Slashdot Mirror

← Back to Stories (view on slashdot.org)

FBI Scolds NASDAQ Over Out of Date Patches

Posted by samzenpus on from the someone-needs-a-time-out dept.

DMandPenfold writes "NASDAQ's aging software and out of date security patches played a key part in the stock exchange being hacked last year, according to the reported preliminary results of an FBI investigation. Forensic investigators found some PCs and servers with out-of-date software and uninstalled security patches, Reuters reported, including Microsoft Windows Server 2003. The stock exchange had also incorrectly configured some of its firewalls. NASDAQ, which prides itself on running some of the fastest client-facing systems in the financial world, does have a generally sound PC and network architecture, the FBI reportedly found. But sources close to the investigation told Reuters that NASDAQ had been an 'easy target' because of the specific security problems found. Investigators had apparently expressed surprise that the stock exchange had not been more vigilant."

11 of 66 comments (clear)

  1. In a alternate Universe by AftanGustur · · Score: 3, Insightful

    If these had been Linux servers, Microsoft would now be making bold statements about "Linux Insecurity" and urging Everyone to get a complete Microsoft Solution with patch management.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    1. Re:In a alternate Universe by Alwin+Henseler · · Score: 5, Insightful

      In an alternate Universe, software would be released not before it's done, bug-free, and not need updates other than to add functionality.

      Software quality being what it is today, there's only 2 choices:

      1. If you don't want to patch all the time, disconnect from network so that you have a stand-alone installation (or only use on very strict managed local network).
      2. If internet-facing: patch, patch, patch, so that you have current software with known leaks fixed. In this respect, *nix or Windows doesn't make much difference, the important thing is that it's kept up-to-date.
    2. Re:In a alternate Universe by Anonymous Coward · · Score: 5, Insightful

      If these had been Linux servers, Microsoft would now be making bold statements about "Linux Insecurity" and urging Everyone to get a complete Microsoft Solution with patch management.

      If you think *nix servers in enterprise networks are more up to date then Windows servers, you clearly dont work in the industry.

    3. Re:In a alternate Universe by The+Askylist · · Score: 5, Insightful

      More concerning is the poor firewall configuration. Badly patched servers can be put down to laziness, or unwillingness to fully regression test servers running bespoke software. Badly configured firewalls can only indicate incompetence.

    4. Re:In a alternate Universe by Anonymous Coward · · Score: 3, Insightful

      Laziness in following security bulletins and applying critical patches == incompetence of sysadmin.

      You're basically saying "Their admins aren't just incompetent, they're incompetent as well!"

    5. Re:In a alternate Universe by somersault · · Score: 4, Insightful

      How are you going to guarantee that your software is bug-free? That's like trying to prove that God exists.

      Software complexity being what it is today, it's very difficult to make sure that a system is bug free. Even if you didn't rely on other people's libraries, it would be very difficult to do anything non-trivial without introducing some kind of unanticipated behaviour.

      Back to the summary, what's wrong with running Windows Server 2003 if it's still getting security updates? Wouldn't it be more likely to be secure than a newer version of Windows Server, which has new features that haven't had as much time to mature?

      --
      which is totally what she said
  2. Never underestimate the lazyness of managers by Viol8 · · Score: 5, Insightful

    If they have 2 choices:

    A) which is easy to set up and can be run by click-monkeys but is full of security vulnerabilities

    or

    B) harder to set up and requires people who know what they're doing but is very secure...

    the BAs I'm afraid will will always go for A since people will usually trade effort now (setting up) for effort later (clearing up after a hack).

  3. Scolds? by aikodude · · Score: 5, Insightful

    Scolds? Really? What is this, kindergarten? How about a nice hefty fine to make them take security seriously? Oh, I forgot, can't be angering the real bosses. :/

  4. Wow by Dunbal · · Score: 4, Insightful

    NASDAQ makes at least $0.001 in exchange fees for every single transaction that happens on that exchange, and yet they can't hire a competent IT department.

    --
    Seven puppies were harmed during the making of this post.
  5. It's a culture issue by onyxruby · · Score: 4, Insightful

    It's a culture issue on the concept of server up-time vs service up-time.

    I developed the patch management process that is used on the servers of one of the largest trading companies in the world. I got started on this at the time after hearing one of the server admins brag about an up-time over five years. What he was really saying was that he hadn't patched his servers in over 5 years. Unless your running a mainframe or a certain flavors of Linux a reboot is required for many patches.

    When one of those servers go down the cost is measured in the millions of dollars per minute. The culture took as a matter of pride to make sure that never happened. The best perceived way to avoid this was avoid anything that could affect server up-time. Since patching necessarily involved rebooting the server it simply wasn't done.

    Changing this culture was a half year long internal political fight that boiled down to a single thing. I posited the argument that server up-time should no longer be tracked as a metric and should instead be replaced with service up-time.

    During that half year period I developed the process (working with a lot of other teams) for patching these servers without affecting service up-time. Doing so involved creating a SLA that had server maintenance windows defined for specific times. It also explicitly defined that service availability would not be affected by having a server be unavailable during those very maintenance windows.

    Ultimately the culture was so entrenched that it literally took upper management handing down orders from on high that server up-time was no longer allowed to be tracked as a metric. In the end we were patching our servers on a routine basis and doing so without impacting service availability.

  6. Ditto. by khasim · · Score: 4, Insightful

    It is impossible for a cynic (admin) to get certain concepts through to an optimist (management).

    Every day that you are not cracked (or the crack go undetected) is "proof" for the optimist that he was right and you were just pushing unnecessary precautions to justify your job.

    So, those 24 months ... that's over 700 times he was "proven" right and you were "proven" wrong.

    The same with skipping patches. Every patch skipped multiplied by every day without a crack ... he's right thousands of times and you're chicken little ("the sky is falling, the sky is falling").