FTSE reviews website policy after hack

A website run by stock exchange indices company FTSE, co-owned by the London Stock Exchange (LSE) and the Financial Times (FT), was defaced on Friday morning, prompting a security review at the firm.

The hack, a simple defacement by a relatively unknown group of hackers calling themselves 'katkrew', posted a web page over the top of ft-se.co.uk, one of two URLs pointing to a public information website run by the company.

No confidential data is thought to have been present on the website, which runs Netscape 3.0 on Sun's Unix operating system, Solaris.

Donald Keith, managing director of FTSE Europe, confirmed that the website had been hacked. He told vnunet.com: "There was a breach this morning but no business-critical data was affected. We do take this very seriously. I'm particularly concerned about this issue and we will review how the breach took place and what steps can be taken to ensure it doesn't happen again."

Keith said the company was in the process of implementing a new ecommerce strategy for www.ftse.com, the other address of the current website.

Experts said this morning's attack may have been made possible because the website was running old software, and that FTSE may have got off lightly.

Chris McNab, network security analyst at MIS Corporate Defence Solutions, said: "Solaris is difficult to hack these days. It's a bit suspect that they're running such an old version of Netscape. You'd expect financial institutions to have a much more proactive security policy as most hackers prey on those websites who are slow in updating and patching their software."

He also said that similar hacks on US stock exchange websites had been far more complicated, taking as long as nine months from placing entry points into a network, so-called back doors which only the hacker knows about, to exploiting the hole.

"I'm personally surprised the hackers defaced the website rather than put in tools, such as network sniffers or back doors. That, and the fact that I've never heard of these hackers, suggests it was probably the work of opportunists," said McNab.

"If they had put in tools, they could have worked towards attacking the FT.com website or perhaps the LSE website, which would have been much more damaging," he added.

However, Gavin Day, director of IT and operations at FTSE, ruled out any possible implications for FT.com or the LSE. He explained that the FTSE website was run from a dedicated server and that the only links to either of the other websites were HTML links on a web page. He did admit that the firm had been running old software on its website but said this would change.

"We used Netscape 3.0 on Solaris on the current website because it contained no business-critical data - it is purely for marketing purposes. In the near future, we will be implementing a new ecommerce strategy which will include running the very latest versions of software," said Day.

Blue-chip and security companies that have suffered attacks which have made headlines this year include:

Network Associates , Microsoft , HSBC , Barclays , Powergen , Woolworth's , Credit Suisse , Safeway , a href=http://www.vnunet.com/news/1108897>Bloomberg .