- Email: [email protected]
UK report blows government internet security sky high
Security ViewdDr. Bill Hancock
promises that can automatically be interpreted by a Web browser or other software using a promising technology called the platform for privacy preferences, or P3P Consumers today must manually find a company’s online privacy statement, if one exists, and read through legalese to determine what personal information a Web site might be harvesting, such as their name, E-mail address or even favorite authors or clothing sizes. Using the new technology, a customer’s Internet browser could review a company’s promises electronically, then issue a warning only if it can’t find a privacy statement or if the Web site wants more information than a consumer has indicated a willingness to disclose.
how to encourage Internet consumers to use the new privacy technology until Web sites begin to offer electronic promises, that can be understood by the technology “What we’re trying to do here is build a foundation”, said Saul Klein, a group program manager at Microsoft. “We’re not saying that we think this is the answer to self-regulation.” Hurdles remain for the technology, including a legal battle with Seattle-based Intermind Corp., which earlier this year won a patent important to P3P. Intermind has said it is willing to license the technology to other companies for a reasonable price. “Good software patents are expensive, and we were way ahead of the curve”, said Drummond Reed, the company’s chief technology officer.
But widespread use of the technology is at least months away, in part because of a bitter patent dispute and because it almost certainly will require the tens of millions of people on the Internet to install new browser software. “This is going to get a lot of the system up to speed quickly”, saidTara Lemmey, executive director of the San Francisco-based Electronic Frontier Foundation.
The World Wide Web Consortium, the Internet standards body over the new privacy technology, said the group is “looking seriously . . . at the validity and applicability of this patent”. “Even the threat that one company’s patent could stand in the way of many months of collective work causes us serious concern”, said Daniel Weitzner, head of the group’s technology and society division.
Both the Clinton administration and Congress have threatened the industry with tough new privacy laws - possibly by year’s end - unless companies can adequately regulate themselves over ways they collect customer information across the Internet. And the European Union already has passed laws that prohibit the transfer of personal information about its citizens without their consent to any outside country. The White House is negotiating to see how those laws might affect US businesses.
The technology also must be built into the next generation of Internet browser software before consumers can use it. Many people continue using older browser versions years even after the latest become available. “This is hardly the great white hope of solving the privacy problem if the time to propagate it is measured in years”, said Jason Catlett of Junkbusters Corp., a New Jersey-based privacy group. Microsoft and the Electronic Frontier Foundation said they will propose changes in a key specification controlled by the Web consortium, which would allow online merchants to use their new digital tools.The toolkit to create an electronic privacy policy will be available at: http://privacy. linkexchange.com .
“The technology they’re announcing probably isn’t the final answer, but it’s a real positive step”, said Rick White, who headed the Internet Caucus when he was a congressman from Washington state. “I’m not certain that technology will solve all the problems there are some gaps you might have to fix in a legislative way.” The latest move is the industry’s answer to what it describes as a frustrating chicken-and-egg problem:
286
UK Report Blows Government Internet Security Sky High A report just published by NTA Monitor, the Internet
Computers & Security, Vol. 18, No. 4
security testing firm, has revealed that British government Internet systems are wide open to attack and abuse. The damning report says that users at almost half of all government E-mail sites in the UK have the confidentiality of their mail jeopardized because their Internet mail servers are using software package versions with known security risks. According to Deri Jones, security services manager with NTA, the report highlights the ongoing need for organizations to maintain constant vigilance in keeping their systems up to date and fully secured. It also, he said, demonstrates that many government organizations are not testing their security on a regular basis. The testing analyzed the 689 Internet domains within the “gov.uk” name space, which NTA says includes central government departments, local government, and a number of governmental organizations. After discounting doma in s where no Internet E-mail systems had been set-up, or which were not reachable during the tests, the survey reported on 345 live Email servers. According to NTA, its computers ran live tests across the Internet using a subset of the firm’s Regular Monitor security testing service, which is used by over 100 European corporations for annual, quarterly or monthly testing of Internet security. The testing ran between November 1998 and this month, highlighting that, of the sites reached, 31% are using software versions with known security problems, and 32% are using Sendmail, of which 43% are flawed versions. According to the report, the majority of NT E-mail server insecurity is caused by the use of old or unpatched versions of Microsoft Exchange 11% use it, of which 45% are flawed. Interestingly, the report found that almost 100% of users of the Borderware mailer (part of the Borderware firewall) are using versions up toV5 which are flawed due to use of predictable sequence numbering. According to Jones, the results obtained in NTA’s latest survey are actually on a par with the results seen from other online security surveys.
“In addition, from testing of our own clients across a wide range of business sectors, in 80% of cases we find there are substantive differences between security intentions and security achieved”, he said. Jones said that this is true even with organizations that have, on and are paper at least, taken “due care and attention” using good security products in a well designed topology. According to Jones, security is an area where the weakest link in the chain undermines the whole thing.“The variety of known risks within the range of old and flawed versions of E-mail software packages found enable hackers to crash systems, or to access confidential information within E-mail messages and even to take control of the machines altogether and launch further attacks into data systems deep within corporate networks”, he said. According to Jones, it appears from the survey that many organizations are not taking regular steps to ensure that all of their security perimeter components are up to date with the latest patches. “The problems are particularly serious now that many more governmental organizations are moving to ‘electronic government’ initiatives where Internet becomes a central part of the activity”, he said. Jones argues that, whether a department has just spent money on security for an Internet or a government secure intranet project, or is just about to, then there is a strong case for having the network gateway security perimeter thoroughly tested. “It’s the best investment of Al500 ($2,500) of real world security possible”, he said.
Risks to Security Growing as Fast as Numbers of Systems When the Melissa E-mail virus hit recently, the spotlight was cast on data security. In a recent survey from market researchers at IDC, IT executives said that data security risks are growing almost as fast as the Internet. IDC found that the worldwide Internet security software market grew 67% in one year, from 1996 revenues of $1.2 billion to 1997 sales of
287
promises that can automatically be interpreted by a Web browser or other software using a promising technology called the platform for privacy preferences, or P3P Consumers today must manually find a company’s online privacy statement, if one exists, and read through legalese to determine what personal information a Web site might be harvesting, such as their name, E-mail address or even favorite authors or clothing sizes. Using the new technology, a customer’s Internet browser could review a company’s promises electronically, then issue a warning only if it can’t find a privacy statement or if the Web site wants more information than a consumer has indicated a willingness to disclose.
how to encourage Internet consumers to use the new privacy technology until Web sites begin to offer electronic promises, that can be understood by the technology “What we’re trying to do here is build a foundation”, said Saul Klein, a group program manager at Microsoft. “We’re not saying that we think this is the answer to self-regulation.” Hurdles remain for the technology, including a legal battle with Seattle-based Intermind Corp., which earlier this year won a patent important to P3P. Intermind has said it is willing to license the technology to other companies for a reasonable price. “Good software patents are expensive, and we were way ahead of the curve”, said Drummond Reed, the company’s chief technology officer.
But widespread use of the technology is at least months away, in part because of a bitter patent dispute and because it almost certainly will require the tens of millions of people on the Internet to install new browser software. “This is going to get a lot of the system up to speed quickly”, saidTara Lemmey, executive director of the San Francisco-based Electronic Frontier Foundation.
The World Wide Web Consortium, the Internet standards body over the new privacy technology, said the group is “looking seriously . . . at the validity and applicability of this patent”. “Even the threat that one company’s patent could stand in the way of many months of collective work causes us serious concern”, said Daniel Weitzner, head of the group’s technology and society division.
Both the Clinton administration and Congress have threatened the industry with tough new privacy laws - possibly by year’s end - unless companies can adequately regulate themselves over ways they collect customer information across the Internet. And the European Union already has passed laws that prohibit the transfer of personal information about its citizens without their consent to any outside country. The White House is negotiating to see how those laws might affect US businesses.
The technology also must be built into the next generation of Internet browser software before consumers can use it. Many people continue using older browser versions years even after the latest become available. “This is hardly the great white hope of solving the privacy problem if the time to propagate it is measured in years”, said Jason Catlett of Junkbusters Corp., a New Jersey-based privacy group. Microsoft and the Electronic Frontier Foundation said they will propose changes in a key specification controlled by the Web consortium, which would allow online merchants to use their new digital tools.The toolkit to create an electronic privacy policy will be available at: http://privacy. linkexchange.com .
“The technology they’re announcing probably isn’t the final answer, but it’s a real positive step”, said Rick White, who headed the Internet Caucus when he was a congressman from Washington state. “I’m not certain that technology will solve all the problems there are some gaps you might have to fix in a legislative way.” The latest move is the industry’s answer to what it describes as a frustrating chicken-and-egg problem:
286
UK Report Blows Government Internet Security Sky High A report just published by NTA Monitor, the Internet
Computers & Security, Vol. 18, No. 4
security testing firm, has revealed that British government Internet systems are wide open to attack and abuse. The damning report says that users at almost half of all government E-mail sites in the UK have the confidentiality of their mail jeopardized because their Internet mail servers are using software package versions with known security risks. According to Deri Jones, security services manager with NTA, the report highlights the ongoing need for organizations to maintain constant vigilance in keeping their systems up to date and fully secured. It also, he said, demonstrates that many government organizations are not testing their security on a regular basis. The testing analyzed the 689 Internet domains within the “gov.uk” name space, which NTA says includes central government departments, local government, and a number of governmental organizations. After discounting doma in s where no Internet E-mail systems had been set-up, or which were not reachable during the tests, the survey reported on 345 live Email servers. According to NTA, its computers ran live tests across the Internet using a subset of the firm’s Regular Monitor security testing service, which is used by over 100 European corporations for annual, quarterly or monthly testing of Internet security. The testing ran between November 1998 and this month, highlighting that, of the sites reached, 31% are using software versions with known security problems, and 32% are using Sendmail, of which 43% are flawed versions. According to the report, the majority of NT E-mail server insecurity is caused by the use of old or unpatched versions of Microsoft Exchange 11% use it, of which 45% are flawed. Interestingly, the report found that almost 100% of users of the Borderware mailer (part of the Borderware firewall) are using versions up toV5 which are flawed due to use of predictable sequence numbering. According to Jones, the results obtained in NTA’s latest survey are actually on a par with the results seen from other online security surveys.
“In addition, from testing of our own clients across a wide range of business sectors, in 80% of cases we find there are substantive differences between security intentions and security achieved”, he said. Jones said that this is true even with organizations that have, on and are paper at least, taken “due care and attention” using good security products in a well designed topology. According to Jones, security is an area where the weakest link in the chain undermines the whole thing.“The variety of known risks within the range of old and flawed versions of E-mail software packages found enable hackers to crash systems, or to access confidential information within E-mail messages and even to take control of the machines altogether and launch further attacks into data systems deep within corporate networks”, he said. According to Jones, it appears from the survey that many organizations are not taking regular steps to ensure that all of their security perimeter components are up to date with the latest patches. “The problems are particularly serious now that many more governmental organizations are moving to ‘electronic government’ initiatives where Internet becomes a central part of the activity”, he said. Jones argues that, whether a department has just spent money on security for an Internet or a government secure intranet project, or is just about to, then there is a strong case for having the network gateway security perimeter thoroughly tested. “It’s the best investment of Al500 ($2,500) of real world security possible”, he said.
Risks to Security Growing as Fast as Numbers of Systems When the Melissa E-mail virus hit recently, the spotlight was cast on data security. In a recent survey from market researchers at IDC, IT executives said that data security risks are growing almost as fast as the Internet. IDC found that the worldwide Internet security software market grew 67% in one year, from 1996 revenues of $1.2 billion to 1997 sales of
287