[March 07, 2005]
An Alert for the Nonprofit Industry: Management 2000 Inc. Issues First Report in Series to Assist Internet Users in Their Need for Protection
BURBANK, Calif. --(Business Wire)-- March 7, 2005 -- Management 2000 Inc.:
Introduction:
As the Information Security Division ("M2000/IS") of Management 2000 Inc., we help organizations manage and protect their information assets and IT Systems on a 24/7 basis. An enormously effective tool in that task is education via simple consumer-based threat and vulnerability overviews provided to organizations on their own systems. Educated organizations and consumers are much safer users and, as such, are truly the front line in the battle to protect their own or others' information.
To assist organizations and consumers with their need for protection, and in part as a response to recent newsworthy events of identity theft and information leakage from firms dealing with the public, M2000/IS is preparing a three-part series addressing three crucial, and often overlooked, industries.
This first report is provided below and looks at internet web sites that may have a large potential for use by malicious predators; specifically, sites that (1) attract visits from children or (2) handle financial transactions on-line. The intersection of these two groups of web sites is often nonprofit organizations, where opportunities to garner donations are expected and where the content, in one way or another, holds particular interest for young web surfers, the most vulnerable of users. From time to time, we are asked by organizations, in a variety of industries, to review the security of their sites. We are aware that our findings are more relevant when we examine multiple sites in the same industry as a comparison.
Our first article addresses the nonprofit industry. Our second article will focus on the independent insurance broker industry while the third and last report in our series will detail information security issues in our vast College and University systems.
This investigation, and the subsequent two yet to be written, will adopt the perspective of the basic, nontechnical user. Of course, at no time do we go beyond public access expected by the web site owner or any technical barriers to electronic trespass -- we are seeking to bring to light only the most obvious vulnerabilities at each of these web sites.
Report on Web Hosting Providers for the Nonprofit Industry:
In our vulnerability-based investigation of web sites, we found that the most critical common denominator is, perhaps not surprisingly, the company that "hosts" the web site. Typically, a nonprofit organization will choose not to maintain the technical expertise on-staff for internet interfaces, but will contract with a web development and hosting firm to build and maintain the web site. These web sites are crucial to the operation of the organization as they represent on-line the mission of the organization and are used for fundraising and advertising of other fundraising events.
Of particular interest, of course, are those sites that attract children and may extract from them certain personally identifiable information, and also sites that accept donations directly, since personally identifiable contact and financial information crosses the potentially open infrastructure of the internet in these cases. We chose, therefore, to focus our investigation on sites that meet both criteria simultaneously.
The Process:
Based on our survey of literature, and searches on various web search engines, we found a number of internet hosting providers that concentrate on nonprofit organizations. The most interesting of these for our investigations, based on size, web prevalence, and the profile of the client base, in alphabetical order, were: Convio (www.convio.com), eTapestry (www.etapestry.com), GetActive (www.getactive.com), and Kintera (www.kintera.com).
Our concern, in each case, is not primarily how funds and information are handled internally by the organization, since that would require adopting an insider's look at the information systems, but rather, we sought to answer the question, "Are there inherent, obvious risks in how these web sites are designed and/or used?"
Our approach to each of the nonprofits' web sites was quite open. We sought to emulate the average, nontechnical user. We allowed scripts to run and we accepted all proffered cookies. As the investigation proceeded, of course, we returned to each of the sites and managed these resources in a controlled manner to see how each of these technical capabilities was being used.
We performed the identical tasks on all four hosting firms. Using web search engines and other internet tools, we selected a representative sample of their clients to investigate. We visited each client web site and did a user-level analysis of how we might compromise nonprofit organization, donor, or user information from each of the sites (without actually doing so, of course!). We emphasize that we did not violate any computer systems during this investigation, as that would require permission and cooperation from the nonprofit organization or hosting provider companies. We simply used publicly available information at each of the sites to point toward known vulnerabilities for potential compromise.
The Results:
In this first phase of our examination, we found that all of the sites presented a professional appearance, and most appeared to function using standard HTML code and scripts, written to professional standards. However, we did identify one particular operational convention that was of concern for the security of the users of the Convio-hosted sites. The following is the result of our user-based, web site review:

Web Hosting Firm   Web Address          Results
Convio             www.convio.com       Cookie-captured data accessible in certain public environments
eTapestry          www.etapestry.com    No negative issues uncovered
GetActive          www.getactive.com    No negative issues uncovered
Kintera            www.kintera.com      No negative issues uncovered
The results suggest that the industry as a whole does a good job of protecting information. Remember, we did not perform an in-depth vulnerability analysis but rather a top-layer review so that we would not require approval from the organizations themselves. Let's now focus on the one company (Convio) that did have an issue.
Here is what we found. Presumably as a help to eliminate retyping of information, Convio's web sites used previously placed cookies to automatically fill in the users' information in forms of all types. This information was often even shared with related sites and their forms. While this is undoubtedly a small assistance to the average user who returns to the site to transact further business, there is no user authentication to ensure that the user at the keyboard on the return visit is, in fact, the individual whose information is being automatically displayed. For example, if a child enters his or her name, address, or school, a subsequent user (a potential pedophile, for example) would be able to discover this information simply by logging on to the same site.
If the user is visiting these Convio-hosted sites from her or his home or privately held business computer, this may not be a problem (unless a co-worker drops by while they are out on an errand). But if access is obtained from a publicly available internet location (in say, a school, a library, an Internet Cafe, an airport, or a kiosk), and the cookie is instantiated, the next visitor to that web site, using that computer, will see all of the previous user's information. In the case of children, this security flaw is of extreme concern, since pedophiles will often stalk their prey for some period of time, and use such low-level tactics to gain information that will allow them to gain the trust of, or an advantage over, their relatively naive victim.
We must point out that, although this was a relatively high-level investigation, it is only reasonable to infer that if operational vulnerabilities such as these exist at the first-phase investigation level, then a deeper investigation might well uncover vulnerabilities that are more significant. Typically, a full system analysis will identify vulnerabilities that are exploitable by employees, contractors (such as janitorial staff), customers (either walk-in or on-line), and outsiders. Our experience tells us that software developers who have left thoughtless vulnerabilities exposed to the public domain have given similarly little thought to the structure and operations of their internal domains, compared with software developers whose exterior exposure is seamless.
Recommendations:
It is clear that the knowledgeable user should be on guard against the abuse of cookies when visiting these Convio-hosted sites. This is particularly true when entering any individually identifiable or financial information into a web site form. The average internet user should not trust the system administrators of the visited sites to protect their information. Be careful of sites that are not careful in their use of cookies to manage your information.
When visiting an internet site where personally identifiable information will be submitted, and the site is suspect in its use of cookies, the knowledgeable user should not accept cookies and should not enter such information with any type of cookie in effect, such as we discovered with Convio's clients' web sites. For all other internet activity, the knowledgeable user should use cookies with care. We recognize that some web sites are designed so that they will not operate properly without cookies, and for such sites, we recommend that the average user take caution to make sure the vendor exercises proper discretion. More advanced users might choose to accept only cookies that last for the immediate session, i.e., "session cookies." If you do not know how to set your browser to manage cookies in this way, you should talk to the technical support team at your Internet Service Provider, or a technical expert.
The foregoing does not, of course, excuse responsible system administrators from exerting every effort to think of all the potential compromises of their site and then develop and implement systems to protect this information. As a very specific example, cookies should not be used to automatically fill in information for unauthenticated internet site visitors. Proper and rigorous management of cookies also should become standard operating procedure for all internet providers.
However, the entire foundation of the World Wide Web protocol is that it allows nontechnical people to use the internet. The many other protocols that traverse the internet (e.g., email, File Transfer Protocol (ftp), Wide Area Information Service (WAIS), et cetera) require some technical sophistication, or technically sophisticated software, to use properly and safely. They are not generally designed for the nonprofessional. The World Wide Web was designed specifically to bring the nonprofessional to the internet, with graphics, sound, and a visually interesting interface. It is unreasonable to expect the average web user to be technically sophisticated. It is particularly unreasonable to expect children to properly and rigorously manage cookies on their own behalf. While children may be naive, consider that even adults generally exhibit some "expectation of privacy" at such sites and will themselves fill in a form in its entirety.
Therefore, our most important recommendation is to the system administrators of web-hosting providers. It is unsafe to program a web site that fills in a form, using cookies obtained from a previous visit, when the identity of the present user has not been verified by a robust identification method, or at least by a basic password authentication. This should be corrected immediately. No user should enter any personal information into such a site.
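As an added illustration for this edition (constructed here; it is not material from the report, nor code from Convio or any other hosting provider), the following JavaScript contrasts the cookie-prefill pattern described in the findings above with the design these recommendations call for, and includes the "session cookie" check suggested for advanced users. The cookie names (`donor`, `sid`), the `name|address|school` layout of the weak cookie, the in-memory session store, and the sample visitor data are all assumptions made for the example.

```javascript
// Added example, not from the report or any hosting provider's code.
// Cookie names, field layout, session store and sample values are assumptions.

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// WEAK (the pattern the report describes): personal data is kept in a
// persistent cookie and echoed into the form for whoever sits at the keyboard
// next, with no check of who that is. Assumed layout: donor=name|address|school.
function weakPrefill(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  if (!jar.donor) return {};
  const [name = '', address = '', school = ''] = jar.donor.split('|');
  return { name, address, school };
}

// HARDENED (the report's recommendation): the cookie carries only an opaque
// session id; personal data stays server-side and is released to the form only
// when that session has actually authenticated (e.g. by password).
function safePrefill(cookieHeader, sessionStore) {
  const jar = parseCookieHeader(cookieHeader);
  const session = jar.sid ? sessionStore.get(jar.sid) : undefined;
  if (!session || !session.authenticated) return {};
  return { ...session.profile };
}

// Set-Cookie value for the hardened design: no Expires/Max-Age, so the browser
// discards it when the browsing session ends (a "session cookie"); Secure keeps
// it off clear-text connections, HttpOnly keeps it away from page scripts.
function buildSessionCookie(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// The check an advanced user (or a browser policy) applies to a Set-Cookie
// header: a cookie carrying Expires or Max-Age outlives the session and will
// still be present for the next person at a shared computer.
function isSessionCookie(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map(a => a.trim().toLowerCase());
  return !attrs.some(a => a.startsWith('expires=') || a.startsWith('max-age='));
}

// Constructed sample: a persistent cookie left behind on a shared computer by a
// previous visitor, and a server-side store with one anonymous and one
// authenticated session.
const LEFTOVER_COOKIE = 'donor=Jane%20Doe%7C12%20Elm%20St%7CLincoln%20Elementary; theme=blue';
const sessionStore = new Map([
  ['s-anon', { authenticated: false, profile: { name: 'Jane Doe' } }],
  ['s-auth', { authenticated: true, profile: { name: 'Jane Doe', address: '12 Elm St' } }],
]);

console.log('weak prefill for the next visitor:', weakPrefill(LEFTOVER_COOKIE));
console.log('hardened prefill, no session:', safePrefill(LEFTOVER_COOKIE, sessionStore));
console.log('hardened prefill, authenticated:', safePrefill('sid=s-auth', sessionStore));
console.log('hardened cookie is session-only:', isSessionCookie(buildSessionCookie('s-auth')));
```

The weak path returns the previous visitor's name, address and school to anyone presenting the leftover cookie; the hardened path returns nothing for that cookie, nothing for an anonymous session, and the stored profile only for an authenticated one.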
It is our recommendation to the end-user (or parents of an end-user) that they exercise caution with web sites that appear to use such cookie-based architecture to retain any personal and/or financial information.
As a service to the web users, the nonprofit industry, and these companies, we forwarded each of the four companies our findings to provide them an opportunity to make any changes they felt appropriate. You, as a user, will be the one to decide if their action is sufficient. Visit their sites and see for yourself.
It is our hope that this crucial and important use of the public internet will become safer and more worthy of the trust of the well-intentioned user through our efforts. Solid security for the nontechnical user and for children in particular requires constant vigilance on the part of all of the internet community.