
A house of cards

Written by Anne Chen, Contributor
Are you ready to give up the convenience of ordering goods online for the security of your credit-card information?

After the recent announcement that more than 1 million credit cards have been stolen and more than 40 e-commerce sites have been victimized, you're probably wondering: Why haven't e-commerce organizations learned their lessons? Why are they still being victimized as a result of known vulnerabilities?

I'm not going to make excuses for security managers. There's simply no excuse for being broken into through a known, already-patched vulnerability. But the reason you keep hearing about these attacks is that most organizations can't keep up with the volume of patches Microsoft issues. They simply don't have enough people on site to track Microsoft's knowledge base. Every day there's some new patch, whether it's for a font problem or a macro glitch, and the one that matters is buried among the ones that don't.

Hey, I feel for these security managers. I can't even keep on top of changing the oil in my car, much less a daily bombardment of bugs that have to be patched on hundreds of Web servers. But a missed oil change is not as bad as a missed patch. It only takes one unpatched hole to open an entire database of credit card numbers to a persistent cracker.

The National Infrastructure Protection Center identified several vulnerabilities the attackers were taking advantage of. Microsoft has issued patches for nearly all of them, some as early as 1998. Left unpatched, these holes could let an attacker execute shell commands on an IIS system, access a SQL server and run commands through it, or run system commands on a Web server. None of these intrusions required a new technique; they required an administrator who hadn't applied a fix that had been available for months or years.

If a company takes e-commerce seriously, it should dedicate a few people to keeping track of all the patches in Microsoft's knowledge base. Sure, Microsoft should be selling software that will protect you. But come on, no product is perfect. And if you're unable or unwilling to spend the money to do this, maybe it's time to start thinking about open-source products like the Apache Web server. Just keep in mind that you're going to have to keep up with the patches for those products, too.

Don't be content with denial. Either be vigilant about online security or re-think your business model. If you can't do the former, then why are you even bothering to conduct online transactions?

As consumers, if you're concerned about the safety of your personal information and credit cards on Microsoft Web servers, you can take steps to protect yourself. Run a search on www.netcraft.com to see what Web server your vendor is using. A search on Amazon.com, one of the busiest e-commerce sites in the world, reveals that it's running Stronghold Web server 2.4.2 and Apache Web server 1.3.5 on Linux. Keep in mind that this tells you which product a site runs, not whether its patches are current. If you're comfortable with that, then order away. If you're not, get in your car and drive to a bookstore.
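Netcraft gets its answer from the Server banner a Web server sends with every response, and you can read that banner yourself. The following is an added example, not code from the column or from Netcraft: it parses the Server header into product and version pairs and, optionally, fetches a live banner with a HEAD request. The "amazon-like" sample banner is constructed from the products the column reports for Amazon.com; the IIS banner is an assumed value added for contrast.

```python
import http.client
import re
from typing import List, Optional, Tuple

# Grammar of the HTTP Server header (RFC 7231, section 7.4.2): a sequence of
# product tokens, each "name" or "name/version", interleaved with
# parenthesised comments such as "(Unix)". Comments are matched explicitly so
# they can be skipped rather than mistaken for products.
_TOKEN = re.compile(r"([^\s/()]+)(?:/([^\s()]+))?|\(([^)]*)\)")


def parse_server_header(value: str) -> List[Tuple[str, str]]:
    """Split a Server header value into (product, version) pairs.

    Comments in parentheses are dropped, and a product advertised without a
    version gets an empty version string.
    """
    products = []
    for name, version, _comment in _TOKEN.findall(value or ""):
        if name:  # an empty name means this match was a parenthesised comment
            products.append((name, version))
    return products


def is_running(server_header: str, product: str) -> bool:
    """True if the banner names the given product (case-insensitive)."""
    return any(name.lower() == product.lower()
               for name, _version in parse_server_header(server_header))


def fetch_server_header(host: str, use_tls: bool = True,
                        timeout: float = 5.0) -> Optional[str]:
    """Ask a live host for its banner with a HEAD request.

    Needs network access, so the offline sample below does not call it. The
    banner is self-reported: operators can blank or rewrite it, and it never
    says whether the patches the column is talking about have been applied.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host, "User-Agent": "banner-check"})
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample banners: the first mirrors the products the column reports
# for Amazon.com; the second is an assumed IIS banner used only for contrast.
SAMPLE_BANNERS = {
    "amazon-like": "Stronghold/2.4.2 Apache/1.3.5 (Unix)",
    "iis-like": "Microsoft-IIS/4.0",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        pairs = parse_server_header(banner)
        verdict = "IIS" if is_running(banner, "Microsoft-IIS") else "not IIS"
        print(f"{label}: {pairs} -> {verdict}")
```

Treat the result as a weak signal. A site that reports Apache can be just as unpatched as one that reports IIS, and a site that hides its banner may be the most careful of all; the banner tells you what is installed, not how it is maintained.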

With the recent spate of online security incidents, you can rest assured: Brick and mortar stores aren't going anywhere anytime soon.
