A security lapse on the Web site of Auckland-based distributor Renaissance has provided a graphic reminder to companies moving into electronic commerce -- make sure security measures are watertight. The hole, which had probably existed since late last year, allowed any Renaissance customer to gain access to other customers' records.
Ironically, the news comes only a week after 29 companies partaking in the Computerworld 1000 Survey said they felt their systems were secure.
The hole was discovered by a Renaissance dealer, who says before it was plugged, users of the site could access, read and print any invoice of any Renaissance customer simply by changing a number at the end of the URL. "Renaissance prides itself on its e-commerce system, but security isn't a strong point on its site. If you want to find out what your competition is paying for iMacs or any other product, the door is wide open," says the dealer, who doesn't want to be identified.
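The flaw the dealer describes, where the only thing deciding which invoice is served is the number in the URL, is what is now called an insecure direct object reference. The following added example (not Renaissance's code, and with constructed dealer names and invoice numbers) shows that lookup pattern beside a hardened version that makes the logged-in customer's identity part of the lookup and records every refused request so a monitoring system has something to alert on:

```python
import re
from typing import Optional

# Constructed sample data. Invoice numbers are sequential, as the article
# implies, so a neighbouring number is trivial to guess from one's own invoice.
INVOICES = {
    1001: {"customer": "dealer-a", "item": "iMac", "total": 1299.00},
    1002: {"customer": "dealer-b", "item": "iMac", "total": 1249.00},
    1003: {"customer": "dealer-a", "item": "Printer", "total": 349.00},
}

# Audit trail of refused lookups. A site that only has a firewall and no
# monitoring would never see these; a session that accumulates many of them
# is exactly the signal an operator wants to alert on.
DENIED_LOG: list[dict] = []

ROUTE = re.compile(r"^/invoices/(\d+)$")  # hypothetical URL layout


def get_invoice_unsafe(session_customer: str, invoice_id: int) -> Optional[dict]:
    """The pattern described in the article: the number from the URL is the
    only input that selects the record, so the logged-in customer's identity
    never enters into the decision and any invoice can be read."""
    return INVOICES.get(invoice_id)


def get_invoice_safe(session_customer: str, invoice_id: int) -> Optional[dict]:
    """Hardened form: the server-side session identity is part of the lookup.
    An invoice belonging to another customer is treated exactly like one that
    does not exist, and every refusal is written to the audit log."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["customer"] != session_customer:
        DENIED_LOG.append({"customer": session_customer, "invoice_id": invoice_id})
        return None
    return inv


def handle_request(session_customer: str, path: str) -> tuple[int, Optional[dict]]:
    """Hypothetical request handler built on the safe lookup. It answers 404
    for both 'no such invoice' and 'not your invoice', so the response does
    not confirm which numbers are in use."""
    m = ROUTE.match(path)
    if not m:
        return 404, None
    inv = get_invoice_safe(session_customer, int(m.group(1)))
    return (200, inv) if inv is not None else (404, None)


def count_denials(session_customer: str) -> int:
    """Number of refused lookups attributed to one session's customer."""
    return sum(1 for d in DENIED_LOG if d["customer"] == session_customer)


if __name__ == "__main__":
    # dealer-a reads its own invoice, then tries the next number along.
    print(handle_request("dealer-a", "/invoices/1001"))  # 200 and the record
    print(handle_request("dealer-a", "/invoices/1002"))  # 404, refusal logged
    print("denials for dealer-a:", count_denials("dealer-a"))
```

The design point is that authorisation is a property of the lookup, not a check bolted on afterwards: the query itself is "this customer's invoice with this number", so there is no code path that can return someone else's record.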
Renaissance wasn't aware of the problem until Reseller News brought it to the company's attention last week. Renaissance operations manager John Hayson says it has now been fixed.
Hayson doesn't know how long the security hole existed, but says it could have been there from late last year, when customers gained the ability to access their invoices from the site.
"Nobody pointed it out to me until you did, so we weren't aware of it at all," he says. "Security on the Internet remains our paramount concern and we try our best to provide the best security, but when something as new as e-commerce is launched, there are bound to be some problems."
He points out that any customer who did manage to access another customer's information wouldn't have been able to do so accidentally. "It had to be intentional because he or she would need to have a high level of understanding of the browser," he says.
However, the dealer who alerted Reseller News to the security lapse says its discovery was accidental and that he had no intention to expose private or sensitive information.
Wellington-based reseller Graham Chiu, of CompKarori, who launched an attack on distributor Web sites last year saying they were too slow, says the Renaissance lapse calls into question the security of sensitive information like credit card details. "Also, this is new and we don't have robust enough technology nor the level of expertise for security needed for e-commerce," Chiu says.
Dan Morrison, a senior Internet programmer with Web developers Helios Communications, says that hacking into a site is always possible for those who know what they're doing.
"A firewall is good for restricting access to a Web site, but security problems may not necessarily originate from unwanted or uninvited visitors," he said.
"Once people have access to an intranet, it can be relatively simple for them to move throughout the whole system. One solution is to uniquely identify each user's PC when they start a session and to check that all subsequent requests from that session come from the same PC. This is done by using an IP number valid for that session only. A fully encrypted secure server will usually handle this automatically," Morrison added.
Shayne Bates, managing director of electronic security firm SP Bates & Associates, says, "When a security breach occurs on a site, the site owner is usually unaware that it's happened." He says people are busy putting in firewalls but they don't put monitoring systems into place.
Axon ComputerTime managing director Matt Kenealy is directly critical of the Renaissance site, saying Axon decided not to use the site because it didn't feel it was sound. "We had to reject it because at the time we didn't feel the site was good enough for what we wanted," says Kenealy.
Bill Armour, Wellington-based chief financial officer of ComputerLand, is similarly unimpressed, saying it would be a major concern if the integrity of his company's information was compromised.
According to Eagle Technology financial controller Nigel Dearns: "I would be very concerned if our company's information was compromised in any way."
Daven Naidu, managing director of Auckland-based Logical Systems, says if Renaissance wants resellers to do business with it online, it should provide them with complete security.