WWW Security News from Cypherpunks, WWW-Security, and TBTF

by Mary Ellen Zurko

This month's WWW security news comes from cypherpunks (via Robert Hettinga's reposting service), www-security, and tbtf (Tasty Tidbit from the Technology Front).

Students at Berkeley showed how they could patch NFS binaries to disable security in programs like Netscape. They pointed out that endpoint security (the security of desktop machines) is just as critical to Internet security as secure protocols for transmission.

Community ConneXion (http://www.c2.org/), an Internet ISP specializing in privacy, has added ecash and Java to its bounty list. They will provide a T-shirt to anyone who hacks the electronic cash system announced by Digicash bv and Mark Twain Bank (which, by the way, they also accept as payment for their services, offering a 5% discount for such payments). The Java promotion covers any implementation of Java (including Netscape's), as well as HotJava, Sun's Java-enabled browser. The Hack Java promotion was inspired by two bugs found in the alpha release of HotJava, one of which allowed applets to set the browser's proxy, thereby giving the adversary unlimited access to the browser's HTTP interactions. Digicash and Java join Netscape and Microsoft on C2's list. C2 is dedicated to enhancing the level of security available on the Internet through these promotions.

Mondex, which is producing stored-value smart cards for electronic commerce, is under fire. They have promoted this debit card as privacy friendly, anonymous, and cash-like. However, the project manager is quoted as saying that Mondex uses a full audit trail of all transactions. Promotional material claims this information is only available to the card holder. The complaint is at http://www.privacy.org/pi/activities/mondex/complaint.txt.

I was pleased to see someone on cypherpunks gush over "Network Security - PRIVATE Communication in a PUBLIC World" by Charlie Kaufman, Radia Perlman, and Mike Speciner, the way I do. It's a very well-written book, intuitive and lucid about all its topics, including cryptographic protocols.

DejaNews (http://dejanews.com) archives Usenet postings, and offers a "sophisticated system for retrieving 'author profiles' of the individuals who have posted messages." People who believe that it is an invasion of privacy are finally understanding what kind of information can be put together out of public postings.

With so much emphasis on confidentiality and authentication in Internet stories, it was good to see one with an emphasis on security auditing. Keith Dawson of tbtf posted a description of a Windows 95 security hole. He pointed out that machines connected full time to the Internet (without the protection of firewalls) are vulnerable to a feature that makes local drives available as network drives. Drives can be password-protected, but the combination of a lack of auditing and the fact that most humans don't choose passwords well shows that this feature offers little real security.

A bug in Netscape's second beta version of their LiveScript facility (their licensing of the Java technology) allowed an applet to send a list of all the URLs a browser had visited to any server that the same browser visits. Information sometimes stored in URLs includes the parameters to a search engine request.

Visa, Microsoft, and Spyglass announced a project to support credit card shopping on the World Wide Web, where Visa has agreed to cover losses if the software fails. I hope someone is transferring high-assurance software engineering techniques to this effort.