[ISN] Weak security taints directory

From: InfoSec News (isnat_private)
Date: Tue Jun 19 2001 - 01:44:56 PDT


    [Not to encourage the masses, but I was able to register C4I.org rather
    easily through the Microsoft Passport side of the UDDI service and I
    should also note that the U.S.M.C. Department Headquarters C4I command
    is also listed by (hopefully) the U.S.M.C. - WK]

    June 18, 2001

    A major industry effort to build an online directory of Web services
    for business is riddled with embarrassing security problems that have
    marred its arrival.

    Last month's launch of the Universal Description, Discovery and
    Integration directory, a Yellow Pages-style directory that lets
    businesses register their Internet services and capabilities online,
    was intended to drive support for Web services (see story). But lax
    security by UDDI founders IBM and Microsoft Corp. has permitted the
    Web-based directory to be populated with fake firms, false links and
    uninformed participants.

    For example, "Loud Speakers Inc." is registered as a Mountain View,
    Calif.-based firm run by John McLoud, whose public speakers talk at a
    level higher than 100 decibels. The UDDI also describes Loud Speakers'
    Web service as juju beads for "warding off evil spirits." The company
    isn't listed with directory assistance and can't be found on the Web.

    As for bad links, the UDDI listing for Oracle Corp. links to a
    pornography site, not a Web service.

    "Microsoft is aware that security is an issue," said Darryl Plummer,
    an analyst at Stamford, Conn.-based Gartner Inc. "As you open things
    up, you open up the door for security holes. They're trying to come up
    to speed in a public forum, and if large controls were in place, it
    wouldn't take off."

    Microsoft officials said controls for vetting companies that register
    in the UDDI directory would be discussed at a private conference for
    the registry's adviser group in Atlanta this week.

    But beyond the challenge of vetting registrants, the sponsors of the
    UDDI directory also appear to be facing another problem: uninformed
    directory members.

    Markle Stuckey Hardesty & Bott is listed in the UDDI directory. But
    David Hardesty, vice president of the Larkspur, Calif.-based
    e-commerce accounting firm, said he has no idea what the directory is
    and has no plans to introduce Web services at his company.

    "I have no recollection of registering," said Hardesty. "We haven't
    used it, and we don't know anything about it, but that's not to say
    that we didn't sign up for it. There are lots of things out there on
    the Web, but you just can't remember everything."

    Bob Gill, owner of Shrimp Landing, a seafood wholesaler in Crystal
    River, Fla., said he agreed to register after responding to an e-mail
    solicitation from IBM.

    But Gill said he doesn't see himself using or offering Web services
    from the company's one-page Web site.

    "I'm sticking my neck into an area for which I know nothing about,"
    said Gill. "First, I need to get my site up and running. Then I'll
    think about it."

    It may take years before the UDDI has much impact, but its proponents
    will need to demonstrate that it has value to end-user companies and
    not just technology vendors, said Ted Schadler, an analyst at
    Cambridge, Mass.-based Forrester Research Inc.

    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 02:04:35 PDT