Slashdot Mirror


Nasdaq Intrusion Spreads To Listed Companies

New submitter SpzToid writes "Nasdaq's Directors Desk is a program sold to both listed and private companies, whose board members use it to share documents and communicate with executives. Apparently Directors Desk was infected during a breach widely publicized earlier this year. It has now become known that hackers were able to access confidential documents and communications of the corporate directors and board members who received this infected application, said Tom Kellermann, chief technology officer with security technology firm AirPatrol Corp. It is unclear how long the Directors Desk application was infected before the exchange identified the breach, according to Kellermann and another source."

9 of 50 comments

  1. TO THE CLOUD! by inject_hotmail.com · · Score: 2

    What could go wrong?

  2. Disturbing by msobkow · · Score: 2

    The idea of a secured system designed for the sole purpose of allowing executives and board members of the corporations to communicate in secret is profoundly disturbing on so many levels...

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Disturbing by causality · · Score: 4, Insightful

      The idea of a secured system designed for the sole purpose of allowing executives and board members of the corporations to communicate in secret is profoundly disturbing on so many levels...

      Yes. I'll say up-front that I don't advocate such a criminal activity and anything I say next should be interpreted in that context. I'll add that my reason for this isn't because I'm so sympathetic to the execs who were made to look stupid by this breach, nor do I blindly believe that everything which is legal is good and everything which is illegal is bad, but because I imagine it would be serious prison time if anyone doing it got caught. I'm tempted to say that if caught, they should receive a medal, not prison time.

      Having said that ... I smiled and felt a certain satisfaction when I read this news. They may have made the legal system and the financial system into their personal playgrounds, and established a revolving door between the two, but this finally is one arena where they are going to get humbled again and again. The hackers who perpetrate such attacks are idealistic and can do a great deal with little or no organization, making them quite difficult to include in the corruption represented by their targets of choice.

      By contrast, we long ago gave up any serious notion of our politicians actually representing us and implementing some serious transparency and accountability in either system. I have said before and will reiterate again, you breed lawlessness when you systematically eliminate every legitimate "working through the system" method of effecting change or obtaining justice. Want to go through the court system? Well I hope you have lots of money and years of your life to invest in something you are likely to lose anyway. Want to run for office? I hope you don't cross the political and financial interests who can get you there, who are the gatekeepers much more than the voting booth has ever been. Most people are law-abiding and will stop there. Others, not so much.

      The power brokers who will be humiliated and maybe even harmed by this are simply reaping what they have sown. This is one realm where they are not so untouchable. In my opinion, it's healthy for society that they be reminded of that from time to time, and any decent person with principles wants that to happen in this sort of nonviolent manner. If you haven't noticed, people are getting fed up with the status quo and the direction in which it is moving. Something has to change; this is an amicable way for it to happen.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Disturbing by Oxford_Comma_Lover · · Score: 2

      In part because it makes accountability to shareholders (and law, for that matter) harder than it already is. In part because it disincentivizes them from looking at company-wide solutions to security problems. In part because when it is for contact between companies, it turns into a shield for antitrust violations.

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    3. Re:Disturbing by Shoten · · Score: 3, Insightful

      The idea of a secured system designed for the sole purpose of allowing executives and board members of the corporations to communicate in secret is profoundly disturbing on so many levels...

      Actually, it makes an enormous amount of sense. Keep in mind that things like IPOs, discussion around delisting, and other decisions that involve both a stock exchange and a publicly traded company don't just happen. There's a good bit of communication that has to happen first, and even a rumor about some events can have an impact on that company's stock price. So just as it is with company-internal information about financials during a quiet period just before an official announcement, it makes sense for there to be a channel of communications whereby things can be kept quiet until they are deliberately (rather than accidentally) disclosed.

      --
      For your security, this post has been encrypted with ROT-13, twice.
    4. Re:Disturbing by HornWumpus · · Score: 3, Interesting

      "People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices."

      Adam Smith (the commie bastard).

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    5. Re:Disturbing by causality · · Score: 2

      Hear, hear. (does that qualify this as a "me too" post?)

      Over the last few years I feel as if more and more "Violence is the answer" posts around the internet are popping up. Some may argue that freedom is only won with the blood of patriots, but I deeply hope that our republic is not so far gone that this is the only option left (and one that is, honestly, not likely to happen in any case). So, while I also do not condone illegal activity, I can say that I hope transparency and fairness can be reintroduced peacefully, that the sordid and the powerful can be humbled by whatever means is best for the most people.

      Also, something about Tarkin, and a grasp, and slipping through fingers?

      The following should be construed as my opinion. In this psychotic legal environment, I will add that it is to be interpreted as a hypothetical scenario. With that out of the way...

      I'll be straight with you. For those who really run the show, I think violence is exactly what they are trying to provoke. They have been and are gearing up for it in many different ways. Power-hungry fevered egos would love nothing more than an excuse to clamp down and enforce perpetual martial law. I believe this is why they don't even try to hide their asshattery anymore. They want it in your face. They want you to react to it in a predictable way. They are saying "oh yeah, you don't like that, well wtf are you going to do about it?" Don't fall for that. You'd be a fool to let them provoke you. Anyone who does that is going to lose badly to a very well-prepared adversary. Don't do it.

      I'll tell you what they don't want. The very last thing they want is peaceful, non-violent resistance like what Gandhi and Thoreau advocated. It doesn't give them anything to work with. They would have to drop all pretense of justification if they went heavy-handed against something like that, which would cost them the support of much of the military and police who would execute it. Those two forces are on their side if the real patriots can easily be portrayed as terrorists or rebels or whatever the evil of the day is. If they don't fall for that because they love peace, that's when the soldiers and cops stop being such myrmidons and start questioning their orders and who is really served by them.

      Something like that also implies non-participation in their way of doing things, such as the monetary system, paying taxes, etc. It would amount to cutting the bottom out of the pyramid. They really do derive their power from the consent of the governed, it's just that the governed no longer understand what that means.

      But in either case, violence is the biggest and worst mistake you can make with these "people". That would be playing their game by their rules. You are going to lose if you try it. I don't mind repeating myself: don't do it. Not only would you harm yourself, you also cause a guilt by association against anyone who also understands the problem but has sense enough to look for constructive solutions.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:Disturbing by Alex+Belits · · Score: 2

      Here is something more disturbing and just as relevant, though violence has no part in it:

      Freedom is a stupid idea to begin with. All the time humans have to sacrifice something they want to achieve something more valuable and important. Sure, freedom is attractive -- as long as it is your freedom. But if some form of freedom is supposed to be available to either everyone or no one, it may be a perfectly valid reasoning that having it is not worth the trouble of other people having it, too. Most of "economic freedom" is firmly in this "not worth the trouble" category for everyone but a tiny fraction of the population that happens to be super rich.

      Plenty of such freedom was sacrificed with great results -- now-oppressed employers can't pay below minimum wage, have unsafe working conditions, pay in scrip, defraud the employees, plan that employees will not survive long enough to be paid, etc. Make no mistake -- laws that prohibit those atrocities are denying people real freedoms, at the same level as, say, freedom of speech or freedom of association. Without those laws no fundamental principle of "freedom" is violated. Those forms of freedom (again, not unlike freedom of speech that some people love so much) are available to everyone, but only useful to wealthy and powerful people. With such freedom I would be able to hire, say, a maid or a shoe shine guy and impose unsafe working conditions on them. Then, after performing an act of minor assholery on a shoe shine guy I would have to go back to the coal mine and work for less than the cost of food to sustain my life while breathing more carbon in than out, but everyone would have more freedom.

      It just happens that people are better off when no one has the freedom to mistreat others in such a manner no matter how wealthy he is, so government oppresses the population by denying everyone this kind of freedom, thus promoting public good at the price of certain kinds of freedom. So freedom can just as likely be a good or bad thing, and in each particular case it should exist or not exist depending on its effect on the whole society. It's stupid to worship the idea of freedom by itself, and nothing should be promoted just because it is "freedom" -- things must have valid use and purpose, and their availability in society must be supported by those uses and purposes, not a nebulous slogan of "freedom".

      Nothing will be improved until American society abandons the idea of freedom as the foundation of its ideology, and starts caring about the well-being of people. Then maybe they will have some use for freedoms that they will have left and shown to be valuable. Or maybe even invent new, more useful ones -- I am sure Thomas Jefferson would have a hard time understanding what kinds of freedom Richard Stallman is talking about or what they are good for, so we can just as well have no understanding of what will be good or bad centuries or even decades later.

      --
      Contrary to the popular belief, there indeed is no God.
  3. Re:Keep Critical Infrastructure Offline by bennett000 · · Score: 2

    While it would be nice to do so, it will hardly be possible. Instead it is high time to send those making bad IT security decisions to prison for it. While this will also hit a few engineers, most will be managers going cheap, ignoring warnings and generally being incompetent.

    I don't see this being hardly possible at all; thirty years ago we got along fine without having our critical infrastructure's information systems plugged into a global network. I'm speaking more of nuclear reactors, hydroelectric dams, shipping locks, railway switches etc.

    On the subject of stock exchanges, I seriously doubt much good has come from plugging stock exchanges into the global information network. Even as recently as fifteen years ago people were physically trading stocks on the floor of some of the world's major exchanges. Nowadays computers perform thousands upon thousands of trades in a fraction of the time their former human counterparts could. Is this really a good thing though? There's an absurd arms race going on between investment firms to install increasingly faster computers as close to exchanges as possible to get the 'jump' on trades. There's even a new trans-Atlantic trunk line going in, that shaves off a few milliseconds of latency, all in the name of automatically trading stocks, and 'making' millions of dollars. What purpose are these systems really serving though? Why is it a good idea to put such an insane amount of speculation into our financial markets? The day-to-day price of stock had little enough relationship to the actual value of a company prior to computers dominating the trading scene; now this representation is becoming more diluted.

    As for sending people to prison for making bad IT security decisions, it's a lovely idea, but how do you determine who's to blame? The second something goes wrong, everyone starts pointing the finger at everyone else. Is the CFO to blame for not budgeting enough IT dollars? Is the head of IT to blame because she was following orders without questioning them? Should all the employees just be locked up to be safe? What about the programmer who didn't terminate a string properly, who works for an entirely different company that sold the software to the firm that was breached??

    Then there's the people problem. Even if we could somehow make the billions of lines of code that drive computers perfect, we'd still have people opening up alleged 'job interviews', which are really just malicious Excel files, or what have you. In this case at least there's a forensic trail and a 'smoking' gun to link the ignoramuses to their negligence.

    I think there are a lot of cases where it would be a lot cheaper to hire security-cleared specialists to manually handle the transfer of data between secure isolated networks and the global internet. Sure it would seem more expensive, but these breaches can cost hundreds of millions of dollars. Specialists can be bought for less than a hundred thousand a year each, and they can be held directly accountable.