Security Information Week 3, 2000
The Internet is a cornucopia of information of every kind. One may find web pages dedicated to any thinkable or unthinkable subject. One reason is that it is so easy to publish information on the Internet. Anyone can write something about her favorite subject in a few minutes, and this is accessible from hundreds of millions of computers instantaneously. In most cases this is seen as one of the advantages of this technology.
On the other hand, there are disadvantages as well. It is as easy to publish information which may be illegal or offensive to most people as any other information. For example, the Internet has in some circles a reputation as a place for pornographic material (only). However, pornography on the Internet is not the topic of this week's Security Information. We are going to look into the need for quality control of the information on the Internet, based on a real-life case study.
Security hole in popular program - true or false?
Norman is headquartered in Norway, which is where this case study takes place.
On Friday 21 January, one of Norway's most-read Internet news sites reported a security issue in a popular program for distributing and acquiring MP3 music files. The source of this security issue was said to be a report from Reuters published on Yahoo! News.
Norway's largest commercial TV station followed up this topic in several news reports during the weekend, including an interview with a security expert who warned about the dangers involved in using this program:
"I would guess that there are at least twenty-five to thirty thousand people who not only know how to do this, but also have the program needed." (WebMaster's translation)
Interestingly, no other security site, security mailing list or common hacker site had mentioned this at all.
The security issue was discussed heavily on a Norwegian security news group, on which several postings discussed the fact that the information about the security issue was not available anywhere else.
At 1331 hrs. CET, a message from the security expert was posted on this news group saying that the source of this security issue was a hoax and that there was no security problem in the program.
Lessons to learn
There are several lessons to be learned from this:
- The most important is probably that even though information is available on the Internet, this does not mean that this information is necessarily true. One should always check the information from different sources before believing and/or forwarding the information.
- If possible, one should quality control the information by testing. In many cases information about exploits in programs and operating systems is extensive enough that it is possible to test the exploit.
- Check if the information is from a reliable source. Even though it is easy to adopt a reliable web resource's design for one's personal pages by copying images and looks, it is more difficult to change the URL to the reliable source's URL. (Such URL spoofing was not done in the above-mentioned Norwegian case.)
Per Olav Førland
