Event Summary
Standard & Poor's (S&P), a division of McGraw-Hill, knowingly exposed
its customers to information security vulnerabilities through its
SPComstock analyst service. The vulnerabilities, originally discovered
in January, allowed any customer to break into any other customer's network
via the MultiCSP turnkey Linux box. The stock quote service, delivered to
customers over a leased line, provides stock quotes and news on dedicated
circuits.
Market Impact
Standard & Poor's was notified of this problem in January and did little
to remedy the many security holes. The problem was first reported to
S&P by customer Kevin Kadow, Network Security Analyst for MSG.net, and
has since been verified and researched further by Stephen Friedl. According
to inside sources, as of March S&P was still shipping insecure boxes
that differed from the originals only cosmetically.
Once bad guys get into the box by using one of the many security holes, there
exists the possibility to:
- Illegally alter published interest rates
- Illegally alter equity fund data
- Illegally alter earnings and balance sheet information
- Illegally print phony news stories
- Illegally change published dividend rates
Figure 1. S&P, a division of McGraw-Hill, lags its own index.

The egregious security holes allow an intruder to break into other customer
networks, alter the information on those sites, and access those networks.
Every piece of data that an investor or analyst relies on for daily
transactions and investments could be changed.
User Recommendations
Just because a leading brand name offers what appears to be a reputable
product, don't assume that the vendor has exercised due diligence when it
comes to security. When purchasing any service or hardware device, change
all the default passwords before putting the box or service on the network.
- If you are the owner of one of these boxes, the first thing you should
do is change the default passwords and make sure that every account
has a password. At a minimum, select a password of at least eight
characters with mixed-case letters, and make sure it does not contain
any dictionary word.
- The local administrator of the box should shut down all network services
that are not needed. The best approach is to contact your S&P account
representative and ask which network services the Comstock product
actually requires.
- Remove the /etc/issue file, which reveals current system information
about the box that bad guys could obtain during reconnaissance scans.
- Put your Comstock box behind a firewall, and set up the firewall to block
all outbound traffic. This keeps the Comstock box from being used as a
launch pad for stolen software (warez) and other nefarious network activity.
- Put an intrusion detection system between your border routers and firewall
to detect unsavory network activity before it affects your network.
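A small audit helper for the owner's checklist above, written for this page as an added example (it is not S&P's, MSG.net's or the Comstock product's own code): it lists accounts with an empty password field, flags an /etc/issue banner that reveals system details, and applies the password rule given in the recommendations. It runs against constructed copies of the files rather than the live box; the file names, sample contents and word list are assumptions.

```sh
# Audit helper for the Comstock box checklist above (added example, not S&P's
# code). It reads copies of the files, so it runs offline; paths are assumptions.
# Print accounts whose password field is empty, i.e. login needs no password.
# $1: path to an /etc/shadow-style file (name:hash:lastchg:...).
unpassworded_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Exit 0 if an /etc/issue banner leaks system details: a distribution release
# string or the \r (kernel) / \m (hardware) banner escapes.
issue_leaks_info() {
    grep -Eiq 'release|kernel|version|\\[rsmv]' "$1"
}

# Password rule from the recommendations: at least eight characters, both upper-
# and lower-case letters, and no dictionary word of four or more letters inside
# it (compared case-insensitively). $1: password, $2: word list, one per line.
password_ok() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | grep -q '[a-z]' || return 1
    printf '%s' "$pw" | grep -q '[A-Z]' || return 1
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    while IFS= read -r w; do
        w=$(printf '%s' "$w" | tr 'A-Z' 'a-z')
        [ "${#w}" -ge 4 ] || continue
        case "$lower" in *"$w"*) return 1 ;; esac
    done < "$2"
    return 0
}

# Constructed sample files standing in for the live box; prints their directory.
make_samples() {
    dir=$(mktemp -d)
    printf 'root:$1$ab$cd:11000:0:99999:7:::\ncomstock::11000:0:99999:7:::\n' > "$dir/shadow"
    printf 'Red Hat Linux release 6.1\nKernel \\r on an \\m\n' > "$dir/issue"
    printf 'password\ncomstock\nstock\nquote\n' > "$dir/words"
    echo "$dir"
}

# Run every check against the sample files and report the findings.
audit_demo() {
    d=$(make_samples)
    echo "accounts with no password: $(unpassworded_accounts "$d/shadow")"
    if issue_leaks_info "$d/issue"; then echo "/etc/issue leaks system details"; fi
    for cand in 'Comstock1' 'Tr0ub4dor7x'; do
        if password_ok "$cand" "$d/words"; then echo "$cand: ok"; else echo "$cand: weak"; fi
    done
}
audit_demo
```

To check a real box, point the functions at /etc/shadow and /etc/issue (as root) and at a larger word list such as the system dictionary.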
Glossary
warez: A term software pirates use to describe a cracked game or application
that is made available on the Internet, usually via FTP or telnet, often on
a site with lax security. Widely used in cracker subcultures to denote cracked
versions of commercial software, that is, versions from which copy protection
has been stripped.