Nasdaq Hackers May Be Burrowing Deeper

Nasdaq OMX startled the market this weekend with news that it found “suspicious files” on its computer servers. Hackers have apparently infiltrated the stock exchange’s computer systems, gaining access to confidential data on the companies that list on Nasdaq.

The files were found in the Directors Desk Web application, which is used by boards of directors to share information. Nasdaq said it found no evidence that its trading platforms were compromised.

That, however, offered little reassurance to investors, who have come to view Wall Street’s technology and security processes through doubtful eyes. There was last year’s so-called flash crash, in which stock prices went tumbling one day in Spring for as-yet unexplained reasons.

Last week, an inexplicable glitch locked prices on the Nasdaq Composite and Nasdaq 100 for one hour. The Federal Bureau of Investigation is looking into that incident.

Nasdaq did not immediately respond to the E-Commerce Times’ call.

Little Information, Lots of Guesses

Even with the investigation just beginning, the market is clamoring for Nasdaq to reveal more information about the breach — not surprisingly, given that virtually all equity trades are now conducted electronically. In the absence of more information, though, the security industry is filling the vacuum.

It is difficult to say specifically how the hack occurred, but more than likely it was via a flaw in the Web application, said Nick Percoco, SVP at SpiderLabs.

“Web application flaws are common in custom-developed applications, and if an attacker is motivated to find the flaws, they could have nearly unlimited time to do so — given most sites are available on the Internet and could be accessed from anywhere in the world,” Percoco told the E-Commerce Times.

One clue is the mention of “suspicious files,” he noted, along with the fact that Director’s Desk is used for sharing of documents.

“A common method used today is called a ‘client-side’ attack,” explained Percoco. “This means when the attackers penetrated this system, they placed malicious files that look like legitimate documents on the system with the hope that users of the system will download and attempt to view them. Once the user opens the document, it will deposit malware or a backdoor that could allow the attack deeper access into various trading environments.”

Based on the facts known at this time, Percoco is not expecting much more to develop, “other than raising awareness that Web-based applications should be continually scrutinized for flaws by the organizations who develop and operate them.”

Worst-Case Scenario

Others aren’t so sure.

This hack has the potential for the worst-case scenario to materialize, said Core Security Technologies VP of Security Awareness Tom Kellermann, a former computer security official at the World Bank.

The hackers may have already dug their way into Nasdaq’s system and could be using it to infiltrate member companies’ systems, he told the E-Commerce Times.

“The implications of the attack are interesting, because not only must the attackers have had someone in the crew familiar with financial institutions — but, more importantly, they attacked and infiltrated an application that is very much part of the infrastructure that its members use. It basically reveals what C-level executives of these institutions are thinking and doing.”

The question is not how did they get in, he continued — that is a moot point by now. Rather, “we should be worrying about where they have gone from here.”

With this access, the hackers potentially could manipulate data along with time tags, he said. More than likely, however, what they are doing is using the purloined information to fatten their own portfolios.

Orchestrated Overseas

Kellermann is not holding out much hope that an FBI investigation will lead to arrests, as it is all but certain the attacks were launched from an overseas cyberhaven.

“Nothing will come of this,” he predicted.