A venture capital company is in dispute with software supplier Lotus over allegations that some versions of Lotus Notes software contain a serious potential security weakness.

The venture capital company, which has asked not to be named, claimed that an apparent loophole in Lotus Notes R5 could allow unauthorised people to access its financial databases without a password.

The two companies were in dispute this week after Lotus dismissed the problem as a simple configuration error - a suggestion that the venture capital company denies.

The company contacted Lotus after its IT director Oliver Forder discovered that he could view replica copies of the company's Lotus Notes databases on employees' laptop computers without a password.

The apparent problem, which affects copies of Lotus Notes R5 running on a Windows 2000 server, could have potentially serious consequences, said Forder.

"Being a venture capital company, we have confidential information which, if it leaked out to the stock market or to competitors, would be very serious," he said.

Forder is concerned that the alleged loophole could allow unauthorised people to access replica copies of databases carried by staff on their mobile computers.

"More than half of my organisation work on laptops. If a laptop is lost, anyone could access the data," he said.

But Lotus this week dismissed the alleged problem as a configuration error by the company.

In an e-mail to Computer Weekly, Lotus support engineer Osama Abusham said, "There really is no security breach of any kind." He added that it was possible to secure replica databases by selecting the appropriate option within the software.

But Forder said Lotus had misunderstood the problem. He quoted a warning message found among the encryption options in Lotus Notes which, he said, supports his case: "This database can be opened locally without a user ID if someone gains physical access to this computer. For example, if this database is on a laptop which is lost, anyone who finds the computer can open the database without the password to your user ID."

Forder attempted to report the problem to the Lotus helpline last week but said Lotus refused him permission to speak to an analyst because he had not taken out a service contract.

A Lotus spokesman said that all security breaches should be referred to an analyst automatically.

For security reasons Computer Weekly has withheld details of the technique used to view the files.
Bill Goodwin
bill.goodwin@rbi.co.uk