May 29, 2000 (Computerworld) -- Alleged security flaws in an online service offered by a unit of Standard & Poor's Financial Information Services highlight the risks companies sometimes face as they use the Web to connect with external partners.
Stephen Friedl, an independent security consultant in Tustin, Calif., last week reported security problems with S&P's Comstock service to Bugtraq, a security mailing list.
S&P Comstock is a subscription service that aggregates financial information from more than 140 sources and pumps it to Linux-based clients that sit at each subscriber location.
The problem is that a lack of adequate security controls on those boxes - and, more important, on one of the virtual private networks (VPNs) they're hooked up to - makes it relatively easy for hackers to gain access to the networks of some other Comstock subscribers, said Friedl. An earlier report on the problem was posted on Bugtraq in March.
Freedom to Snoop
Such access would give intruders the freedom to snoop around other subscribers' systems and networks, Friedl said. He claimed that while conducting a security audit for a Comstock subscriber, he exploited the vulnerability and detected the networks of other subscribers to show how easy it was to do.
Not all S&P Comstock subscribers are vulnerable. The problem affects only those hooked up to a VPN belonging to San Jose-based Concentric Network Corp.
David Brukman, vice president of technology at S&P Comstock, last week acknowledged that the firm's Linux-based client-side processors could be relatively easy to hack into.
But since the systems are hooked to a secure VPN, "they are not designed to be as secure as devices that would be on a public network," Brukman said. He challenged Friedl's assertion that the holes in the VPN allowed hackers to access systems belonging to other subscribers.
"It is possible that at some point in the past, the consultant may have found some flaw in the network, but the latest audit indicates the network is secure," Brukman said. S&P is shoring up security on its client-side processors and following up with the network provider to ensure total security in the future, he added.
Concentric declined to comment on the matter.
Need for Protection
Incidents such as this highlight the need for companies to protect themselves not just against hackers, but also from the security lapses of business partners they are connected with over the Web, said Ryan Russell, manager of information systems at SecurityFocus.com. The San Mateo, Calif.-based firm moderates Bugtraq.
"The main problem is that you are extending the trust of your enterprise to somebody else, who may have a very different idea of protection," Russell said. "Whether it is a link with a supplier, service provider or a business partner, you need to treat it as a hostile entity" from a security perspective.