Hackers Spied on Board Directors After Nasdaq Breach
By Jennifer LeClaire / NewsFactor Network

Results from Nasdaq's investigation into a breach it disclosed in February are trickling out. The bottom line: The attack was worse than initially expected.

Fox News said hackers who infiltrated the Nasdaq's computer systems installed malicious software on the exchange's computers that allowed them to spy on scores of directors of publicly held companies. Fox cited "two people familiar with an investigation" as sources.

The target of the attack was a Web-based software program called Directors Desk. Nasdaq OMX develops Directors Desk, which serves as a communications and information management solution for boards. Security is touted as one of its benefits.

An SQL Injection?

Gunter Ollman, vice president of research at security firm Damballa, said the sparse public information available on the Nasdaq breach and the nature of the Directors Desk Web-based application lead him to believe that remote hackers probably exploited vulnerabilities within the application that allowed them to peruse information exchanges between various company directors.

"Gaining remote access to confidential data held within the Director's Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," Ollman said. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."

Some security experts are reporting that the attackers successfully installed malware on the system. In order to do this, Ollman said, the attacker would need the capability to upload files to the application and/or break out of the application itself and gain access to the server directly. Interestingly, he noted, several Open Web Application Security Project top-10 attack vectors will allow this to occur.

Web App Vulnerabilities

Ollman, for one, is not surprised at the Directors Desk revelations. That's because vulnerabilities within large Web-based applications are increasingly common. Web-based software is under constant development and change, he said, which means that vulnerabilities can be unintentionally introduced at any time.

"If there are multiple development teams working on the same application portal -- all developing their own micro applications -- then the probability of new vulnerabilities being introduced grows considerably," Ollman said. "This is why Web applications need to be security-tested continuously. Regular security assessments and penetration tests are standard requirements for running large and important Web services."

Ollman said automated tests and change-control monitoring ideally should be conducted daily, and skilled consultants should manually assess the Web application monthly. What's more, he continued, given the human element in most advanced testing, it is a good idea to rotate between penetration-testing vendors so that the tests are not limited by the skills of the individual consultants they employ or the tool sets they use to conduct their tests.

"Access to Web-based applications by attackers is important for cybercriminals -- as well as state actors," Ollman said. "Again, it bears repeating that very little is known about the specific nature of the Nasdaq attack. But given the level of access to the application and the potential to modify content upon the Director's Desk application, likely consequences could include the ability to eavesdrop on company director communications and the ability to use that information for 'virtual insider trading' processes."



Posted: 2011-11-17 @ 6:48am PT
Funny you would trust the government or NASDAQ to tell you the truth. You're more likely to get the truth from the hacker(s). The world is truly upside-down now isn't it?

Posted: 2011-10-21 @ 3:52pm PT
You have absolutely no idea what you are talking about. Has anyone actually confirmed this is true from NASDAQ or the government? Basic speculation is all this is!


© Copyright 2015 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.