Information Security News mailing list archives

Flaws in S&P service could put companies' data at risk


From: InfoSec News <isn () C4I ORG>
Date: Thu, 25 May 2000 14:00:39 -0500

http://news.cnet.com/news/0-1005-200-1933917.html?tag=st.cn.1.lthdne

By Paul Festa
Staff Writer, CNET News.com
May 24, 2000, 4:00 a.m. PT

Standard & Poor's is moving to shore up its service for providing
stock quotes and news amid accusations by security analysts that the
product is a wide-open door for network attacks.

S&P's ComStock is a subscription service that aggregates financial
information from more than 140 sources and distributes it by various
networks to terminals within client businesses. ComStock operates as a
separate unit of Standard & Poor's Financial Information Services;
S&P, in turn, is a division of McGraw-Hill.

S&P has assured its customers that it is going to beef up security
with ComStock and its client-side processor, called the MultiCSP. The
company says the security flaws should be inconsequential, as the
machines run on virtual private networks (VPNs) that should not permit
access between machines or from the Internet at large.

But two security consultants report that they've been able to do just
that: navigate between ComStock units in disparate organizations,
exploiting what they describe as flimsy security policies to
potentially gain virtually free rein over private computer networks.

Such access could prove disastrous for companies using S&P's system,
security analysts warn.

"If someone breaks into one of these boxes, they could do something as
simple as erase it," said Ryan Russell, manager of information systems
at Security Focus, which moderates the Bugtraq security mailing list
where two descriptions of S&P's security problems appeared. "A
malicious attacker could modify what stock quotes you're seeing, or
use this to attack the rest of your network. They could put a sniffer
on the network and monitor it for passwords."

S&P acknowledged several individual security lapses and said it would
move to fix them. But on the more salient issue of whether the VPN in
question--in this case one provided by Concentric--was permitting
access between machines and from the Internet at large, an executive
said the company was still investigating.

"If customers can reach from one endpoint to another, it's a concern,"
said David Brukman, vice president of technology for S&P's ComStock.
"That would be a Concentric concern....It's possible they have made a
mistake and let one customer see another."

Concentric could not immediately be reached for comment.

Not all of S&P's customers use the Concentric VPN for their ComStock
connectivity. Some use a satellite hookup, for instance; those
customers do not appear to be vulnerable to the security problem.

S&P's ComStock subscribers include "major online and corporate
communities," according to Brukman. He declined to name them.

One security analyst who reported the problem to Bugtraq lambasted S&P
for not securing its software sooner, noting that the initial Bugtraq
report ran in March. That report states that S&P was notified of the
findings in January.

"It was shocking what I was able to do," said Stephen Friedl, a
software consultant in Tustin, Calif. "I was able to wander all over
the network, pop my head up in people's networks all over the world. I
was stunned. I made a list of two dozen machines I could see."

Beyond the security of the VPN, Friedl cited numerous security issues
with the computer terminal configured and provided by ComStock,
including the use of a badly outdated version of the Linux operating
system. ComStock uses Red Hat 5.1. In the two years since that version
came out, numerous security patches have come down the pike.

"There have been critical security patches that have been applied
since Red Hat 5.1," said Erik Troan, director of operating system
engineering for Red Hat. "If they haven't been keeping track, any
machine that has been running on the Internet for two years without an
update is going to be a big problem."

Red Hat 6.2 came out last month.

Other problems included easily guessed passwords, accounts not
protected by passwords, and the existence of idle applications with
their own share of security vulnerabilities.

In an email dated May 19 and forwarded to News.com, S&P sought to
reassure its subscribers that the ComStock security situation was
under control. The company also spelled out the security precautions
it would undertake.

"Knowing that the CSP would be located on a private 'trusted network,'
there was no immediate need to create a Linux machine with top
security measures instituted," read the email from Jack Gioffre,
product development manager for ComStock.

But citing the broader issue of Internet attacks and "the security
concerns of the ComStock client base," Gioffre pledged security
measures in which future products would remove unnecessary login
accounts, protect with passwords all accounts, remove unnecessary
applications, upgrade the operating system, change default passwords
for each unit, provide secure Telnet and FTP access to the units, and
offer firewalls.
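As an added example (not code from the article, from S&P or from anyone quoted in it), the first two items in that list are the easiest to audit on a running unit. The script below checks a shadow(5)-format file for accounts that log in with no password at all and, going one step beyond the list, for accounts whose hash is the legacy 13-character DES crypt(3) form, which is cheap to crack offline if the file leaks. The sample file, its account names and its hash strings are constructed for the example and come from no real system.

```shell
#!/bin/sh
# Added example, not code from the article, from S&P or from anyone quoted in it.
# Audits a shadow(5)-format file for accounts usable with no password at all, and
# for accounts whose hash is the legacy 13-character DES crypt(3) form, which is
# cheap to crack offline if the file ever leaks.
# Usage: sh audit_shadow.sh [/etc/shadow]   (reading the real file needs root)

# Names of accounts whose password field is empty: login succeeds with no password.
# "!" or "*" in that field means the account is locked, which is a different case.
find_passwordless() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Names of accounts whose hash is not locked and carries no "$id$" prefix, i.e. the
# old DES crypt(3) form rather than MD5- or SHA-based crypt.
find_weak_hash() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && $2 !~ /^[$]/ { print $1 }' "$1"
}

# Constructed sample in shadow(5) layout. The account names and hash strings are
# made up for this example and are not from any real system.
SAMPLE="${TMPDIR:-/tmp}/shadow.sample.$$"
printf '%s\n' \
  'root:$1$saltsalt$nottherealhashxxxxxxxxx:11100:0:99999:7:::' \
  'comstock::11100:0:99999:7:::' \
  'ftp:*:11100:0:99999:7:::' \
  'guest::11100:0:99999:7:::' \
  'oldop:AbCdEfGhIjKlM:11100:0:99999:7:::' \
  > "$SAMPLE"

FILE="${1:-$SAMPLE}"
echo "accounts with no password:"
find_passwordless "$FILE"
echo "accounts with legacy DES hashes:"
find_weak_hash "$FILE"
```

Against the sample, `find_passwordless` reports `comstock` and `guest`, and `find_weak_hash` reports `oldop`. A locked account (`ftp`, with `*`) is reported by neither, since locking is the correct state for a service account that should never log in.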

In the meantime, S&P's critics are offering their own recommendations.

"If you have the misfortune of having a MultiCSP on your network, you
have my sympathy," security consultancy MSG.Net's Kevin Kadow wrote in
his Bugtraq alert. "If you can't live without their stock information,
it is possible to use the root holes to lock down the box as best you
can, then put it behind a firewall with just the CSP TCP port open
_inbound_ to the MCSP system from your hosts, or at least a router
with equivalent traffic filters.

"Then pray for the best," Kadow added.
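The filter Kadow describes, written out as an added example: a default-deny iptables policy for a Linux host in the MultiCSP's position, with only the quote-feed TCP port reachable and only from the hosts that consume it. This is not Kadow's, S&P's or the article's code, and iptables postdates the Red Hat 5.1 units discussed here. The article never names the CSP TCP port, so CSP_PORT is an assumed placeholder, and the client addresses are RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not code from the article, from Kevin Kadow or from S&P.
# Builds a default-deny inbound policy for a Linux host standing in for the
# MultiCSP: only the quote-feed TCP port is reachable, and only from the listed
# client hosts. CSP_PORT is an assumed placeholder (the article does not name the
# port); the client addresses are RFC 5737 documentation addresses.
# Usage: sh mcsp_fw.sh            # print the rules
#        sh mcsp_fw.sh --apply    # load them (needs root and iptables)

# gen_rules PORT "HOST1 HOST2 ..." -> one iptables command per line
gen_rules() {
    port="$1"; hosts="$2"
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"                 # anything not allowed below is dropped
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the box opens itself (the feed it pulls from S&P).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The one inbound service: the CSP port, from each named client host only.
    for h in $hosts; do
        echo "iptables -A INPUT -p tcp -s $h --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # telnet, ftp, r-services and other customers on the shared VPN land here.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"MCSP-DROP: \""
    echo "iptables -A INPUT -j DROP"
}

# Number of per-host allow rules in a generated policy (sanity check before applying).
count_allow_rules() {
    printf '%s\n' "$1" | grep -c -- '--dport'
}

CSP_PORT="${CSP_PORT:-4000}"                           # assumed placeholder, not from the article
CLIENT_HOSTS="${CLIENT_HOSTS:-192.0.2.10 192.0.2.11}"  # the hosts that consume the feed

RULES="$(gen_rules "$CSP_PORT" "$CLIENT_HOSTS")"
if [ "$1" = "--apply" ]; then
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

Two caveats a practitioner would add. First, rules that live on the MultiCSP itself are only as trustworthy as the box: once it is rooted, an attacker can flush them, which is why Kadow's alternative of a separate firewall or a router ACL in front of the unit is the stronger option, and these same rules belong in that device's forwarding policy rather than the box's INPUT chain. Second, the ESTABLISHED,RELATED rule lets the unit receive the feed it opens outbound to S&P, but it also means the box is free to open any outbound connection; if the other customers on the shared VPN are reachable from it, as Friedl reports, an OUTPUT policy restricting it to the feed source is worth the extra lines.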

ISN is sponsored by SecurityFocus.com