

“We haven’t had any direct reports to CERT because it would be difficult to detect”, said Bill Pollack, team leader for technical communication at CERT. “But we’ve been working to understand the problem and give people information as a proactive measure to mitigate the risk.”

CERT pointed out that the ways users can potentially expose Web browsers to malicious scripts include following untrusted links in Web pages, E-mail messages or newsgroup postings; using interactive forms on an untrustworthy site; and viewing dynamically generated pages that contain content developed by anyone but yourself.

Pollack pointed out that the most significant impact of the vulnerability can be avoided by disabling all scripting languages. But he added that even with scripting disabled, attackers may still be able to influence the appearance of content provided by a legitimate site by embedding other HTML tags.

CERT is working with technology vendors such as Cisco Systems, AT&T, Network Solutions, NASA and other security experts on a long-term, comprehensive solution. The group has published an advisory containing more details about the problem, its impact and ways to handle it. CA-2000-02 is available from www.cert.org/advisories/CA-2000-02.html. The advisory has been published jointly by the CERT Coordination Center, DoD-CERT, the Department of Defense Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC) and the National Infrastructure Protection Center (NIPC).

CERT has also posted a document describing short-term solutions. ‘Understanding Malicious Content Mitigation for Web Developers’ provides a technical overview of the problem and describes steps that Web developers can take to protect their Web pages from being used by developers of malicious scripts.
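The two points above (a dynamically generated page that reflects content it did not author, and the fact that plain HTML tags alter a page even when scripting is off) can be seen in a small page generator. This is an added example, not code from the article or from CERT’s advisory; the template, the function names and the sample query strings are all constructed for illustration. The vulnerable renderer places the request value straight into the page; the hardened one HTML-encodes it first, which is the short-term developer mitigation the text refers to.

```python
"""
Added example (not from the CERT advisory or the article): a minimal page
generator that reflects a user-supplied search term, in a vulnerable form and
in a hardened form that HTML-encodes the untrusted value before placing it in
the page. Names, the template and the sample inputs are constructed.
"""
import html
import re

# Constructed page template: the only markup the site itself intends to send.
PAGE_TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"

# Constructed sample query values: one harmless, two carrying markup.
SAMPLE_TERMS = [
    "network security",
    "<script>alert(1)</script>",      # script injection
    "<b>fake notice</b><img src=x>",  # non-script tags: still alter the page
]

# Matches any HTML tag, so we can tell template markup from injected markup.
TAG_RE = re.compile(r"<[^>]+>")


def render_unsafe(term):
    """Vulnerable: interpolates the raw request value into the HTML response."""
    return PAGE_TEMPLATE.format(term=term)


def render_safe(term):
    """Hardened: encode <, >, &, and quotes so the browser treats the value as text."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def injected_tags(page):
    """Tags in the rendered page that are not part of the template.

    The template's own tags are removed first; whatever remains must have come
    from the untrusted value, whether it is <script> or just <b>/<img>.
    """
    template_tags = set(TAG_RE.findall(PAGE_TEMPLATE))
    return [t for t in TAG_RE.findall(page) if t not in template_tags]


def audit(render):
    """Map each sample term to the number of foreign tags the renderer lets through."""
    return {term: len(injected_tags(render(term))) for term in SAMPLE_TERMS}


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, audit(fn))
```

Run as a script it prints, for each renderer, how many foreign tags reach the page per sample term: the unsafe renderer passes the `<script>` pair and the `<b>`/`<img>` tags through unchanged, while the safe renderer passes none, because the encoded value contains no `<` for the browser to interpret. The point of the third sample is the one Pollack makes: the non-script tags are just as effective at changing what the reader sees, so disabling scripting alone does not address the root cause; encoding untrusted output does.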
RealNames warns customers of hack attack
Barbara Gengler

A company that provides a service that converts complex Web addresses into simple keywords has warned users that a recent hacking attack into one of its databases may have compromised credit-card information belonging to as many as 15 000 customers. RealNames CEO Keith Teare said the company discovered the intruder when user searches for company names were suddenly all routed to www.188.net, a site written entirely in Chinese. “I think it’s probably just random”, Teare said. “It was just a wake-up call saying, hey, I’m here.”

The company sent E-mails to customers with this message: “Within the first 24 hours we have identified a situation that may have resulted in our customer information database being compromised, including customer credit card information.”

Teare said a security audit showed someone had gained access to the front-end of the company’s system and admitted the intruder, who is believed to be working from China. He also said credit-card companies have been notified of the security breach and, so far, no one has reported any fraud associated with the RealNames break-in.

The company said that although there was no evidence of any adverse effects on customers, as a precaution it has assigned new password and login information to each of its members and added new firewall security. Furthermore, RealNetworks has notified federal authorities of the breach and enlisted security firm Internet Security Systems (ISS) to conduct an audit.

The intrusion appears unrelated to a series of denial-of-service attacks launched in early February against prominent Web sites including Yahoo, eBay and Buy.com. Denial-of-service attacks disable a site by bombarding it with a high volume of information requests in a short period of time, which causes the site to crash.

RealNames is an online service that helps mostly business customers drive traffic to their Web sites. RealNames’ system swaps simple keywords for complicated Web addresses, making navigation easier for end users. Users can type the keywords straight into a URL field and be taken directly to the site. Customers pay an annual fee for each keyword they register with RealNames.

Teare was optimistic that the attack against his company, along with the rise in denial-of-service attacks reported, would not undermine the public’s confidence in the Internet. “While it will have the effect of undermining the confidence of a small number of inexperienced users, in the long term I don’t think it will have a great deal of impact for most people”, Teare said. RealNames has formed partnerships with search engines AltaVista and LookSmart and is incorporated into Internet Explorer. Amazon.com, Barnes&Noble, Federal Express and Visa are among its 25 000 customers.

No arrests yet in hack attack
John Sterlicchi

Nearly a month after hackers shut down some of the most popular Internet sites in the US there have still been no arrests. “The challenges to apprehending the suspects are substantial. Despite these challenges, I am optimistic that the hard work of our agents, analysts and computer scientists...will in the end prove successful”, Michael Vatis, the FBI’s director of the National Infrastructure Protection Center, told a joint hearing of US Congress crime subcommittees in late February.

Unconfirmed reports had the FBI closing in on a couple of suspects codenamed ‘mafiaboy’ and ‘coolio’. The FBI received help from authorities in Canada in its bid to track down mafiaboy. Royal Canadian Mounted Police in February questioned executives at Montreal-based service provider Internet Direct about a former subscriber who used that name. However, Stanford University system-software developer David Brumley, who is assisting in the investigation, said that mafiaboy is a false lead. He said that the culprit was based in the US and an arrest was imminent. Several days after he made that statement there was still no announcement from the FBI, which reportedly has agents from 17 offices working on the case.

It was on Monday, 7th February that several of the country’s largest Internet sites, including Yahoo, Amazon.com, CNN.com, eBay.com, Buy.com, ETrade Group, Excite.com and ZDNet, received massive amounts of data requests that overloaded their systems and shut them down for several hours.

Last week high-tech executives travelled to Washington to meet with President Clinton, who had organized a summit to discuss Internet security. More than 25 security experts from companies including AT&T, Cisco, MCI Worldcom, Intel and Microsoft attended the meeting on Tuesday. President Clinton said, “I think it was an alarm. I don’t think it was Pearl Harbor.” He was referring to the Japanese attack on 7th December 1941, which killed nearly 2300 Americans. President Clinton wanted to ensure that the private sector was doing all it could to protect itself against attacks, and he wanted support for the $2 billion he has in his budget this year to protect the government’s computer infrastructure.

High-tech officials are against new laws regulating the Internet. “At this time, we do not ask Congress for new laws in the area of Internet security”, Charles Giancarlo, a senior vice president at Cisco Systems, told the crime subcommittee hearing. “Cooperation — not regulation or legislation — will ensure that the Internet remains secure and at the same time open to the broadest possible public access”, he told the lawmakers.