Flaws in S&P service could put companies' data at risk
Standard & Poor's is shoring up its service for stock quotes and news amid accusations by security analysts that the product is a wide-open door for network attacks.
S&P's ComStock is a subscription service that aggregates financial information from more than 140 sources and distributes it by various networks to terminals within client businesses. ComStock operates as a separate unit of Standard & Poor's Financial Information Services; S&P, in turn, is a division of McGraw-Hill.
S&P has assured its customers that it is going to beef up security with ComStock and its client-side processor, called the MultiCSP. The company says the security flaws should be inconsequential, as the machines run on virtual private networks (VPNs) that should not permit access between machines or from the Internet at large.
But two security consultants report that they've been able to do just that: navigate between ComStock units in disparate organizations, exploiting what they describe as flimsy security policies to potentially gain virtually free reign over private computer networks.
Such access could prove disastrous for companies using S&P's system, security analysts warn.
"If someone breaks into one of these boxes, they could do something as simple as erase it," said Ryan Russell, manager of information systems at Security Focus, which moderates the Bugtraq security mailing list where two descriptions of S&P's security problems appeared. "A malicious attacker could modify what stock quotes you're seeing, or use this to attack the rest of your network. They could put a sniffer on the network and monitor it for passwords."
S&P acknowledged several individual security lapses and said it would move to fix them. But on the more salient issue of whether the VPN in question--in this case one provided by Concentric--was permitting access between machines and from the Internet at large, an executive said the company was still investigating.
"If customers can reach from one endpoint to another, it's a concern," said David Brukman, vice president of technology for S&P's ComStock. "That would be a Concentric concern....It's possible they have made a mistake and let one customer see another."
Concentric could not immediately be reached for comment.
Not all of S&P's customers use the Concentric VPN for their ComStock connectivity. Some use a satellite hookup, for instance; those customers do not appear to be vulnerable to the security problem.
S&P's ComStock subscribers include "major online and corporate communities," according to Brukman. He declined to name them.
One security analyst who reported the problem to Bugtraq lambasted S&P for not securing its software sooner, noting that the initial Bugtraq report ran in March. That report claims to have notified S&P of its findings in January.
"It was shocking what I was able to do," said Stephen Friedl, a software consultant in Tustin, Calif. "I was able to wander all over the network, pop my head up in people's networks all over the world. I was stunned. I made a list of two dozen machines I could see."
Beyond the security of the VPN, Friedl cited numerous security issues with the computer terminal configured and provided by ComStock, including the use of a badly outdated version of the Linux operating system. ComStock uses Red Hat 5.1. In the two years since that version came out, numerous security patches have come down the pike.
"There have been critical security patches that have been applied since Red Hat 5.1," said Erik Troan, director of operating system engineering for Red Hat. "If they haven't been keeping track, any machine that has been running on the Internet for two years without an update is going to be a big problem."
Red Hat 6.2 came out last month.
Other problems included easily guessed passwords, accounts not protected by passwords, and the existence of idle applications with their own share of security vulnerabilities.
In an email dated May 19 and forwarded to News.com, S&P sought to reassure its subscribers that the ComStock security situation was under control. The company also spelled out the security precautions it would undertake.
"Knowing that the CSP would be located on a private 'trusted network,' there was no immediate need to create a Linux machine with top security measures instituted," read the email from Jack Gioffre, product development manager for ComStock.
But citing the broader issue of Internet attacks and "the security concerns of the ComStock client base," Gioffre pledged security measures in which future products would remove unnecessary login accounts, protect with passwords all accounts, remove unnecessary applications, upgrade the operating system, change default passwords for each unit, provide secure Telnet and FTP access to the units, and offer firewalls.
In the meantime, S&P's critics are offering their own recommendations.
"If you have the misfortune of having a MultiCSP on your network, you have my sympathy," security consultancy MSG.Net's Kevin Kadow wrote in his Bugtraq alert. "If you can't live without their stock information, it is possible to use the root holes to lock down the box as best you can, then put it behind a firewall with just the CSP TCP port open _inbound_ to the MCSP system from your hosts, or at least a router with equivalent traffic filters.
"Then pray for the best," Kadow added.