This is the letter unedited except to remove the customer reference:
From: jack_gioffre@standardandpoors.com
To: {customer}
Date: 24 May 2000
Subject: Standard & Poor's ComStock Security Letter

Dear {customer},

Standard and Poor's ComStock is committed to providing the highest quality product and services to its clients. With this in mind, ComStock has developed the multi-user CSP which provides clients easy access to the quote server and gives the ComStock technical support team the ability to maintain and manage the remote CSP product over the Concentric virtual private network (VPN).

The initial ability to do this meant that ComStock was required to keep the system open. Knowing that the CSP would be located on a private "trusted network", there was no immediate need to create a Linux machine with top security measures instituted.

From the network perspective, Concentric and ComStock implemented the network by design with conscientious security strategies set forth. Although the Bay routers on the Concentric network are Internet accessible, to the best of our knowledge, the public Internet traffic cannot access the private network nor can the private network packets exit to the public Internet.

Facing the threat of repeated Internet attacks, causing denial of service to many well-know sites, and the security concerns of the ComStock client base using the multi-user CSP, ComStock will be implementing enhanced security measures on this product platform. This will be done over a period of time as new product releases are introduced.

It is important to understand that 'security is a process' and is something that is not achieved as a final goal. We therefore view security as a way of setting up, maintaining, and running a system, a network, or an environment.

To better make the ComStock multi-user CSP more secure than it is today, we will be implementing a series of changes which include but are not limited to the following:

1) Remove unnecessary login accounts;
2) Password protect all accounts;
3) Remove any daemons not necessary for the operation of the CSP product;
4) Upgrade to the latest Operating System releases which offer enhanced security features;
5) Change default passwords for each unit shipped;
6) Offer secure telnet and FTP access to the product;
7) Install a firewall or other forms of IP filtering; and
8) Implement other measures as required.

These methods will be applied over a period of time until ComStock reaches the level of security necessary for the product and clients' needs. ComStock and Concentric will continue to evaluate and modify the multi-user CSP and network security aspects as required. This process can only be enhanced by each participant remaining security conscience and to follow any recommended guidelines to ensure a safe and secure product environment.

Sincerely,

Jack Gioffre
Product Development Manager
Standard & Poor's ComStock
600 Mamaroneck Avenue
Harrison, NY 10528