back to article NASDAQ IT security spend: $1bn. Finding mystery malware on its servers: Priceless

NASDAQ servers were infected by malware that exploited two mystery zero-day vulnerabilities, according to a magazine cover story published today. Despite spending a ton of money on computer security, the stock exchange was wide open to attack, we're told. Today's report pulls back the curtain back to reveal a little more about …

Silver badge
WTF?

"Not all of the banks agreed to take part"

Wait? What? Which ones? How do you say "no" to the FBI when they're checking on computer security?

"We're the FBI. We want to see if you've been hacked." "No."

How does that work?

5
3

Re: "Not all of the banks agreed to take part"

Company: "Do you have a court order?"

FBI: "No."

Company: "Ok, you're not seeing our computers."

That's simple enough to understand, isn't it?

5
0
Silver badge
Facepalm

Re: "Not all of the banks agreed to take part"

"The FBI want to check our computers to see if we've been hacked, shall we let them?"

"Will it enhance shareholder value?"

"If they find nothing, then not really, and if they do, definitely not"

"Tell them to sod off then"

4
0
Anonymous Coward

Re: "Not all of the banks agreed to take part"

I guess the Russians were very pleased that NASDAQ migrated to Linux based systems just before this happened - and immediately took advantage of the very high vulnerability count - and of being able to find their own holes in the source code...

1
5
Anonymous Coward

You are confused

NASDAQ is a Windows shop (actually almost a poster child), NYSE runs on Red Hat.

5
0
Pint

Re: "Not all of the banks agreed to take part"

"We're the FBI. We want to see if you've been hacked." "No."

How does that work?

"We pay your, uh I mean we pay the salary of the guy that controls your funding. No not that salary, his real one."

0
0
Silver badge

Re: You are confused

but..but...but we buy expensive software from reputable vendors so that _they_ take the risk...

Whaddayamean "they don't"?

0
0
ZSn

Toilets

I'm amazed that this is news. Security is like the toilets, people only notice either when it's backed up and their up to their knees in sh*t. For some reason they think that security is something that you order like printer paper (and have to pay just as much attention to).

8
0

Re: Toilets

There aren't special private thrones at our head office for the board members to use so they have to poo with the rest of us.

We therefore have cleaners working all day long and our shitters smell lemon fresh.

I wonder if this is what we need to get the same approach to be taken with security? Perhaps we need an epidemic to force action, just like that one filthy loo seat with no toilet paper the MD was forced to use one day prompted this obsession with cleanliness? Do we need some skiddies to get in and replace all our corporate documents with bestiality?

5
0

May as well save the $1 billion

for the inevitable lawsuits, if it's not going to be spent on actual security.

0
0
Silver badge

Re: May as well save the $1 billion

Nah... spend it on bonuses for those who run it. That way there's nothing left to take after they lose. And nothing to pay the lawyers with either...

2
0
Silver badge
Boffin

Re: May as well save the $1 billion

For there to be a lawsuit, you have to show that you were harmed as result of the infection.

Not an easy thing to do...

0
0
Silver badge

Security

What is it with Americans and security? skiddies can get into the pentagon with little effort and now the banks appear to have an open door policy.

2
3
Stop

Re: Security

And yet... All of the banks haven't been mysteriously stripped of all assets. Somehow, all of the banks' clients still have all their deposits and investments. Miraculous!

Do you think that all the banks in all the countries other than in the U.S. would pass the same type of scrutiny? I'll bet one or two would balk as well, and more than a few wouldn't pass the more stringent security tests.

No one has a monopoly on security.

4
7

Re: Security

That's what happens when the only measure of "effort" is how much you spend.

I can spend 100 000$ on a 20 000$ car, I'm sure I could find someone who'd be willing to sale it to me for that price. Does that mean I have 100 000$ worth of car?

Paying someone a million to write a nice report saying "everything is following best practice" isn't getting a proper security audit with penetration testing by people who actually know what they are doing. But that requires hard work and actual costs, yet doesn't look as good on paper to the board.

15
0
Silver badge

Re: Security

Upvoted for offering a rational comment to a well-known and widespread problem.

1
0
Silver badge

Re: Security

"And yet... All of the banks haven't been mysteriously stripped of all assets. Somehow, all of the banks' clients still have all their deposits and investments. Miraculous!"

Sez who?

4
1
Bronze badge

Re: Security

Read the article "according to the NSA, [it] had the ability to seriously disrupt the exchange's activities". How would you like a live bomb under your house?

(Oh dear, I used the word bomb. Dear reader, and dear snooper, I am comparing malware to a bomb under someones house - both are very bad - I do not advocate either).

1
0
Silver badge

Interesting problem. The infiltrators wouldn't actually need to do much with the malware and could easily just pilfer a very small fraction of a cent off every share traded to turn a rather impressive profit. Even a single hundredth of a cent for a month would be a few million dollars and if you skim a penny you're talking real money rather quickly.

5
0
Anonymous Coward

Office Space (1999) *ding* that was easy!

2
0
Anonymous Coward

"Office Space (1999) *ding* that was easy!"

Make sure you get the decimal points correct!

0
0

Office Space

That reminds me, you really need to change the cover sheet of that TPS report!

If you could do that for me, that would be just fine..

1
0

Business Opportunity?

I honestly wonder what the real case is here. As someone implied, if the systems have all been effectively compromised, it is puzzling that things are seemingly stable. What is holding the attacks in abeyance? The best I can come up with is that well armed attackers such as other states or organized crime have staked their claims on various systems and like some malware does, the people who have hijacked the system have actually put in effective security to keep other attackers from poaching what they have stolen.

Whether it is already in progress or not, it is only a matter of time before the network as it currently exists, with its hopeless security, is a hot battleground.

I believe it is possible to architect a reasonably secure network. If it is, it surprises me that others are not clamoring to have that done. Continued patching as we are doing is likely to become ever more ineffectual.

You should never attribute to malice what you can attribute to incompetence. It seems positively bizarre that there would be such profound widespread ignorance. However, it seems even more bizarre that what is happening overall is by anyone's design.

Are there really that many PHBs that rose to the top of the pyramid that this is all incompetence? It is plausible.

We are already well beyond the point where people with even ordinary abilities with network security should be making a little noise. If they are really that incompetent with security in all those executive suites, then they should be hiring people outside of their organizations to come in and do audits at least. Even if you are not going to fix it, you should have some idea of the profundity of your exposure.

Is this not a juicy business opportunity for someone to sell pricey reviews that allow executives plausible deniability?

4
1
Trollface

Re: Business Opportunity?

HA! It is true that some of the most effective anti-malware I've seen in my honey-pot lab, are those crime-ware packages that assure no other criminal's cr@p gets a foothold on that territory. How ironic it would be to let them operate, just to keep the exchange secure!! Seems like they could skim a lot, and stay under the radar, and be worth much more that that wasted billion dollar boondoggle!

1
0

This post has been deleted by a moderator

Re: Business Opportunity?

The article did say the malware was much like that used for spying and stuff! Not all malware is about stealing electronic money, but finding out information, which at certain times is more powerful than money.

3
0
Silver badge

The Rise and Rise of the Inexorable RobotICQ Virtual Machine …. Heavy Duty JTRIG Kit?*

The article did say the malware was much like that used for spying and stuff! Not all malware is about stealing electronic money, but finding out information, which at certain times is more powerful than money. …. RTNavy

Have another upvote for that astute observation, RTNavy. And might I request reconsideration and reinstatement of the post above RTNavy’s …. in the spot now occupied by This post has been deleted by a moderator ….. and which said just as much the same and quite a bit more on the subject and objects of desire which be more powerful than money.

Surely ….

Here be the abiding flaw and systemic weakness which can always be exploited to devastating effect by that and/or those which understand and control its genesis which commands power and powers command. And to hunt for it without being in command and control of it, will have one outed and defeated as any unwelcome bug and parasite would be whenever considered and decided as being quite unnecessary in any and all fit for future virtually real purpose and executive administrative systems with relays and connections to machines internetworking and processing information into intelligence and intelligence into information and presenting novel content and creative ideas for ........ well, New Orderly World Order Systems for Global Operating Devices would only be one arrow in that quiver of NEUKlearer HyperRadioProActive Weapons.
…. is not destructively and disruptively offensive whenever intelligently designed to be comprehensively defensive and failsafe protective across all web browser facing and interfacing portals.

Malware doesn’t target manufactured devices and programmed machines, IT finer tunes humans to correct the error of their ways in a novel creative stream of incredibly fabulous and incredulous fabless ways. And that is worth printing and sharing El Reg.

* A little something tasty to spend as much of that recently found and allocated £1.1billion on and as be necessary for modern defense ……. David Cameron pledges “Unseen enemies” defence

0
0
Silver badge

It may not be crimeware as we know it...

It might be some brokerage firm or firms or hedge fund planted this to allow them to squeeze their trades in the middle of someone else's transaction. There's been a lot in the press about high speed trading by certain firms who under investigation. Possible that this is part of it????

4
0

Logs

The most astonishing single thing here as that the server logs were unavailable. How can you do any kind of system administration, let alone security, without log files?

3
0
Anonymous Coward

Re: Logs

It's easy. Log collection is one thing - alerting and resources to investigate them is another. Of course, if you don't have the logs in the first place then you can't possibly be having problems - amirite?

0
1

Re: Logs

As someone who manages hundreds of servers, some with under 900MB dedicated to the /var slice (yep!) and no centralized syslog'ing, I can tell you that you administrate the system in one way, and one way only: blindly. Got two choices, disable logging completely and stop those annoying pages to the on-call that management has been complaining about, or keep 2 hours worth of logs for a handful of select applications. But you know, business and app devs know best. They got the design they wanted and pushed for. I won't mention what servers' functions are, because you won't believe the criticality....and yes, we always pass audits.

0
0

Mad Horse/Tiny Pony Drivers

" if the systems have all been effectively compromised, it is puzzling that things are seemingly stable" - who in this or tomorrow world needs the horsemen of destabilisation the way they drive their beasts? Notice that you should have children to answer in this thread (-:

http://youtu.be/I8j2ej5jqQw

ReLater - MGB 94 ctr Aston - seems like it could've been worse. Dam it all man.

0
1
Big Brother

Mystery Malware found on servers.

"Despite spending a ton of money on computer security, the stock exchange was wide open to attack"

You don't spend a ton of money on security, you built it into the core system.

"The biz mag was not able to reveal which software was attacked"

We only mention the platform when it's one of Apple, Android or Linux Operating Systems

"Daily server logs, which could have shed more light on any malicious activity, were largely unavailable"

How about the FBI issue a supoena for the log files.

ref: “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”

WTF* .. I would have thought that factoids didn't change over time, that's why they're referred to as factoids ..

0
1

you could easily spend a billion dollars on AVG

And still not catch a single virus.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017