
“NASDAQ is owned.” Five men charged in largest financial hack ever - shawndumas
http://arstechnica.com/security/2013/07/nasdaq-is-owned-five-men-charged-in-largest-financial-hack-ever/
======
austenallred
I honestly believe eastern Europe and possibly Israel are years ahead of the
United States when it comes to the Internet - not with regard to adaptivity,
but with regard to raw hacking ability.

I have yet to understand why and I only have anecdotal evidence (including
living in Ukraine), but there's something to those places that make them breed
hackers.

~~~
2pasc
In Israel, military service is compulsory for all men when they are 18 years
old. The best hackers in the country are detected and lured into cyberwarfare
positions where they need to be the best cyber attackers in the world for 3
years. You bet that these guys are among the best in the world.

~~~
devcpp
The IDF's ICT unit also has a very large budget (it's actually the only unit
with an increasing budget despite a 2 billion overall budget drop), and with
access to all kinds of technologies that only a government can afford. When
the engineers get out of there, they know things that few people know about.

~~~
enraged_camel
Yep. This is why many people believe that Stuxnet was developed by Israel - it
was so advanced that only a country like that could have done it.

~~~
sumzup
According to Snowden it was co-written by Israel and the US.

------
minimax
I've seen this story (NASDAQ being hacked) reported in a couple of places, but
it isn't clear to me what damage was done. It's not really possible for them
to have messed with the actual trading without anyone noticing. Everyone
connecting to an exchange is reconciling the orders they send in against the
trade confirmations they receive. You basically design your technology
assuming the exchange is going to fuck something up eventually. I'd really
like to hear more details about what was going on here.

~~~
nonchalance
The matching engine and the ring of servers around it are not accessible via
internet. You can only connect to them if you have a server colocated in
Carteret, and even then the NASDAQ machines only expose the ports relevant to
order entry and feed data.

They _could_ have hacked a customer (say, citigroup) and entered that way, but
all they really could do is incur losses for the customer.

~~~
jbert
> but all they really could do is incur losses for the customer.

If they could inject "incorrect" trades, could they put themselves on the
other side of those trades via normal means and so benefit from such losses?

~~~
gohrt
Surely.

~~~
DannyBee
But how would this be noticeable from the regular fraud that occurs?

------
driverdan
> Court documents allege that as a result of the scheme, financial
> institutions, credit card companies and consumers suffered hundreds of
> millions in losses, including _more than $300 million in losses_ ...

BULLSHIT. I want to see hard evidence that there were _real_ losses totaling
more than $300 million. The justice dept loves inflating loss figures based on
sentencing guidelines which mandate minimum losses for stolen info even if
they were never used to commit a crime.

~~~
antiterra
Why does this call for an all-caps "bullshit?"

It's really not that much money per card for just the Heartland breach alone,
even if you assume only a fraction of cards were actually being used.

The Heartland breach was discovered after card companies found a pattern of
chargebacks over a number of months. If the cards hadn't been used, the breach
likely would have been undiscovered, for years, if at all. It took Heartland
months of investigation to find internal evidence they had been breached. The
attackers had long since left and attempted to erase their tracks.

------
gnufied
An interesting bit of trivia is that one of the guys being charged is "Dmitry
Smilianets", CEO of Moscow 5, a rather prestigious esports organization
that has/had good teams in League, Dota2 and Counter-Strike.

The arrest itself happened a year ago and was widely reported on gaming
websites ([http://www.joindota.com/en/news/3537-moscow-5-ceo-arrested-i...](http://www.joindota.com/en/news/3537-moscow-5-ceo-arrested-in-amsterdam)).

------
kevinalexbrown
Is anyone aware of a) whether other security auditors or services could have
identified these vulnerabilities and b) what it takes to sell to these
exploited firms?

My understanding of security is fairly small, but it seems to me that there's
a market to be had here ... If the expertise exists to dramatically reduce
exposure, it's a question of sales or ease of use. If the expertise doesn't
exist yet, someone smart might make a lot of money.

~~~
tptacek
There is a market here.

~~~
larrys
Someone who does security work for me on the side (for about 12 years now)
manages a team that does this at a large consulting company.

I can't remember exactly, but he told me what they bill him out for and it
sounded like NY senior attorney level rates.

He travels overseas regularly on longer term assignments. I told him he should
go out on his own but he's not entrepreneurial. He also said that a few of the
"sales guys" at the firm already did that with some of the other security
people last year.

~~~
tptacek
I think starting a security consultancy is a business idea that just might
work.

~~~
janzer
I admit by the time I made it through this comment thread, I wasn't quite
laughing out loud, but I was having a good chuckle.

~~~
larrys
When I was maybe 5 years old I asked my parents why they couldn't just cut
cancer out? Everybody is a newbie at one point.

------
peterwwillis
_"According to one indictment, European credit card numbers sold for as much
as $50, while US ones fetched about $10."_

Where are they getting their numbers from? Last I heard (a year or two ago),
carders charged about 10 cents for foreign cards and a dollar per US card. Any
actual carding researchers care to weigh in?

~~~
driverdan
I'm not sure where you got your info from but non-US cards have always had
higher value due to limited supply. The value also depends on the type of
info. For example, magnetic stripe data (dumps) is worth more than basic card
info (which isn't worth much).

~~~
peterwwillis
The botnet carding numbers were what I was quoting, not mag stripe dumps. And
I was told it was the other way around, that US cards either had higher limits
or the banks were more lenient with the credit? Seeing as Americans use credit
cards way more than most countries, a multitude of charges would be more
easily overlooked. But I'm pretty sure $50 per card is not a realistic rate,
even if they're worth more than US cards.

------
screwt

> Sites are susceptible when user input is ... incorrectly filtered for characters used in database commands ...

If you're trying to protect yourself from SQLi by filtering & then running
user input, you're doing it wrong. If a supposedly tech-literate site like Ars
can't get that right, what hope do we have? (Let alone the banks
themselves...)

~~~
skolor
That's _exactly_ what defines SQLi. Incorrect filtering of user data is
precisely the reason why SQLi is a vulnerability.

~~~
0x0
The better way to defend against SQLi would be to use proper quoting/prepared
statements, instead of trying to play whack-a-mole by filtering and limiting
the content of the input strings.

~~~
skolor
Correct, but that doesn't make the statement of the causes for SQLi any
different.

------
readysetgo
Stealing money from global financial institutions is only allowed when you are
a banker.

------
k_bx
> SQL-injection

> NASDAQ

~~~
sirsar
Sanitizing your inputs is apparently even harder than salting and hashing your
passwords, something even the big-name companies tend to mess up.

Sigh.

~~~
PlaneSploit
Little Bobby Tables, we call him.

~~~
dpatru
[http://xkcd.com/327/](http://xkcd.com/327/)

------
alexjeffrey
the idea that NASDAQ might've been hacked using an SQL injection is pretty
scary, as it's a pretty trivial attack to protect against in most cases
(mysql_real_escape_string?) - is security in stock exchanges really so lax?

~~~
thesis
mysql_real_escape_string isn't secure. AT ALL.

~~~
NegativeK
This would be a perfect example of why SQL injections are so common:
toolchains aren't secure (or even securish) by default -- and it isn't clear
that this is the case.

~~~
jordanthoms
Anyone not using prepared statements in 2013 is just being stupid - there is
no reason to ever be vulnerable to a SQL injection, barring a bug in the
database or driver you are using. It's totally unacceptable.

------
startupfounder
You would think that a way to stop these kinds of attacks for pennies on the
dollar would be to have the security companies, banks, retail stores and
others involved on the receiving side of these attacks fund hackathons or
startup accelerators in every country, like a startup weekend, to give these
"kids" a chance at legal startups and to get paid for finding bugs.

~~~
samstave
We spend how many hundreds of billions on the NSA so they can slurp all the
worlds data? Why not force them to secure all networks?

~~~
gknoy
I do not think that we would want the result of that.

~~~
samstave
HA the jokes on you! We already HAVE the result of that.

In all seriousness though, just be thankful you're still alive you unappreciative
uppity citizen; at least you haven't been killed by a terrorist _yet_.

~~~
readysetgo
People don't often die from terrorism. He is much more likely to die from
diabetes, heart disease, cars or a gun shot.

More toddlers with guns have killed Americans this year than terrorists have.

If we are trying to save lives, worrying about terrorism is a waste of money.

~~~
rayiner
If you're going to ignore chilling effects, then by that reasoning the NSA
surveillance is totally harmless.

That's a ridiculous argument. The Beltway sniper killed 10 people in 2002, a
fraction of the number who died in car accidents that year. But tens of
thousands of people had their lives disrupted as they ducked down while
filling up at gas stations.

~~~
readysetgo
I don't see how your logic follows at all.

Car crashes in 2002 were in the range of 30,000 deaths. Which is orders of
magnitude higher than the sniper.

So in my opinion we shouldn't waste money on NSA wiretapping that doesn't stop
terrorism (because if it did it would have stopped the Boston Bombing) and
instead invest that time and money into transportation infrastructure.

By doing that we would save more lives, improve our economy and most
importantly still have constitutional freedoms.

------
jingo
I'll get downvoted for this, but I think SQL admins should in some way be held
accountable for successful injection attacks. Falling victim to this type of
exploit which is as old as the hills should be inexcusable. How difficult is
it to learn how a UNIX shell works, inside and out? For what these guys get
paid and what they are tasked with securing, they should be experts on
escaping and quoting and every possible thing one can do with the shell. All
the boring stuff. Because that's probably the knowledge these "hackers"
leveraged.

If I'm wrong here, if there's more to it, feel free to correct me. I want to
be empathetic with the people who set up these SQL databases, but I really
cannot understand why anyone can still in 20xx get a shell via SQL statements,
at a financial institution no less, after so many years of seeing others fall
victim.

~~~
meowface
Generally, the DBAs have very little role in knowing whether any part of their
application is vulnerable to SQL injection, and on top of that they can't
mitigate very well against it.

They can do the basic things: don't use the root MySQL user, restrict
privileges on each MySQL user, use AppArmor or SELinux to isolate the mysqld
process, etc. This does prevent an attacker, in most cases, from instantly
uploading a shell as soon as they find any sort of injection vector.

But it does not stop an attacker from reading arbitrary values from any table
in any of the databases the MySQL user has read-permissions to (which in many
cases is every database on the server).

And if an attacker can effectively dump your database, generally it's a matter
of cracking admin password hashes and using those to login and escalate their
access. DBAs really play no part in any of that; it is the developers of the
application who must be blamed here. It's their job to use good hashing
mechanisms, and to prevent admin accounts from being able to escalate
privileges and upload a shell to the server. And above all, to code securely
and prevent SQL injection in the first place.

Also, this isn't reddit, please don't say "I know I'll get downvoted for
this."

~~~
jingo
Question: Can/do they do "fuzzing" on their database applications? Has anyone
built a fuzzer for this purpose that tries an assortment of possible vectors
as well as random strings? I still do not understand why the injection vectors
cannot be preempted to begin with. It seems to me as if the folks securing the
database are unable to predict possible ways someone could exploit what their
application considers "valid" queries. If so, why?

Also, I don't follow reddit, so I didn't know they say that.

~~~
phlo
You're attacking the problem from the wrong angle. The fault lies with
whomever builds the application /interfacing/ with the DB, not whomever
manages the database.

In an application you may need to read user-selected data from some sort of
database. As a simple example, you might accept a user's input of an article
ID to fetch said article from a db. That might look something like this:

"SELECT * FROM articles WHERE id = $article_id"

Where $article_id is the input you received from your user. A valid
$article_id could for example be "7", an invalid one might be "7 OR 1=1". If
the latter value is not escaped, it'd change the statement to read "SELECT *
FROM articles WHERE id = 7 OR 1=1", returning all articles.

Any somewhat competent programmer would then check if $article_id contains a
value of the expected type (i.e. integer, string, string that looks like an
email address, ...) and use an escaping function (in PHP this might be
mysql_real_escape_string) to escape any special characters (e.g. turn " into
\").

If you're doing things right, you'll use a prepared statement. You'll tell
your database driver the format of your query first ("SELECT * FROM articles
where id = ?"), then provide the contents for your placeholders (? ->
$article_id).

Prepared statements are considered more elegant and comfortable to work with;
both approaches are secure when done correctly.

All of this is done by the application developer. Now the DBA only gets to
work with the assembled query. How would they be able to tell a valid "OR 1=1"
from an injected one?

Nonetheless, your point on holding the responsible party accountable stands --
but it's the developers, not the DBAs.
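
The article lookup phlo walks through, with the concatenated form beside the
prepared-statement form that 0x0 and jordanthoms recommend, as an added example
that is not part of any comment in this thread. It uses Python's built-in
`sqlite3` module as an assumed stand-in for the PHP/MySQL stack the comment
mentions; the table contents are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the thread or the article).
SAMPLE_ARTICLES = [(7, "Seven"), (8, "Eight"), (9, "Nine")]


def make_db():
    """Create an in-memory SQLite database holding a small articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ARTICLES)
    conn.commit()
    return conn


def fetch_article_vulnerable(conn, article_id):
    """The concatenated query from the comment: the user value becomes part of the
    SQL text, so "7 OR 1=1" is parsed as SQL and the WHERE clause matches every row.
    Deliberately unsafe; kept here only to contrast with the prepared form."""
    sql = "SELECT id, title FROM articles WHERE id = " + str(article_id)
    return conn.execute(sql).fetchall()


def fetch_article_prepared(conn, article_id):
    """Prepared (parameterised) statement: the query text is fixed and the value is
    bound separately, so the database never interprets it as SQL. A non-numeric
    value simply fails to match an INTEGER column and no rows come back."""
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def fetch_article_validated(conn, raw_value):
    """Type validation in front of the prepared statement: reject anything that is
    not an integer before the database is involved at all."""
    try:
        article_id = int(raw_value)
    except (TypeError, ValueError):
        raise ValueError("article id must be an integer")
    return fetch_article_prepared(conn, article_id)


if __name__ == "__main__":
    conn = make_db()
    print(fetch_article_vulnerable(conn, "7"))         # one row
    print(fetch_article_vulnerable(conn, "7 OR 1=1"))  # every row leaks
    print(fetch_article_prepared(conn, "7 OR 1=1"))    # no rows
    print(fetch_article_validated(conn, "7"))          # one row
```

Running the three functions side by side shows the point phlo makes about the
DBA: the engine receives `WHERE id = 7 OR 1=1` as a perfectly valid query in the
first case, and only the application layer, by binding the value or validating
its type, can tell the injected clause from an intended one.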

~~~
jingo
Thank you. This is the answer I was looking for.

I assumed (incorrectly) that the person designing the database was also
involved in selecting the "prepared statements" or "assembled queries", or was
the same person.

Now I'm thinking the problem may be more with the people building the
interfaces to these SQL databases, and the languages they are using to build
them.

If that's true, then "SQL injection" seems like less of an SQL-specific
problem and more of a popular label for a more general "sanitization of user
input" in internet-facing programs problem. That problem is as old as the web.
And now we encourage every program to be a web-facing application, hosted in
"the cloud". Yikes.

Anyway, I think my original comment may indeed be valid: in 200xx, in too many
cases, programmer knowledge of escaping and quoting (rules that if I'm not
mistaken originated when more people were more familiar with terminals and
shells) is inadequate.

------
christianh
Well maybe there's some light at the end of the tunnel: If hackers had an
easier way to gain recognition and being rewarded when they discover
vulnerabilities, I'm certain most would choose to disclose their findings
rather than try selling them on the black market. I'm working on a startup
right now, www.crowdcurity.com, where we want to let any site easily create a
bug bounty program (similar to Google, Mozilla, Paypal, etc.) and thereby
leverage testers around the world to find vulnerabilities; hopefully
initiatives like this will strengthen the security of web apps and websites
around the world.

------
KumarAseem
Their actions might have been illegal but they for sure are good at breaking
things and their skills should be used instead of throwing them in jail for 20
years. Counsel them and give them a chance to reform themselves.

~~~
jokoon
There are still too many computer illiterate people, it's a matter of how
people view things.

Blaming the existing systems instead of blaming the hackers is like being
an astronomer in the Middle Ages. Deciders and business owners will scream and
say their systems are fine, and that the ones who think differently and prove
otherwise are at fault.

~~~
anigbrowl
No it isn't. These people weren't publishing white papers about the lack of
security at Nasdaq and other companies, they were using their knowledge to
steal money, and the costs were passed back to you, the (presumably)
law-abiding customer/credit card user.

Suppose you went out and came home to find your window smashed and your most
valuable possessions gone. Would you be happy to have received an unscheduled
visit from a private security consultant who decided to pay himself a handsome
fee in the form of your stuff? No, you'd call the police to report a burglary.

Just because these guys were using computers and you also use computers does
not mean they're basically the same as you and would be your good friends if
only those mean old suits would get out of the way and let you run everything.

~~~
jokoon
If those people were not "publishing white papers", maybe it's because
computer security sucks everywhere, maybe because there is no true incentive
to make things better at all.

I was answering to the question "why were those guys using their skills for
criminal activity instead of working on protecting against those crimes ?".

The thing is, I doubt company deciders really care about real computer
security at all, and even if they do, the security market is very slim. OSes
are not really designed with security first in mind, while they should be the
first ones to do research on it, and apply it steadily.

I can find many reasons why the computer security market is still weak: there
are not that many crimes because we don't use computers for many important
things (even if it's on the rise), intelligence agencies prefer to let those
vulnerabilities in place so they can have the upper hand to investigate or spy
other countries (not talking about PRISM), and programmers are still a rare
supply, and I don't really see any open discussion in university about
computer security theory, it's mostly black hats/white hats folks, it's not
really productive.

If those guys committed those crimes, either they are not good enough, but
that also means nasdaq systems were weak, or that they were actually good
enough, but the computer security job market did not propose them enough
money, which is why they risked 20 year prison sentences, because it paid
more.

You could compare it with the drug market. Right now those substances are
illegal, which allows criminals to make huge amounts of money, but the DEA
people will also make money, and are often found to work with criminals.
That's an example why most of the time, crime pays, while it would be wiser to
make those substances legal, and try to help drug users instead. For computer
security, it could be a good idea to stimulate the security market by asking
universities to create degrees, and maybe make some government programs to
work on computer security, instead of letting it rot like that.

------
dclowd9901
> According to one indictment, European credit card numbers sold for as much
> as $50, while US ones fetched about $10.

This is truly dumbfounding to me. They had normalized, searchable access to
millions of credit cards. They presumably had systematic ways of siphoning off
money on high balance cards in a way that no one would've ever noticed. And
yet, their grand scheme was to hock the numbers piecemeal for 50 a pop?

How are such smart people so bad at business.

~~~
driverdan
They had millions of credit cards. It's far easier and safer to sell the cards
than try to come up with a scheme that will make an equivalent amount of money
using them. Plus with that many they had far more than they could ever use.

That's like saying anyone who runs a SaaS that helps other businesses make
money for $50/m is bad at business.

------
trotsky
Wow, the US Attorney is really going out of his way to fill this one up with
bullshit. I knew something was very wrong when goodin claims hundreds of
millions in losses on a carding ring and it didn't take long to find it. The
only people that would pay $50 for anything having anything to do with credit
cards would be fbi investigators. Hell they're the only ones that would pay
one tenth that.

------
txutxu
Upvoted, did make me enjoy the read.

6 months since the first SQLi to the "Nasdaq is owned".

6 months...

Sometimes I've played Neo from a pub connection with recycled hardware (not bought
with my card number) but at most one week to the same target.

I wish I could have the skills of those people. Not that I want to make money
stolen from unknown people... I just would like to have their skills.

~~~
icpmacdo
"Sometimes I've played Neo from a pub connection with recycled hardware (not bought
with my card number) but at most one week to the same target."

Could you explain what you are saying here?

~~~
txutxu
Yes, I see my sentence was not clear at all.

There I was saying that, even if I have done some security research from an
internet connection not related to me, with hardware not related to me,
I've never worked on it more than 1 week. These people were 6 months against the
same target (owning it) without being detected.

------
thomasbk
The actual indictment is here, it's a fairly interesting read:
[http://www.justice.gov/iso/opa/resources/5182013725111217608...](http://www.justice.gov/iso/opa/resources/5182013725111217608630.pdf)

------
coldcode
Amazing people are still ignorant of how to properly code a web application.
Not to mention all the companies that likely still store passwords using a
reversible algorithm and fail to separate and encrypt credit card information.
What is this, 1994?

~~~
bdamm
It's not that people don't know how to properly code a web application. It's
that coding a web application with a strong and secure perimeter is more
expensive, more effort, and difficult to QA (the perimeter) than building one
without.

"Ship it."

~~~
chrismarlow9
I love the "ship it" here. Deadlines kill security. When you're under the gun
to finish something as a dev, the first thing to go is the security mindset.
The next thing to go is the "beautiful code" mindset, which leads to even more
security issues. The problem is that by definition projects that have a
critical deadline will usually be used by thousands of people or handle very
important information.

It's a weird issue of "I need it now because it's important" and "I need it
working well because it's important". Good, fast, cheap. Pick two.

Thanks for supporting my confirmation bias.

------
itsallbs
'SQL-injection vulnerabilities in the victim companies' websites'

/facepalm

------
kevin818
How would one even go about doing this? Do you just keep trying different ssh
key values?

I never understood how people can just magically "gain access" to servers.

~~~
wiml
It can be pretty enlightening to read the few postmortems of big hacks that do
get published.

Another seemingly common scenario (aside from a direct attack on the server)
is to spear-phish someone else inside the company, not necessarily an admin or
anyone technical, into clicking on some flash applet or trojan'd excel doc or
something that owns their machine, then install keyloggers, proxies, etc., and
work from there until you snag a credential that lets you into the server you
actually want.

------
sarreph
Was most of this done by SQL injection?

~~~
ripter
Looks like they used SQL injection to get passwords and then used those
passwords to access the servers.

~~~
acv
The article says that they used the injection to get hashed login credentials.
Did they then use a rainbow table to reverse the hashing?

~~~
meowface
There are a myriad of ways that plaintext can be derived from password
hashes. Rainbow tables are an option if they're not salted; otherwise the
attackers likely had access to fairly significant computing power (considering
the amount of money they were raking in) to perform typical dictionary +
bruteforce attacks on them.
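
To make the salting point above concrete (and the "salting and hashing your
passwords" remark earlier in the thread), here is an added example, not code
from any commenter, contrasting a bare fast hash with a salted, iterated one.
The scheme, PBKDF2-HMAC-SHA256 with a per-user random salt and an assumed
iteration count, is a stand-in for whatever the breached sites actually used;
the verifier parses the stored string it produces and compares in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the demo; the iteration count is a constructed choice,
# not a value taken from the article or the thread.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak scheme: a single fast hash with no salt. Every account with the
    same password stores the same digest, so one precomputed (rainbow) table or
    one cracked digest covers all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'
    so the salt and work factor travel with the digest and can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so timing does not leak how many digest bytes matched. Malformed
    records verify as False rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        work = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, work)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(unsalted_hash(pw) == unsalted_hash(pw))   # True: identical digests
    a, b = hash_password(pw), hash_password(pw)
    print(a != b)                                   # True: salts differ
    print(verify_password(pw, a), verify_password("wrong", a))  # True False
```

The two properties a dumped table should have are visible in the output: equal
passwords no longer produce equal records, which is what defeats precomputed
tables, and each guess costs `ITERATIONS` HMAC evaluations, which is what makes
the dictionary and brute-force route meowface describes expensive per account.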

------
lifeisstillgood
Is there a summary of the techniques used, the escalations taken? Does it
compare to OWASP?

------
ereckers
I just think it's funny that a hacksaw is now the international symbol for
hacking.

------
AsymetricCom
Doesn't NASDAQ have some responsibility for this hack? Doesn't NASDAQ have
serious security reputation issues now?

~~~
driverdan
Blaming the victim? Nice.

~~~
jonah
If indeed it was a basic SQLi attack and NASDAQ failed to prevent it, then to
some degree, yes, they're responsible. As a high-value target it's incumbent
on them to secure their systems.

Here on HN we often say "security through obscurity is no security." Relying
on the fact that it is "illegal" for someone to hack your system to prevent
them from doing so is similarly flawed logic.

~~~
alexhawdon
Yep. And depending on where the attackers are from, it might only be illegal
in US jurisdiction anyway. So it's just plain negligence not to do your best.
That said, it is a huge attack surface and it sounds like they had a lot of
time and resources; they can afford to just wait to get lucky. NASDAQ had to
be lucky ALL the time. /devil's advocate - obviously someone f'd-up.

