back to article NASDAQ IT security spend: $1bn. Finding mystery malware on its servers: Priceless

NASDAQ servers were infected by malware that exploited two mystery zero-day vulnerabilities, according to a magazine cover story published today. Despite spending a ton of money on computer security, the stock exchange was wide open to attack, we're told. Today's report pulls back the curtain back to reveal a little more about …

  1. Gene Cash Silver badge

    "Not all of the banks agreed to take part"

    Wait? What? Which ones? How do you say "no" to the FBI when they're checking on computer security?

    "We're the FBI. We want to see if you've been hacked." "No."

    How does that work?

    1. Aquilus

      Re: "Not all of the banks agreed to take part"

      Company: "Do you have a court order?"

      FBI: "No."

      Company: "Ok, you're not seeing our computers."

      That's simple enough to understand, isn't it?

      1. Anonymous Coward
        Anonymous Coward

        Re: "Not all of the banks agreed to take part"

        I guess the Russians were very pleased that NASDAQ migrated to Linux based systems just before this happened - and immediately took advantage of the very high vulnerability count - and of being able to find their own holes in the source code...

        1. Anonymous Coward
          Anonymous Coward

          You are confused

          NASDAQ is a Windows shop (actually almost a poster child), NYSE runs on Red Hat.

          1. P. Lee

            Re: You are confused

            but..but...but we buy expensive software from reputable vendors so that _they_ take the risk...

            Whaddayamean "they don't"?

    2. phuzz Silver badge

      Re: "Not all of the banks agreed to take part"

      "The FBI want to check our computers to see if we've been hacked, shall we let them?"

      "Will it enhance shareholder value?"

      "If they find nothing, then not really, and if they do, definitely not"

      "Tell them to sod off then"

    3. Munchausen's proxy

      Re: "Not all of the banks agreed to take part"

      "We're the FBI. We want to see if you've been hacked." "No."

      How does that work?

      "We pay your, uh I mean we pay the salary of the guy that controls your funding. No not that salary, his real one."

  2. ZSn


    I'm amazed that this is news. Security is like the toilets, people only notice either when it's backed up and their up to their knees in sh*t. For some reason they think that security is something that you order like printer paper (and have to pay just as much attention to).

    1. king of foo

      Re: Toilets

      There aren't special private thrones at our head office for the board members to use so they have to poo with the rest of us.

      We therefore have cleaners working all day long and our shitters smell lemon fresh.

      I wonder if this is what we need to get the same approach to be taken with security? Perhaps we need an epidemic to force action, just like that one filthy loo seat with no toilet paper the MD was forced to use one day prompted this obsession with cleanliness? Do we need some skiddies to get in and replace all our corporate documents with bestiality?

  3. Muckminded

    May as well save the $1 billion

    for the inevitable lawsuits, if it's not going to be spent on actual security.

    1. Mark 85

      Re: May as well save the $1 billion

      Nah... spend it on bonuses for those who run it. That way there's nothing left to take after they lose. And nothing to pay the lawyers with either...

    2. Ian Michael Gumby

      Re: May as well save the $1 billion

      For there to be a lawsuit, you have to show that you were harmed as result of the infection.

      Not an easy thing to do...

  4. Anonymous Coward
    Anonymous Coward


    What is it with Americans and security? skiddies can get into the pentagon with little effort and now the banks appear to have an open door policy.

    1. Flip

      Re: Security

      And yet... All of the banks haven't been mysteriously stripped of all assets. Somehow, all of the banks' clients still have all their deposits and investments. Miraculous!

      Do you think that all the banks in all the countries other than in the U.S. would pass the same type of scrutiny? I'll bet one or two would balk as well, and more than a few wouldn't pass the more stringent security tests.

      No one has a monopoly on security.

      1. tom dial Silver badge

        Re: Security

        Upvoted for offering a rational comment to a well-known and widespread problem.

      2. ecofeco Silver badge

        Re: Security

        "And yet... All of the banks haven't been mysteriously stripped of all assets. Somehow, all of the banks' clients still have all their deposits and investments. Miraculous!"

        Sez who?

      3. Uffish

        Re: Security

        Read the article "according to the NSA, [it] had the ability to seriously disrupt the exchange's activities". How would you like a live bomb under your house?

        (Oh dear, I used the word bomb. Dear reader, and dear snooper, I am comparing malware to a bomb under someones house - both are very bad - I do not advocate either).

    2. Mad Chaz

      Re: Security

      That's what happens when the only measure of "effort" is how much you spend.

      I can spend 100 000$ on a 20 000$ car, I'm sure I could find someone who'd be willing to sale it to me for that price. Does that mean I have 100 000$ worth of car?

      Paying someone a million to write a nice report saying "everything is following best practice" isn't getting a proper security audit with penetration testing by people who actually know what they are doing. But that requires hard work and actual costs, yet doesn't look as good on paper to the board.

  5. Eddy Ito

    Interesting problem. The infiltrators wouldn't actually need to do much with the malware and could easily just pilfer a very small fraction of a cent off every share traded to turn a rather impressive profit. Even a single hundredth of a cent for a month would be a few million dollars and if you skim a penny you're talking real money rather quickly.

    1. Anonymous Coward
      Anonymous Coward

      Office Space (1999) *ding* that was easy!

      1. Anonymous Coward
        Anonymous Coward

        "Office Space (1999) *ding* that was easy!"

        Make sure you get the decimal points correct!

        1. Anonymous Dutch Coward

          Office Space

          That reminds me, you really need to change the cover sheet of that TPS report!

          If you could do that for me, that would be just fine..

  6. btrower

    Business Opportunity?

    I honestly wonder what the real case is here. As someone implied, if the systems have all been effectively compromised, it is puzzling that things are seemingly stable. What is holding the attacks in abeyance? The best I can come up with is that well armed attackers such as other states or organized crime have staked their claims on various systems and like some malware does, the people who have hijacked the system have actually put in effective security to keep other attackers from poaching what they have stolen.

    Whether it is already in progress or not, it is only a matter of time before the network as it currently exists, with its hopeless security, is a hot battleground.

    I believe it is possible to architect a reasonably secure network. If it is, it surprises me that others are not clamoring to have that done. Continued patching as we are doing is likely to become ever more ineffectual.

    You should never attribute to malice what you can attribute to incompetence. It seems positively bizarre that there would be such profound widespread ignorance. However, it seems even more bizarre that what is happening overall is by anyone's design.

    Are there really that many PHBs that rose to the top of the pyramid that this is all incompetence? It is plausible.

    We are already well beyond the point where people with even ordinary abilities with network security should be making a little noise. If they are really that incompetent with security in all those executive suites, then they should be hiring people outside of their organizations to come in and do audits at least. Even if you are not going to fix it, you should have some idea of the profundity of your exposure.

    Is this not a juicy business opportunity for someone to sell pricey reviews that allow executives plausible deniability?

    1. JCitizen

      Re: Business Opportunity?

      HA! It is true that some of the most effective anti-malware I've seen in my honey-pot lab, are those crime-ware packages that assure no other criminal's cr@p gets a foothold on that territory. How ironic it would be to let them operate, just to keep the exchange secure!! Seems like they could skim a lot, and stay under the radar, and be worth much more that that wasted billion dollar boondoggle!

    2. RTNavy

      Re: Business Opportunity?

      The article did say the malware was much like that used for spying and stuff! Not all malware is about stealing electronic money, but finding out information, which at certain times is more powerful than money.

      1. amanfromMars 1 Silver badge

        The Rise and Rise of the Inexorable RobotICQ Virtual Machine …. Heavy Duty JTRIG Kit?*

        The article did say the malware was much like that used for spying and stuff! Not all malware is about stealing electronic money, but finding out information, which at certain times is more powerful than money. …. RTNavy

        Have another upvote for that astute observation, RTNavy. And might I request reconsideration and reinstatement of the post above RTNavy’s …. in the spot now occupied by This post has been deleted by a moderator ….. and which said just as much the same and quite a bit more on the subject and objects of desire which be more powerful than money.

        Surely ….

        Here be the abiding flaw and systemic weakness which can always be exploited to devastating effect by that and/or those which understand and control its genesis which commands power and powers command. And to hunt for it without being in command and control of it, will have one outed and defeated as any unwelcome bug and parasite would be whenever considered and decided as being quite unnecessary in any and all fit for future virtually real purpose and executive administrative systems with relays and connections to machines internetworking and processing information into intelligence and intelligence into information and presenting novel content and creative ideas for ........ well, New Orderly World Order Systems for Global Operating Devices would only be one arrow in that quiver of NEUKlearer HyperRadioProActive Weapons.
        …. is not destructively and disruptively offensive whenever intelligently designed to be comprehensively defensive and failsafe protective across all web browser facing and interfacing portals.

        Malware doesn’t target manufactured devices and programmed machines, IT finer tunes humans to correct the error of their ways in a novel creative stream of incredibly fabulous and incredulous fabless ways. And that is worth printing and sharing El Reg.

        * A little something tasty to spend as much of that recently found and allocated £1.1billion on and as be necessary for modern defense ……. David Cameron pledges “Unseen enemies” defence

  7. Mark 85

    It may not be crimeware as we know it...

    It might be some brokerage firm or firms or hedge fund planted this to allow them to squeeze their trades in the middle of someone else's transaction. There's been a lot in the press about high speed trading by certain firms who under investigation. Possible that this is part of it????

  8. Dr Who


    The most astonishing single thing here as that the server logs were unavailable. How can you do any kind of system administration, let alone security, without log files?

    1. Anonymous Coward
      Anonymous Coward

      Re: Logs

      It's easy. Log collection is one thing - alerting and resources to investigate them is another. Of course, if you don't have the logs in the first place then you can't possibly be having problems - amirite?

    2. elip

      Re: Logs

      As someone who manages hundreds of servers, some with under 900MB dedicated to the /var slice (yep!) and no centralized syslog'ing, I can tell you that you administrate the system in one way, and one way only: blindly. Got two choices, disable logging completely and stop those annoying pages to the on-call that management has been complaining about, or keep 2 hours worth of logs for a handful of select applications. But you know, business and app devs know best. They got the design they wanted and pushed for. I won't mention what servers' functions are, because you won't believe the criticality....and yes, we always pass audits.

  9. Tail Up

    Mad Horse/Tiny Pony Drivers

    " if the systems have all been effectively compromised, it is puzzling that things are seemingly stable" - who in this or tomorrow world needs the horsemen of destabilisation the way they drive their beasts? Notice that you should have children to answer in this thread (-:

    ReLater - MGB 94 ctr Aston - seems like it could've been worse. Dam it all man.

  10. Anonymous Coward
    Big Brother

    Mystery Malware found on servers.

    "Despite spending a ton of money on computer security, the stock exchange was wide open to attack"

    You don't spend a ton of money on security, you built it into the core system.

    "The biz mag was not able to reveal which software was attacked"

    We only mention the platform when it's one of Apple, Android or Linux Operating Systems

    "Daily server logs, which could have shed more light on any malicious activity, were largely unavailable"

    How about the FBI issue a supoena for the log files.

    ref: “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”

    WTF* .. I would have thought that factoids didn't change over time, that's why they're referred to as factoids ..

  11. Truth4u

    you could easily spend a billion dollars on AVG

    And still not catch a single virus.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like