Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/6/2011
06:52 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Nasdaq Hack. Lots of Questions. Few Answers

According to a news report this weekend, hackers breached web-based applications owned by the NASDAQ. How deep did the attacks go, and who was behind them?

According to a news report this weekend, hackers breached web-based applications owned by the NASDAQ. How deep did the attacks go, and who was behind them?A news story from The Wall Street Journal reported that attackers had penetrated, on multiple occasions, the computer networks of the company that runs the Nasdaq Stock Market. According to the story federal investigators are working to uncover the criminals. The Nasdaq trading platform was not affected, the story claimed. The story was based on unnamed sources.

It wasn't the Nasdaq stock market that the attackers were after it turns out, but information from the boards of directors of publicly traded companies. To get that, it was their Web-based collaboration platform – Directors Desk – that was the target.

This statement from Nasdaq says that the company detected suspicious files on U.S. servers and determined: that our web facing application Directors Desk was potentially affected. We immediately conducted an investigation, which included outside forensic firms and U.S. federal law enforcement. The files were immediately removed and at this point there is no evidence that any Directors Desk customer information was accessed or acquired by hackers.

The The Wall Street Journal, in a follow-up story, reported that the exchange will be run as usual for trading on Monday.

According its own Web site, Directors Desk is used by 10,000 directors at Fortune 500 sized companies. That's a trove of information, so no shocker the system was targeted.

The Nasdaq OMX was no slouch when it comes to security, either:

Operational Security

Our policies comply with the ISO27001 security standard, providing multiple levels of protection to guard our clients' confidential data against undesired access. The ISO27001 standard includes employee background screening; policies that restrict physical and logical access to classified information; management of information systems; firewalling; intrusion detection; risk assessment; and guaranteed destruction of expired data.

Application Security

Directors Desk provides multiple layers of security to protect our clients' most vital corporate records.

User authentication is tightly controlled through "strong passwords," fully encrypted transport, procedures surrounding account activation, and encryption of all service level passwords in the system.

Role-based security protocols control which content is available to each user upon logging in.

Network and host-based Intrusion Detection Systems (IDS) protect all hardware and applications in the Directors Desk server farm

Complying with security standards, having good authentication and authorization systems in place is great. So are IDS systems. But no matter how many layers of security are in place, what matters is how well it's all orchestrated together. That's why lists of standards being adhered to, as well as security technologies in place don't really tell us much about how secure an organization is.

So far, not much information about this hack. Hopefully, Nasdaq is correct, and no customer information was stolen. But we still don't know who was behind the attack, and can only assume that it was board secrets that the attackers sought.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14190
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to achieve Regex Denial of Service via user-supplied regex in EyeQL. The affected versions are before version 4.8.4.
CVE-2020-29074
PUBLISHED: 2020-11-25
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user.
CVE-2020-14191
PUBLISHED: 2020-11-25
Affected versions of Atlassian Fisheye/Crucible allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the MessageBundleResource within Atlassian Gadgets. The affected versions are before version 4.8.4.
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...