[ISN] Payroll firm pulls Web services, citing data leak

From: InfoSec News (isn@private)
Date: Wed Mar 02 2005 - 09:24:08 PST


http://news.zdnet.com/2100-1009_22-5595316.html

By Robert Lemos
CNET News.com 
March 1, 2005

Service provider PayMaxx shuttered additional parts of its online
payroll site this week, after a Web programmer continued to find holes
in the system.

PayMaxx's further closure of its Web services comes after a Web
programmer, Aaron Greenspan, discovered that the company's initial
attempt to block malicious access had fixed some flaws but left others
unresolved.

While still referring to the data leak as "limited in scope," the
online payroll processor closed down its PayView and Instant W2
services, the company said in a statement. The services will remain
down until PayMaxx has completed a thorough security analysis and
redesigned the site's architecture.

"We have sent all clients and key partners e-mails alerting them to
the situation, and we are contacting the companies we believe may have
been potentially affected by the hacking," PayMaxx said in a statement
sent to CNET News.com.

The dispute between PayMaxx and Greenspan, president of Web services
start-up Think Computer and a former PayMaxx customer, over the
security of the company's Web site continued this week. PayMaxx
referred to Greenspan as a "hacker," while the Web programmer
maintained that the security problem is far worse than divulged by the
payroll company.

The data leak comes at a time when several high-profile attacks have
Congress looking into further legislation to protect people's private
information. In February, data aggregator ChoicePoint warned that
almost 150,000 consumer files had been compromised by scam artists who
had set up fake companies to garner identity information. Last week,
financial services giant Bank of America alerted government workers
that backup tapes containing their information had gone missing.

Greenspan said he uncovered the problem with PayMaxx's Web site about
three weeks ago and tried to contact the company. He said PayMaxx did
not respond, so he posted a report detailing the flaws. That prompted
PayMaxx to shut down its Web service for retrieving W2 information.  
Greenspan continued to prod the site's security and discovered more
vulnerabilities this weekend, he said.

Greenspan said his attempts to find flaws in the site have been
motivated by protecting his own information, from when Think Computer
was a client of PayMaxx. "Think had an obvious interest in seeing that
the problem would be resolved properly since its own data was stored
in the affected systems," he said in an e-mail interview.

PayMaxx does not agree. The Web programmer has been far too intent on
poking holes in the company's systems and has "numerous inaccuracies"  
in his report, PayMaxx said in a statement. The company did not
specify which parts of his report were incorrect.

"We believe the hacker has violated federal law and we will take
whatever action is necessary to protect the interests of our clients
and our company," the company said.

PayMaxx has contracted an outside security company to test its Web
applications' security and has ordered additional hardware and
software to better detect intrusions, PayMaxx said in a statement.



_________________________________________
Bellua Cyber Security Asia 2005 -
http://www.bellua.com/bcs2005



This archive was generated by hypermail 2.1.3 : Wed Mar 02 2005 - 11:06:10 PST