Security flaws lead to Internet chaos

In the computing world, 2001 began in a rather chaotic manner -- with the four-day outage of key Microsoft servers last week, which shut down important Microsoft sites, including Hotmail. It didn't help matters that after that problem was fixed, another occurred, shutting down some of the sites again on January 25.

The two separate problems outline a major fault in many companies -- a lack of attention to system security -- that according to the experts will lead to even more chaos on the Internet this year.

The first four-day outage was blamed on a glitch caused by the company's system administrators, which led to the creation of an Internet black hole.

The technical glitch cut off the company's domain name servers (DNS), which match up the domain name, such as www.hotmail.com, with the true numerical address of the site, called the Internet protocol (IP) address.

Computers on the Internet couldn't match up a Microsoft domain name with the corresponding IP address, held by the out-of-commission servers, and so couldn't locate the site.

The outage led security experts to state that the computing giant committed a cardinal error in network administration.

Many believe that Microsoft may have placed key domain name servers on a single network, thus making it vulnerable.

Other major networks, including America Online, Yahoo and Disney, have backup servers on different networks, minimising a complete shutdown from an error or a hack attack. More than 38 percent of .com domain names use DNS servers that rely on a single network bottleneck, thus making them vulnerable to the same sorts of problems that hit Microsoft.
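The single-network weakness described above can be checked for any zone by grouping its nameserver addresses by network. The sketch below is an added example, not part of the original column; the zone names and addresses are constructed, and treating a shared /24 prefix as "one network" is an assumption (a production audit would use routing data instead).

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: zone -> {nameserver host: IPv4 address}.
# Addresses come from the reserved documentation ranges.
ZONES = {
    "single-net.example": {
        "ns1.single-net.example": "192.0.2.10",
        "ns2.single-net.example": "192.0.2.11",
        "ns3.single-net.example": "192.0.2.53",
    },
    "diverse.example": {
        "ns1.diverse.example": "192.0.2.10",
        "ns2.diverse.example": "198.51.100.7",
        "ns3.diverse.example": "203.0.113.20",
    },
}


def group_by_network(nameservers, prefix_len=24):
    """Group nameserver hosts by the network prefix their address falls in."""
    groups = defaultdict(list)
    for host, addr in nameservers.items():
        # strict=False lets us pass a host address and get its enclosing network.
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[str(net)].append(host)
    return dict(groups)


def audit_zone(nameservers, prefix_len=24):
    """Flag zones whose DNS depends on a single server or a single network."""
    groups = group_by_network(nameservers, prefix_len)
    findings = []
    if len(nameservers) < 2:
        findings.append("fewer than two nameservers")
    if len(groups) < 2:
        findings.append("all nameservers share one network")
    return {"networks": groups, "findings": findings, "ok": not findings}


def share_single_network(zones, prefix_len=24):
    """Fraction of zones that fail the audit (the kind of figure the column cites)."""
    failing = [z for z, ns in zones.items() if not audit_zone(ns, prefix_len)["ok"]]
    return len(failing) / len(zones)


if __name__ == "__main__":
    for zone, ns in ZONES.items():
        result = audit_zone(ns)
        print(zone, "OK" if result["ok"] else result["findings"])
    print("share failing:", share_single_network(ZONES))
```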

The second problem came after the first was solved.

Network attackers, wishing to make their name, overwhelmed Microsoft's connection to the Internet on January 25, causing traffic to the company's major Web sites to slow to a crawl.

A denial-of-service attack overloads a site's servers with a flood of data, effectively blocking surfers from accessing the site.

In Microsoft's case, the attack was aimed at hardware switches on the company's network that route data to the Web sites.

At the height of the attack, for two hours, as little as two percent of the requests for Microsoft Web pages were being completed. Many thought that the previous problem, the outages, might have given the hackers the clue that Microsoft was vulnerable because it didn't have backup routers.

Then this week PGP Security and Computer Emergency Response Team Coordination Center at Carnegie Mellon University announced they had discovered four flaws in DNS software used by most companies to identify servers holding web pages on the Internet.

The flaws could lead to DNS attacks such as the one that affected Microsoft.

The security experts encouraged companies to get updated software, which has the appropriate patches to plug the vulnerabilities (see http://www.cert.org/advisories). Here again is the major problem.

The patches and updates may be available, but very often companies and their system administrators fail to apply the patches.

Failing to responsibly patch computers led to 99 percent of the 5,823 Web site defacements (in which hackers put their own Web pages up in place of the real one) in 2000, up 56 percent from the 3,746 Web sites defaced in 1999, according to security group Attrition.org.

Fortune 1,000 companies lost more than $45 billion from the theft of proprietary information in 1999, according to a study released by the American Society for Industrial Security and consulting firm PricewaterhouseCoopers.

The majority of the hacking incidents hit tech companies, with nearly 67 individual attacks and the average theft ringing up about $15 million in losses.

The lack of training was blamed in many preventable cases.

Companies simply aren't aware that they should be patching anything.

Security experts say the need for simple maintenance rather than new technology would address most security issues.

System administrators report that they have not corrected most known flaws because they simply do not know which of over 500 potential problems are the ones that are most dangerous, and they are too busy to correct them all, according to the SANS Institute.

"The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws," SANS states on its site.

The organisation has identified the ten most critical Internet security threats at http://www.sans.org/topten.htm.

Meanwhile, an ongoing survey by PGP Security found that 64 percent of those participating did a network security audit less than once a month, 91 percent didn't enforce periodic password changes, and 97 percent didn't regularly update their security policies as new threats became known.

Yet 62 percent reported that their Web site content had been altered at least once by an unauthorised intruder.

Those figures are an indication that more chaos is about to happen, and will do more to hold back the Internet as a place of community and business, than any fears about credit card security.

Tech Tattle deals with topics relating to technology. Contact Ahmed at editor yoffshoreon.com or (33) 467901474.