Information Security News mailing list archives

More Online Security Woes For FBI's Data Firm


From: InfoSec News <isn () c4i org>
Date: Tue, 29 Jan 2002 02:20:27 -0600 (CST)

http://www.newsbytes.com/news/02/174003.html

By Brian McWilliams, Newsbytes
ALPHARETTA, GEORGIA, U.S.A.,
28 Jan 2002, 2:29 PM CST
 
A week after plugging a severe security hole at its main Web site,
database firm ChoicePoint has been stung with the discovery of major
vulnerabilities at another of its Internet properties.

According to security experts, the latest flaw potentially enabled
remote attackers to take complete control of The LienGuard System, a
ChoicePoint service for banks and other customers in the financial
services industry.

ChoicePoint, which had year 2000 sales of $593.5 million, provides
information about individuals and companies to the FBI, Department of
Justice, insurance firms and other clients, according to its Web site.

A page at the vulnerable site, located at http://www.lienguard.com,
claimed the service allowed ChoicePoint customers to log in through a
"highly secure" system and to access a database of legal documents
maintained by ChoicePoint.

Before it was patched this afternoon by ChoicePoint, the site, which
runs Microsoft's Internet Information Server (IIS) software, was
vulnerable to several widely known security exploits, including one
that enables attackers to run operating system commands on the server.

A patch for the hole, referred to as the "Double Decode" flaw, was
released by Microsoft last May. The vulnerability was exploited by the
Nimda worm, which spread widely last September.
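A detection check for the Double Decode pattern, added here as an example and not part of the article. The flaw came from IIS decoding a request path once for its security checks and a second time before using it, so the script replays both decodes over constructed log lines and flags requests that look safe after one decode but escape the web root after two.

```python
from urllib.parse import unquote

# Constructed IIS W3C-style log lines: date time c-ip method uri-stem query status
SAMPLE_LOG = """\
2002-01-28 14:29:01 192.0.2.10 GET /default.asp - 200
2002-01-28 14:29:02 192.0.2.10 GET /scripts/..%255c..%255cwinnt/win.ini - 200
2002-01-28 14:29:03 192.0.2.11 GET /images/logo%2520small.gif - 200
2002-01-28 14:29:04 192.0.2.12 GET /scripts/..%5c..%5cwinnt/win.ini - 404
"""

def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the virtual root (IIS also accepts '\\')."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def classify(uri_stem: str) -> str:
    """Replay IIS's one-pass security check, then the second decode it did later."""
    once = unquote(uri_stem)
    twice = unquote(once)
    if escapes_webroot(once):
        return "traversal"      # plain traversal, caught by a one-decode check
    if escapes_webroot(twice):
        return "double-decode"  # looks safe after one decode, escapes after two
    return "clean"

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, uri stem, verdict) for every request that is not clean."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 5:
            continue
        verdict = classify(fields[4])
        if verdict != "clean":
            hits.append((fields[2], fields[4], verdict))
    return hits

if __name__ == "__main__":
    for ip, uri, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:13s} {ip:12s} {uri}")
```

The third sample line shows why double encoding alone is not the signal: `%2520` decodes to a harmless space, and only a path that escapes the root on the second pass is flagged.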

Another flaw at the LienGuard site, which also has been closed, was
originally reported to ChoicePoint today by Kitetoa, a group of
security enthusiasts in France. The hole potentially enabled visitors
to view the source code to the site's Active Server pages and could
have enabled attackers to obtain the user identification and password
used to access the server's back-end database.

ChoicePoint spokesperson James Lee said there was no indication that
anyone had exploited the security flaws at the site, which he said was
recently launched and was being used by only a small number of what he
termed "test" customers.

"For any company to be vulnerable to these kinds of problems,
especially after the wide coverage the recent IIS worms received, is
irresponsible," said David Litchfield, managing director of Next
Generation Security Software. Litchfield was part of the team credited
last March by Microsoft for discovering the Active Server
vulnerability in IIS.

The report of new Internet security flaws at ChoicePoint follows the
discovery last week by Kitetoa of a security vulnerability at the data
firm's main Web site, Choicepoint.net. That flaw in ChoicePoint's
configuration of the Lotus Domino Web server enabled unauthorized
intruders to view internal company documents such as marketing reports
and work-in-progress reports.

ChoicePoint said that data gathered on behalf of its clients - such as
background screens, pre-employment drug tests, military history checks
and insurance fraud investigations - were not exposed by the security
gaffe at the Choicepoint.net site.

Lee said today that ChoicePoint intends to hire an outside consultant
to review the security at all of its Internet properties.

According to a spokesperson for the Electronic Privacy Information
Center (EPIC), the recent security flaws at ChoicePoint illustrate the
security risks of having "profilers" like ChoicePoint maintain
sensitive data on behalf of the government.

"The risks to personal privacy include not only illegal or
inappropriate employee access to the information, but also outsiders
who wish to collect profiling information," said Chris Hoofnagle, EPIC
legislative counsel.

According to Lee, the data housed at the LienGuard site was public
information available from other sources.

Earlier this month, EPIC filed a lawsuit against the U.S. Justice and
Treasury Departments seeking more information about their contracts
with ChoicePoint and a competitor, Experian.

ChoicePoint is the latest high-profile database company to have its
security practices exposed by Kitetoa. Last year, DoubleClick, the
online ad giant, acknowledged Kitetoa's report that attackers had
placed a back-door program on the company's Web server and had viewed
files on another server hosting its Abacus Online database.

Litchfield said the vulnerabilities at LienGuard.com could have been
easily located through the use of the many free or commercial
vulnerability assessment scanners available.

"Having an effective security patching process in any organization is
a must," he said.

NGSSoftware is at http://www.nextgenss.com

ChoicePoint is at http://www.choicepoint.com

Kitetoa is at http://www.kitetoa.com

LienGuard is at http://www.lienguard.com

EPIC is at http://www.epic.org
