Computer Knowledge Newsletter – August 1997 Issue

In This Issue:

Virus News

No major virus alerts or hoaxes reported this past month. Some will worry about the Hare virus in September, but it will be mostly hype. One expert says that your chance of seeing the Hare virus is about as good as winning a state lottery with one ticket. Just use any good anti-virus program and ignore the hype.

General Security

You are going to start hearing a lot about technology called “push” if you have not already. Push is supposed to make the internet easier for you by feeding you content based on your desires. This saves you the need to go out and find the news; it will come to you. Just fill out a profile and sit back. PointCast was one of the first push sites and now contains a number of channels you can subscribe to (it’s much like TV). The newest updates of the big two browsers will have push technology built into them, and both Netscape and Microsoft have contracted with multiple providers.

Push isn’t bad. The main problem is that it isn’t any sort of standard. Indeed, most push techniques are hacks of current limited HTML technology with all its flaws. JavaScript and other techniques are used to basically request periodic updates from the server providing the feed. So, basically, in order to receive push material you have to activate those features on your browser–and it’s those features that still have security problems. Keep that in mind when you consider a push source.

Are you the manager of a small or mid-sized network? Secure Computing reports that many companies with small and medium-sized networks “have yet to implement network security solutions.” And, many of these networks are connected to the internet, making them extremely vulnerable. The problem is that most of these networks are managed by non-professional staff and original defaults installed by the maker of the the network software have rarely been changed. Further, security upgrades are often either ignored or not even known about. Two thirds of these networks don’t use any kind of firewall. If you fall into this category, you might want to consider taking another look at your network security.

And, to show you that even the whole internet is vulnerable to rather simple problems, at 2:30am (Eastern) on 17 July an operator keyboard error created a partial blackout of the entire internet, some of which lasted up to 36 hours. Mail was interrupted; some even lost. The problem started when a Network Solutions operator released improperly formatted internet lookup tables for the .COM and .NET domains. While found relatively soon, the bad table had propagated across the internet and the problem could not be resolved until a new table with correct information also propagated across the internet to replace the bad one. At the height of the problem something like 40% of the E-mail bounced or simply went into the bit bucket, never to be seen again. The day before a major fiber cable was cut in Los Angeles and a major power outage took down much of the MAE West internet exchange point for a short time; both causing slow (or no) access for a period. Mid-July was not a good time for the internet.

Yet another bug related to Java and Microsoft has reared its head. Java is supposed to establish a “sandbox” for running applets downloaded from web sites (the sandbox metaphor is used because applets can do what they want within the box but not get outside of it). Apparently, there is a bug in the Microsoft Java Virtual Machines for Windows 3.1, Windows 95, and NT. Under special conditions it seems that a Java applet running in Internet Explorer could access a different internet connection than the one the applet came from and write to your local hard disk (a no-no under Java rules). Microsoft acknowledges the problem but says it only occurs with image files. Other researchers are not so certain. While Microsoft sorts things out, standard caveats apply: turn off all the extra stuff unless you are specifically at a site you know you can trust.

Several newspapers report that subscribers of America Online recently received E-mail apparently from AOL’s chief of Member Services, entitled “Important AOL Information.” The letter is supposed to have given an update on AOL’s efforts to improve its service. At the end was a URL to a letter from AOL Chairman Steve Case, in which readers were asked to give their name, address, home phone, and credit-card number to update AOL’s new computers. As you might expect the link went to a cracker’s database. Bottom line: NEVER give your credit card number (or other important information) to anyone who asks for it if you have not initiated the call or link.

General Information

Last month we talked a bit about hate groups. Early this month, in Germany, a law banning neo-Nazi information and sexually explicit information went into effect. The law penalizes any organization making such material available and any provider that allows it to exist on their system or pass through their system, even if the material originated outside of Germany. It should be interesting to watch this progress.

Year 2000 problems continue to make the news, but as a sign of things to come C|Net has reported that the first lawsuit over problems caused by software not working beyond 1999 has been filed: “Mark Yarsike and Sam Katz, owners of Produce Palace International in Warren, Michigan, said they are tired of losing business due to the problem, and have filed a lawsuit against cash register maker Tec-America and its local service vendor, All American Cash Register Incorporated, seeking $10,000, plus damages, interest, costs, and attorney’s fees. The problem, according to Yarsike and Katz, is that their cash registers cannot recognize the year 2000 as a valid credit card expiration date. They said that between April 30, 1996 and May 6, 1997 their registers crashed 105 times when they attempted to ring up sales billed to credit cards expiring in 2000.”

The credit reporting bureau Experian (formerly TRW Information Systems & Services) started an experiment in selling credit reports over the web. For a fee plus enough private information to identify you the company was willing to make your credit report available to you over a secure internet connection. But, when Experian employees (mostly) started to access the system they suddenly started to get other people’s credit reports. Needless to say, the site was shut down the next day. (Other, less public agencies have been selling such reports over the web and continue to do so.)