I know that NASDAQ will be like any other enterprise and view security implementation like every other enterprise does: As if you're trying to change your car's tire while doing 70 MPH down the highway. You can't stop, even though it needs to be done.
Problem is, if they get compromised, they'll definitely come to a screeching halt on the roadside (insert "information superhighway joke here").
I'm not even shocked at these announcements anymore. I'm well aware of the difficulty in keeping an organization's IT functions running while trying to affect changes to them - heck, aspects of that affect my own job, so I'm very well aware of it. But some things NEED to be done. If their site is vulnerable to straightforward and well known XSS attacks, then they need to work on it. So the existence of these problems indicate that either something is wrong, or the sites Kolochenko looked at are deemed unimportant (and I have trouble thinking a pro like Kolochenko would raise the alarm for some immaterial, fenced-away section of their web presence).
They're lucky he's a white hat.
That said: Why in the WORLD would an organization like NASDAQ have such a sloppy sec implementation? While I normally hate indulging in unsupported conspiratorial hypothesizing, I'm one-quarter tempted to think this is a very public honeypot rather than a genuine case of IT negligence. After all, how in God's name has such a problem existed and NOT been discovered yet? Especially for such a high profile group? But that's taking me down a road of suspicion that has no evidence behind it. Can't pin responsibility on trickery when sheer incompetence can be a more likely explanation. It's just a matter of what eventually gets proven as the explanation.
Support the Althouse blog by doing your Amazon shopping going in through the Althouse Amazon link.
Amazon
I am a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for me to earn fees by linking to Amazon.com and affiliated sites.
Support this blog with PayPal
Make a 1-time donation or set up a monthly donation of any amount you choose:
3 comments:
Oh goody! Yet another way to swindle in the stock market. So where is the SEC on this?
I know that NASDAQ will be like any other enterprise and view security implementation like every other enterprise does: As if you're trying to change your car's tire while doing 70 MPH down the highway. You can't stop, even though it needs to be done.
Problem is, if they get compromised, they'll definitely come to a screeching halt on the roadside (insert "information superhighway joke here").
I'm not even shocked at these announcements anymore. I'm well aware of the difficulty in keeping an organization's IT functions running while trying to affect changes to them - heck, aspects of that affect my own job, so I'm very well aware of it. But some things NEED to be done. If their site is vulnerable to straightforward and well known XSS attacks, then they need to work on it. So the existence of these problems indicate that either something is wrong, or the sites Kolochenko looked at are deemed unimportant (and I have trouble thinking a pro like Kolochenko would raise the alarm for some immaterial, fenced-away section of their web presence).
They're lucky he's a white hat.
That said: Why in the WORLD would an organization like NASDAQ have such a sloppy sec implementation? While I normally hate indulging in unsupported conspiratorial hypothesizing, I'm one-quarter tempted to think this is a very public honeypot rather than a genuine case of IT negligence. After all, how in God's name has such a problem existed and NOT been discovered yet? Especially for such a high profile group? But that's taking me down a road of suspicion that has no evidence behind it. Can't pin responsibility on trickery when sheer incompetence can be a more likely explanation. It's just a matter of what eventually gets proven as the explanation.
White hats in cybersecurity are like experts on opinion pages: usually full of shit.
Post a Comment