Security Experts:

NASDAQ Attackers Likely Monitored Director Communications

Two unknown sources close to the NSADAQ investigation have told Reuters that malicious software that worked its way into a web-based communications platform at NASDAQ last year allowed the attackers to monitor communications between business leaders using its Director’s Desk system.

Directors Desk is a solution to help board members communicate and collaborate "securely", which the company says is used by more than 10,000 directors around the globe.

Hackers Penetrate NASDAQ Directors DeskIt is unknown what the attackers may have stolen information wise, or what passive communications were viewed as they monitored on the directors of several publically held companies. At the time of the breach, NASDAQ reported that no evidence was discovered that pointed to access of customer’s information, but given the nature of Director’s Desk, the latest details are far from cheery.

NASDAQ CEO Robert Greifeld told the news agency that the exchange is under constant attack. Because of this, they spend nearly a billion dollars annually on their information security program. Yet, is this money that should be applied elsewhere? Perhaps on basic Application Security?

“Due to the true nature of the Director’s Desk Web-based application, it appears that vulnerabilities within the application were probably successfully exploited by remote attackers that allowed them to peruse information exchanges between various company directors. There are several classes of common vulnerabilities that would allow attacks like this, and I would direct people to take a closer look at the OWASP Top-10 application security risks,” commented Damballa’s Gunter Ollman.

“Gaining remote access to confidential data held within the Director’s Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures. In my years of running penetration tests against Fortune-500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data.”

He added that the new details of the malicious usage of Director’s Desk, or any major Web application being targeted should come as no surprise.

“Overall, vulnerabilities within large Web-based applications are very common. They are under constant development and change, which means that vulnerabilities can be unintentionally introduced at any time. If there are multiple development teams working on the same application portal – all developing their own micro applications – then the probability of new vulnerabilities being introduced grows considerably. This is why Web applications need to be security tested continuously.”

Directors Desk is completely unrelated to the NASDAQ trading platforms which power the exchange and trading operations were never affected.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.