Nasdaq Faces Difficult Task Closing Attack Routes

By Fahmida Y. Rashid  |  Posted 2011-02-08

Organizations tend to involve law enforcement after the hackers have already been in the system for some time, so there has already been some damage, Kellermann said. The unknown Nasdaq hackers had penetrated the network multiple times, and the investigation has been ongoing for at least six months.

Once in the system, the attackers had likely probed and traversed to other connected systems, setting up "colonies" beyond where they entered the network, he said. The "tendrils do not end here," as the hackers definitely probed the network to find other systems, he said. Once hackers are in the system, they create backdoors and additional passwords to ensure they can get back into the system, he said.

"Hackers don't just stop where they land. Like the conquistadores in South America, they go deeper to see what they can colonize," Kellermann said.

Criminals often sell these "owned systems" in an underground marketplace for others to take advantage of, he said. Those individuals may have more nefarious intentions than the original thieves.

Criminals often target major managed services providers for the same reason these attackers chose Nasdaq, Kellermann said. It is a "gateway" to other systems. Instead of attacking one bank, hitting one service provider gets them access to 300 banks at once, he said. Nasdaq's Director's Desk is analogous to a managed service provider scenario, since Nasdaq offers its customers a platform to share documents.

Even though Nasdaq OMX claimed to have fixed the problem, it's not clear it can keep the attackers out. "Once these hackers are in the system, it is much like leukemia; it's hard to extricate them," Kellermann said.

The malware the hackers left behind allowed them to execute code, he said. Just because attackers left this malware behind didn't mean they hadn't accessed anything else, he said.

Usually, IT managers have to reimage and rebuild the machines from scratch to regain control of the compromised machines, he said. The Nasdaq servers are production machines and probably can't be down for more than 12 hours per week, he said. These can't be reimaged, so there's no way to really ensure that all traces of the attackers have been removed.

Nasdaq OMX should be focusing on where the attackers can go next from the breached system and protect those systems, Kellermann said. "You can't fortify the castle once they are inside. You just have to build a better keep and dungeon," he said. With penetration testing, IT managers can figure out all the possible attack paths and prioritize the ones that should be secured.

It's "glaringly obvious" this application was never properly tested, he said. Now it's up to the defenders to find out and secure all the other applications that can be accessed from this system, he said.
