Information Security News mailing list archives
Online Trader Vaults Left Ajar
From: William Knowles <wk () C4I ORG>
Date: Fri, 27 Oct 2000 19:06:22 -0500
http://www.zdnet.com/intweek/stories/columns/0,4164,2645332,00.html

By Lewis Z. Koch
Special To Interactive Week
October 26, 2000 2:37 PM PT

It seems these days that the e-business "bankers" are leaving a cybersign on their Web vault doors saying, "Steal from us." Thieves are thieves, sure, but when do we start holding e-bankers responsible?

Kevin Kadow, a mild-mannered young man in his 20s, takes his computer security responsibilities seriously. Kadow had been doing network security for an online trading firm that was paying thousands of dollars for the use of several Standard & Poor's ComStock machines providing real-time news and stock data. The trading firm, reasonably, wanted to know if the machines were secure.

Kadow reported that the ComStock customer networks had so many security holes that it was possible, even easy, to do any of the following:

* Alter real-time Nasdaq and Amex prices and Level-II market data
* Alter published interest rates
* Alter equity fund data
* Alter earnings and balance sheet information
* Publish phony news stories
* Change published dividend rates

And that was just for starters. The security holes Kadow identified also made it possible for bad guys to break into other S&P customers' networks.

Kadow sums it up this way: "First, you could destroy anyone who relies on S&P data by destroying the trust customers had in them, and second, you could manipulate the market itself by feeding different data to different companies. People would buy and sell based on the information they were seeing, and you'd end up with a huge tilt in the market."

Does that sound wildly speculative or far-fetched? Consider the unrelated but instructive case of Emulex. On Sept. 1, a bogus press release reporting that the company's chief executive had resigned and that its earnings would be restated was released to Internet Wire, then picked up - unverified and unchecked - by Bloomberg News and other news outlets. The result? Emulex suffered a $2 billion downturn in 15 minutes, thanks to a 23-year-old student determined to recoup his losses on the stock.

Back in January, nine months before Emulex, Kadow sent a series of e-mails and faxes to The McGraw-Hill Companies and to one of its units, S&P, warning of the security flaws he had discovered. Kadow was careful to include his name, e-mail and phone number. After a month of silence, Kadow sent a notice to BugTraq, a Web site and mailing list that describes itself as "a full-disclosure moderated mailing list for the 'detailed' discussion and announcement of computer security vulnerabilities." Kevin was reluctant to engage in full disclosure because he felt what he had discovered could have a catastrophic effect on the financial community. He deliberately left out critical details, including the root password.

No response from S&P or ComStock.

Kadow felt the February post might have gone astray, so he posted to BugTraq again on March 24. "I was really surprised," Kadow said, "that nobody at S&P reads BugTraq; nobody at McGraw-Hill reads BugTraq."

Finally, on May 17, months after Kadow's initial letter to S&P, California software consultant Stephen J. Friedl, after testing a client's ComStock machine, posted an angry note on BugTraq that disclosed the means of breaking into S&P's ComStock MultiCSP computer systems in 12 seconds, based on Kadow's research. The root password of the ComStock machine, unbelievably enough, was "c0mst0ck."

The "killer" vulnerability, however, was not the ability to modify S&P's data, but the fact that MultiCSP machines could "talk to one another." Anyone with access to one subscriber's machine could hack into the system of another and get deep inside the ComStock customer network directly connected to its most sensitive and proprietary network servers.

In his BugTraq post, Friedl noted that he had talked to Kadow. "[Kadow] told me he didn't want to give away everything (to allow people time to clean things up), but I intend to do so here. These machines are an unmitigated 'disaster' for security."

Kadow had tried every way he knew to alert S&P/McGraw-Hill/ComStock without alerting the world, but without success. Kadow's May 25 post in BugTraq noted that ComStock had implemented "various revisions" of the machines after his previous March post. However, they shared a common password: "abcd1234." Some revision - even if they'd fixed some of the security flaws, they'd chosen a password any sensible computer security person would know to avoid like the plague!

David Bruckman, vice president of technology at ComStock, said he wasn't aware that acknowledgment of Kadow's calls, letters or posts "was needed." He called the assertions of insecurity "greatly exaggerated" and seemed somewhat put out by what he suspected might be "unauthorized" research into ComStock machines, including the work done by Friedl. When pressed, Bruckman said he thought Kadow might have received a "thank-you letter," but when asked to produce a copy of it, he noted the thank-you might also have taken the form of a phone call.

And there, for now, you have it: a microcosm of the state of Internet security in a - cracked - nutshell.