Computer Security Weekly, Sep.3. 2000

We've told you before that Web based email accounts have a security weakness: generally there are no limits on the number of attempts to guess an account password. A Swiss system recently was a little more insecure than that: Sunrise left an internal utility open to public access, allowing anyone to look up usernames and passwords. Actually, the problem is somewhat more important than free email: Sunrise provides free Internet access. At least 700 accounts are known to have been accessed. Part of the problem here, though, is weak security design. There is no reason to store or make passwords accessible in plain text. The person who reported this on the RISKS-FORUM Digest noted other security design flaws in various Sunrise systems, including plain text submissions of passwords via unsecured Web pages.

Yet another problem with Hotmail. Two problems, actually. A ComputerWorld story notes that Hotmail is having some problems with Buddy Lists. When somebody stops using a name, and someone else registers it, the new user has access to the Buddy Lists that the old user was on. That, however, is only to be expected, and one wonders why Hotmail never thought of the problem. (Quiet those people at the back yelling "Because they're owned by Microsoft!") Of more importance is the fact that Hotmail even allows the reuse of old names. This is fraught with perils of all kinds. (As one example, once upon a time I did some work for an ISP, and, because of that, had an account called, say, rslade@isp.com. In the fullness of time, I did some work for a startup company. Their Internet service was hosted by my old ISP: all accesses to company.com were, in fact, directed to isp.com. So when they assigned me the new rslade@company.com address, the first time I went to get my mail, I got a bunch, several years old, that had been sent to rslade@isp.com after I left.) http://www.computerworld.com/cwi/story/0...

Eudora used to have two versions: a free version, and a more fully featured commercial version. Now they have three: a full commercial version, a free version with limited functions, and a free version with a full feature set but also with ads showing at the bottom of the screen. The "ad" version of Eudora silently contacts a server on the net in order to download the ads that are being shown. Eudora refuses to say what other information is being exchanged, but there could be all kinds of data flowing back to Qualcomm as a result. Technical support told one user that a line in the .INI file would turn off the net accesses: it didn't. (It may not stop the net accesses, but you can stop the display of

The copyright of the article Computer Security Weekly, Sep.3. 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, Sep.3. 2000 in print or online must be granted by the author in writing.