Bugtraq mailing list archives

Re: Standard & Poors security nightmare


From: friedl () MTNDEW COM (Stephen J. Friedl)
Date: Wed, 24 May 2000 10:22:11 -0700


At 12:44 PM 5/17/2000 -0700, I wrote:
Standard & Poor's ComStock division sells a MultiCSP system that provides
realtime stock quotes and news, and this was the subject of a BugTraq
posting in February 2000 by Kevin Kadow (this link a copy posted in March):

As many of you know, this has hit CNet

         http://news.cnet.com/news/0-1005-200-1933917.html

The journalist really is not terribly savvy on technology, and early on
I was really concerned that he wouldn't get the point (he was focussed on
the bad/default-password issue). However, this guy dug in and did his research
and totally got it right. Kudos to Paul Festa at cnet.com.

What I found in working on this issue is that S&P really believed that the
Concentric network was a private one, and apparently S&P's CTO told the
journalist flat out that one customer can't get to another customer via
the VPN. This turns out not to be true, but if it really was a private
network, then the security vulnerabilities of the Linux box would be
nearly moot.

So the VPN is the issue, and it looks like S&P is trying to blame Concentric
for this. Of course, it's always possible that Concentric has done it wrong,
but if S&P didn't do regular audits *or* if they ignored repeated attempts to
point this out, then the onus is squarely on them.

Numerous people have told me that they tried very hard to get this reported,
and I even had A Very Close Friend leave a voicemail and email on the CTO's
direct line two weeks ago that included all the details. When we got nothing
in response, I posted to BugTraq. Now I see firsthand what "spin" is.
What I have repeatedly heard in private email is that S&P customer service
is very friendly and want to help, but they just don't get it.

Anyway, a couple of hours before this all hit the fan, I was forwarded a
letter received from S&P to their customers regarding steps on the security
front. It follows this note.

A tip of the white hat to Kevin Kadow for his initial reporting of this
on BugTraq that got this rolling, and his help after the fact.

Steve

The note from S&P follows.

------------------------------------------------------------------------------------
  From: jack_gioffre () standardandpoors com
  To: {customer}
  Subject: Standard & Poor's ComStock Security Letter

Dear {customer},

Standard and Poor's ComStock is committed to providing the highest quality
product and services to its clients.  With this in mind, ComStock has developed
the multi-user CSP which provides clients easy access to the quote server and
gives the ComStock technical support team the ability to maintain and manage the
remote CSP product over the Concentric virtual private network (VPN).  The
initial ability to do this meant that ComStock was required to keep the system
open.  Knowing that the CSP would be located on a private "trusted network",
there was no immediate need to create a Linux machine with top security measures
instituted.

From the network perspective, Concentric and ComStock implemented the network by
design with conscientious security strategies set forth.  Although the Bay
routers on the Concentric network are Internet accessible, to the best of our
knowledge, the public Internet traffic cannot access the private network nor can
the private network packets exit to the public Internet.

Facing the threat of repeated Internet attacks, causing denial of service to
many well-known sites, and the security concerns of the ComStock client base
using the multi-user CSP, ComStock will be implementing enhanced security
measures on this product platform.  This will be done over a period of time as
new product releases are introduced.  It is important to understand that
'security is a process' and is something that is not achieved as a final goal.
We therefore view security as a way of setting up, maintaining, and running a
system, a network, or an environment.

To better make the ComStock multi-user CSP more secure than it is today, we will
be implementing a series of changes which include but are not limited to the
following: 1) Remove unnecessary login accounts; 2) Password protect all
accounts; 3) Remove any daemons not necessary for the operation of the CSP
product; 4) Upgrade to the latest Operating System releases which offer enhanced
security features; 5) Change default passwords for each unit shipped; 6) Offer
secure telnet and FTP access to the product; 7) Install a firewall or other
forms of IP filtering; and 8) Implement other measures as required.  These
methods will be applied over a period of time until ComStock reaches the level
of security necessary for the product and clients' needs.

ComStock and Concentric will continue to evaluate and modify the multi-user CSP
and network security aspects as required.  This process can only be enhanced by
each participant remaining security conscious and following any recommended
guidelines to ensure a safe and secure product environment.

Sincerely,
Jack Gioffre
Product Development Manager

Standard & Poor's ComStock
600 Mamaroneck Avenue
Harrison, NY 10528
------------------------------------------------------------------------------------

Stephen J. Friedl / Software Consultant / Tustin, CA / 714-544-6561
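An added example, not code from the original post or from S&P ComStock or Concentric: a small Python audit for the first two items on the letter's list (unnecessary login accounts, accounts without any password), run over constructed passwd/shadow text. The allow-list of expected users and the sample account names are assumptions.

```python
# Added example (not ComStock/Concentric code): audit a CSP-style Linux box for
# items 1 and 2 of the letter's list, using constructed passwd/shadow text.
from typing import Dict, List, Set

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """Map user -> fields for each well-formed line of a passwd/shadow-style file."""
    rows = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < nfields:
            continue  # blank or malformed line: skip rather than guess
        rows[fields[0]] = fields
    return rows

def unprotected_accounts(passwd: str, shadow: str) -> List[str]:
    """Accounts with an interactive shell whose shadow password field is empty.
    Locked entries ('*', '!', '!!') cannot authenticate and are not flagged."""
    shells = {u: f[6] for u, f in parse_colon_file(passwd, 7).items()}
    hashes = {u: f[1] for u, f in parse_colon_file(shadow, 2).items()}
    return sorted(u for u, h in hashes.items()
                  if h == "" and shells.get(u) not in NOLOGIN_SHELLS)

def unexpected_logins(passwd: str, allowed: Set[str]) -> List[str]:
    """Accounts that keep a login shell but are not on the expected-user list."""
    shells = {u: f[6] for u, f in parse_colon_file(passwd, 7).items()}
    return sorted(u for u, s in shells.items()
                  if s not in NOLOGIN_SHELLS and u not in allowed)

# Constructed sample files, not taken from any real unit.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
csp:x:500:500:ComStock CSP:/home/csp:/bin/bash
guest:x:501:501:Guest:/home/guest:/bin/bash
demo:x:502:502:Demo:/home/demo:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$salt$PLACEHOLDERHASH:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
csp:$1$salt$PLACEHOLDERHASH:11000:0:99999:7:::
guest::11000:0:99999:7:::
demo::11000:0:99999:7:::
"""
EXPECTED_USERS = {"root", "csp"}  # assumption: the only intended logins

def audit(passwd=SAMPLE_PASSWD, shadow=SAMPLE_SHADOW, allowed=EXPECTED_USERS):
    """Run both checks; each finding is a sorted list of user names."""
    return {"no_password": unprotected_accounts(passwd, shadow),
            "unexpected_login": unexpected_logins(passwd, allowed)}
```

On a real unit the two file arguments would be the contents of /etc/passwd and /etc/shadow; an empty result for both keys is the state the letter's items 1 and 2 aim for.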

