IT Baseline Protection Manual T 3.38 Errors in configuration and operation

T 3.38 Errors in configuration and operation

Configuration errors arise when the parameters and options with which a program is started are set incorrectly or incompletely. This includes access rights which are laid down incorrectly. Operational errors go beyond incorrect individual settings: the IT systems or applications themselves are handled incorrectly. An example of this is starting programs which are not necessary for the purpose of the computer but could be misused by a perpetrator.

Examples of current configuration or operation errors are saving passwords on a PC on which software from the Internet is run without being checked (such software was used in the spring of 1998, for example, to spy out T-Online passwords), or loading and running defective ActiveX Controls. These programs, one of whose tasks is to make WWW sites more attractive through dynamic contents, are run with the same rights that the user has - they can therefore delete, alter or send data at will.

Many programs which were intended to relay data in an open environment without restrictions can, if configured incorrectly, provide potential perpetrators with data that they can misuse. For example, the finger service can inform them how long a user has already been sitting at a computer. This also includes WWW browsers which transmit a range of information to the WWW server whenever a query is made (e.g. the version of the browser and the operating system in use, the name and the Internet address of the PC). In this context, cookies should also be mentioned. These are files in which the operators of WWW servers store data concerning the WWW user on the user's computer. This data can be called up when the server is next visited and be used by the operator of the server to analyse which of the server's WWW sites the user has already visited.
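The operational error described above, running services such as finger that the purpose of the computer does not require, can be checked for by comparing the enabled entries of an inetd-style configuration against a list of required services. The following is an added example and not part of the manual; the sample configuration, the required-service list and the function names are constructed for illustration.

```python
"""Audit an inetd.conf-style file for services the host's purpose does not need."""

# Constructed sample in the classic inetd.conf layout:
# service  socket-type  protocol  wait-flag  user  server-path  [arguments]
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#telnet stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
daytime stream  tcp  nowait  root    internal
broken line
"""

# Assumption: this host is a dedicated FTP server, so only ftp is required.
REQUIRED_SERVICES = {"ftp"}


def parse_enabled(conf_text):
    """Return (entries, malformed) for all lines that are not commented out."""
    entries, malformed = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled entry
        fields = line.split()
        if len(fields) < 6:
            # Do not guess at incomplete entries: report them for manual review.
            malformed.append((lineno, raw))
            continue
        entries.append({"line": lineno, "service": fields[0], "user": fields[4]})
    return entries, malformed


def audit(conf_text, required):
    """Return (unneeded, malformed); unneeded holds (line, service, runs_as_root)."""
    entries, malformed = parse_enabled(conf_text)
    unneeded = []
    for entry in entries:
        if entry["service"] not in required:
            # The user field may carry a group suffix (user.group or user:group).
            user = entry["user"].split(".")[0].split(":")[0]
            unneeded.append((entry["line"], entry["service"], user == "root"))
    return unneeded, malformed


if __name__ == "__main__":
    unneeded, malformed = audit(SAMPLE_INETD_CONF, REQUIRED_SERVICES)
    for line, service, as_root in unneeded:
        print(f"line {line}: '{service}' is enabled but not required"
              + (" (runs as root)" if as_root else ""))
    for line, raw in malformed:
        print(f"line {line}: cannot parse, review manually: {raw!r}")
```

Entries reported as unneeded are candidates for being commented out; malformed lines are listed separately because an incomplete entry is itself a configuration error.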

The use of a Domain Name System (DNS), which is responsible for translating an Internet name such as rechner1.universitaet.de into the corresponding numeric address, is a further source of danger. On the one hand, an incorrectly configured DNS allows a large quantity of information regarding a local network to be queried. On the other hand, perpetrators who take over the server can send forged IP numbers, enabling them to control all data traffic.

A great threat is also posed by executable contents in e-mails or web pages. This is known as the content security problem. Files that are downloaded from the Internet can contain code which is executed without consulting the user when the file is merely being "viewed". This is the case, for example, for macros in Winword files and was exploited to produce what are known as macro viruses. Even new programming languages and programming interfaces such as ActiveX, Javascript or Java, which were developed for applications in the Internet, have the potential to cause damage if the control function is used incorrectly.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
July 1999