InfoSec News

XSS attack

NASDAQ Vulnerable to XSS

By

Dream it, Do it, NASDAQ

By William Knowles @c4i
Senior Editor
InfoSec News
January 16, 2015

Bob Greifeld, CEO of The NASDAQ Stock Market explains in a promotional video “that NASDAQ is a technology-based company, those businesses that we’re in have a unifying theme that are built upon our technology.”

Top technology companies such as GoogleTeslaAmazon, and GoPro to name a few use NASDAQ as their trading exchange.

When NASDAQ “goes to a developing market and provide to them our technology, its not just the software code, its all the best practices that have been developed on a global basis that they to integrate into their operations.

With this information in mind, it doesn’t explain why a security researcher named analfabestia was able to discover and report a new XSS (Cross-Site Scripting) vulnerability on NASDAQ.com on January 14, 2015, The sixth such vulnerability in nearly seven years.

The vulnerability reported to XSSposed (XSS exposed) is still unpatched putting NASDAQ users, visitors and administrators at risk of being compromised by malicious hackers. Theft of cookies, personal data, authentication credentials and browser history are probably the less dangerous consequences of XSS attacks.

NASDAQ was previously hacked back in 2010, Bloomberg BusinessWeek covered this in July 2014.

Nasdaq (NASDAQ: NDAQ) is a leading provider of trading, exchange technology, information and public company services across six continents. Through its diverse portfolio of solutions, Nasdaq enables customers to plan, optimize and execute their business vision with confidence, using proven technologies that provide transparency and insight for navigating today’s global capital markets.

Photo: Marc van der Chijs via CompfightCreative Commons License

DoD 8570 InfoSec Training and Compliance Vendors Vulnerable to XSS

By

CVC8

By William Knowles @c4i
Senior Editor
InfoSec News
July 1, 2014

XSSposed (XSS exposed) is reporting that the Web sites of both the InfoSec Institute and the EC-Council are vulnerable to a Cross-site scripting (XSS) attack.

Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to a bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013.

According to XSSposed, the InfoSec Institute has not onetwothreefourfivesix, but SEVEN XSS vulnerabilities discovered this week.

This most recent XSS vulnerability to the EC-Council is to their portal page where their customers sign in. This is not the only XSS vulnerability to their site, The Hacker News reported one back in 2011 and Rafay Baloch and Deepanker Arora discovered another in 2013.

In a previous Web defacement statement, the “EC-Council takes the privacy and confidentiality of their customers very seriously.” Regardless, the EC-Council Web site was compromised three times during a single week in February 2014. Since the breach, EC Council has neither confirmed nor denied allegations that the attacker exfiltrated thousands of passports, drivers. licenses, government, and military Common Access Cards (CAC).

It seems neither organization is practicing what they preach for thousands of taxpayer’s dollars training the next generation of cyber warriors.

A (supposedly) expert team of information security instructors founded the InfoSec Institute in 1998. Their goal was to build a business by offering the best possible training experience for students.’ ‘InfoSec Institute deeply understands the needs of today’s IT professionals and is best positioned to offer world-class training.

The EC-Council is an Albuquerque New Mexico based organization that offers security professionals a reasonably inexpensive certificate among other security certificates to be compliant with Department of Defense standard 8570.

 

Photo by Richard Termine Photography