“NASDAQ is owned.” Five men charged in largest financial hack ever (arstechnica.com)
290 points by shawndumas on July 25, 2013 | 135 comments

I honestly believe eastern Europe and possibly Israel are years ahead of the United States when it comes to the Internet - not with regard to adaptivity, but with regard to raw hacking ability.

I have yet to understand why and I only have anecdotal evidence (including living in Ukraine), but there's something to those places that make them breed hackers.

Speaking as a Bulgarian, my guess is that the Eastern Bloc countries were limited in the amount of software/hardware that could be sold in the countries due to Cocom ( http://en.wikipedia.org/wiki/CoCom ) and this possibly brought a whole generation of people that became good at reverse engineering, but most likely also a whole culture that thinks it's okay to reverse engineer almost everything...

One of my friends' mothers worked at a Bulgarian shop where all they did was translate Norton Commander into Russian (basically hex editing here and there), and then it was sold on the Russian market.

Up to 1988-1989 we had a Bulgarian company that was selling bootlegged games under their own name (yes I bought Karateka from them, and it worked on the bootlegged Pravetz-8C - a.k.a Apple ][/c).

But it doesn't stop there - you can (or at least back in the days) find people living in the same apartment building that were able to fix your TV, car, radio, etc. without calling technician.

My father regularly fixed TV sets of neighbors for no money (he's an ex military engineer - worked in radio-location)

But then there was something about Russian, or Eastern Bloc made hardware - you take any plane, car, tank, radio, etc. - you can open it yourself and start hacking, replace parts, etc. - e.g. even the own-made products were meant to be hackable.

Now this is according to my father, who told me that it was much easier to fix Russian-produced military vehicles than anything else.

The I-fix-it culture was really thriving, and some thanks to the "communism" (there was never such thing), but lots of kids got free education since 1st grade in computer science, hardware, rocketry, train modeling. The magazines were so cheap (and printed out on cheap paper) - that you can buy dozen of them full with models, etc.

This is no longer the case (I've been living in USA since 1999, but visit my own Bulgaria almost every year).

I wish some of the days are back, but I knew that it was utopia we lived....

Well take it with a grain of salt, typing this while on vacation from my lovely Bulgaria :)

Same reason as why demo coders from amiga, c64 and other limited systems are premier coders today. Limited financial and hardware resources make you shine in all kind of situations.

> "communism" (there was never such thing)

In college I wrote a major research paper on market-style exchanges on the factory floors of Eastern Europe, with the underlying point that you can never really purge all market forces, that "capitalism" is more descriptive than normative.

When I think back on it, well, I'm mostly ashamed for talking out of my ass about what other people actually experienced. It'd be great to hear more of your thoughts on it.

Possibly you understood what it was better than me, especially since you've researched it.

From my point, it was never communism - ahem the simple - produce as much as you can, take as much as you need

There was one difference - central planning - all prices were fixed and you can't find much variety in the store (2-3 types of bread, 2-3 types of feta cheese, etc.)

Another thing was the foreign currency - read about it here - http://en.wikipedia.org/wiki/Corecom

As a kid one of the best things were getting bananas/oranges for New Year, or getting some real dollars so you can buy kinder eggs/pezz/tobleron/etc from the Corecom stores (above). Although you might afford the money, there was no easy way to exchange them.

It was a 'meh' moment for me, when democracy came, and my favourite store (selling cake, soda drinks) start also selling kinder eggs - It was impossible for me to think that I can go and buy as much as I want with ... levas (our currency).

And as such they were no longer interesting :)

I had a happy childhood, maybe because I did not know anyone too rich, or too poor, and the choice was limited... okay maybe that was not the case... But looking at all old Bulgarian kid movies, one can see kids roaming the streets without any danger (and it was so - It was normal for me to stroll around while I was 5 or 6 years old). This gets old, a bit reddit-ish, and it's purely my experience and surely for other people it could've been a totally different story.

+1 for Karateka and Pravetz-8C which was my first computer =)

They can't easily get jobs that pay them well, the way most programmers in the West can. People really good at security in the US just get a job making a great salary.

It's also more dangerous in the US. Since the majority of major web apps are hosted in the US, if you're in the US it is easy for the app's owners to go after you legally. It gets much more complicated if you're in another country. For example, if weev had been in eastern Europe, it would make it much more difficult for ATT to go after him.

You don't even have to be 'good at security' to get a job making great salary - just a clearance and maybe a certification or two.

This is a very believable explanation.

In Israel, military service is compulsory for all men when they are 18 years old. The best hackers in the country are detected and lured into cyberwarfare positions where they need to be the best cyber attackers in the world for 3 years. You bet that these guys are among the best in the world.

The IDF's ICT unit also has a very large budget (it's actually the only unit with an increasing budget despite a 2 billion overall budget drop), and with access to all kinds of technologies that only a government can afford. When the engineers get out of there, they know things that few people know about.

Yep. This is why many people believe that Stuxnet was developed by Israel - it was so advanced that only a country like that could have done it.

According to Snowden it was co-written by Israel and the US.

"military service is compulsory for all men when they are 18 years old."

Not correct. All men (and women) except those in a Yeshiva (religious school). As I understand it, they can postpone their enlistment indefinitely.

I also understand this is a touchy subject in Israel right now.

Sure. But a vast majority of men do that, and are proud to do it. In Israel, you meet your best friends in the army.

you're speaking on behalf of a "vast majority of men"?

Interesting, I remember reading that the hacker (jsz) who helped Kevin Mitnick back in the day with the IP spoofing attack against Shimomura's computer was from Israel as well.

> for 3 years

Not exactly true. There are a few different computer groups, one of which requires only three years and it is nowhere near the level of sophistication of an average programmer (they are mostly responsible for the technological infrastructure of the army). The other programs require a degree beforehand (so they only go into the army at about 22) and then require 5 years of service. These are the people who create cool things. But let me say: even the things that they do are closer to things you can think about than what you would find in a sci-fi novel.

You describe the mamram thing, but aman conscripts people who are better at 17 than good compsci grads from the technion at 22. They do 4 years, not like atuda. aman also gets people from talpiot and the best mamram has to offer.

I'm from Eastern Europe myself, and while I know it's anecdotal only, from living for one year in the same dorm-room with a guy like the ones described in the article all I can say is that it was not about the money (at least not 14 years ago, when I was still a freshman) but more about "hey, I want to see what this piece of closed-source software is actually all about! How can I crack it?". It also "helped" that we were generally quite poor (we still are, comparatively) and so it made "economic sense" to spend days and days tweaking with assembly code and what-have-you in order not to pay $4.99 for a crappy music player or something similar, and in the process acquiring quite a bit of knowledge (much more valuable) about how such things work.

And the guy I started talking about now works for a pretty important anti-virus company; he's one of the most gifted hackers I've ever met.

Speaking from personal experience (Ukraine).

There are plenty of job opportunities and the coders are relatively even more overpaid than in the West, so that's not the reason.

The real reason I believe is that people mostly can do this with impunity. There's very little being done to prevent or prosecute credit card fraud. In Ukraine and Russia CCs are still used very little, so this fraud hurts "the West" which is mostly seen as a good thing by the general population. Rampant piracy is practically encouraged for the same reason.

Of course this creates a barrier for doing legitimate business online. For example PayPal simply does not allow merchant accounts from Ukraine and Russia to reduce fraud. These countries are the safe haven for hosting illegal content etc. It would benefit local programmers to clean up the reputation of the country and to my great annoyance people just do not realize this. Crooks are accepted as keynote speakers at business conferences etc (they do make money, so what's the problem?)

I've always figured (at least for former soviet states) that it's a combination of:

+ a rigorous STEM curriculum

+ limited conventional job prospects

+ a social/business environment in which exploit-selling is a respectable profession

Can you tell why you know that? Is that knowledge from personal experience?

From my personal experience I can confirm p. 1, totally disagree with p. 2 (there are plenty of good and well paid jobs for IT specialists in xUSSR countries). About p. 3 - exploit-selling is not a respectable profession, but in recent 20 years people have seen too many examples of people becoming rich by illegal and dirty ways and this definitely did bad influence.

Raw hacking ability I believe is defined loosely by a very strict early mathematical education.

I'm slavic but I was raised in Sweden, visits with family in the balkans always leave me surprised at the strict education children go through.

Of course, my only perspective is from small country villages, not cities.

> I have yet to understand why and I only have anecdotal evidence (including living in Ukraine), but there's something to those places that make them breed hackers.

Or maybe it's just USA that's good at breeding anger and revenge-driven people all over the world. ;)

Well, Eastern European cybercriminals typically go after companies worldwide; there usually isn't a particular focus on America. That's in contrast to China.

It feels like it's been that way for at least a couple of decades. In the early years of PC viruses it seemed like all the innovation was coming out of eastern Europe.

And before that, I remember that (at least in Mexico) there was the idea that the USSR had the best people in mathematics and chess.

I've heard theories that it's as simple as they had older and slower machines, so they thought more carefully about not just the code they were writing but about the machine it was running on as well. In the end, they end up gaining a better understanding than 'spoiled' programmers in the west who could afford to compile, run, edit, compile, run...

There's also the theory that they don't have as much to do, at least not as many distractions.

My experience with employees who originally came from Russia to Germany is that they were all pretty smart... most of them were also really good at chess for example, so I guess it's something about the education there... seems to be quite math heavy

Could it also be that the US hackers are just as visible? They could be quietly recruited by the government when they get caught.

I've seen this story (NASDAQ being hacked) reported in a couple of places, but it isn't clear to me what damage was done. It's not really possible for them to have messed with the actual trading without anyone noticing. Everyone connecting to an exchange is reconciling the orders they send in against the trade confirmations they receive. You basically design your technology assuming the exchange is going to fuck something up eventually. I'd really like to hear more details about what was going on here.

From the linked US DOJ press release:

>It is not alleged that the NASDAQ hack affected its trading platform.


The matching engine and the ring of servers around it are not accessible via internet. You can only connect to them if you have a server collocated in Carteret, and even then the NASDAQ machines only expose the ports relevant to order entry and feed data.

They could have hacked a customer (say, citigroup) and entered that way, but all they really could do is incur losses for the customer.

> but all they really could do is incur losses for the customer.

If they could inject "incorrect" trades, could they put themselves on the other side of those trades via normal means and so benefit from such losses?


But how would this be noticeable from the regular fraud that occurs?

You couldn't create or delete orders for other people without them noticing, but frontrunning could maybe stay under the radar.

> Court documents allege that as a result of the scheme, financial institutions, credit card companies and consumers suffered hundreds of millions in losses, including more than $300 million in losses ...

BULLSHIT. I want to see hard evidence that there were real losses totaling more than $300 million. The justice dept loves inflating loss figures based on sentencing guidelines which mandates minimum losses for stolen info even if they were never used to commit a crime.

Why does this call for an all-caps "bullshit?"

It's really not that much money per card for just the Heartland breach alone, even if you assume only a fraction of cards were actually being used.

The Heartland breach was discovered after card companies found a pattern of chargebacks over a number of months. If the cards hadn't been used, the breach likely would have been undiscovered, for years, if at all. It took Heartland months of investigation to find internal evidence they had been breached. The attackers had long since left and attempted to erase their tracks.

An interesting trivia is - one of the guys being charged is "Dmitry Smilianets", CEO of Moscow 5. A rather very prestigious esports organization that has/had good teams in League, Dota2 and Counter strike.

The arrest itself happened a year ago and was widely reported on gaming websites (http://www.joindota.com/en/news/3537-moscow-5-ceo-arrested-i...).

Is anyone aware of a) whether other security auditors or services could have identified these vulnerabilities and b) what it takes to sell to these exploited firms?

My understanding of security is fairly small, but it seems to me that there's a market to be had here ... If the expertise exists to dramatically reduce exposure, it's a question of sales or ease of use. If the expertise doesn't exist yet, someone smart might make a lot of money.

A good blog to follow is Krebs on Security: https://krebsonsecurity.com/

He often has screenshots and other details on the working of various markets.

Here is a market for ecommerce credentials: https://krebsonsecurity.com/2012/12/exploring-the-market-for...

What use a hacked PC has: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hack...

And even a thriving software industry for the bad guys http://krebsonsecurity.com/2013/07/one-stop-bot-chop-shops/

Counterpane is a company (now owned by BT) that sells managed network security services as an example of how you sell to the firms.

There is a market here.

Someone who does security work for me on the side (for about 12 years now) manages a team that does this at a large consulting company.

I can't remember exactly, but he told me what they bill him out for and it sounded like NY senior attorney level rates.

He travels overseas regularly on longer term assignments. I told him he should go out on his own but he's not entrepreneurial. He also said that a few of the "sales guys" at the firm already did that with some of the other security people last year.

I think starting a security consultancy is a business idea that just might work.

I admit by the time I made it through this comment thread, I wasn't quite laughing out loud, but I was having a good chuckle.

When I was maybe 5 years old I asked my parents why they couldn't just cut cancer out? Everybody is a newbie at one point.

Some services that scan the assets on a network for a wide range of vulnerabilities: QualysGuard, Nexpose, McAfee EPO.

There is a market there among Fortune 500 companies, for sure. The difficulties (as I've experienced it) are:

1. Companies want some omni tool that scans vulnerabilities, manages tickets, enforces policies, tests controls, etc and feeds all the data into a single database that they can run reports on.

2. Large companies (especially financial ones) don't want their data in the cloud so you have to provide some sort of support onsite.

The bigger the network the more likely something like a simple vulnerability scan will take something down. For this reason many organizations don't allow blanket scans to take place which is a shame because if the scan itself is capable of taking down an important system on your network then clearly you have a huge vulnerability!

I remember when I was working as a security consultant doing a "safe" Nessus scan of a relatively small organization that happened to have a mainframe. The mere act of scanning the ports on the mainframe caused it to crash. The whole thing had to be rebooted and it took HOURS. Essentially, a whole day of work was lost.

When we met with the CSO to talk about it he was both happy and sad: Happy that we discovered such a huge vulnerability and sad that he was going to have to explain to his superiors that an action that he undertook (hiring security consultants to perform a scan) cost the business a lot of money.

I later found out that he was fired because of the incident.

That right there explains a lot about the state of IT security in business right now.

software is fundamentally broken in some way that it just gets harder and harder to keep a lid on the more effort we make. There is money to be made selling inflatable rafts before a tsunami, but it's pretty depressing work and pretty much everyone is still going to die. The only semi-workable answers are air gapping and drastically reducing the size of your code base, and neither are working that awesome for people or is anyone much willing to do it. Look at google chromeos. One of the lowest attack surface pcs on the market and it was designed from the ground up assuming they'd get owned regularly. Very few other orgs are doing either one.

The real problem here is that this is extremely asymmetric. All the bad guys need to do is to find a single mistake from an employee, subcontractor, vendor etc.

I wish more people would get this through their heads. The secretary opening a zero-day PDF is usually all it takes for an entire organization to be owned! Especially organizations with Active Directory and Windows workstations. Here's why:

* Secretary's workstation gets owned via zero day.
* Attacker installs keylogger.
* Attacker "breaks" the workstation's join to the domain.
* Domain admin shows up to re-join the workstation to the domain (to "fix it").

Now the attacker has the credentials necessary to manage all of AD and give themselves rights to whatever they want. Also, since AD doesn't use a salt with password hashes the attacker can now trivially obtain the passwords of every employee in the company along with things like service accounts. It's game over at that point--rebuild everything time.

Sure, you can identify them -- but will they listen and actually take corrective action?

"According to one indictment, European credit card numbers sold for as much as $50, while US ones fetched about $10."

Where are they getting their numbers from? Last I heard (a year or two ago), carders charged about 10 cent for foreign cards and a dollar per US card. Any actual carding researchers care to weigh in?

I'm not sure where you got your info from but non-US cards have always had higher value due to limited supply. The value also depends on the type of info. For example, magnetic stripe data (dumps) is worth more than basic card info (which isn't worth much).

The botnet carding numbers were what I was quoting, not mag stripe dumps. And I was told it was the other way around, that US cards either had higher limits or the banks were more lenient with the credit? Seeing as Americans use credit cards way more than most countries, a multitude of charges would be more easily overlooked. But I'm pretty sure $50 per card is not a realistic rate, even if they're worth more than US cards.

> Sites are susceptible when user input is ... incorrectly filtered for characters used in database commands ...

If you're trying to protect yourself from SQLi by filtering & then running user input, you're doing it wrong. If a supposedly tech-literate site like Ars can't get that right, what hope do we have? (Let alone the banks themselves...)

That's exactly what defines SQLi. Incorrect filtering of user data is precisely the reason why SQLi is a vulnerability.

The better way to defend against SQLi would be to use proper quoting/prepared statements, instead of trying to play whack-a-mole by filtering and limiting the content of the input strings.

Correct, but that doesn't make the statement of the causes for SQLi any different.

Incorrect handling I'd say. If you're filtering apostrophes from your user input you're doing it wrong.

This is a semantic quibble. Your point could be restated as, "if you're not filtering potentially dangerous data out of your SQL queries (i.e. you're not using a fixed vocabulary of properly-quoted phrases) then you are vulnerable to SQLi."

think of it this way: no matter how you slice it, there are Bad Things you need to keep out of your SQL, and an easy layperson term for doing so is 'filtering'.

Recall that 'filter' != regexp.

Stealing money from global financial institutions is only allowed when you are a banker.

> SQL-injection


Sanitizing your inputs is apparently even harder than salting and hashing your passwords, something even the big-name companies tend to mess up.


Little Bobby Tables, we call him.

You don't even need to sanitize them, actually.

That's true. For example in Python, you declare the query as "Select * from a where b=? and c=d" and then put a tuple (z,) to specify b.

It's something the NYSE should get "hip" to.

That was my first note as well.. imho, they deserved to get hacked.

the idea that NASDAQ might've been hacked using an SQL injection is pretty scary, as it's a pretty trivial attack to protect against in most cases (mysql_real_escape_string?) - is security in stock exchanges really so lax?

mysql_real_escape_string is not the right answer. The only way to prevent SQL injection attacks is to use bind variables.

mysql_real_escape_string isn't secure. AT ALL.

How so? The function does what it's supposed to do. Of course you still have to write the rest of the SQL statement to make use of the escaped input - put all params in quotes (or much better: use prepared statements to begin with).

This would be a perfect example of why SQL injections are so common: toolchains aren't secure (or even securish) by default -- and it isn't clear that this is the case.

Anyone not using prepared statements in 2013 is just being stupid - there is no reason to ever be vulnerable to a SQL injection, barring a bug in the database or driver you are using. It's totally unacceptable.

it is when used correctly within quotes (and used with common charsets, but that's a different story altogether). There is no publicly known way to inject the following when the database is encoded in ISO-8859-1 or UTF-8:

"SELECT ... WHERE `field_name` = '" . mysql_real_escape_string($string_value) . "'";

You would think that a way to stop these kinds of attacks for pennies on the dollar would be to have the security companies, banks, retail stores and others involved on the receiving side of these attacks fund hackathons or startup accelerators in every country, like a startup weekend, to give these "kids" a chance at legal startups and to get paid for finding bugs.

We spend how many hundreds of billions on the NSA so they can slurp all the worlds data? Why not force them to secure all networks?

I do not think that we would want the result of that.

HA the jokes on you! We already HAVE the result of that.

In all serious though, just be thankful you're still alive you unappreciative uppity citizen; at least you haven't been killed by a terrorist yet.

People don't often die from terrorism. He is much more likely to die from diabetes, heart disease, cars or a gun shot.

More toddlers with guns have killed Americans this year than terrorist have.

If we are trying to save lives, worrying about terrorism is a waste of money.

If you're going to ignore chilling effects, then by that reasoning the NSA surveillance is totally harmless.

That's a ridiculous argument. The Beltway sniper killed 10 people in 2002, a fraction of the number who died in car accidents that year. But tens of thousands of people had their lives disrupted as they ducked down while filling up at gas stations.

I don't see how your logic follows at all.

Car crashes in 2002 were in the range of 30,000 deaths. Which is orders of magnitude higher than the sniper.

So in my opinion we shouldn't waste money on NSA wiretapping that doesn't stop terrorism (because if it did it would have stopped the Boston Bombing) and instead invest that time and money into transportation infrastructure.

By doing that we would save more lives, improve our economy and most importantly still have constitutional freedoms.

I'm fairly certain he was being facetious.

I would hope so, but even so the character he's playing isn't clever.

Our whole DOD budget is only 600-700 billion, so it's unlikely we spend "hundreds of billions" on the NSA. Estimates are 8-10 billion: http://money.cnn.com/2013/06/07/news/economy/nsa-surveillanc....

That's hardly the DoD budget as it ignores a lot of rather costly items like the VA.

I'll get downvoted for this, but I think SQL admins should in some way be held accountable for successful injection attacks. Falling victim to this type of exploit which is as old as the hills should be inexcusable. How difficult is it to learn how a UNIX shell works, inside and out? For what these guys get paid and what they are tasked with securing, they should be experts on escaping and quoting and every possible thing one can do with the shell. All the boring stuff. Because that's probably the knowledge these "hackers" leveraged.

If I'm wrong here, if there's more to it, feel free to correct me. I want to be empathetic with the people who set up these SQL databases, but I really cannot understand why anyone can still in 20xx get a shell via SQL statements, at a financial institution no less, after so many years of seeing others fall victim.

Generally, the DBAs have very little role in knowing whether any part of their application is vulnerable to SQL injection, and on top of that they can't mitigate very well against it.

They can do the basic things: don't use the root MySQL user, restrict privileges on each MySQL user, use AppArmor or SELinux to isolate the mysqld process, etc. This does prevent an attacker, in most cases, from instantly uploading a shell as soon as they find any sort of injection vector.

But it does not stop an attacker from reading arbitrary values from any table in any of the databases the MySQL user has read-permissions to (which in many cases is every database on the server).

And if an attacker can effectively dump your database, generally it's a matter of cracking admin password hashes and using those to login and escalate their access. DBAs really play no part in any of that; it is the developers of the application who must be blamed here. It's their job to use good hashing mechanisms, and to prevent admin accounts from being able to escalate privileges and upload a shell to the server. And above all, to code securely and prevent SQL injection in the first place.

Also, this isn't reddit, please don't say "I know I'll get downvoted for this."

Question: Can/do they do "fuzzing" on their database applications? Has anyone built a fuzzer for this purpose that tries an assortment of possible vectors as well as random strings? I still do not understand why the injection vectors cannot be preempted to begin with. It seems to me as if the folks securing the database are unable to predict possible ways someone could exploit what their application considers "valid" queries. If so, why?

Also, I don't follow reddit, so I didn't know they say that.

You're attacking the problem from the wrong angle. The fault lies with whomever builds the application /interfacing/ with the DB, not whomever manages the database.

In an application you may need to read user-selected data from some sort of database. As a simple example, you might accept a user's input of an article ID to fetch said article from a db. That might look something like this:

"SELECT * FROM articles WHERE id = $article_id"

Where $article_id is the input you received from your user. A valid $article_id could for example be "7", an invalid one might be "7 OR 1=1". If the latter value is not escaped, it'd change the statement to read "SELECT * FROM articles WHERE id = 7 OR 1=1", returning all articles.

Any somewhat competent programmer would then check if $article_id contains a value of the expected type (i.e. integer, string, string that looks like an email address, ...) and use an escaping function (in PHP this might be mysql_real_escape_string) to escape any special characters (e.g. turn " into \").

If you're doing things right, you'll use a prepared statement. You'll tell your database driver the format of your query first ("SELECT * FROM articles where id = ?"), then provide the contents for your placeholders (? -> $article_id).

Prepared statements are considered more elegant and comfortable to work with; both approaches are secure when done correctly.

All of this is done by the application developer. Now the DBA only gets to work with the assembled query. How would they be able to tell a valid "OR 1=1" from an injected one?

Nonetheless, your point on holding the responsible party accountable stands -- but it's the developers, not the DBAs.
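
The article-ID case from the comment above, as an added example that is not part of the original thread: Python's `sqlite3` stands in for the PHP/MySQL stack, and the table contents, function names and the `escape_quotes` helper are assumptions made for illustration. It shows that escaping alone changes nothing when the value lands in an unquoted numeric position, while quoting plus escaping, and bound parameters, both keep the input as data.

```python
import sqlite3

# Constructed sample data, for illustration only.
ROWS = [(7, "Public post"), (8, "Another post"), (9, "Unpublished draft")]
PAYLOAD = "7 OR 1=1"  # the invalid article id quoted in the thread


def make_db():
    """Build an in-memory database with a small articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles (id, title) VALUES (?, ?)", ROWS)
    return conn


def escape_quotes(value):
    """Hypothetical stand-in for a string-escaping helper.

    Doubles single quotes, which is the escape SQLite understands inside a
    quoted string. It is not a model of any real library function.
    """
    return value.replace("'", "''")


def fetch_concat(conn, article_id):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = "SELECT id, title FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def fetch_escaped_unquoted(conn, article_id):
    """Still vulnerable: the payload contains no quote characters, so the
    escaping step returns it unchanged and it is parsed as SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + escape_quotes(article_id)
    return conn.execute(sql).fetchall()


def fetch_escaped_quoted(conn, article_id):
    """Escaped AND placed inside quotes: the input stays one string literal."""
    sql = ("SELECT id, title FROM articles WHERE id = '"
           + escape_quotes(article_id) + "'")
    return conn.execute(sql).fetchall()


def fetch_param(conn, article_id):
    """Prepared statement: the query shape is fixed, the value is bound."""
    sql = "SELECT id, title FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def fetch_validated(conn, raw_id):
    """Type check first, then bind: rejects anything that is not an integer."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("article id must be a non-negative integer")
    return fetch_param(conn, int(raw_id))


if __name__ == "__main__":
    db = make_db()
    for fn in (fetch_concat, fetch_escaped_unquoted,
               fetch_escaped_quoted, fetch_param):
        print(f"{fn.__name__:24} valid={len(fn(db, '7'))} rows, "
              f"payload={len(fn(db, PAYLOAD))} rows")
    try:
        fetch_validated(db, PAYLOAD)
    except ValueError as exc:
        print("fetch_validated          rejected payload:", exc)
```
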

Thank you. This is the answer I was looking for.

I assumed (incorrectly) that the person designing the database was also involved in selecting the "prepared statements" or "assembled queries", or was the same person.

Now I'm thinking the problem may be more with the people building the interfaces to these SQL databases, and the languages they are using to build them.

If that's true, then "SQL injection" seems like less of an SQL-specific problem and more of a popular label for a more general "sanitization of user input" in internet-facing programs problem. That problem is as old as the web. And now we encourage every program to be a web-facing application, hosted in "the cloud". Yikes.

Anyway, I think my original comment may indeed be valid: in 200xx, in too many cases, programmer knowledge of escaping and quoting (rules that if I'm not mistaken originated when more people were more familiar with terminals and shells) is inadequate.

Yes, database fuzzers exist. (http://sqlmap.org)

To answer your second question, Standard Query Language is very, very complicated, and you would have to be a genius to make a proper input scrubber. That's why you are supposed to use things like parameterized queries and bypass the danger of sql injection entirely. However, security mistakes still happen, and you should code in such a way that database leaks are not catastrophic.

Well maybe there's some light at the end of the tunnel: If hackers had an easier way to gain recognition and be rewarded when they discover vulnerabilities, I'm certain most would choose to disclose their findings rather than try selling them on the black market. I'm working on a startup right now, www.crowdcurity.com, where we want to let any site easily create a bug bounty program (similar to Google, Mozilla, Paypal, etc.) and thereby leverage testers around the world to find vulnerabilities; hopefully initiatives like this will strengthen the security of web apps and websites around the world.

Their actions might have been illegal but they for sure are good at breaking things and their skills should be used instead of throwing them in jail for 20 years. Counsel them and give them a chance to reform themselves.

There are still too many computer illiterate people, it's a matter of how people view things.

Blaming the existing systems instead of blaming the hackers, it's like being an astronomer in the Middle Ages. Deciders and business owners will scream and tell their systems are fine, and that the ones who think differently and prove otherwise are at fault.

No it isn't. These people weren't publishing white papers about the lack of security at Nasdaq and other companies, they were using their knowledge to steal money, and the costs were passed back to you, the (presumably) law-abiding customer/credit card user.

Suppose you went out and came home to find your window smashed and your most valuable possessions gone. Would you be happy to have received an unscheduled visit from a private security consultant who decided to pay himself a handsome fee in the form of your stuff? No, you'd call the police to report a burglary.

Just because these guys were using computers and you also use computers does not mean they're basically the same as you and would be your good friends if only those mean old suits would get out of the way and let you run everything.

If those people were not "publishing white papers", maybe it's because computer security sucks everywhere, maybe because there is no true incentive to make things better at all.

I was answering the question "why were those guys using their skills for criminal activity instead of working on protecting against those crimes?".

The thing is, I doubt company deciders really care about real computer security at all, and even if they do, the security market is very slim. OSes are not really designed with security first in mind, while they should be the first ones to do research on it, and apply it steadily.

I can find many reasons why the computer security market is still weak: there are not that many crimes because we don't use computers for many important things (even if it's on the rise), intelligence agencies prefer to let those vulnerabilities in place so they can have the upper hand to investigate or spy on other countries (not talking about PRISM), and programmers are still a rare supply, and I don't really see any open discussion in university about computer security theory, it's mostly black hats/white hats folks, it's not really productive.

If those guys committed those crimes, either they are not good enough, but that also means nasdaq systems were weak, or that they were actually good enough, but the computer security job market did not propose them enough money, which is why they risked 20 year prison sentences, because it paid more.

You could compare it with the drug market. Right now those substances are illegal, which allows criminals to make huge amounts of money, but the DEA people will also make money, and are often found to work with criminals. That's an example why most of the time, crime pays, while it would be wiser to make those substances legal, and try to help drug users instead. For computer security, it could be a good idea to stimulate the security market by asking universities to create degrees, and maybe make some government programs to work on computer security, instead of letting it rot like that.

> According to one indictment, European credit card numbers sold for as much as $50, while US ones fetched about $10.

This is truly dumbfounding to me. They had normalized, searchable access to millions of credit cards. They presumably had systematic ways of siphoning off money on high balance cards in a way that no one would've ever noticed. And yet, their grand scheme was to hock the numbers piecemeal for 50 a pop?

How are such smart people so bad at business.

They had millions of credit cards. It's far easier and safer to sell the cards than try to come up with a scheme that will make an equivalent amount of money using them. Plus with that many they had far more than they could ever use.

That's like saying anyone who runs a SaaS that helps other businesses make money for $50/m is bad at business.

If they used them all at once to make purchases, it would have triggered fraud protection software. If they were distributed, less likely to be caught.

Because low risk, little effort, high volume. Easy (if you're smart).

It's easy to farm credit cards and accounts once you have your infrastructure in place, but it's not so easy to actually profit from them. It's time-consuming and a big liability. So you do the next best thing: you dump them.

Wow, the US Attorney is really going out of his way to fill this one up with bullshit. I knew something was very wrong when Goodin claims hundreds of millions in losses on a carding ring and it didn't take long to find it. The only people that would pay $50 for anything having anything to do with credit cards would be FBI investigators. Hell they're the only ones that would pay one tenth that.

Upvoted, did make me enjoy the read.

6 months since the first SQLi to the "NASDAQ is owned".

6 months...

Sometimes I've play Neo from a pub connection with recycled hardware (not buy with my card number) but at most one week to the same target.

I wish I could have the skills of those people. Not that I want to make money stolen from unknown people... I just would like to have their skills.

"Sometimes I've play Neo from a pub connection with recycled hardware (not buy with my card number) but at most one week to the same target."

Could you explain what you are saying here?

Yes, I see my sentence was not clear at all.

There I was saying that even if I have done some security research, from an internet connection not related to me, with hardware not related to me, I've never worked on it more than 1 week. These people were 6 months against the same target (owning it) without being detected.

The actual indictment is here, it's a fairly interesting read: http://www.justice.gov/iso/opa/resources/5182013725111217608...

Amazing people are still ignorant of how to properly code a web application. Not to mention all the companies that likely still store passwords using a reversible algorithm and fail to separate and encrypt credit card information. What is this, 1994?

It's not that people don't know how to properly code a web application. It's that coding a web application with a strong and secure perimeter is more expensive, more effort, and difficult to QA (the perimeter) than building one without.

"Ship it."

I love the "ship it" here. Deadlines kill security. When you're under the gun to finish something as a dev, the first thing to go is the security mindset. The next thing to go is the "beautiful code" mindset, which leads to even more security issues. The problem is that by definition projects that have a critical deadline will usually be used by thousands of people or handle very important information.

It's a weird issue of "I need it now because it's important" and "I need it working well because it's important". Good, fast, cheap. Pick two.

Thanks for supporting my confirmation bias.

'SQL-injection vulnerabilities in the victim companies' websites'


How would one even go about doing this? Do you just keep trying different SSH key values?

I never understood how people can just magically "gain access" to servers.

It can be pretty enlightening to read the few postmortems of big hacks that do get published.

Another seemingly common scenario (aside from a direct attack on the server) is to spear-phish someone else inside the company, not necessarily an admin or anyone technical, into clicking on some flash applet or trojan'd excel doc or something that owns their machine, then install keyloggers, proxies, etc., and work from there until you snag a credential that lets you into the server you actually want.

In this case it was supposedly done using SQL injections: http://en.wikipedia.org/wiki/SQL_injection#Incorrectly_filte...

Was most of this done by SQL injection?

Looks like they used SQL injection to get passwords and then used those passwords to access the servers.

Yeah, and that's from the application layer down to the DB layer. I wonder how they were able to pass through the other layers of the stack. A heck of a lot of work, no wonder they'd spent "months" on it.


The article says that they used the injection to get hashed login credentials. Did they then use a rainbow table to reverse the hashing?

There are a wide myriad of ways that plaintext can be derived from password hashes. Rainbow tables are an option if they're not salted; otherwise the attackers likely had access to fairly significant computing power (considering the amount of money they were raking in) to perform typical dictionary + bruteforce attacks on them.
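The salting point in the comment above, as an added example that is not part of the original thread: identical passwords produce identical unsalted digests, so one table computed in advance reverses all of them, while a per-user random salt with a slow KDF gives every account a different digest. The plain dictionary here is a simplified stand-in for a rainbow table; the passwords, the iteration count and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # illustrative work factor, an assumption

def unsalted_sha256(password):
    """Weak storage: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_table(wordlist):
    """Digest-to-password table, computed once and reusable against any leak."""
    return {unsalted_sha256(word): word for word in wordlist}

def hash_password(password, salt=None):
    """Stronger storage: random 16-byte salt per user plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    table = build_table(["letmein", "hunter2", "password1"])  # constructed list
    leaked_unsalted = unsalted_sha256("hunter2")
    print("unsalted lookup:", table.get(leaked_unsalted))
    salt, digest = hash_password("hunter2")
    print("salted lookup:  ", table.get(digest.hex()))
    print("login still works:", verify_password("hunter2", salt, digest))
```

A salt does not stop dictionary guessing against one account; it forces the work to be repeated per account, and the KDF's iteration count makes each guess expensive.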

Is there a summary of the techniques used, the escalations taken? Does it compare to OWASP?

I just think it's funny that a hacksaw is now the international symbol for hacking.

Doesn't NASDAQ have some responsibility for this hack? Doesn't NASDAQ have serious security reputation issues now?

Reputation? The same company, one of whose chairmen ran the biggest known Ponzi scheme in recent financial times.

Blaming the victim? Nice.

If indeed it was a basic SQLi attack and NASDAQ failed to prevent it, then to some degree, yes, they're responsible. As a high-value target it's incumbent on them to secure their systems.

Here on HN we often say "security through obscurity is no security." Relying on the fact that it is "illegal" for someone to hack your system to prevent them from doing so is similarly flawed logic.

Yep. And depending on where the attackers are from, it might only be illegal in US jurisdiction anyway. So it's just plain negligence not to do your best. That said, it is a huge attack surface and it sounds like they had a lot of time and resources; they can afford to just wait to get lucky. NASDAQ had to be lucky ALL the time. /devils advocate - obviously someone f'd-up.

The victim isn't NASDAQ. The victims are the people who trusted NASDAQ. Parent is asking whether NASDAQ was negligent.

That path has dangers all around (though, financial regulations try somewhat, don't they?) but it's a different discussion than victim blaming.

This isn't a mugging or an assault.

This is a company charged with processing financial information that apparently didn't sufficiently protect the data.

I can see it now. NASDAQ brass participating in its own "slut walk" for "sloppy-seconds" developers and IT managers. "Just because I cut contracts for the lowest bidder doesn't mean I deserve to be penetrated!"
