Hack forces security audit at Morningstar Canada

From...

By Jaikumar Vijayan

(IDG) -- Morningstar Inc.'s Canadian subsidiary is being forced to spend thousands of dollars on a security audit to reassure users about the safety of its investment-research Web site after a hacker claimed that he had broken into the unit's servers and accessed confidential customer information.

Officials at Toronto-based Morningstar Canada said the unit doesn't maintain any private information on the Web site, making the security concerns a moot point. But an e-mail campaign launched by the hacker last week had the potential to damage the company's credibility, said Morningstar Canada CEO Scott McKenzie. As a result, the Canadian operation is hiring an unidentified Web security firm to assess and audit its security capabilities.

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories Global Crossing employee data exposed on Web Hidden viruses can circumvent server-based protection Visual Studio .Net first to pass new MS security audit Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

Morningstar Canada sells software for use in analyzing the performance of mutual funds and also markets performance data directly to investment managers at large companies. The unit's Web site, which gets about a million hits monthly, is run on a different system than the one used by its Chicago-based parent company, according to McKenzie.

Noam Eppel, a 21-year-old part-time teacher and Web consultant who lives in Toronto, sent e-mails to several popular security mailing lists claiming that there's a lack of security on Morningstar Canada's Web site. The e-mails contained examples of purportedly confidential customer information that Eppel claimed he had been able to easily access from the site. The information included names, passwords and stock portfolio data that allegedly belonged to two Morningstar customers.

But McKenzie said the company doesn't keep confidential customer records, credit card information or anything that is remotely sensitive. The Web site lets registered users create and store profiles for running "what-if" scenarios on stocks they may own, but McKenzie said the profiles aren't even encrypted. Instead, they're stored in clear-text format because they don't require any level of protection, he said.

"The innocuous information that [Eppel] obtained would only be useful if he had physical access to our computers, which are housed behind firewalls in a highly secure off-site location," said Tim Gilbert, Morningstar's chief technology officer. Even then, any damage would have been only to Morningstar's own systems and not to any customer data, because there is none, he said.

"The information that Mr. Eppel obtained from our site was not acquired by hacking into our database, but rather by sniffing our clear-text network traffic," Gilbert said.

The e-mail campaign was prompted by Morningstar Canada's refusal to hire Eppel, McKenzie claimed.

Eppel denied that he had applied for a job at Morningstar. According to Eppel, his investigation of Morningstar's site began after he discovered unsolicited probes coming from the company's network while working on a client's servers. Eppel said he went public with the information only after Morningstar Canada refused to act on repeated warnings about the alleged problem.

"Morningstar is saying their security's fine, but now they have to spend a sizable amount of money to prove it is so," said Eric Hemmendinger, an analyst at Boston-based Aberdeen Group Inc. "What they should've done is perform an internal assessment when they first heard of this and [then] informed customers if there had been a problem. It is better to release such information yourself rather than wait for someone else to do it."