The scale was a bit of a surprise though - 40 US websites, along with some yet unrevealed number of non-US sites, had been broken into and information on more than a million credit cards was stolen. CNN pointed to an FBI advisory memo for the details. The memo is a bit terse, but reveals the break-ins have been going on for a while, have all been on Windows NT servers, and the perpetrators are not exploiting new security holes. They are using holes that Microsoft fixed as long ago as 1998!
It's bad enough that more and more websites are using the same software - it's almost as if there's a concerted effort to ensure that the maximum number of sites will be vulnerable when a new security hole is found.
It's even worse when the site operators cannot even keep the software up-to-date. In this case, Microsoft made the patches available for free.
Here are sites with tens or hundreds of thousands of customer records on their servers, many doing millions of dollars a year in e-commerce transactions, and they can't get around to applying free security fixes?
(You can find out if your site is one of the tardy ones by getting a soon-to-be-released, free scanning tool from The Center for Internet Security.)
Where have the security people at these sites been? Where have their auditors been? I've watched the Harvard internal auditors in action reviewing web servers, and one of the first things they do (after checking to be sure there are no accounts on the server that do not have passwords) is to verify that the software is fully up-to-date. It shouldn't take someone with a lot of clues to figure out that this should be done.
There seems to be empirical evidence that the number of clues in the world about any given topic is a constant and as the number of practitioners of that topic rises, the average clue density goes down. And e-commerce is a rather big thing these days.
If we cannot depend on the site operators having any idea how to run a website securely, what chance do we have? The only one I can think of is a court finding that website operators who commit these sorts of lapses (and their auditors who do not identify such lapses) should be legally liable for the cost of everyone recovering from their stupidity - along with substantial punitive damages.
Disclaimer: Harvard, an arms merchant for lawyers, has not expressed an opinion on this situation.
Bradner is a consultant with Harvard University's University Information Systems. Send email to Scott Bradner.