The inadequate security on sites run by many Application Service Providers (ASPs) leaves their customers' confidential data wide open to attack.
Acting on a tip-off, Network News and experts in VNU's European Labs investigated a variety of large and small ASPs that claimed to be secure. Although we are unable to name sites due to legal restrictions, we confirmed that on a high proportion of sites a hacker could easily bypass poorly configured security settings to bring up a Windows start menu. From here it would be possible to call up data files, access REGEDIT or upload viruses.
These ASPs, which act as hosts providing 'apps on tap' for companies that don't want to manage their own software, used Microsoft NT Windows Terminal Server Edition, Citrix MetaFrame or WinFrame.
Vicky Reddington, technical marketing manager of Citrix, said that ASPs could bolt down security if they configured Citrix or Microsoft software correctly. "Users can be restricted to use published applications only, so they can't go to explore or the command prompt," she said.
Deri Jones, managing director of security tester NTA Monitor, said ASPs setting up demos with inadequate security was a common and growing problem.
"People set up demo sites outside the firewall which can be breached. Vulnerable boxes can be controlled and used as a bridgehead into the network," he said.
Ex-hacker turned Tiger Security consultant, Mathew Bevan, said the growing number of ASPs effectively made hacking easier: "Kiddies will have a go at ASPs, because hacking them doesn't involve C programming or shell commands," he said.
IDC predicts the ASP market will be worth $5bn by 2003.
For more stories see this week's issue of Network News UK