ISSUE 516: The high tech office - Sept 14 1999
ALAN ZISMAN
Paranoia about the Net is a justifiable reaction
They say that just because you're paranoid
doesn't mean no one is out to get you.
A bit of paranoia seems justifiable as we get more
reliant on the Internet for carrying out our business. Here's one
week's worth of evidence:
* A Bulgarian hacker, Georgi Guninski, announced the discovery of a
problem with Microsoft's new Internet Explorer 5 Web browser.
According to Guninski, who has found
security problems with Microsoft products in the past, this security
hole allows Web pages to plant harmful programs onto users' computers.
(Take a deep breath -- there's no evidence that anyone is exploiting
this "feature" -- yet.)
* Another Microsoft problem was unveiled, this one
potentially affecting millions of Windows 95 and 98 users who receive
e-mail with the company's Outlook or Outlook Express software, as well
as users of Eudora. Texas-based Rice University's Dan
Wallach describes the problem as "the Melissa virus, but even
worse." The flaw in Microsoft's Java support allows hackers,
according to a Microsoft security
bulletin, to "create, delete or modify files on the user's computer,
reformat the hard drive, copy data to or from a Web page or take other
desired action." Unlike most viruses, which are included in e-mail
attachments, these attacks can be encoded directly into an e-mail
message, so simply viewing the message can trigger the attack.
Microsoft quickly responded, posting a fixed version
of its Java Virtual Machine on its Web site
(www.microsoft.com/Security/Bulletins/MS99-031.asp). Alternatively, Java
can be disabled in Outlook, using that program's Internet Options.
* Online bookseller Amazon.com, while claiming
to respect the privacy of individuals, is releasing "Purchase Circle"
data, showing the buying habits of groups of people. Since a Purchase
Circle could be made up of, for example, employees of your company,
such data could reveal your company's plans, as indicated by the books
your employees purchased.
Amazon, responding to criticism, has said that
information about individuals and individual companies will be removed
from the database upon specific request. As well, the company notes
that it does not compile information on groups smaller than 200 people.
* RSA Data Security announced that an
international team of researchers has successfully broken the code
used to secure Internet
credit card transactions. These transactions are encoded using 512-bit
encryption, the strongest level of coding that the U.S. government
allows to be exported. RSA suggests that Internet transactions should
use the more powerful 768-bit coding, but they note that it took the
code-breakers seven months, using 292 computers, to break the existing
code.
* Hotmail, with 50 million customers, is the
largest free e-mail service. It was recently forced to announce
that a flaw in its programming allowed presumably private mail
to be read. Simply by typing in a Hotmail user's name, anyone on the
Web could read that user's mail with no password needed. All that was
required was access to a short script that has begun to be widely
distributed over the Internet.
Microsoft, the owner of Hotmail, claims to have fixed
this problem as soon as it was discovered, briefly shutting down
Hotmail servers and automatically redirecting users of the script to
Microsoft's security area.
There are a few steps you can take, if these events
worry you. First, remember that e-mail is never really private. Many
businesspeople use free, Web-based e-mail services such as Hotmail for
messages that they don't want to send via their company's e-mail
system. Be aware that such services can be vulnerable.
You may want to check at www.ziplip.com, a free service promising
to work with your existing e-mail software, scrambling, locking and
shredding your messages, to make them "snoop-proof."
When you send a message via Ziplip, the recipient does
not receive your message. Rather they get a link to a Web site, where
they can access your message. The actual message stays encoded at all
times and therefore relatively safe from prying eyes (unless they're
able to assemble 300 computers and spend seven months to decrypt it,
apparently).
Alternatively, public-key encryption, using products
such as PGP (Pretty Good Privacy, www.pgp.com), offers individuals
the option to encrypt their own e-mail,
though this requires distribution of your public key to your recipients
so that they can read your messages. PGP encryption is included as an
option in Eudora Pro e-mail (not the free, Eudora Light version).
Services such as Anonymizer (www.anonymizer.com)
offer a mix of free and pay options to make Web browsing and e-mail
anonymous.
Microsoft's Web browser relies on ActiveX, a
technology that seems to be especially vulnerable to security problems.
Internet Explorer users can turn off ActiveX. In the browser's
Internet Options, go to the Security tab and set it for the highest
level of security. This will also restrict so-called cookies, a
technique where Web sites can deposit information on your computer
without your knowledge, in some cases collecting information about your
Web activities at the same time.
If you want to be an Amazon.com customer but opt out
of purchase circles, e-mail no-purchase-circles@amazon.com.