BOSTON (05/26/2000) - Alleged security flaws in an online service offered by a unit of Standard & Poor's Financial Information Services highlight the risks companies sometimes face as they use the Web to connect with external partners.
Stephen Friedl, an independent security consultant in Tustin, California, this week reported security problems with S&P's ComStock service to BugTraq, a widely distributed security mailing list. S&P Comstock is a subscription service that aggregates financial information from more than 140 sources and pumps it to Linux-based clients that sit at each subscriber's location.
The problem is that a lack of adequate security controls on those boxes -- and, more important, on one of the virtual private networks (VPN) that they're hooked up to -- makes it relatively easy for crackers to gain access to the networks of some other ComStock subscribers, Friedl said. An earlier report on the problem was posted on BugTraq in March.
Such access would give intruders the freedom to snoop around other subscribers' systems and networks, Friedl said. He claimed that while conducting a security audit for a ComStock subscriber, he exploited the vulnerability and detected the networks of other subscribers to show how easy it was to do.
Not all S&P ComStock subscribers are vulnerable. The problem affects only those hooked up to a VPN belonging to San Jose-based Concentric Network Corp.
David Brukman, vice president of technology at S&P Comstock, acknowledged that the firm's Linux-based client-side processors could be relatively easy to hack into. But since the systems are hooked to a secure VPN, "they are not designed to be as secure as devices that would be on a public network," Brukman said. He challenged Friedl's assertion that the holes in the VPN allowed hackers to access systems belonging to other subscribers.
"It is possible that at some point in the past, the consultant may have found some flaw in the network, but the latest audit indicates the network is secure," Brukman said. S&P is shoring up security on its client-side processors and following up with the network provider to ensure total security in the future, he added.
Concentric declined to comment on the matter.
Incidents such as this highlight the need for companies to protect themselves not just against crackers, but also from the security lapses of business partners they are connected with over the Web, said Ryan Russell, manager of information systems at SecurityFocus.com. The San Mateo, California-based firm moderates BugTraq.
"The main problem is that you are extending the trust of your enterprise to somebody else, who may have a very different idea of protection," Russell said.
"Whether it is a link with a supplier, service provider or a business partner, you need to treat it as a hostile entity" from a security perspective.