FBI Scolds NASDAQ Over Out of Date Patches
DMandPenfold writes "NASDAQ's aging software and out of date security patches played a key part in the stock exchange being hacked last year, according to the reported preliminary results of an FBI investigation. Forensic investigators found some PCs and servers with out-of-date software and uninstalled security patches, Reuters reported, including Microsoft Windows Server 2003. The stock exchange had also incorrectly configured some of its firewalls. NASDAQ, which prides itself on running some of the fastest client-facing systems in the financial world, does have a generally sound PC and network architecture, the FBI reportedly found. But sources close to the investigation told Reuters that NASDAQ had been an 'easy target' because of the specific security problems found. Investigators had apparently expressed surprise that the stock exchange had not been more vigilant."
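The two findings in the summary, unsupported or unpatched hosts and misconfigured firewalls, are exactly what a routine internal audit is meant to catch before an outside investigator does. The script below is an added example, not code from the FBI report or from NASDAQ: it walks a constructed host inventory, flags operating systems past their end-of-support date (Windows Server 2003's extended support ended 14 July 2015) and hosts whose last patch is older than an assumed 30-day threshold, and lints a constructed firewall rule list for allow-all rules and administrative ports exposed to any source. Host names, dates, thresholds and the admin-port list are all assumptions.

```python
"""Audit a host inventory for unsupported OS versions, stale patching, and
permissive firewall rules.  Added example; all inventory data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Host:
    name: str
    os: str
    last_patch: date      # date the host last received security updates


@dataclass
class FirewallRule:
    src: str              # source address or "any"
    dst: str              # destination address or "any"
    port: str             # destination port or "any"
    action: str           # "allow" or "deny"


# Assumed policy: hosts must be patched at least every 30 days.
MAX_PATCH_AGE_DAYS = 30

# Vendor end-of-support dates; Windows Server 2003 is the one the page names.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
}

# Assumed list of ports that should never be reachable from "any" source.
ADMIN_PORTS = ("22", "3389", "445")


def audit_hosts(hosts, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return (host, finding) pairs for unsupported OSes and stale patch levels."""
    findings = []
    for h in hosts:
        eos = END_OF_SUPPORT.get(h.os)
        if eos is not None and today >= eos:
            findings.append((h.name, "unsupported-os"))
        age = (today - h.last_patch).days
        if age > max_age_days:
            findings.append((h.name, f"stale-patches:{age}d"))
    return findings


def audit_firewall(rules, admin_ports=ADMIN_PORTS):
    """Return (rule_index, finding) pairs for overly permissive allow rules."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((i, "any-any-any"))
        elif r.src == "any" and r.port in admin_ports:
            findings.append((i, f"admin-port-open:{r.port}"))
    return findings


# Constructed sample inventory (not real NASDAQ hosts or rules).
SAMPLE_HOSTS = [
    Host("trade-gw-01", "Windows Server 2003", date(2015, 6, 1)),
    Host("web-02", "Windows Server 2008 R2", date(2016, 1, 1)),
    Host("db-03", "Linux", date(2015, 11, 20)),
]
SAMPLE_RULES = [
    FirewallRule("any", "any", "any", "allow"),          # allow-all: flagged
    FirewallRule("any", "10.0.0.5", "3389", "allow"),    # RDP from anywhere: flagged
    FirewallRule("10.0.1.0/24", "10.0.0.5", "3389", "allow"),  # scoped: fine
    FirewallRule("any", "any", "any", "deny"),           # default deny: fine
]
AUDIT_DATE = date(2016, 1, 10)


def run_sample_audit():
    """Run both audits over the constructed data and return the findings."""
    return audit_hosts(SAMPLE_HOSTS, AUDIT_DATE), audit_firewall(SAMPLE_RULES)


if __name__ == "__main__":
    host_findings, fw_findings = run_sample_audit()
    for name, finding in host_findings:
        print(f"HOST   {name}: {finding}")
    for idx, finding in fw_findings:
        print(f"FWRULE #{idx}: {finding}")
```

The audit deliberately reports patch age rather than a yes/no flag, so a team can tell a host that slipped a week from one that has not been touched in months; and it treats "any source to an admin port" as a finding even when the destination is scoped, since that is the kind of rule that survives a quick review yet exposes a management service to the whole network.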
In an alternate Universe, software would be released not before it's done, bug-free, and not need updates other than to add functionality.
Software quality being what it is today, there's only 2 choices:
If these had been Linux servers, Microsoft would now be making bold statements about "Linux Insecurity" and urging Everyone to get a complete Microsoft Solution with patch management.
If you think *nix servers in enterprise networks are more up to date than Windows servers, you clearly don't work in the industry.
Your attempt to join our hive-mind is appreciated, but found to be lacking in zeal.
More concerning is the poor firewall configuration. Badly patched servers can be put down to laziness, or unwillingness to fully regression test servers running bespoke software. Badly configured firewalls can only indicate incompetence.
If they have 2 choices:
A) which is easy to set up and can be run by click-monkeys but is full of security vulnerabilities
or
B) harder to set up and requires people who know what they're doing but is very secure...
the BAs I'm afraid will always go for A, since people will usually trade effort now (setting up) for effort later (clearing up after a hack).
Scolds? Really? What is this, kindergarten? How about a nice hefty fine to make them take security seriously? Oh, I forgot, can't be angering the real bosses. :/