Slashdot Mirror


White Hats Take NASDAQ Through MS IIS Hole

stomv writes: "A hacker found exploits in NASDAQ server, could have changed market info and admin passwds. Server: IIS. Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17. "

7 of 184 comments

  1. Fundamental architectural problem. by brad.hill · · Score: 5
    This is not just a problem with one little exploit, it is with Microsoft's whole web app model.

    Why doesn't anybody realize that for a Web application, the following things shouldn't be the case:

    1) Database passwords, admin passwords, ANY passwords shouldn't be stored on the Web server in plaintext.

    2) If an application management interface exists at all on the Web server (which I have some problems with), it should always run on a different port than the application itself and that port should be firewalled such that it can only be accessed from trusted (internal) IPs. The content directory structures for the application and application management should also be segregated.

    An architecture that stores permissions and passwords and allows access to change these things and modify the application through the same channels that the application is provided is INHERENTLY INSECURE BY DESIGN.

    Sorry if I'm ranting here, but as a professional developer working on a financial site this really tweaks my sense of professional ethics. Who designed this crap? Who audited it and said it was OK? Why do people think that Microsoft's architecture aimed at Joe Idiot who wants to put up a web page about his schnauzer fan club without having to learn anything is suitable for use by NASDAQ for cripessake!?!?
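The two design rules in the comment above (no plaintext passwords on the web server; a management interface on its own listener, reachable only from trusted internal addresses) can be shown in a few lines. What follows is an added example, not code from the commenter or from any IIS product: the listener addresses, the 10.0.0.0/8 trusted range, the user record and the request shape are all assumptions made up for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Two separate listeners. The public application never exposes admin routes at
# all; the management interface is bound to an internal address on another
# port, which is what a firewall rule can then restrict.
APP_LISTENER = ("0.0.0.0", 443)        # assumed public listener
ADMIN_LISTENER = ("10.0.0.5", 8443)    # assumed internal management listener
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# The credential store holds only a random salt and a PBKDF2-HMAC-SHA256
# digest. The plaintext password never touches disk.
PBKDF2_ROUNDS = 200_000


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample user; the password is only used to build the stored hash.
USERS = {"admin": make_record("correct horse battery staple")}
# Used for unknown users so the work factor is the same whether or not the
# account exists (avoids a timing oracle on user names).
DUMMY_RECORD = make_record("unused")


@dataclass
class Request:
    listener: tuple   # (bind address, port) the request arrived on
    client_ip: str
    path: str
    user: str = ""
    password: str = ""


def route(req: Request) -> tuple:
    """Return (status, body). Admin routes exist only on the admin listener."""
    if req.path.startswith("/admin"):
        if req.listener != ADMIN_LISTENER:
            return 404, "not found"          # public channel: no such route
        src = ipaddress.ip_address(req.client_ip)
        if not any(src in net for net in TRUSTED_ADMIN_NETS):
            return 403, "forbidden"          # reached the port but not from inside
        rec = USERS.get(req.user, DUMMY_RECORD)
        if req.user not in USERS or not verify_password(rec, req.password):
            return 401, "unauthorized"
        return 200, "admin ok"
    return 200, "quotes page"


if __name__ == "__main__":
    good = "correct horse battery staple"
    print(route(Request(APP_LISTENER, "203.0.113.9", "/admin/passwd", "admin", good)))
    print(route(Request(ADMIN_LISTENER, "203.0.113.9", "/admin/passwd", "admin", good)))
    print(route(Request(ADMIN_LISTENER, "10.0.0.7", "/admin/passwd", "admin", good)))
```

The point of the ordering in `route` is that an attacker on the public side gets a 404 before any authentication code runs: the admin channel is simply not the application channel, so a bug in the application cannot be turned into a password change through the same socket.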

  2. Yes it does by Rurik · · Score: 5

    The company uses all Microsoft applications. I used to work at the above company that hosts nasdaq/amex/nasdaq-amex/americanstocks/etc... Financial Insight Systems. They were a Microsoft Certified Solutions Provider, and trying hard to become an MS Partner. Nasdaq had a good dozen-plus IIS Webservers, and we were discouraged from using anything BUT Microsoft software, because of the company's position with MS.

    Had it not been for the fact that we were trying so hard to become an MS Partner (by getting all employees certified at least to MCP, and getting sponsors), maybe there would have been some choice as to what software to install on what boxes. But there wasn't, so it was Microsoft all the way.

    Right before I left the company, they had just hired a security specialist, at an exorbitant salary, who had no clue how to install NT or how to install patches. But the IT team was fewer than 10 people, we were all overworked, and any extra person was a working person. That, plus the fact that the company hired many low-salary, low-experience techies to replace high-salary, high-experience techies, didn't help, but that is too common a business practice now to complain about.

    The two guys in charge of the servers, getting the big bucks, were being worked to the bone, and I admire them for that. But there's only so far you can go before the IT staff has no say in the matter, and the company pushes them into roll-outs and upgrades that are beyond common sense. Then you end up with a lot of burn-outs, stuck in a job they hate, but have some unknown loyalty to.

  3. In other news... by LAI · · Score: 5
    ... stock in a small Dutch startup peaked at $256 per share today. Analysts are surprised, not least of all at the fact that the stock did not exist yesterday, and there has been no record of an IPO. All attempts at contact with the CEO, Gerrie Mansur, have failed.

    LAI

    --
    :eof
  4. Some corrections by Raphael · · Score: 5

    This /. story and the corresponding CNN article contain some vague or incorrect statements...

    • The Nasdaq.com web site was vulnerable, not the whole Nasdaq computer system. This is still a major risk as many investors rely on that web site for their online transactions, but hacking the web site is not the same thing as changing the stock values at the source.
    • The hacker states that he has not used the July 17 exploit that is mentioned on BugTraq. Maybe he used the same security hole with a different exploit, maybe not. I suspect that he has just written his own version of the exploit for the same bug, but it is hard to know.
    • The hacker did not release enough information about the security hole, so I would not call him a "white hat" because he could still use his exploit against other sites if they are vulnerable. So I would only call him "half-ethical".
    • (off-topic) Everyone should read this and this and think about how /. has evolved since the introduction of the moderation system. I tend to agree with Signal11 (not for everything and not for some of his past actions, but he is mostly right in his description of the Slashdot problems).
    --
    -Raphaël
  5. Erm.. the 17-july bug is patched on july 17th by Otis_INF · · Score: 5
    Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17. Erm, the bug (in IIS4 and IIS5) was patched on July 17th, and if I interpret the text correctly, that's THE SAME DAY as the bug was posted on bugtraq. If you look up the vulnerability on bugtraq you'll see the patches are already available. Check also:

    http://www.microsoft.com/NTWorkstation/downloads/Critical/q267559/default.asp

    or bugtraq's page on this bug and the solutions:

    http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1488

    Now.. slashdot.. tell me... do you have a problem with a certain company or something? because the 'news' seem to get a little shaky in the 'correctness' area. :)
    --
    Never underestimate the relief of true separation of Religion and State.
  6. that little bastard gerrie... by quonsar · · Score: 5
    ...defaced seven sites i host a year ago in july. he got in through a poorly written PHP script which accepted user input but did not check it. a few hours later i was reading his hit2000 newsgroup posts (courtesy of a dutch-fluent friend) in which he bragged about it and mentioned some of the domains by name.

    "I will gladly pay you today, sir, and eat up

  7. Do the good guys get enough attention? by cloudscout · · Score: 5

    The media jumps all over the "Bad Guys" on the Internet. Defaced websites (especially high-profile ones) get plenty of coverage. I'm curious how the media is going to treat this one. If more public praise is given to these White Hats, maybe the trend can be reversed. A disobedient kid is often looking for attention. If the good guys gain as much notoriety as the bad guys... you get the idea.