Hackers Spied on Board Directors After Nasdaq Breach

By Jennifer LeClaire
October 21, 2011 1:30PM

Results from Nasdaq's investigation into a breach it disclosed in February are trickling out. The bottom line: The attack was worse than initially expected.

Fox News reported that the hackers who infiltrated Nasdaq's computer systems installed malicious software on the exchange's computers that allowed them to spy on scores of directors of publicly held companies. Fox cited "two people familiar with an investigation" as its sources.

The target of the attack was a Web-based software program called Directors Desk. Nasdaq OMX develops Directors Desk, which serves as a communications and information management solution for boards. Security is touted as one of its benefits.

An SQL Injection?

Gunter Ollman, vice president of research at security firm Damballa, said the sparse public information available on the Nasdaq breach and the nature of the Directors Desk Web-based application lead him to believe that remote hackers probably exploited vulnerabilities within the application that allowed them to read information exchanged between various company directors.

"Gaining remote access to confidential data held within the Director's Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," Ollman said. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."

Some security experts are reporting that the attackers successfully installed malware on the system. To do this, Ollman said, the attacker would need the capability to upload files to the application and/or break out of the application itself and gain access to the server directly. Several of the Open Web Application Security Project (OWASP) top-10 attack vectors, he noted, would allow this to occur.
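Two of the vulnerability classes Ollman names, SQL injection and URL restriction failures, are illustrated below in a constructed board-portal style document store. This is an added example, not code from Directors Desk or from the article; the table, company names and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: documents owned by different companies, standing in
# for the kind of per-board content a portal like Directors Desk would hold.
SAMPLE_DOCS = [
    (1, "acme", "Q3 board pack"),
    (2, "acme", "M&A memo"),
    (3, "globex", "Audit committee minutes"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs(id INTEGER, company TEXT, title TEXT)")
    db.executemany("INSERT INTO docs VALUES (?, ?, ?)", SAMPLE_DOCS)
    return db


def fetch_docs_vulnerable(db, company):
    """SQL-injection pattern: the caller's value is pasted into the SQL text,
    so a crafted value can change the WHERE clause and return other companies'
    rows. Kept only to contrast with the parameterised version below."""
    sql = "SELECT id, title FROM docs WHERE company = '" + company + "'"
    return db.execute(sql).fetchall()


def fetch_docs_safe(db, company):
    """Hardened form: the driver binds the value separately from the SQL, so
    the input is always treated as data, never as query syntax."""
    sql = "SELECT id, title FROM docs WHERE company = ?"
    return db.execute(sql, (company,)).fetchall()


def get_doc_by_url(db, session_company, doc_id):
    """Closes a 'URL restriction failure': a direct link such as /docs/3 is
    only honoured if the document belongs to the company of the logged-in
    session. Returns the title, or None when the caller is not entitled."""
    sql = "SELECT company, title FROM docs WHERE id = ?"
    row = db.execute(sql, (doc_id,)).fetchone()
    if row is None or row[0] != session_company:
        return None  # unknown id or another board's document: deny
    return row[1]
```

A test that feeds both query functions the same tautology-style input shows the vulnerable one returning every row and the parameterised one returning none.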

Web App Vulnerabilities

Ollman, for one, is not surprised at the Directors Desk revelations. That's because vulnerabilities within large Web-based applications are increasingly common. Web-based software is under constant development and change, he said, which means that vulnerabilities can be unintentionally introduced at any time.

"If there are multiple development teams working on the same application portal -- all developing their own micro applications -- then the probability of new vulnerabilities being introduced grows considerably," Ollman said. "This is why Web applications need to be security-tested continuously. Regular security assessments and penetration tests are standard requirements for running large and important Web services."

Ollman said automated tests and change-control monitoring ideally should be conducted daily, and skilled consultants should manually assess the Web application monthly. What's more, he continued, given the human element in most advanced testing, it is a good idea to rotate between penetration-testing vendors so that the tests are not limited by the skills of the individual consultants they employ or the tool sets they use to conduct their tests.

"Access to Web-based applications by attackers is important for cybercriminals -- as well as state actors," Ollman said. "Again, it bears repeating that very little is known about the specific nature of the Nasdaq attack. But given the level of access to the application and the potential to modify content upon the Director's Desk application, likely consequences could include the ability to eavesdrop on company director communications and the ability to use that information for 'virtual insider trading' processes."

Tell Us What You Think



Posted: 2011-11-17 @ 6:48am PT
Funny you would trust the government or NASDAQ to tell you the truth. You're more likely to get the truth from the hacker(s). The world is truly upside-down now, isn't it?


Posted: 2011-10-21 @ 3:52pm PT
You have absolutely no idea what you are talking about. Has anyone actually confirmed this is true from NASDAQ or the government? Basic speculation is all this is!