NASDAQ IT security spend: $1bn. Finding mystery malware on its servers: Priceless

NASDAQ servers were infected by malware that exploited two mystery zero-day vulnerabilities, according to a magazine cover story published today. Despite spending a ton of money on computer security, the stock exchange was wide open to attack, we're told. Today's report pulls back the curtain to reveal a little more about …

  1. Gene Cash Silver badge
    WTF?

    "Not all of the banks agreed to take part"

    Wait? What? Which ones? How do you say "no" to the FBI when they're checking on computer security?

    "We're the FBI. We want to see if you've been hacked." "No."

    How does that work?

    1. Aquilus

      Re: "Not all of the banks agreed to take part"

      Company: "Do you have a court order?"

      FBI: "No."

      Company: "Ok, you're not seeing our computers."

      That's simple enough to understand, isn't it?

      1. Anonymous Coward

        Re: "Not all of the banks agreed to take part"

I guess the Russians were very pleased that NASDAQ migrated to Linux-based systems just before this happened - and immediately took advantage of the very high vulnerability count - and of being able to find their own holes in the source code...

        1. Anonymous Coward

          You are confused

          NASDAQ is a Windows shop (actually almost a poster child), NYSE runs on Red Hat.

          1. P. Lee

            Re: You are confused

            but..but...but we buy expensive software from reputable vendors so that _they_ take the risk...

            Whaddayamean "they don't"?

    2. phuzz Silver badge
      Facepalm

      Re: "Not all of the banks agreed to take part"

      "The FBI want to check our computers to see if we've been hacked, shall we let them?"

      "Will it enhance shareholder value?"

      "If they find nothing, then not really, and if they do, definitely not"

      "Tell them to sod off then"

    3. Munchausen's proxy
      Pint

      Re: "Not all of the banks agreed to take part"

      "We're the FBI. We want to see if you've been hacked." "No."

      How does that work?

      "We pay your, uh I mean we pay the salary of the guy that controls your funding. No not that salary, his real one."

  2. ZSn

    Toilets

I'm amazed that this is news. Security is like the toilets: people only notice it when it's backed up and they're up to their knees in sh*t. For some reason they think that security is something that you order like printer paper (and have to pay just as much attention to).

    1. king of foo

      Re: Toilets

      There aren't special private thrones at our head office for the board members to use so they have to poo with the rest of us.

      We therefore have cleaners working all day long and our shitters smell lemon fresh.

      I wonder if this is what we need to get the same approach to be taken with security? Perhaps we need an epidemic to force action, just like that one filthy loo seat with no toilet paper the MD was forced to use one day prompted this obsession with cleanliness? Do we need some skiddies to get in and replace all our corporate documents with bestiality?

  3. Muckminded

    May as well save the $1 billion

    for the inevitable lawsuits, if it's not going to be spent on actual security.

    1. Mark 85

      Re: May as well save the $1 billion

      Nah... spend it on bonuses for those who run it. That way there's nothing left to take after they lose. And nothing to pay the lawyers with either...

    2. Ian Michael Gumby
      Boffin

      Re: May as well save the $1 billion

      For there to be a lawsuit, you have to show that you were harmed as result of the infection.

      Not an easy thing to do...

  4. Anonymous Coward

    Security

What is it with Americans and security? Skiddies can get into the Pentagon with little effort and now the banks appear to have an open door policy.

    1. Flip
      Stop

      Re: Security

      And yet... All of the banks haven't been mysteriously stripped of all assets. Somehow, all of the banks' clients still have all their deposits and investments. Miraculous!

      Do you think that all the banks in all the countries other than in the U.S. would pass the same type of scrutiny? I'll bet one or two would balk as well, and more than a few wouldn't pass the more stringent security tests.

      No one has a monopoly on security.

      1. tom dial Silver badge

        Re: Security

        Upvoted for offering a rational comment to a well-known and widespread problem.

      2. ecofeco Silver badge

        Re: Security

        "And yet... All of the banks haven't been mysteriously stripped of all assets. Somehow, all of the banks' clients still have all their deposits and investments. Miraculous!"

        Sez who?

      3. Uffish

        Re: Security

        Read the article "according to the NSA, [it] had the ability to seriously disrupt the exchange's activities". How would you like a live bomb under your house?

(Oh dear, I used the word bomb. Dear reader, and dear snooper, I am comparing malware to a bomb under someone's house - both are very bad - I do not advocate either).

    2. Mad Chaz

      Re: Security

      That's what happens when the only measure of "effort" is how much you spend.

I can spend 100 000$ on a 20 000$ car; I'm sure I could find someone who'd be willing to sell it to me for that price. Does that mean I have 100 000$ worth of car?

      Paying someone a million to write a nice report saying "everything is following best practice" isn't getting a proper security audit with penetration testing by people who actually know what they are doing. But that requires hard work and actual costs, yet doesn't look as good on paper to the board.

  5. Eddy Ito

    Interesting problem. The infiltrators wouldn't actually need to do much with the malware and could easily just pilfer a very small fraction of a cent off every share traded to turn a rather impressive profit. Even a single hundredth of a cent for a month would be a few million dollars and if you skim a penny you're talking real money rather quickly.

    1. Anonymous Coward

      Office Space (1999) *ding* that was easy!

      1. Anonymous Coward

        "Office Space (1999) *ding* that was easy!"

        Make sure you get the decimal points correct!

        1. Anonymous Dutch Coward

          Office Space

          That reminds me, you really need to change the cover sheet of that TPS report!

          If you could do that for me, that would be just fine..

  6. btrower

    Business Opportunity?

    I honestly wonder what the real case is here. As someone implied, if the systems have all been effectively compromised, it is puzzling that things are seemingly stable. What is holding the attacks in abeyance? The best I can come up with is that well armed attackers such as other states or organized crime have staked their claims on various systems and like some malware does, the people who have hijacked the system have actually put in effective security to keep other attackers from poaching what they have stolen.

    Whether it is already in progress or not, it is only a matter of time before the network as it currently exists, with its hopeless security, is a hot battleground.

    I believe it is possible to architect a reasonably secure network. If it is, it surprises me that others are not clamoring to have that done. Continued patching as we are doing is likely to become ever more ineffectual.

    You should never attribute to malice what you can attribute to incompetence. It seems positively bizarre that there would be such profound widespread ignorance. However, it seems even more bizarre that what is happening overall is by anyone's design.

    Are there really that many PHBs that rose to the top of the pyramid that this is all incompetence? It is plausible.

    We are already well beyond the point where people with even ordinary abilities with network security should be making a little noise. If they are really that incompetent with security in all those executive suites, then they should be hiring people outside of their organizations to come in and do audits at least. Even if you are not going to fix it, you should have some idea of the profundity of your exposure.

    Is this not a juicy business opportunity for someone to sell pricey reviews that allow executives plausible deniability?

    1. JCitizen
      Trollface

      Re: Business Opportunity?

HA! It is true that some of the most effective anti-malware I've seen in my honey-pot lab are those crime-ware packages that assure no other criminal's cr@p gets a foothold on that territory. How ironic it would be to let them operate, just to keep the exchange secure!! Seems like they could skim a lot, and stay under the radar, and be worth much more than that wasted billion dollar boondoggle!

    2. RTNavy

      Re: Business Opportunity?

      The article did say the malware was much like that used for spying and stuff! Not all malware is about stealing electronic money, but finding out information, which at certain times is more powerful than money.

      1. amanfromMars 1 Silver badge

        The Rise and Rise of the Inexorable RobotICQ Virtual Machine …. Heavy Duty JTRIG Kit?*

        The article did say the malware was much like that used for spying and stuff! Not all malware is about stealing electronic money, but finding out information, which at certain times is more powerful than money. …. RTNavy

        Have another upvote for that astute observation, RTNavy. And might I request reconsideration and reinstatement of the post above RTNavy’s …. in the spot now occupied by This post has been deleted by a moderator ….. and which said just as much the same and quite a bit more on the subject and objects of desire which be more powerful than money.

        Surely ….

        Here be the abiding flaw and systemic weakness which can always be exploited to devastating effect by that and/or those which understand and control its genesis which commands power and powers command. And to hunt for it without being in command and control of it, will have one outed and defeated as any unwelcome bug and parasite would be whenever considered and decided as being quite unnecessary in any and all fit for future virtually real purpose and executive administrative systems with relays and connections to machines internetworking and processing information into intelligence and intelligence into information and presenting novel content and creative ideas for ........ well, New Orderly World Order Systems for Global Operating Devices would only be one arrow in that quiver of NEUKlearer HyperRadioProActive Weapons.
        …. is not destructively and disruptively offensive whenever intelligently designed to be comprehensively defensive and failsafe protective across all web browser facing and interfacing portals.

        Malware doesn’t target manufactured devices and programmed machines, IT finer tunes humans to correct the error of their ways in a novel creative stream of incredibly fabulous and incredulous fabless ways. And that is worth printing and sharing El Reg.

        * A little something tasty to spend as much of that recently found and allocated £1.1billion on and as be necessary for modern defense ……. David Cameron pledges “Unseen enemies” defence

  7. Mark 85

    It may not be crimeware as we know it...

It might be some brokerage firm or firms or hedge fund planted this to allow them to squeeze their trades in the middle of someone else's transaction. There's been a lot in the press about high speed trading by certain firms who are under investigation. Possible that this is part of it????

  8. Dr Who

    Logs

The most astonishing single thing here is that the server logs were unavailable. How can you do any kind of system administration, let alone security, without log files?

    1. Anonymous Coward

      Re: Logs

      It's easy. Log collection is one thing - alerting and resources to investigate them is another. Of course, if you don't have the logs in the first place then you can't possibly be having problems - amirite?

    2. elip

      Re: Logs

      As someone who manages hundreds of servers, some with under 900MB dedicated to the /var slice (yep!) and no centralized syslog'ing, I can tell you that you administrate the system in one way, and one way only: blindly. Got two choices, disable logging completely and stop those annoying pages to the on-call that management has been complaining about, or keep 2 hours worth of logs for a handful of select applications. But you know, business and app devs know best. They got the design they wanted and pushed for. I won't mention what servers' functions are, because you won't believe the criticality....and yes, we always pass audits.

  9. Tail Up

    Mad Horse/Tiny Pony Drivers

    " if the systems have all been effectively compromised, it is puzzling that things are seemingly stable" - who in this or tomorrow world needs the horsemen of destabilisation the way they drive their beasts? Notice that you should have children to answer in this thread (-:

    http://youtu.be/I8j2ej5jqQw

    ReLater - MGB 94 ctr Aston - seems like it could've been worse. Dam it all man.

  10. Anonymous Coward
    Big Brother

    Mystery Malware found on servers.

    "Despite spending a ton of money on computer security, the stock exchange was wide open to attack"

You don't spend a ton of money on security, you build it into the core system.

    "The biz mag was not able to reveal which software was attacked"

    We only mention the platform when it's one of Apple, Android or Linux Operating Systems

    "Daily server logs, which could have shed more light on any malicious activity, were largely unavailable"

How about the FBI issue a subpoena for the log files.

    ref: “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”

    WTF* .. I would have thought that factoids didn't change over time, that's why they're referred to as factoids ..

  11. Truth4u

    you could easily spend a billion dollars on AVG

    And still not catch a single virus.
