Information Security News mailing list archives

Online Trader Vaults Left Ajar


From: William Knowles <wk () C4I ORG>
Date: Fri, 27 Oct 2000 19:06:22 -0500

http://www.zdnet.com/intweek/stories/columns/0,4164,2645332,00.html

By Lewis Z. Koch Special To Interactive Week
October 26, 2000 2:37 PM PT

It seems these days that the e-business "bankers" are leaving a
cybersign on their Web vault doors saying, "Steal from us." Thieves
are thieves, sure, but when do we start holding e-bankers responsible?

Kevin Kadow, a mild-mannered young man in his 20s, takes his computer
security responsibilities seriously. Kadow had been doing network
security for an online trading firm that was paying thousands of
dollars for the use of several Standard & Poor's ComStock machines
providing real-time news and stock data. The trading firm, reasonably,
wanted to know if the machines were secure.

Kadow reported that the ComStock customer networks had so many
security holes that it was possible, even easy, to do any of the
following:

* Alter real-time Nasdaq and Amex prices and Level-II market data

* Alter published interest rates

* Alter equity fund data

* Alter earnings and balance sheet information

* Publish phony news stories

* Change published dividend rates

And that was just for starters. The security holes Kadow identified
also made it possible for bad guys to break into other S&P customers'
networks.

Kadow sums it up this way: "First, you could destroy anyone who relies
on S&P data by destroying the trust customers had in them, and second,
you could manipulate the market itself by feeding different data to
different companies. People would buy and sell based on the
information they were seeing, and you'd end up with a huge tilt in the
market."

Does that sound wildly speculative or far-fetched? Consider the
unrelated but instructive case of Emulex. On Sept. 1, a bogus press
release reporting that the company's chief executive had resigned and
that its earnings would be restated was released to Internet Wire,
then picked up - unverified and unchecked - by Bloomberg News and
other news outlets. The result? Emulex suffered a $2 billion downturn
in 15 minutes, thanks to a 23-year-old student determined to recoup
his losses on the stock.

Back in January, nine months before Emulex, Kadow sent a series of
e-mails and faxes to The McGraw-Hill Companies and to one of its
units, S&P, warning of the security flaws he had discovered. Kadow was
careful to include his name, e-mail and phone number.

After a month of silence, Kadow sent a notice to BugTraq, a Web site
and mailing list that describes itself as "a full-disclosure moderated
mailing list for the 'detailed' discussion and announcement of
computer security vulnerabilities."

Kevin was reluctant to engage in full disclosure because he felt what
he had discovered could have a catastrophic effect on the financial
community. He deliberately left out critical details, including the
root password. No response from S&P or ComStock. Kadow felt the
February post might have gone astray, so he posted to BugTraq again on
March 24.

"I was really surprised," Kadow said, "that nobody at S&P reads
BugTraq; nobody at McGraw-Hill reads BugTraq."

Finally, on May 17, months after Kadow's initial letter to S&P,
California software consultant Stephen J. Friedl, after testing a
client's ComStock machine, posted an angry note on BugTraq that
disclosed the means of breaking into S&P's ComStock MultiCSP computer
systems in 12 seconds, based on Kadow's research. The root password of
the ComStock machine, unbelievably enough, was "c0mst0ck."

The "killer" vulnerability, however, was not the ability to modify
S&P's data, but the fact that MultiCSP machines could "talk to one
another." Anyone with access to one subscriber's machine could hack
into the system of another and get deep inside the ComStock customer
network directly connected to its most sensitive and proprietary
network servers.

In his BugTraq post, Friedl noted that he had talked to Kadow.
"[Kadow] told me he didn't want to give away everything (to allow
people time to clean things up), but I intend to do so here. These
machines are an unmitigated 'disaster' for security."

Kadow had tried every way he knew to alert S&P/McGraw-Hill/ComStock
without alerting the world, but without success. Kadow's May 25 post
in BugTraq noted that ComStock had implemented "various revisions" of
the machines after his previous March post. However, they shared a
common password: "abcd1234." Some revision - even if they'd fixed some
of the security flaws, they'd chosen a password any sensible computer
security person would know to avoid like the plague!
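Both passwords the article names fail for reasons a deployment-time credential audit can catch mechanically: one is a leetspeak variant of the product name, the other a keyboard sequence reused on every subscriber's machine. The check below is an added illustration, not code from the article or from ComStock; the forbidden-word list and the host inventory are constructed for the example.

```python
import re

# Undo the common digit-for-letter substitutions so "c0mst0ck" compares as "comstock".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed forbidden-word list: vendor and product names from the article.
FORBIDDEN = ["comstock", "multicsp", "standard", "poors"]


def normalize(pw: str) -> str:
    """Lower-case and strip leetspeak so name-based passwords are recognised."""
    return pw.lower().translate(LEET_MAP)


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending characters (abcd, 1234)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        w = s[i:i + run]
        if all(ord(w[j + 1]) - ord(w[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(pw: str, forbidden_words=FORBIDDEN, min_len: int = 12) -> list[str]:
    """Return the reasons a password should be rejected; an empty list means it passes."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    norm = normalize(pw)
    for word in forbidden_words:
        if word.lower() in norm:
            reasons.append(f"contains vendor/product name '{word}'")
    if has_sequence(pw):
        reasons.append("contains a sequential run")
    return reasons


def shared_credentials(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears on more than one host to the hosts sharing it."""
    by_pw: dict[str, list[str]] = {}
    for host, pw in inventory.items():
        by_pw.setdefault(pw, []).append(host)
    return {pw: hosts for pw, hosts in by_pw.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Constructed inventory of per-machine passwords, as a fleet audit would collect.
    fleet = {"subscriber-a": "abcd1234", "subscriber-b": "abcd1234",
             "subscriber-c": "Tq7!vRm2#Lp9wX"}
    for pw in ["c0mst0ck", "abcd1234", "Tq7!vRm2#Lp9wX"]:
        print(pw, check_password(pw) or "ok")
    print("shared across hosts:", shared_credentials(fleet))
```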

David Bruckman, vice president of technology at ComStock, said he
wasn't aware that acknowledgment of Kadow's calls, letters or posts
"was needed." He called the assertions of insecurity "greatly
exaggerated" and seemed somewhat put out by what he suspected might be
"unauthorized" research into ComStock machines, including the work
done by Friedl. When pressed, Bruckman said he thought Kadow might
have received a "thank-you letter," but when asked to produce a copy
of it, he noted the thank-you might also have taken the form of a
phone call.

And there, for now, you have it: a microcosm of the state of Internet
security in a - cracked - nutshell.


*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com