Hackers leave IBM door ajar for two years

Failure by systems administrators to make a basic change to vital encryption technology or keep their server patched may have left hundreds of websites vulnerable to cyber-criminals, according to IBM.

Written by Ian Lynch

In February 1999, hackers discovered a specially formatted URL that could list all the accounts, and their encrypted passwords, of websites running certain IBM software, prompting IBM to issue a fix later that year. However, a posting to the security industry mailing list Bugtraq last month claimed that the software's encryption key could be broken if left on the default setting.

Now, two hackers have posted code on the web that, used in tandem with the customised URL, busts open IBM's encryption and leaves every account on the targeted website wide open to abuse.

IBM confirmed the problem in a posting to Bugtraq on Thursday. The firm warned that websites running IBM's WebSphere Commerce Suite 4.1 and NetCommerce 3.2 are at risk if they have not installed patches made available last month.

However, security experts say it is wrong to simply blame system administrators, and that poor installation documentation and risk identification procedures may equally be at fault.

Neil Barrett, security consultant with Information Risk Management, commented: "This reads very like the Microsoft SQL blank password problem, where there is an issue regarding what the software actually does compared to how the installation documentation reads."

Barrett also said that although IBM was quick to release patches for its ecommerce software, installing them could be expensive.

He told vnunet.com: "IBM is very responsive to any problems with its ecommerce software, making patches available quickly. However, these patches often require a reboot to install, thus resulting in costly service disruption as usually this type of software is mission critical to a busy website.

"Administrators, who after all are being paid to ensure the system runs as efficiently as possible, may decide to wait for the next scheduled maintenance period to install the patches. This leaves a window of opportunity for the more competent hackers, not script kiddies, to exploit the issue.

"My personal opinion is that IT security staff should be brought into the decision making loop to help identify which patches need to be installed immediately and which can wait."
