
Computer Security Weekly, April 26, 1999


Hope none of you got caught by CIH today. Of course, if you are reading this, you didn't ...

IE5 has a fancy new feature. When you add a Web site to your "Favorites" list, the browser fetches a graphic called "favicon.ico" from that site and uses it as the icon beside the entry in your list. Of course, that fetch can be captured by the site, revealing to its owner that you have bookmarked it. Possibly a minor breach of privacy, but over time they could build up quite a file on you.

The BUGTRAQ mailing list has been very busy over the past week discussing e-commerce systems, and particularly "shopping cart" functions, that do not keep user information confidential. A number of companies sell easily installed e-commerce systems for small businesses. The problem does not seem to lie in vulnerabilities in the shopping programs themselves, but in the lack of attention "e-tailers" may give to setting up the security functions. Improperly set up systems can give away full information on shoppers, including name, address, phone, and credit card numbers ...

Others, however, can search for and target these sites, and then attack them to download usage logs, login information, and even information about referring sites. A RISKS-FORUM Digest reader found two such sites in a very short time, and both the search and the retrieval of information could be automated.

eBay, the online auction house, allows users to post an HTML description of the item to be sold, so that the ad can carry formatting. Trouble is, it also allows users to put scripting into the ad, and the script can, of course, contain anything. One user wrote "eBayla," a proof-of-concept script that collects a bidder's information by spoofing a legitimate request from eBay, and sends it to the seller.

The really scary part is that eBay considers this to be perfectly OK, and seems to have no intention of addressing the issue.


Outlook 98 parses the Reply-To address on email and presents the user with only the "personal" (display name) part of the field, hiding the actual email address. Unfortunately, this allows an outside user to create a very simple spoof address that pretends to be an internal user on the corporate net. In addition, replies appear to be going to an internal user, while really firing off across the net.

Microsoft's position is that this is a failure of SMTP, ignoring the fact that the spoof is obvious on most other mail systems.
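As an added illustration (not code from the column), here is the kind of check a mail gateway or client could run on a Reply-To header: it flags display names that carry an address or the internal domain while the real mailbox is external, and always renders the real address beside the display name so that nothing is hidden. The domain corp.example and the sample headers are constructed.

```python
# Added example: detect Reply-To display names that impersonate an internal
# address while the real mailbox lies outside the organisation.
# INTERNAL_DOMAIN and SAMPLE_HEADERS are constructed for illustration.
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain

# Constructed headers: one spoof, one honest internal sender, one borderline case.
SAMPLE_HEADERS = [
    '"bob@corp.example" <mallory@example.net>',
    "Bob Smith <bob@corp.example>",
    '"Helpdesk (corp.example)" <help@mail.example.org>',
]


def _is_internal(addr, internal_domain):
    """True when the mailbox domain is the internal domain or a subdomain of it."""
    domain = addr.rpartition("@")[2].lower()
    return domain == internal_domain or domain.endswith("." + internal_domain)


def check_reply_to(header_value, internal_domain=INTERNAL_DOMAIN):
    """Return a list of (display, reasons) for every mailbox in one Reply-To header.

    display shows the real address next to the display name, which is what a
    client should render instead of only the "personal" part. reasons is empty
    when the entry does not look like an impersonation attempt.
    """
    results = []
    for name, addr in getaddresses([header_value]):
        reasons = []
        if not _is_internal(addr, internal_domain):
            if "@" in name:
                reasons.append("display name contains an address")
            if internal_domain in name.lower():
                reasons.append("display name claims the internal domain")
        display = f"{name} <{addr}>" if name else addr
        results.append((display, reasons))
    return results


def flagged(headers, internal_domain=INTERNAL_DOMAIN):
    """Return the rendered display strings of every suspicious Reply-To entry."""
    return [display for h in headers
            for display, reasons in check_reply_to(h, internal_domain) if reasons]


if __name__ == "__main__":
    for entry in flagged(SAMPLE_HEADERS):
        print("suspicious Reply-To:", entry)
```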

The copyright of the article Computer Security Weekly, April 26, 1999 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, April 26, 1999 in print or online must be granted by the author in writing.
