
NASDAQ Hackers Helped by Shoddy Security, Says Reuters

Update: Reuters Accused of Omitting Disclosures in NASDAQ Breach Reports

According to a report from Reuters, anonymous sources connected to the FBI’s probe into the matter said that lax security practices made NASDAQ an easy target when its Director’s Desk platform was breached last year.

The FBI continues to probe the incident, and while the basic architecture of NASDAQ’s network was fine, investigators discovered that systems were running with misconfigured firewalls, out-of-date software, and missing security patches. The investigators told Reuters that servers running Windows 2003, for example, were not properly updated.

When asked, Carl-Magnus Hallberg, the Senior VP of ITS for Nasdaq OMX, said that calling the exchange’s security practices lax was unfair, as last year’s incident was a sophisticated attack, noting that it would have been “virtually impossible to defend against the hackers who used malware that had not been disclosed.”

This is the second Reuters scoop on the NASDAQ investigation, following one in October that revealed that malicious software which worked its way into a web-based communications platform at NASDAQ last year gave attackers the ability to monitor business leaders using its Director’s Desk system.

“Gaining remote access to confidential data held within the Director’s Desk application could have been through SQL injection, broken authentication and session management, and URL restriction failures. In my years of running penetration tests against Fortune-500 companies, these were the most common vulnerabilities that could be exploited to reveal this level of confidential data,” commented Damballa’s Gunter Ollman at the time.

The addition of failed patching and misconfigured firewalls certainly doesn’t help the situation, zero-day malware or not. More from Reuters is here.


Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.