12 Mar 2001
Failure by systems administrators to make a basic change to vital encryption technology, or to keep their servers patched, may have left hundreds of websites vulnerable to cyber-criminals, according to IBM.
In February 1999 hackers discovered a specially formatted URL that could list all the accounts, and their encrypted passwords, of websites running certain IBM software, prompting IBM to issue a fix later that year. However, a posting to the security industry mailing list Bugtraq last month claimed the software's encryption key could be broken if left on the default setting.
Now, two hackers have posted code on the web that, used in tandem with the customised URL, busts open IBM's encryption and leaves every account on the targeted website wide open to abuse.
IBM confirmed the problem in a posting to Bugtraq on Thursday. The firm warned that websites running IBM's WebSphere Commerce Suite 4.1 and NetCommerce 3.2 are at risk if they have not installed patches made available last month.
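The problem described above combines two weaknesses: a disclosure flaw that exposes encrypted account passwords, and an encryption key left at the value it shipped with. The following Python pre-start audit is an added example, not IBM's code and not taken from the Bugtraq posting; it shows the kind of check a deployment can run so that a default key or reversible password storage stops the service before it goes live. The configuration keys (`merchant_key`, `password_storage`), the placeholder default key string and the policy thresholds are all assumptions, since the page does not give the product's real settings.

```python
import math
from collections import Counter

# Constructed placeholder standing in for whatever value a product ships with.
# The real default of the software discussed in the article is not on the page,
# so this string is hypothetical; in practice you load the vendor's documented
# default(s) here and compare against them.
KNOWN_DEFAULT_KEYS = {"CHANGE-ME-default-key"}

MIN_KEY_LENGTH = 16        # assumed policy minimum, in characters
MIN_BITS_PER_CHAR = 3.0    # assumed policy minimum Shannon entropy per character


def shannon_bits_per_char(value):
    """Shannon entropy of the character distribution, in bits per character."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def audit_key(key):
    """Return finding codes for an encryption key; an empty list means it passed."""
    findings = []
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("default_key")
    if len(key) < MIN_KEY_LENGTH:
        findings.append("short_key")
    if shannon_bits_per_char(key) < MIN_BITS_PER_CHAR:
        findings.append("low_entropy_key")
    return findings


def audit_config(cfg):
    """Audit a (hypothetical) service configuration before the service starts.

    'merchant_key' and 'password_storage' are assumed setting names, not the
    product's real ones.
    """
    findings = audit_key(cfg.get("merchant_key", ""))
    # Account passwords kept under a reversible cipher become plaintext the moment
    # the key is recovered; a salted, slow hash does not have that failure mode.
    if cfg.get("password_storage") != "salted_hash":
        findings.append("reversible_password_storage")
    return findings


def require_safe_config(cfg):
    """Refuse to start with a configuration that would repeat the failure above."""
    findings = audit_config(cfg)
    if findings:
        raise RuntimeError("unsafe configuration: " + ", ".join(findings))


# Constructed sample configurations: an install left on defaults, and a corrected one.
WEAK_CONFIG = {"merchant_key": "CHANGE-ME-default-key", "password_storage": "reversible"}
HARDENED_CONFIG = {"merchant_key": "q7F!mX2#pL9vR4@kW8zB", "password_storage": "salted_hash"}

if __name__ == "__main__":
    print("weak:", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
    require_safe_config(HARDENED_CONFIG)
```

The default-key comparison is the check that matters for the incident described; the length and entropy tests catch the related case of an administrator replacing the default with something trivially guessable, and the storage-mode test addresses the point that a recoverable key only does damage because the passwords were stored reversibly in the first place.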
However, security experts say it is wrong to simply blame system administrators, and that poor installation documentation and risk identification procedures may equally be at fault.
Neil Barrett, security consultant with Information Risk Management, commented: "This reads very like the Microsoft SQL blank password problem, where there is an issue regarding what the software actually does compared to how the installation documentation reads."
Barrett also said that although IBM was quick to release patches for its ecommerce software, installing them could be expensive.
He told vnunet.com: "IBM is very responsive to any problems with its ecommerce software, making patches available quickly. However, these patches often require a reboot to install, thus resulting in costly service disruption as usually this type of software is mission critical to a busy website.
"Administrators, who after all are being paid to ensure the system runs as efficiently as possible, may decide to wait for the next scheduled maintenance period to install the patches. This leaves a window of opportunity for the more competent hackers, not script kiddies, to exploit the issue.
"My personal opinion is that IT security staff should be brought into the decision making loop to help identify which patches need to be installed immediately and which can wait."