Nasdaq hack must serve as wake-up call

The Nasdaq Stock Market has confirmed that its network was hacked into over the weekend.

Although the FBI has not revealed details on who was behind the attacks, a security expert, speaking to TechEye, suggests the culprits could be those “looking at causing more damage for Wall Street.”

The hacking, according to the WSJ, was targeted specifically at a service that lets leaders of companies, including board members, securely share confidential documents. However, head honchos added that there was no evidence that any customer information or trading had been compromised.

“Through our normal security monitoring systems we detected suspicious files on the US servers unrelated to our trading systems and determined that our web-facing application Directors Desk was potentially affected,” Vince Palmiere, vice president of Nasdaq, said in a statement.

Our source tells us that if the files had been obtained then the data could easily be used for financial gain or a lot worse.

“We’re not sure who could have hacked into these servers, but personally I believe that it was a malicious attack looking at causing more damage for Wall Street. The industry has just recovered from the “flash crash” last May, which sent U.S. indexes plunging.”

He added that the index had also faced several attacks over the past year, some of which had driven share prices down.

“It’s also not yet clear what data these hackers actually got their hands on so if they weren’t hacking for disruption they could have been able to gain data for fraud, terrorism or financial gain,” he added.  

“One thing is for sure however, hackers, whether they are employed by other countries or are doing it for personal financial gain, are getting smarter and smarter. Unless we find a way to build stronger defences we could be in real trouble in the future.”

The WSJ said investigators had been unable to follow the trail back to any specific individual or country, and were unsure whether they had plugged all of the network’s potential security gaps.

“Cyber attacks against corporations and government occur constantly,” Nasdaq added in its statement. “Nasdaq remains vigilant against such attacks. We have been working in cooperation with the government’s ongoing investigations and have received their technical advice.”

Nasdaq was hoping to keep quiet about the hack until at least 14 February, but it was forced to go public with the news after the WSJ ran with the story.

Marcus Ranum, CSO of Tenable Network Security, comments to TechEye: “Cyber crime and cyber espionage are real problems, and, as we see, attackers are motivated to go to great lengths if they think they can make a lot of money.

“I think it’s safe to say that this attack is almost certainly financially motivated.

“Secure information sharing over open networks is, and always will be, a hard problem. Anyone who claims to have solved it with a web-based application (or anything else for that matter) doesn’t understand security.

“As far as the hackers’ methods are concerned, it’s hard to read between the lines but the fact that a ‘web-based service’ for sharing information was penetrated means that most likely there was some typical web-based flaw, such as an SQL injection, server vulnerability, or scripting vulnerability. Additionally, if the service exists as a place where important information is going to reside, then it’s a pretty obvious target.

“To protect themselves effectively, organisations firstly need to make sure that web applications are developed under a secure software development process, and are maintained carefully.

“Secondly, there is always the problem of endpoint trust and transitive trust – if the endpoint that is accessing a ‘secure’ site is insecure then the data is still exposed at the endpoint. If an attacker is able to steal a user’s credentials on their endpoint they can masquerade as the user and, for all intents and purposes, the site has no way of telling the authorised user from the attacker.

“That’s why a sharing site is particularly problematic; if one user has a trojan horse on their system then any data that user can access or post is now a target for the attacker. For example, consider if someone gets a trojan horse on one company officer’s machine via, say, a spear-phishing attack and then uses that officer’s account to upload a PDF file containing malware to the sharing site. Now, everyone on the sharing site who sees that file is going to assume it came from that executive and if they open it, they get taken over, too, etc.

“We don’t know if the hackers in this case used a transitive trust attack or if they just exploited a basic website security flaw. But either way, none of this should come as a surprise to anyone.”