[iwar] [fc:More.Online.Security.Woes.For.FBI's.Data.Firm]

From: Fred Cohen (fc@all.net)
Date: 2002-01-29 07:25:51



More Online Security Woes For FBI's Data Firm

By Brian McWilliams, Newsbytes, 1/28/02
http://www.newsbytes.com/news/02/174003.html

A week after plugging a severe security hole at its main Web site,
database firm ChoicePoint has been stung with the discovery of major
vulnerabilities at another of its Internet properties.

According to security experts, the latest flaw potentially enabled
remote attackers to take complete control of The LienGuard System, a
ChoicePoint service for banks and other customers in the financial
services industry.

ChoicePoint, which had year 2000 sales of $593.5 million, provides
information about individuals and companies to the FBI, Department of
Justice, insurance firms and other clients, according to its Web site.

A page at the vulnerable site, located at http://www.lienguard.com,
claimed the service allowed ChoicePoint customers to log in through a
"highly secure" system and to access a database of legal documents
maintained by ChoicePoint.

Before it was patched this afternoon by ChoicePoint, the site, which
runs Microsoft's Internet Information Server (IIS) software, was
vulnerable to several widely known security exploits, including one that
enables attackers to run operating system commands on the server.

A patch for the hole, referred to as the "Double Decode" flaw, was
released by Microsoft last May. The vulnerability was exploited by the
Nimda worm, which spread widely last September.

Another flaw at the LienGuard site, which also has been closed, was
originally reported to ChoicePoint today by Kitetoa, a group of security
enthusiasts in France. The hole potentially enabled visitors to view the
source code to the site's Active Server pages and could have enabled
attackers to obtain the user identification and password used to access
the server's back-end database.

ChoicePoint spokesperson James Lee said there was no indication that
anyone had exploited the security flaws at the site, which he said was
recently launched and was being used by only a small number of what he
termed "test" customers.

"For any company to be vulnerable to these kinds of problems, especially
after the wide coverage the recent IIS worms received, is
irresponsible," said David Litchfield, managing director of Next
Generation Security Software. Litchfield was part of the team credited
last March by Microsoft for discovering the Active Server vulnerability
in IIS.

The report of new Internet security flaws at ChoicePoint follows the
discovery last week by Kitetoa of a security vulnerability at the data
firm's main Web site, Choicepoint.net. That flaw in ChoicePoint's
configuration of the Lotus Domino Web server enabled unauthorized
intruders to view internal company documents such as marketing reports
and work-in-progress reports.

ChoicePoint said that data gathered on behalf of its clients - such as
background screens, pre-employment drug tests, military history checks
and insurance fraud investigations - were not exposed by the security
gaffe at the Choicepoint.net site.

Lee said today that ChoicePoint intends to hire an outside consultant to
review the security at all of its Internet properties.

According to a spokesperson for the Electronic Privacy Information
Center (EPIC), the recent security flaws at ChoicePoint illustrate the
security risks of having "profilers" like ChoicePoint maintain sensitive
data on behalf of the government.

"The risks to personal privacy include not only illegal or inappropriate
employee access to the information, but also outsiders who wish to
collect profiling information," said Chris Hoofnagle, EPIC legislative
counsel.

According to Lee, the data housed at the LienGuard site was public
information available from other sources.

Earlier this month, EPIC filed a lawsuit against the U.S. Justice and
Treasury Departments seeking more information about their contracts with
ChoicePoint and a competitor, Experian.

ChoicePoint is the latest high-profile database company to have its
security practices exposed by Kitetoa. Last year, DoubleClick, the
online ad giant, acknowledged Kitetoa's report that attackers had placed
a back-door program on the company's Web server and had viewed files on
another server hosting its Abacus Online database.

Litchfield said the vulnerabilities at LienGuard.com could have been
easily located through the use of the many free or commercial
vulnerability assessment scanners available.

"Having an effective security patching process in any organization is a
must," he said.

NGSSoftware is at http://www.nextgenss.com .

ChoicePoint is at http://www.choicepoint.com .

Kitetoa is http://www.kitetoa.com .

LienGuard is at http://www.lienguard.com .

EPIC is at http://www.epic.org .

------------------
http://all.net/ 
