From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 29 Jan 2002 07:25:51 -0800 (PST)
Subject: [iwar] [fc:More.Online.Security.Woes.For.FBI's.Data.Firm]

More Online Security Woes For FBI's Data Firm
By Brian McWilliams, Newsbytes, 1/28/02
http://www.newsbytes.com/news/02/174003.html

A week after plugging a severe security hole at its main Web site, database firm ChoicePoint has been stung with the discovery of major vulnerabilities at another of its Internet properties.

According to security experts, the latest flaw potentially enabled remote attackers to take complete control of The LienGuard System, a ChoicePoint service for banks and other customers in the financial services industry.

ChoicePoint, which had year 2000 sales of $593.5 million, provides information about individuals and companies to the FBI, Department of Justice, insurance firms and other clients, according to its Web site.

A page at the vulnerable site, located at http://www.lienguard.com, claimed the service allowed ChoicePoint customers to log in through a "highly secure" system and to access a database of legal documents maintained by ChoicePoint.

Before it was patched this afternoon by ChoicePoint, the site, which runs Microsoft's Internet Information Server (IIS) software, was vulnerable to several widely known security exploits, including one that enables attackers to run operating system commands on the server.

A patch for the hole, referred to as the "Double Decode" flaw, was released by Microsoft last May. The vulnerability was exploited by the Nimda worm, which spread widely last September.

Another flaw at the LienGuard site, which also has been closed, was originally reported to ChoicePoint today by Kitetoa, a group of security enthusiasts in France. The hole potentially enabled visitors to view the source code to the site's Active Server pages and could have enabled attackers to obtain the user identification and password used to access the server's back-end database.

ChoicePoint spokesperson James Lee said there was no indication that anyone had exploited the security flaws at the site, which he said was recently launched and was being used by only a small number of what he termed "test" customers.

"For any company to be vulnerable to these kinds of problems, especially after the wide coverage the recent IIS worms received, is irresponsible," said David Litchfield, managing director of Next Generation Security Software.

Litchfield was part of the team credited last March by Microsoft for discovering the Active Server vulnerability in IIS.

The report of new Internet security flaws at ChoicePoint follows the discovery last week by Kitetoa of a security vulnerability at the data firm's main Web site, Choicepoint.net.

That flaw in ChoicePoint's configuration of the Lotus Domino Web server enabled unauthorized intruders to view internal company documents such as marketing reports and work-in-progress reports.

ChoicePoint said that data gathered on behalf of its clients - such as background screens, pre-employment drug tests, military history checks and insurance fraud investigations - were not exposed by the security gaffe at the Choicepoint.net site.

Lee said today that ChoicePoint intends to hire an outside consultant to review the security at all of its Internet properties.

According to a spokesperson for the Electronic Privacy Information Center (EPIC), the recent security flaws at ChoicePoint illustrate the security risks of having "profilers" like ChoicePoint maintain sensitive data on behalf of the government.

"The risks to personal privacy include not only illegal or inappropriate employee access to the information, but also outsiders who wish to collect profiling information," said Chris Hoofnagle, EPIC legislative counsel.

According to Lee, the data housed at the LienGuard site was public information available from other sources.

Earlier this month, EPIC filed a lawsuit against the U.S. Justice and Treasury Departments seeking more information about their contracts with ChoicePoint and a competitor, Experian.

ChoicePoint is the latest high-profile database company to have its security practices exposed by Kitetoa. Last year, DoubleClick, the online ad giant, acknowledged Kitetoa's report that attackers had placed a back-door program on the company's Web server and had viewed files on another server hosting its Abacus Online database.

Litchfield said the vulnerabilities at LienGuard.com could have been easily located through the use of the many free or commercial vulnerability assessment scanners available.

"Having an effective security patching process in any organization is a must," he said.

NGSSoftware is at http://www.nextgenss.com .
ChoicePoint is at http://www.choicepoint.com .
Kitetoa is http://www.kitetoa.com .
LienGuard is at http://www.lienguard.com .
EPIC is at http://www.epic.org .

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST