NASDAQ Hackers Helped by Shoddy Security, Says Reuters

Update: Reuters Accused of Omitting Disclosures in NASDAQ Breach Reports

According to a report from Reuters, anonymous sources connected to the FBI’s probe into the matter said that lax security practices made NASDAQ an easy target when its Director’s Desk platform was breached last year.

The FBI continues to probe the incident, and while the basic architecture of NASDAQ’s network was fine, investigators discovered that systems were running with misconfigured firewalls, out-of-date software, and missing security patches. The investigators told Reuters that servers running Windows 2003, for example, were not properly updated.

When asked, Carl-Magnus Hallberg, the Senior VP of ITS for Nasdaq OMX, said that calling the exchange’s security practices lax was unfair, as last year’s incident was a sophisticated attack, noting that it would have been “virtually impossible to defend against the hackers who used malware that had not been disclosed.”

This is the second Reuters scoop on the NASDAQ investigation, following one in October that revealed that malicious software, which worked its way into a web-based communications platform at NASDAQ last year, allowed attackers to monitor business leaders using its Director’s Desk system.

“Gaining remote access to confidential data held within the Director’s Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures. In my years of running penetration tests against Fortune-500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data,” commented Damballa’s Gunter Ollmann at the time.

The addition of failed patching and misconfigured firewalls certainly doesn’t help the situation, zero-day malware or not. More from Reuters is here.
