An Alert for the Nonprofit Industry: Management 2000 Inc. Issues First Report in Series to Assist Internet Users in Their Need for Protection.


BURBANK, Calif. -- Management 2000 Inc.:

Introduction:

As the Information Security Division ("M2000/IS") of Management 2000 Inc., we help organizations manage and protect their information assets and IT systems on a 24/7 basis. An enormously effective tool in that task is education: simple, consumer-level overviews of the threats and vulnerabilities present on an organization's own systems. Educated organizations and consumers are much safer users and, as such, are truly the front line in the battle to protect their own or others' information.

To assist organizations and consumers with their need for protection, and in part as a response to recent newsworthy events of identity theft and information leakage from firms dealing with the public, M2000/IS is preparing a three-part series addressing three crucial, and often overlooked, industries.

This first report is provided below and looks at internet web sites that may have a large potential for use by malicious predators; specifically, sites that (1) attract visits from children or (2) handle financial transactions on-line. The intersection of these two groups of web sites is often nonprofit organizations, where opportunities to garner donations are expected, but with added particular interest, in one way or another, for young web surfers, the most vulnerable of users. From time to time, we are asked by organizations in a variety of industries to review the security of their sites. We are aware that our findings are more relevant when we examine multiple sites in the same industry as a comparison.

Our first article addresses the nonprofit industry. Our second article will focus on the independent insurance broker industry while the third and last report in our series will detail information security issues in our vast College and University systems.

This investigation, and the two yet to be written, will adopt the perspective of the basic, nontechnical user. Of course, at no time do we go beyond the public access expected by the web site owner or past any technical barrier to electronic trespass; we are seeking to bring to light only the most obvious vulnerabilities at each of these web sites.

Report on Web Hosting Providers for the Nonprofit Industry:

In our vulnerability-based investigation of web sites, we found that the most critical common denominator is, perhaps not surprisingly, the company that "hosts" the web site. Typically, a nonprofit organization will choose not to maintain on-staff technical expertise for internet interfaces, but will contract with a web development and hosting firm to build and maintain the web site. These web sites are crucial to the operation of the organization: they represent the organization's mission on-line and are used for fundraising and for advertising other fundraising events.

Of particular interest, of course, are those sites that attract children and may extract from them certain personally identifiable information, and also sites that accept donations directly, since personally identifiable contact and financial information crosses the potentially open infrastructure of the internet in these cases. We chose, therefore, to focus our investigation on sites that meet both criteria simultaneously.

The Process:

Based on our survey of the literature and searches on various web search engines, we found a number of internet hosting providers that concentrate on nonprofit organizations. The most interesting of these for our investigation, based on size, web prevalence, and the profile of the client base, were, in alphabetical order: Convio (www.convio.com), eTapestry (www.etapestry.com), GetActive (www.getactive.com), and Kintera (www.kintera.com).

Our concern, in each case, is not primarily how funds and information are handled internally by the organization, since that would require adopting an insider's look at the information systems, but rather, we sought to answer the question, "Are there inherent, obvious risks in how these web sites are designed and/or used?"

Our approach to each of the nonprofits' web sites was quite open. We sought to emulate the average, nontechnical user. We allowed scripts to run and we accepted all proffered cookies. As the investigation proceeded, of course, we returned to each of the sites and managed these resources in a controlled manner to see how each of these technical capabilities was being used.

We performed the identical tasks on all four hosting firms. Using web search engines and other internet tools, we selected a representative sample of their clients to investigate. We visited each client web site and did a user-level analysis of how nonprofit organization, donor, or user information might be compromised from each of the sites (without actually doing so, of course!). We emphasize that we did not violate any computer systems during this investigation, as that would require permission and cooperation from the nonprofit organization or hosting provider companies. We simply used publicly available information at each of the sites to point toward known vulnerabilities for potential compromise.

The Results:

In this first phase of our examination, we found that all of the sites presented a professional appearance, and most appeared to function using standard HTML code and scripts, written to professional standards. However, we did identify one particular operational convention that was of concern for the security of the users of the Convio-hosted sites. The following is the result of our user-based web site review:

Web Hosting Firm   Web Address          Results
Convio             www.convio.com       Cookie-captured data accessible in certain public environments
eTapestry          www.etapestry.com    No negative issues uncovered
GetActive          www.getactive.com    No negative issues uncovered
Kintera            www.kintera.com      No negative issues uncovered


The results suggest that the industry as a whole does a good job of protecting information. Remember, we did not perform an in-depth vulnerability analysis but rather a top-layer review, so that we would not require approval from the organizations themselves. Let's now focus on the one company (Convio) that did have an issue.

Here is what we found. Presumably as a help to eliminate retyping of information, Convio's web sites used previously placed cookies to automatically fill in the user's information in forms of all types. This information was often even shared with related sites and their forms. While this is undoubtedly a small assistance to the average user who returns to the site to transact further business, there is no user authentication to ensure that the user at the keyboard on the return visit is, in fact, the individual whose information is being automatically displayed. For example, if a child enters his or her name, address, or school, a subsequent user (a potential pedophile, for example) would be able to discover this information simply by logging on to the same site.

If the user is visiting these Convio-hosted sites from her or his home or privately held business computer, this may not be a problem (unless a co-worker drops by while they are out on an errand). But if access is obtained from a publicly available internet location (in, say, a school, a library, an Internet cafe, an airport, or a kiosk), and the cookie is instantiated, the next visitor to that web site, using that computer, will see all of the previous user's information. In the case of children, this security flaw is of extreme concern, since pedophiles will often stalk their prey for some period of time, and use such low-level tactics to gain information that will allow them to gain the trust of, or an advantage over, their relatively naive victim.

We must point out that, although this was a relatively high-level investigation, it is only reasonable to infer that if operational vulnerabilities such as these exist at the first-phase investigation level, then a deeper investigation might well uncover vulnerabilities that are more significant. Typically, a full system analysis will identify vulnerabilities that are exploitable by employees, contractors (such as janitorial staff), customers (either walk-in or on-line), and outsiders. Our experience tells us that software developers who have left thoughtless vulnerabilities exposed to the public have generally given similarly little thought to the structure and operations of their internal domains, compared with developers whose exterior exposure is seamless.

Recommendations:

It is clear that the knowledgeable user should be on guard against the abuse of cookies when visiting these Convio-hosted sites. This is particularly true when entering any individually identifiable or financial information into a web site form. The average internet user should not trust the system administrators of the visited sites to protect their information. Be careful of sites that are not careful in their use of cookies to manage your information.

When visiting an internet site where personally identifiable information will be submitted, and the site is suspect in its use of cookies, the knowledgeable user should not accept cookies and should not enter such information with any type of cookie in effect, such as we discovered with Convio's clients' web sites. For all other internet activity, the knowledgeable user should use cookies with care. We recognize that some web sites are designed so that they will not operate properly without cookies, and for such sites we recommend that the average user take care to make sure the vendor exercises proper discretion. More advanced users might choose to accept only cookies that last for the immediate session, i.e., "session cookies." If you do not know how to set your browser to manage cookies in this way, you should talk to the technical support team at your Internet Service Provider, or a technical expert.

The foregoing does not, of course, excuse responsible system administrators from exerting every effort to think of all the potential compromises of their site and then develop and implement systems to protect this information. As a very specific example, cookies should not be used to automatically fill in information for unauthenticated internet site visitors. Proper and rigorous management of cookies also should become standard operating procedure for all internet providers.

However, the entire foundation of the World Wide Web protocol is that it allows nontechnical people to use the internet. The many other protocols that traverse the internet (e.g., email, File Transfer Protocol (ftp), Wide Area Information Service (WAIS), et cetera) require some technical sophistication, or technically sophisticated software, to use properly and safely. They are not generally designed for the nonprofessional. The World Wide Web was designed specifically to bring the nonprofessional to the internet, with graphics, sound, and a visually interesting interface. It is unreasonable to expect the average web user to be technically sophisticated. It is particularly unreasonable to expect children to properly and rigorously manage cookies on their own behalf. While children may be naive, consider that even adults generally exhibit some "expectation of privacy" at such sites and will themselves fill in a form in its entirety.

Therefore, our most important recommendation is to the system administrators of web-hosting providers. It is unsafe to program a web site that fills in a form, using cookies obtained from a previous visit, when the identity of the present user has not been verified by a robust identification method, or at least by basic password authentication. This should be corrected immediately. No user should enter any personal information into such a site.
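The two recommendations made above, that users accept only session cookies and that sites never prefill forms from cookies for unauthenticated visitors, as an added example that is not code from the original report or from any of the firms it names. It assumes a Node.js-style server that sees Set-Cookie and Cookie headers as strings; the cookie names `donor_info` and `sid`, the `sessions` store and every value are constructed for illustration.

```javascript
// Added example, not from the original report or any firm it names; all cookie
// values are constructed. Weak pattern (PII kept in a persistent cookie and used to
// prefill forms for whoever is at the keyboard) beside a hardened one.

// Parse one Set-Cookie response header into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Parse a request Cookie header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const pairs = header.split(";").map((s) => s.trim()).filter(Boolean);
  return new Map(pairs.map((s) => [s.slice(0, s.indexOf("=")), s.slice(s.indexOf("=") + 1)]));
}

// Expires or Max-Age makes a cookie persistent; without them the browser discards
// it on close (the "session cookies" the report recommends accepting).
function isPersistent(cookie) {
  return "expires" in cookie.attrs || "max-age" in cookie.attrs;
}

// Field names that suggest personal data is being carried inside the cookie itself.
const PII_KEYS = ["name", "address", "email", "phone", "school", "card"];

// Audit a Set-Cookie header as a reviewer of a donation site would: does it hold
// PII, will it outlive the session, can page scripts read it, is it TLS-only?
function auditCookie(header) {
  const c = parseSetCookie(header);
  const value = decodeURIComponent(c.value).toLowerCase();
  const findings = [];
  if (PII_KEYS.some((k) => value.includes(k + "="))) {
    findings.push("pii-stored-in-cookie");
    if (isPersistent(c)) findings.push("pii-survives-browser-close");
  }
  if (!c.attrs.httponly) findings.push("readable-by-script");
  if (!c.attrs.secure) findings.push("sent-over-plaintext");
  return { name: c.name, persistent: isPersistent(c), findings };
}
// Weak: prefill straight from the profile cookie, with no check on who is present.
function weakPrefill(cookies) {
  const raw = cookies.get("donor_info");
  return raw ? Object.fromEntries(new URLSearchParams(decodeURIComponent(raw))) : null;
}
// Hardened: the only cookie is an opaque session id; the profile lives server-side
// (`sessions` stands in for that store) and is released only once authenticated.
function hardenedPrefill(cookies, sessions) {
  const session = sessions.get(cookies.get("sid"));
  return session && session.authenticated ? session.profile : null;
}
// Constructed sample headers: the weak profile cookie, then the corrected one.
const WEAK_COOKIE = "donor_info=name%3DJane%20Doe%26school%3DElm%20St.%20Elementary; Max-Age=31536000; Path=/";
const HARDENED_COOKIE = "sid=c0nstructedOpaqueSessionId; Path=/; Secure; HttpOnly; SameSite=Strict";
```

Running `auditCookie` over a site's Set-Cookie headers is the check a reviewer can make from outside, without any privileged access; `hardenedPrefill` shows the server-side gate the report asks hosting providers to adopt.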

It is our recommendation to the end-user (or parents of an end-user) that they exercise caution with web sites that appear to use such cookie-based architecture to retain any personal and/or financial information.

As a service to the web users, the nonprofit industry, and these companies, we forwarded each of the four companies our findings to provide them an opportunity to make any changes they felt appropriate. You, as a user, will be the one to decide if their action is sufficient. Visit their sites and see for yourself.

It is our hope that this crucial and important use of the public internet will become safer and more worthy of the trust of the well-intentioned user through our efforts. Solid security for the nontechnical user and for children in particular requires constant vigilance on the part of all of the internet community.
COPYRIGHT 2005 Business Wire

Publication:Business Wire
Date:Mar 8, 2005