Results from Nasdaq's investigation into a breach it disclosed in February are trickling out. The bottom line: The attack was worse than initially expected.
Fox News said hackers who infiltrated the Nasdaq's computer systems installed malicious software on the exchange's computers that allowed them to spy on scores of directors of publicly held companies. Fox cited "two people familiar with an investigation" as sources.
The target of the attack was a Web-based software program called Directors Desk. Nasdaq OMX develops Directors Desk, which serves as a communications and information management solution for boards. Security is touted as one of its benefits.
An SQL Injection?
Gunter Ollman, vice president of research at security firm Damballa, said the sparse public information available on the Nasdaq breach and the nature of the Directors Desk Web-based application lead him to believe that remote hackers probably exploited vulnerabilities within the application that allowed them to peruse information exchanges between various company directors.
"Gaining remote access to confidential data held within the Director's Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures," Ollman said. "In my years of running penetration tests against Fortune 500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data."
Some security experts are reporting that the attackers successfully installed malware on the system. In order to do this, Ollman said, the attacker would need the capability to upload files to the application and/or break out of the application itself and gain access to the server directly. Interestingly, he noted, several Open Web Application Security Project top-10 attack vectors will allow this to occur.
Web App Vulnerabilities
Ollman, for one, is not surprised at the Directors Desk revelations. That's because vulnerabilities within large Web-based applications are increasingly common. Web-based software is under constant development and change, he said, which means that vulnerabilities can be unintentionally introduced at any time.
"If there are multiple development teams working on the same application portal -- all developing their own micro applications -- then the probability of new vulnerabilities being introduced grows considerably," Ollman said. "This is why Web applications need to be security-tested continuously. Regular security assessments and penetration tests are standard requirements for running large and important Web services."
Ollman said automated tests and change-control monitoring ideally should be conducted daily, and skilled consultants should manually assess the Web application monthly. What's more, he continued, given the human element in most advanced testing, it is a good idea to rotate between penetration-testing vendors so that the tests are not limited by the skills of the individual consultants they employ or the tool sets they use to conduct their tests.
"Access to Web-based applications by attackers is important for cybercriminals -- as well as state actors," Ollman said. "Again, it bears repeating that very little is known about the specific nature of the Nasdaq attack. But given the level of access to the application and the potential to modify content upon the Director's Desk application, likely consequences could include the ability to eavesdrop on company director communications and the ability to use that information for 'virtual insider trading' processes."
Posted: 2011-11-17 @ 6:48am PT
Funny you would trust the government or NASDAQ to tell you the truth. You're more likely to get the truth from the hacker(s). The world is truly upside-down now, isn't it?
Posted: 2011-10-21 @ 3:52pm PT
You have absolutely no idea what you are talking about. Has anyone actually confirmed this is true from NASDAQ or the government? Basic speculation is all this is!