Hacker group causes Lotus security pain

A leading hacker group has turned its fire on Lotus, sparking a review of the security procedures for accessing essential databases in the company's groupware product Domino.

The US group L0pht, which has previously exposed failings in other vendors' products, last week highlighted a default security setting which could make Domino Web servers vulnerable to hackers.

Lotus was forced to respond and issued a notice on its Website admitting to the problem. However, it said: 'This isn't a problem with Domino as much as a problem with Domino configurations on individual sites.' Lotus told users to change their default setting and released a step-by-step guide on how to do this.

Lotus User Group chairman Simon Moores warned that the loophole exposed by L0pht would allow hackers to access confidential data, or prevent legitimate users from accessing systems. He said human error was often to blame.

Moores explained that people would often forget to change access privileges after installing a new site, or after modifying an existing intranet site to make it open to the public.

Lotus was last week considering whether to set the default to no access, which would force users to alter the settings.

Independent security consultant John Silltow said: 'L0pht are not just regarded as good, but as sure. When L0pht speaks, people in the security and protection business tend to listen.'

L0pht says its mission is to research and document security flaws in the Internet infrastructure.