Web Security, Privacy and Commerce, 2nd Edition

The World Wide Web has changed our world. More than half the people in the United States now use the Web on a regular basis. We use it to read today's news, to check tomorrow's weather, and to search for events that have happened in the distant past. And increasingly, the Web is the focus of the 21st century economy. Whether it's the purchase of a $50 radio or the consummation of a $5 million business-to-business transaction, the Web is where the action is.

But the Web is not without its risks. Hand-in-hand with stories of the Internet's gold rush are constant reminders that the 21st century Internet has all the safety and security of the U.S. Wild West of the 1860s. Consider:

• In February 2000, web sites belonging to Yahoo, Buy.com, Amazon.com, CNN, E*Trade, and others were shut down for hours, the result of a massive coordinated attack launched simultaneously from thousands of different computers. Although most of the sites were back up within hours, the attacks were quite costly. Yahoo, for instance, claimed to have lost more than a million dollars per minute in advertising revenue during the attack.

• In December 1999, an attacker identifying himself as a 19-year-old Russian named "Maxim" broke into the CDUniverse web store operated by eUniverse Inc. and copied more than 300,000 credit card numbers. Maxim then sent a fax to eUniverse threatening to post the stolen credit cards on the Internet if the store didn't pay him $100,000.^[1] On December 25, when the company refused to bow to the blackmail attack, Maxim posted more than 25,000 of the numbers on the hacker web site "Maxus Credit Card Pipeline."^[2] This led to instances of credit card fraud and abuse. Many of those credit card numbers were then canceled by the issuing banks, causing inconvenience to the legitimate holders of those cards.^[3] Similar break-ins and credit card thefts that year affected RealNames,^[4] CreditCards.com, EggHead.Com, and many other corporations.

  ^[1] http://www.wired.com/news/technology/0,1282,33539,00.html

  ^[2] http://www.cnn.com/2000/TECH/computing/01/10/credit.card.crack.2/

  ^[3] Including one of the authors of this book.

  ^[4] http://www.thestandard.com/article/display/0,1151,9743,00.html

• In October 2000, a student at Harvard University discovered that he could view the names, addresses, and phone numbers of thousands of Buy.com's customers by simply modifying a URL that the company sent to customers seeking to return merchandise. "This blatant disregard for security seems pretty inexcusable," the student, Ben Edelman, told Wired News.^[5]

  ^[5] http://www.wired.com/news/technology/0,1282,39438,00.html

• Attacks on the Internet aren't only limited to e-commerce sites. A significant number of high-profile web sites have had their pages rewritten during attacks. Those attacked include the U.S. Department of Justice, the U.S. Central Intelligence Agency (see Figure P-1), the U.S. Air Force, UNICEF, and the New York Times. An archive of more than 325 hacked home pages is online at http://www.antionline.com/.

Attacks on web servers are not the only risks we face on the electronic frontier:

• On August 25, 2000, a fraudulent press release was uploaded to the computer of Internet Wire, an Internet news agency. The press release claimed to be from Emulex Corporation, a maker of computer hardware, and claimed that the company's chief executive officer had resigned and that the company would have to adjust its most recent quarterly earnings to reflect a loss, instead of a profit. The next morning, Emulex's share price plunged by more than 60%: within a few hours, the multi-billion-dollar company had lost roughly half its value. A few days later, authorities announced the Emulex caper had been pulled off by a single person an ex-employee of the online news service, who had made a profit of nearly $250,000 by selling Emulex stock short before the release was issued.

• Within hours of its release on May 4, 2000, a fast-moving computer worm called the "Love Bug" touched tens of millions of computers throughout the Internet and caused untold damage. Written in Microsoft Visual Basic Scripting Language (VBS), the worm was spread by people running the Microsoft Outlook email program. When executed, the worm would mail copies of itself to every email address in the victim's address book, then destroy every MP3 and JPEG file that it could locate on the victim's machine.

• A growing number of computer "worms" scan the victim's hard disk for Microsoft Word and Excel files. These files are infected and then sent by email to recipients in the victim's address book. Not only are infections potentially started more often, but confidential documents may be sent to inappropriate recipients.

The Web doesn't merely represent a threat for corporations. There are cyberstalkers, who use the Web to learn personal information and harass their victims. There are pedophiles, who start relationships with children and lure them away from home. Even users of apparently anonymous chat services aren't safe: In February 1999, the defense contracting giant Raytheon filed suit against 21 unnamed individuals who made disparaging comments about the company on one of Yahoo's online chat boards. Raytheon insisted that the 21 were current employees who had leaked confidential information; the company demanded that the Yahoo company reveal the identities behind the email addresses. Yahoo complied in May 1999. A few days later, Raytheon announced that four of the identified employees had "resigned," and the lawsuit was dropped.^[6]

^[6] http://www.netlitigation.com/netlitigation/cases/raytheon.html

Even using apparently "anonymous" services on the Web may jeopardize your privacy and personal information. A study of the 21 most visited health-related web sites on the Internet (prepared for the California HealthCare Foundation) discovered that personal information provided at many of the sites was being inadvertently leaked to third-parties, including advertisers. In many cases, these data transfers were in violation of the web sites' own stated privacy policies.^[7] A similar information leak, which sent the results of home mortgage calculations to the Internet advertising firm DoubleClick, was discovered on Intuit's Quicken.com personal finance site.^[8]

^[7] http://admin.chcf.org/documents/ehealth/privacywebreport.pdf

^[8] http://news.cnet.com/news/0-1007-200-1562341.html