June 21, 2000
Standard & Poor's (S&P), a division of McGraw-Hill, knowingly exposed
their customers to information security vulnerabilities through their
SPComstock analyst service. The security vulnerabilities, originally discovered
in January, allowed customers to break into any other customer networks
via their MultiCSP turnkey Linux box.
stock quote service, which is provided to customers through a leased line,
provides stock quotes and news on dedicated circuits.
Standard & Poor's was notified of this problem in January and did little
to remedy the many security holes. The problem was first reported to
S&P by customer Kevin Kadow, Network Security Analyst for MSG.net, and
has been further verified and researched by Stephen Friedl. According
to inside sources, as of March S&P was still shipping out insecure boxes
that had been changed only cosmetically.
bad guys get into the box by using one of the many security holes, there
exists the possibility to:
alter published interest rates
alter equity fund data
alter earnings and balance sheet information
print phony news stories
change published dividend rates
1. S&P, a division of McGraw-Hill, lags their own index.
egregious security holes allow you to break into other customer networks,
alter the information on their sites, and access their networks. There
exists the possibility to change all the data that an investor or analyst
might rely on for daily transactions and investments.
Just because a leading brand name offers what appears to be a reputable
product, don't assume that they have exercised due diligence when it comes
to security. When purchasing any service or hardware device, make sure
you change all the default passwords before using the box or service on
you are the owner of one of these boxes, the first thing you should
do is change the default passwords and make sure that every account
has a password set. At the very minimum, select a password that has at
least eight characters and mixes upper- and lower-case characters, making
sure that the password does not include any dictionary word.
local administrator of this box should shut down all network services
that are not needed. The best thing to do would be to contact your
S&P account representative and ask them what network services the
Comstock product actually requires.
the /etc/issue file that reveals current system information about
the box that could be obtained during reconnaissance scans by bad
your Comstock box behind a firewall. Set up your firewall to block
all outbound traffic. This will keep your Comstock box from being
used as a launch pad for stolen software (warez) and other nefarious
an intrusion detection system between your border routers and firewall
in order to detect unsavory network activity before it affects your network.
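The hardening steps above (no passwordless accounts, a password policy, only the services the product needs, a banner that gives nothing away, and a firewall that lets nothing out of the box) can each be checked mechanically. The following POSIX sh script is an added example, not code from the advisory or from S&P: every sample input in it is constructed for illustration, the account names and the "netstat -an" column layout are assumptions, port 9000 stands in for whatever the vendor says the product actually requires, 192.0.2.10 is a placeholder address, and the emitted firewall rules assume iptables syntax.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit helpers for the hardening
# steps recommended for a turnkey Linux box. All inputs below are constructed.
LC_ALL=C; export LC_ALL

# --- 1. Accounts with no password ------------------------------------------
# Constructed stand-in for /etc/shadow. An empty second field means anyone can
# log in as that account without a password; "!" or "*" means it is locked.
SAMPLE_SHADOW='root:$1$saltsalt$hashhashhashhash:11000:0:99999:7:::
comstock::11000:0:99999:7:::
operator:!:11000:0:99999:7:::
ftp::11000:0:99999:7:::'

# Prints the name of every account whose password field is empty.
accounts_without_password() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# --- 2. The advisory's minimum password policy -----------------------------
# Constructed mini dictionary standing in for /usr/share/dict/words.
SAMPLE_DICT='comstock
password
standard
quote'

# Prints "ok" when the candidate has at least eight characters, both upper and
# lower case, and no dictionary word inside it; otherwise prints the reason.
password_meets_policy() {
    pw=$1
    dict=$2
    [ "${#pw}" -ge 8 ] || { echo too-short; return 1; }
    printf '%s' "$pw" | grep -q '[A-Z]' || { echo no-uppercase; return 1; }
    printf '%s' "$pw" | grep -q '[a-z]' || { echo no-lowercase; return 1; }
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $dict; do
        case $lower in *"$w"*) echo "dictionary-word:$w"; return 1 ;; esac
    done
    echo ok
}

# --- 3. Listening services versus the vendor-confirmed list ----------------
# Constructed lines in the shape of "netstat -an" output (exact columns vary by
# netstat version; this layout is an assumption).
SAMPLE_LISTENERS='tcp        0      0 0.0.0.0:23     0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:21     0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:9000   0.0.0.0:*   LISTEN
udp        0      0 0.0.0.0:111    0.0.0.0:*'

# $1 = netstat-style text, $2 = space-separated ports the product needs
# (9000 is a placeholder; ask the vendor for the real list). Prints each
# proto/port that is listening but not on the list, one per line.
listening_ports_not_allowed() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            m = split($4, f, ":")
            if (!(f[m] in ok)) print $1 "/" f[m]
        }' | sort -u
}

# --- 4. Does /etc/issue leak system details? -------------------------------
SAMPLE_ISSUE_LEAKY='Linux release 6.1
Kernel 2.2.12 on an i686'
SAMPLE_ISSUE_CLEAN='Authorized use only.'

# Prints "leak" if the banner names a release, a kernel or a version number
# (exactly what a reconnaissance scan harvests), otherwise "clean".
issue_leaks_info() {
    if printf '%s\n' "$1" | grep -Eqi 'kernel|release|[0-9]+\.[0-9]+'; then
        echo leak
    else
        echo clean
    fi
}

# --- 5. Firewall rules: only the product's ports in, nothing out ------------
# Emits iptables commands (syntax assumed; $1 is a placeholder address) for a
# firewall in front of the box. Replies to permitted inbound connections pass;
# any connection the box itself originates is dropped, which is what stops it
# being used as a launch pad.
egress_block_rules() {
    box=$1
    allow=$2
    for p in $allow; do
        echo "iptables -A FORWARD -d $box -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A FORWARD -s $box -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $box -j DROP"
}

# Run every check against the constructed samples and print a short report.
run_audit() {
    echo "accounts without a password:"; accounts_without_password "$SAMPLE_SHADOW"
    echo "unexpected listeners:";        listening_ports_not_allowed "$SAMPLE_LISTENERS" 9000
    echo "/etc/issue: $(issue_leaks_info "$SAMPLE_ISSUE_LEAKY")"
    echo "password check: $(password_meets_policy 'Comstock1' "$SAMPLE_DICT")"
    egress_block_rules 192.0.2.10 9000
}
run_audit
```

On a real box the constructed strings would be replaced by `cat /etc/shadow`, `netstat -an` and `cat /etc/issue` (run as root), and the allowed-port list by whatever the account representative confirms the product needs; the emitted rules belong on the firewall in front of the box, not on the box itself.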
A term software pirates use to describe a cracked game or application
that is made available on the Internet, usually via FTP or telnet; often
the pirate will make use of a site with lax security.
used in cracker subcultures to denote a cracked version of commercial software,
that is, a version from which copy protection has been stripped.