[ISN] Web sites get costly lesson in security

InfoSec News isn at c4i.org
Wed May 18 03:11:54 EDT 2005


http://www.asahi.com/english/Herald-asahi/TKY200505180108.html

The Asahi Shimbun
05/18/2005

A hacker attack that shut down the nation's top price comparison Web
site was a harsh and expensive lesson on the vulnerability of Internet
businesses.

Kakaku.com Inc. announced Monday that unlawful access to its computer
system forced it to close its Web site on Saturday.

The company found alterations in its programs and a virus that might
have been passed to some users' computers.

The online operator will lose about 40 million yen in revenue before
it replaces its server computers and restarts site operations next
Monday.

It projects 2 billion yen in sales for the year ended March.

Almost all of the company's revenue comes from its Web business in the
form of commissions paid by retailers that have their price lists
posted on the site.

The company compiles the price data and lists prices of specific
products and services so shoppers can easily find the best bargains.

The site covers products and services in 22 sectors, such as digital
home appliances, personal computers, insurance policies and rates for
telecommunication lines.

The shutdown has worrisome ramifications for the entire Internet
industry.

``If our Web site is suspended, it is the same as losing our head
office and all branches to a fire,'' an official of an online business
said.

Security measures are sometimes complex. At Yahoo Japan Corp.,
operator of the nation's largest portal Yahoo! Japan, no single
engineer can access all of the site's code. By limiting access even to
its own personnel, the company hopes to prevent damage to the whole
site by a hacker impersonating an authorized programmer.

An official at Internet Security Systems K.K. said some online
businesses do not expend adequate resources to ensure security because
they are continually enhancing their sites to accommodate growth.

Therefore, too little attention is given to detecting unauthorized
access.

Domestic sales of access detection products and services in fiscal
2005 are expected to be about 3 billion yen, far lower than the 40
billion yen in sales of anti-virus software.

In April, anti-Japan messages were uploaded to the Web site of a
Chinese unit of Sony Corp.

Square Enix Co., which operates the online video game Final Fantasy
XI, faced a cyber attack on the computer system and was forced to
temporarily suspend operation of the online service.

The Information-technology Promotion Agency has annually received
400-600 reports of unauthorized accesses at sites operated by
individuals and companies over the past few years.

In 2004, there were 594 reports, about 40 percent more than in 2003.  
Of those unauthorized accesses, 72 resulted in substantial damage,
including alteration of the site in 15 cases and falsification of
files in 21 cases, according to the independent administrative agency.

Kakaku.com said client users who accessed its site from Wednesday to
Saturday may have been infected with computer viruses.

The company has set up a Web site to inform users of the situation and
to provide information on countermeasures against the virus.

The virus infection surfaced on Wednesday when the company received an
e-mail message from a user reporting a virus warning that appeared
during legitimate access to the site.

About the same time, a company official detected tampering with the
site's programs.

The company also found that someone had illegally accessed data on
customers' e-mail addresses.

The site operator filed a complaint with the Tokyo Metropolitan Police
Department.




