September 16, 2013

"A good hacker can get full access to in a couple of days with the ability to do almost whatever he wants..."

"... such as push an announcement that Facebook shares have dropped 90% (which) could cause havoc on the stock exchange.... It is quite frightening when you think about it. I discovered these vulnerabilities in just 10 minutes with a Firefox browser without any special tools or software."


cubanbob said...

Oh goody! Yet another way to swindle in the stock market. So where is the SEC on this?

Tibore said...

I know that NASDAQ will be like any other enterprise and view security implementation like every other enterprise does: As if you're trying to change your car's tire while doing 70 MPH down the highway. You can't stop, even though it needs to be done.

Problem is, if they get compromised, they'll definitely come to a screeching halt on the roadside (insert "information superhighway joke here").

I'm not even shocked at these announcements anymore. I'm well aware of the difficulty in keeping an organization's IT functions running while trying to affect changes to them - heck, aspects of that affect my own job, so I'm very well aware of it. But some things NEED to be done. If their site is vulnerable to straightforward and well known XSS attacks, then they need to work on it. So the existence of these problems indicate that either something is wrong, or the sites Kolochenko looked at are deemed unimportant (and I have trouble thinking a pro like Kolochenko would raise the alarm for some immaterial, fenced-away section of their web presence).

They're lucky he's a white hat.

That said: Why in the WORLD would an organization like NASDAQ have such a sloppy sec implementation? While I normally hate indulging in unsupported conspiratorial hypothesizing, I'm one-quarter tempted to think this is a very public honeypot rather than a genuine case of IT negligence. After all, how in God's name has such a problem existed and NOT been discovered yet? Especially for such a high profile group? But that's taking me down a road of suspicion that has no evidence behind it. Can't pin responsibility on trickery when sheer incompetence can be a more likely explanation. It's just a matter of what eventually gets proven as the explanation.

Bob Ellison said...

White hats in cybersecurity are like experts on opinion pages: usually full of shit.