Saturday, March 27, 2010

Standard & Poor's Exposes Customers' Security

Standard & Poor's (S&P), a division of McGraw-Hill, knowingly left its customers exposed to security vulnerabilities in its SPComstock analyst service. The holes, originally discovered in January, allowed any customer to break into other customers' networks via the MultiCSP turnkey Linux box that S&P ships to each customer.

The SPComstock service delivers stock quotes and news to customers over leased lines on dedicated circuits.

Market Impact

Standard & Poor's was notified of the problem in January and did little to fix the many security holes. The problem was first reported to S&P by customer Kevin Kadow, Network Security Analyst for MSG.net, and has since been independently verified and researched by Stephen Friedl. According to inside sources, as of March S&P was still shipping insecure boxes that differed from the original only cosmetically.

Once an attacker gets into the box through one of the many security holes, it becomes possible to:

* Illegally alter published interest rates

* Illegally alter equity fund data

* Illegally alter earnings and balance sheet information

* Illegally print phony news stories

* Illegally change published dividend rates

Figure 1. S&P, a division of McGraw-Hill, lags its own index.

These egregious holes let an attacker break into other customers' networks, alter the information on their sites, and move freely within those networks. Because the turnkey box sits inside each customer's network and is reachable over the service's circuits, a hole in one box is a path into every customer that runs one. Every figure an investor or analyst relies on for daily transactions and investment decisions could be changed.
