Hacker warns Nasdaq.com of security holes

InfoWorld

(IDG) -- Web sites with financial news have become vital for investors. Imagine the disarray that could occur if a hacker took over such a site. A Dutch hacker claims he could have altered Nasdaq.com and three sites run by MarketWatch.com.

He didn't, however. Instead he warned the administrators at Nasdaq.com, CBS.MarketWatch.com, BigCharts.com, and FTMarketWatch.com. Now the security holes have been patched up and the hacker is disclosing his discoveries.

Gerrie Mansur, one of the leaders of Dutch hacking group Hit2000, gained access to the global.asa file from the Web servers of the news sites. This file regulates who gets access to what applications on the server. The file also defines what the applications can do and contains the global settings for the applications, as well as start-up and shutdown routines. Nasdaq's global.asa file contains the password to the site's main database, Mansur said.


The news sites run on IIS (Internet Information Server) software from Microsoft.

"Mansur took advantage of known security holes," said Marco van Berkum, a security specialist at Dutch IT security company Obit. Van Berkum guessed that the hacker used a well-known security hole called the Source Fragment Disclosure Vulnerability.

"Often the global.asa file will contain database passwords," Van Berkum said. "It looks like that was the case with Nasdaq."

Details of this particular vulnerability, or security hole, were published on the BugTraq mailing list on July 17. By adding "+.htr" to a request for a known .asa (or .asp, .ini, etc.) file, Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code that should otherwise be inaccessible. (A description of the vulnerability can be found via the link below.)
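The request pattern described above leaves a recognisable trace in IIS's W3C extended log: a server-side file name (global.asa, an .asp page, an .ini file) followed by ".htr". The following is an added example, not code from the article or from any of the sites it names, that sweeps such a log for that pattern and for direct requests to global.asa. The log lines are constructed for the example, the field order comes from the log's own #Fields header, and the list of sensitive extensions is an assumption chosen to match the file types the article mentions.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample of an IIS W3C extended log. These lines are made up for
# the example; they are not from Nasdaq.com or any site named in the article.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-17 10:01:02 192.0.2.10 GET /default.asp - 200
2000-07-17 10:01:05 192.0.2.10 GET /global.asa+.htr - 200
2000-07-17 10:01:09 192.0.2.10 GET /quotes/db.ini+.htr - 200
2000-07-17 10:02:30 192.0.2.55 GET /global.asa - 403
2000-07-17 10:03:00 192.0.2.77 GET /iisadmpwd/aexp.htr - 404
2000-07-17 10:04:12 192.0.2.88 GET /news/story.asp id=42 200
"""

# Server-side file types whose source must never reach a client (assumed list,
# matching the file types the article mentions).
SOURCE_EXTENSIONS = ("asa", "asp", "ini", "inc")

# A sensitive file name followed by ".htr". IIS logs a space in the request
# line as "+", so the separator between the two extensions is optional here.
HTR_SUFFIX = re.compile(
    r"\.(%s)\+?\.htr$" % "|".join(SOURCE_EXTENSIONS), re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int
    client: str
    uri: str
    status: int
    rule: str


def parse_w3c(text: str) -> Iterator[tuple[int, dict]]:
    """Yield (line_no, record) for each data line, naming the columns from the
    #Fields header so the parser is not tied to one field order."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header at line %d" % line_no)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the sweep
        yield line_no, dict(zip(fields, values))


def detect(text: str) -> list[Finding]:
    """Flag requests that look like .htr source disclosure attempts, noting
    whether the server answered 200 (source likely served) or not, and flag
    any direct request for global.asa."""
    findings = []
    for line_no, rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        if HTR_SUFFIX.search(stem):
            rule = "htr-source-disclosure" + ("-served" if status == 200 else "-blocked")
            findings.append(Finding(line_no, rec["c-ip"], stem, status, rule))
        elif stem.lower().endswith("/global.asa"):
            findings.append(Finding(line_no, rec["c-ip"], stem, status, "global.asa-request"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.uri} -> {f.status} [{f.rule}]")
```

A 200 on a flagged line is the case to treat as a probable disclosure and to rotate any credentials the file held; a 403 or 404 still records who probed. Removing the .htr extension from the IIS script map, which was Microsoft's general advice for the .htr handler problems of that era, takes the handler out of the request path entirely, and the sweep above then serves as a check that the unmapping actually took effect.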

Mansur, however, denied having used this method to hack into the servers.

"I did not use the Source Fragment Disclosure Vulnerability, but used an exploit I wrote myself," he said. The exploit is a software tool that Mansur developed and then used to gain access to the servers.

"I will not publish the exploit," Mansur said.

"People will start using it, and that's just too dangerous. I was able to log in as service administrator and get full access to the server. I could even kick the administrator."

The hacker warned all the involved Webmasters by e-mail. Dan Schindler, director of technical client service at CBSMarketWatch.com, responded by e-mail: "Many thanks for bringing this to our attention. We have installed a patch and deployed it to all our data centers. We appreciate your honesty and willingness to send this notification to us."




RELATED STORIES:
Hackers reject $10,000 offer to break code
September 18, 2000
New denial-of-service attack tool uses chat programs
September 6, 2000
Chinese company throws down gauntlet to hackers
August 28, 2000
Surf-for-pay sites jeopardized by hackers
August 18, 2000
Hackers are naughty and nice at Def Con
August 3, 2000

RELATED IDG.net STORIES:
Hacker Kevin Mitnick tells all
(The Industry Standard)
E-Trade says password security hole is fixed
(The Industry Standard)
Belgian algorithm selected by U.S. commerce department
(InfoWorld)
Suspect in Emulex hoax case indicted
(The Industry Standard)
FAA criticized for security neglect
(Computerworld)
Suspect arrested in NASA hack
(IDG.net)
Teen first to serve time for hacking
(IDG.net)
Keys to the privacy-enabled enterprise
(InfoWorld)

RELATED SITES:
SecurityFocus.com
Description of the vulnerability from SecurityFocus.com
MarketWatch.com, Inc.
The Nasdaq Stock Market, Inc.
