SBC Web Hosting Flunks Security Basics

[InfoSec News <isn () c4i org>]

http://www.internetweek.com/breakingNews/showArticle.jhtml%3Bjsessionid=EIKMSOYNOFNR4QSNDBCCKICCJUMEKJVN?articleID=8800513

By David Strom 
April 21, 2003

If you are using SBC to host your Web site, you might want to think
about finding someone else. Your site may be at risk due to SBC's lack
of security.

The problem, which was brought to my attention by one of SBC's hosting
customers and since confirmed by the company, has to do with the
browser-based "control panel" application that users run to maintain
their sites. The level of potential exposure I think is high and
unfortunate.

There are several issues. First, the login process is done over an
ordinary, unsecured browser link, rather than over a secured (SSL) and
encrypted link. This means that anyone who monitors the path between
your browser and SBC's servers can highjack your password. SBC says,
"We understand that customers want the added sense of security that an
SSL-based control panel access method would provide. We are working to
implement a new login system that will operate using SSL. We
anticipate that it will be ready for customer use later this summer."  
That is unacceptable, given that they have heard about this for
several months. It should be fixed, pronto.

Second, while a secure connection would be nice, they go a step
further in terms of exposure and reveal the user's password in clear
text as one of the fields on the control panel's pages. This increases
the risk of an account being hijacked, because not only are customers
at risk when they log in, but now a hacker could monitor the SBC
network and collect numerous outbound passwords of many customers
quite easily. Plus, as my friend points out, since the password is
displayed as part of the page, anyone walking by your office can
easily see it. Again, this is unacceptable.

A third problem is that SBC sets a session cookie at login time and
doesn't provide any logout function. This means anyone with access to
your machine can log onto the site, even if you are no longer browsing
the control panel pages. Once you have logged in, you cannot prevent
further access without quitting the browser. My friend claims that SBC
should at least warn its customers that this is happening, but
doesn't. In fact, SBC has a privacy policy that contradicts this
practice, so you could argue that they are somewhat misleading.

When I brought this to the attention of SBC (which wasn't easy,
because there isn't any contact information on their Web site), they
spoke about many of the security practices that they have put in place
to protect their customers' data. All well and good, but these three
loopholes are big enough to negate all their other practices and drive
the virtual truck through. I told my friend to move to another hosting
provider as soon as possible. Clearly, SBC isn't really all that
interested in best security practices.

The problem with Web sites is that they are only as strong as their
weakest links. And when you use a hosting provider, you are at their
mercy in terms of the security policies that they choose to implement.

The security issues are compounded when you begin to take advantage of
more than just serving up static HTML pages, and get more involved in
implementing Web services and Web-based applications that take
advantage of databases, XML, and SOAP applications. This is because
you have applications that are communicating with the Web server, and
locking down these application-to-application pathways can become very
difficult and require a great deal of expertise.

Given that fairly large companies like SBC can't even deliver secure
static Web hosting, what are the chances that smaller companies can
step up to the task of securing these more complex situations? I'll
have more to say on this topic next week. In the meantime, if your
hosting provider isn't providing sufficient security, now is the time
to look around for someone who does.


David Strom, technology editor, VARBusiness, is a veteran
computer-industry journalist and consultant. This column is drawn from
Strom's own weekly newsletter, Web Informant, which was among the
first newsletters to publish following the appearance of the Internet
on business technologists' radar screens in the mid 1990s. Check out
his Web site.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.