Bugtraq mailing list archives
Re: Standard & Poors security nightmare
From: friedl () MTNDEW COM (Stephen J. Friedl)
Date: Wed, 24 May 2000 10:22:11 -0700
At 12:44 PM 5/17/2000 -0700, I wrote:
Standard & Poor's ComStock division sells a MultiCSP system that provides realtime stock quotes and news, and this was the subject of a BugTraq posting in February 2000 by Kevin Kadow (this link a copy posted in March):
As many of you know, this has hit CNet: http://news.cnet.com/news/0-1005-200-1933917.html

The journalist really is not terribly savvy on technology, and early on I was really concerned that he wouldn't get the point (he was focussed on the bad/default-password issue). However, this guy dug in and did his research and totally got it right. Kudos to Paul Festa at cnet.com.

What I found in working on this issue is that S&P really believed that the Concentric network was a private one, and apparently S&P's CTO told the journalist flat out that one customer can't get to another customer via the VPN. This turns out not to be true, but if it really was a private network, then the security vulnerabilities of the Linux box would be nearly moot.

So the VPN is the issue, and it looks like S&P is trying to blame Concentric for this. Of course, it's always possible that Concentric has done it wrong, but if S&P didn't do regular audits *or* if they ignored repeated attempts to point this out, then the onus is squarely on them.

Numerous people have told me that they tried very hard to get this reported, and I even had A Very Close Friend leave a voicemail and email on the CTO's direct line two weeks ago that included all the details. When we got nothing in response, I posted to BugTraq. Now I see firsthand what "spin" is.

What I have repeatedly heard in private email is that S&P customer service is very friendly and want to help, but they just don't get it.

Anyway, a couple of hours before this all hit the fan, I was forwarded a letter received from S&P to their customers regarding steps on the security front. It follows this note.

A tip of the white hat to Kevin Kadow for his initial reporting of this on BugTraq that got this rolling, and his help after the fact.

Steve

The note from S&P follows.
----------------------------------------------------------------------------

From: jack_gioffre () standardandpoors com
To: {customer}
Subject: Standard & Poor's ComStock Security Letter

Dear {customer},

Standard and Poor's ComStock is committed to providing the highest quality product and services to its clients. With this in mind, ComStock has developed the multi-user CSP which provides clients easy access to the quote server and gives the ComStock technical support team the ability to maintain and manage the remote CSP product over the Concentric virtual private network (VPN). The initial ability to do this meant that ComStock was required to keep the system open. Knowing that the CSP would be located on a private "trusted network", there was no immediate need to create a Linux machine with top security measures instituted.
From the network perspective, Concentric and ComStock implemented the network by design with conscientious security strategies set forth. Although the Bay routers on the Concentric network are Internet accessible, to the best of our knowledge, the public Internet traffic cannot access the private network nor can the private network packets exit to the public Internet.

Facing the threat of repeated Internet attacks, causing denial of service to many well-known sites, and the security concerns of the ComStock client base using the multi-user CSP, ComStock will be implementing enhanced security measures on this product platform. This will be done over a period of time as new product releases are introduced. It is important to understand that 'security is a process' and is something that is not achieved as a final goal. We therefore view security as a way of setting up, maintaining, and running a system, a network, or an environment.

To better make the ComStock multi-user CSP more secure than it is today, we will be implementing a series of changes which include but are not limited to the following:

1) Remove unnecessary login accounts;
2) Password protect all accounts;
3) Remove any daemons not necessary for the operation of the CSP product;
4) Upgrade to the latest Operating System releases which offer enhanced security features;
5) Change default passwords for each unit shipped;
6) Offer secure telnet and FTP access to the product;
7) Install a firewall or other forms of IP filtering; and
8) Implement other measures as required.

These methods will be applied over a period of time until ComStock reaches the level of security necessary for the product and clients' needs. ComStock and Concentric will continue to evaluate and modify the multi-user CSP and network security aspects as required. This process can only be enhanced by each participant remaining security conscious and following any recommended guidelines to ensure a safe and secure product environment.

Sincerely,

Jack Gioffre
Product Development Manager
Standard & Poor's ComStock
600 Mamaroneck Avenue
Harrison, NY 10528

----------------------------------------------------------------------------

Stephen J. Friedl / Software Consultant / Tustin, CA / 714-544-6561
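The first three items of the S&P list (unnecessary accounts, unprotected accounts, unneeded daemons) are the kind of thing a customer can verify on their own box rather than wait for a product release. The audit below is an added example, not code from the original post or from ComStock/Concentric; it runs over constructed passwd, shadow and inetd.conf style samples written to a temp directory, so it touches no real system files.

```shell
# Added example: audit helpers for items 1-3 of the ComStock letter.
# Every input file is a constructed sample, not data from any real host.
AUDIT_DIR=$(mktemp -d)

# Constructed shadow: field 2 is the hash; an empty field means no password.
cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$1$constructedhash$:10000:0:99999:7:::
comstock::10000:0:99999:7:::
quote:$1$constructedhash$:10000:0:99999:7:::
guest::10000:0:99999:7:::
EOF

# Constructed passwd: a /bin/false or nologin shell cannot log in.
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
comstock:x:500:500:ComStock support:/home/comstock:/bin/sh
quote:x:501:501:quote daemon:/var/quote:/bin/false
guest:x:502:502:guest:/home/guest:/bin/sh
EOF

# Constructed inetd.conf: lines not commented out are enabled services.
cat > "$AUDIT_DIR/inetd.conf" <<'EOF'
#echo    stream tcp nowait root   internal
ftp      stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet   stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF

# Item 2: accounts whose shadow password field is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}
# Item 1: accounts with a real login shell; prune this list to what the
# product actually needs.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}
# Item 3: services inetd still has enabled (skip comments and blank lines).
enabled_inetd_services() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print $1 }' "$1"
}
# Worst case: login-capable AND passwordless, i.e. anyone on the "private"
# VPN can walk straight in. Takes the directory holding passwd and shadow.
passwordless_login_accounts() {
    login_capable_accounts "$1/passwd" | sort > "$1/.login"
    empty_password_accounts "$1/shadow" | sort > "$1/.nopass"
    comm -12 "$1/.login" "$1/.nopass"
}
```

On a real host the same functions would be pointed at /etc/passwd, /etc/shadow and /etc/inetd.conf; the telnet and ftp lines the sample reports are the services item 6 of the letter proposes replacing with secure variants.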