Hacking Capitalism

[scepticus]

Recent hacking incidents have shown that computer security is an illusion. Hackers have taken down defences at newspapers, defence departments,

alternative currency markets, major corporations and so on. 'State Hackers' invented the Stuxnet, in which a US/Israeli designed program penetrated Irans

industrial networks and caused major physical damage to Iran's nuclear program.

What's to stop these entities attacking the appendages of financial markets, everything from specific ETFs through to major clearing systems, financial

data networks (e.g. Bloomberg), or even central banks? The actors could be anarchist hackers, laid off traders, major governments (e.g. chinese), nefarious hedge funds

etc etc.

The modern capitalist system is absolutely predicated on secure electronic trading and information. Without that, it's dead. As more and more people

and collective groups are alienated by it, is the thing that will ultimately limit liquidity the security problem?

I'd like to solicit opinions on this subject. How could financial markets be attacked and what would the short and long term consequences be? I'm interested

in specific examples of the vulnerabilities of a specific ETF, stock, nation or financial sector player? Obviously I have no interest in (or capability to enact) such acts, I'm just a concerned investor.

[interestrateripoff]

Wouldn't asking why haven't these systems been hacked be a better question?

Imagine the profit that could be made if you could intercept and delay the buy/sell for a couple of seconds whilst you make a counter bid.

[scepticus]

Wouldn't asking why haven't these systems been hacked be a better question?

That is exactly my question.

[Injin]

Absolutely nothing.

There is also nothing stopping the very technically minded from setting up "fake" banks, piggybacking etc - and they have been doing.

This is my main argument for the inevitable return of metallics and other commodities as money - your local shopkeeper has to be able to perform the checks himself and be absolutely sure of the result. Relying on boffins ain't going to happen after a few big scams.

Edit - the reason these things "haven't happened" is the need to maintain confidence due to banking etc already being a scam. Reckon Mervyn King is going to come on the news and tell you half the trades yesterday were actualyl ********? Or that someone has faked up an ATM somewhere and buggered off with a small fortune after claiming technical issues?

Edited July 23, 2011 by Injin

[scepticus]

Oh, they already have:

http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

""So far, [the perpetrators] appear to have just been looking around," said one person involved in the Nasdaq matter. Another person familiar with the case said the incidents were, for a computer network, the equivalent of someone sneaking into a house and walking around but—apparently, so far—not taking or tampering with anything.

A spokesman for Nasdaq declined to comment.

A probe into the matter was initiated by the Secret Service and now includes the Federal Bureau of Investigation.

Read more: http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html#ixzz1SxqzLdN1"

Anyone else have a bad feeling about this?

[interestrateripoff]

That is exactly my question.

I read it more as what's stopping them from doing this.

Maybe they have and watched Superman and are just earning a decent living without attracting anyone's attention.

If you really want to get into conspiracy territory maybe the kids aren't doing it but the CIA is funding it's activities via intercepting market data? Please note this thought is after a couple of beers.

[Traktion]

Server and software security is always an arms race. Ultimately, it comes down to time and experience. Businesses need to ensure their efforts are sufficient to protect the systems. Sadly, many don't take it seriously enough and it's usually too late by the time it becomes obvious.

TBH though, many hacks come from fooling people into giving over their access details. 'Fishing' is often much easier than trying to break the security on institutions which take security seriously.

I would imagine that in banks, security is paramount, which may be why such hacks are rare.

[Traktion]

double post

Edited July 23, 2011 by Traktion

[scepticus]

'Fishing' is often much easier than trying to break the security on institutions which take security seriously.

I would imagine that in banks, security is paramount, which may be why such hacks are rare.

Sure, we can place fishing at the 'low threat' end of the spectrum. At the top end, you have Stuxnet.

Stuxnet was an 'industrial' virus that targeted specific programmable logic controllers (electronics that control factory automation systems). In this case,

it was the systems that controlled iran's nuclear enrichment centrifuges.

My question is about stuxnet level threats directed at financial systems. Stuxnet is believed to have been a state-sponsored activity. However that does not

mean that state level organisations are required for such attacks. Enough inside knowledge about how a given industrial or financial system works

would suffice,

[bmf]

Recent hacking incidents have shown that computer security is an illusion. Hackers have taken down defences at newspapers, defence departments,

alternative currency markets, major corporations and so on. 'State Hackers' invented the Stuxnet, in which a US/Israeli designed program penetrated Irans

industrial networks and caused major physical damage to Iran's nuclear program.

What's to stop these entities attacking the appendages of financial markets, everything from specific ETFs through to major clearing systems, financial

data networks (e.g. Bloomberg), or even central banks? The actors could be anarchist hackers, laid off traders, major governments (e.g. chinese), nefarious hedge funds

etc etc.

The modern capitalist system is absolutely predicated on secure electronic trading and information. Without that, it's dead. As more and more people

and collective groups are alienated by it, is the thing that will ultimately limit liquidity the security problem?

I'd like to solicit opinions on this subject. How could financial markets be attacked and what would the short and long term consequences be? I'm interested

in specific examples of the vulnerabilities of a specific ETF, stock, nation or financial sector player? Obviously I have no interest in (or capability to enact) such acts, I'm just a concerned investor.

Hi - ok you have a number of issues when it comes to accessing clearing systems or ETFs. All connectivity into exchanges is via leased lines - you have to be a registered company, hire a line into the exchange (via a reseller like TNS, BT Radianz etc). You can't interface with the LSE via the internet. So because someone fraudulent couldn't get a leased-line they have to go through a broker. That's an extra hop. Most lines into brokers are also leased-lines. Same issue.

If you wanted to attack a clearing house, how would you do that? Make up some trades? Who owns the shares you are accruing? You'd have to have a broker on both sides of the trade notify the clearing house then have them reconcile on this and pay it back to you. There are a number of cross-checks in this process. You can't just create an account, credit it with $1m and then transfer it to your Lloyds account.

Stuxnet wasn't something that subtly changed behaviour for the gain of an outsider. It completely shafted their systems. If you are talking about the same behaviour for an exchange then you are again taking about something very difficult. Stuxnet was done with state help. The US refused to state they were involved. Read into that what you will. Let's say you somehow slip a binary into a release at an exchange. It is going to send a stock down that you are going to short at 14:15. So you do it, you make your money on a massive short. The exchange roll back the release - you have had your one shot. They spot something suspicious and notify the exchange - that short is traced back to a broker then to your account. Better have a fake id, bank account and fake address. Sounds complicated. At this point wouldn't it be easier to set up your own MTF seeing as you are such a hot-shot? Or trade against the market yourself. Or just get a regular job and get paid. You are talking a big time investment as you need someone on the inside who doesn't mind pissing away his entire career and maybe going to jail. eg the Goldman guy who copied some of their code and got put in jail. He just copied code, he didn't try to skew the market for a scam.

[A.steve]

I read it more as what's stopping them from doing this.

The answer to this is simple: fear.

It's one thing to deface an insecure website - or to acquire inadequately protected documents. It's quite another matter to turn that situation to a profitable advantage... Where money is involved, you've both a trail that can be followed and a strong motivation for it to be diligently followed. Anonymity evaporates the moment money is involved.

I'm absolutely certain that computer misuse will feature alongside a significant portion of insider trading... There have also been numerous documented cases involving hacking and credit card fraud... a simple way to turn nefarious activity into cash.

Edited July 23, 2011 by A.steve

[rw42]

I sort of see it as a jenga deck made of a mix of gold and nitroglycerine - the challenge is to steal something of value without blowing the whole f*cking lot up.

[wonderpup]

Why worry about the illegitimate gaming the system to destruction when the 'legitimate' players seem hell bent on taking it down anyway?

[frenchy]

Wouldn't asking why haven't these systems been hacked be a better question?

Imagine the profit that could be made if you could intercept and delay the buy/sell for a couple of seconds whilst you make a counter bid.

it has already, it is called high frequency trading and it is legal! what a marvelous world we live in...

[DabHand]

it has already, it is called high frequency trading and it is legal! what a marvelous world we live in...

Ha, yeah l can only assume 'rate's comment was tongue in cheek, HFT pretty much does this already.

[stormymonday_2011]

Externally hacking entire IT systems and then manipulating them for personal gain is quite hard. You would need to know the full architectural specification, network design, security model , some knowledge of the software application and how it interacts with the databases. Without inside knowledge, your own project team and serious money behind you then it would be a big call. If you want to hack data for profit it is most vulnerable at the interfaces of systems after processing but before transmission between systems. Even then it is normally surrounded by security and encryption.

While controlling IT sytems is difficult breaking them is relatively simple. IT staff working for companies manage that legitimately every day of the working week.

Any cursory examination of the major incidents that routinely cross IT help desk will show you the major vulnerabilties. These include such things as failed power supplies (you would be amazed how fast entire systems go down after air conditioning failures in data centres); failed or damaged routers; misconfigured firewalls; incorrect security settings (GPOs etc). The actual software applications are often the least likely to cause a total system meltdown. In fact if you wanted to cause major problems you don't need a computer at all. A set of bolt cutters and a knowledge of which manhole covers to lift and cables to cut would suffice.

BTW the fact that has not yet been fully revealed yet from the News International NOTW scandal is that a lot of the information was not hacked at all. Instead it was extracted from the legitimate applications by corrupt insiders and sold for profit. This illegal trade in private data is likely to include not just the police but also government departments and some big private corporations. It will be interesting to see if the proposed public enquiry manages to somehow miss this huge stinking pile of crap.

Edited July 24, 2011 by stormymonday_2011

[interestrateripoff]

You are talking a big time investment as you need someone on the inside who doesn't mind pissing away his entire career and maybe going to jail. eg the Goldman guy who copied some of their code and got put in jail. He just copied code, he didn't try to skew the market for a scam.

Only the big boys get to skew the market with impunity.

[ParticleMan]

The view that security is about protecting your (or anyone else's) gold - at all - (and then drinking "drink me" so you can jump right down the rabbithole designing anti-anti-anti-anti missile missiles to protect it) is so 90's.

Mind the generational gap.

Edited July 24, 2011 by ParticleMan

[ParticleMan]

In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-

1/ Nature hates arbitrage

2/ Information security is information arbitrage

There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

[Injin]

In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-

1/ Nature hates arbitrage

2/ Information security is information arbitrage

There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

It is rather nice, therefore, to have information other people cannot actually understand or even emotionally tolerate.

Even if it's in their direct interests, and you openly tell them it.

[50sQuiff]

Oh, they already have:

http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

""So far, [the perpetrators] appear to have just been looking around," said one person involved in the Nasdaq matter. Another person familiar with the case said the incidents were, for a computer network, the equivalent of someone sneaking into a house and walking around but—apparently, so far—not taking or tampering with anything.

A spokesman for Nasdaq declined to comment.

A probe into the matter was initiated by the Secret Service and now includes the Federal Bureau of Investigation.

Read more: http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html#ixzz1SxqzLdN1"

Anyone else have a bad feeling about this?

If the whole system is predicated on IT security - which seems to be an oxymoron - then we could be cruising for a bruising.

If kids with apparent personality disorders are so effective, what are the MIT crowd and Commie equivalent capable of?

[scepticus]

Externally hacking entire IT systems and then manipulating them for personal gain is quite hard.

LulzSec and anonymous don't do what they do for personal gain, they just want to stuff things up. That is much easier than actually turning a profit from such activities, and this is where I feel the main threat lies. That, and activities by states.

You would need to know the full architectural specification, network design, security model , some knowledge of the software application and how it interacts with the databases. Without inside knowledge, your own project team and serious money behind you then it would be a big call. If you want to hack data for profit it is most vulnerable at the interfaces of systems after processing but before transmission between systems. Even then it is normally surrounded by security and encryption.

Much of that can be reverse engineered, although I agree it would be time consuming. But a lot of these hackers work using a stigmergy like process (look that up), so given individuals need not spend vast amounts of time themselves.

[scepticus]

In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-

1/ Nature hates arbitrage

2/ Information security is information arbitrage

Yes I get that, that's what my blog is all about. Incidentally, central bank base rates are also information arbitrage. That's why they've gone away.

There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

Agreed. But where does alpha come from if not from proprietary information?

Also, our private lives are arguably 'proprietary information'.

[A.steve]

In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-

1/ Nature hates arbitrage

2/ Information security is information arbitrage

There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

I think your metaphor of arbitrage for espionage is interesting - but I don't share your view that proprietary information (secrets) are dying.

Any 'secret' that is available to a few thousand (or a few million) employees is no secret at all. Osama bin Laden had secrets - he took them to his grave. That's the fascinating thing about secrets - you don't get to know about them.

It is ironic that the most likely consequences arising from this 'hacking scandal' (which, frankly, was so low-tech that it seems an error to label it hacking) will be to increase secrecy. Legitimate press now have strong disincentive to engage in investigative journalism (not that I apply that label to activities at NoW and its sleazy tabloid rags)... secondly, absolutely everyone moving in the upper echelons of society are now aware that they're of interest to snoopers... so will be more cautious than ever before with emails, phone calls and messages. Technology strongly favours the side of maintaining secrecy - even if people are extremely bad at using such technology. I anticipate, over the next few years, emerging secure communications for the mass market - initially targeting celebrity - then, once endorsed - being adopted by the population at large. If these new consumer-level facilities are implemented honestly, it will dramatically undermine any efforts to infiltrate private communication - be that by law-enforcement; foreign governments; criminals or the press. It has the scope to change the world forever.

Edited July 24, 2011 by A.steve

[stormymonday_2011]

LulzSec and anonymous don't do what they do for personal gain, they just want to stuff things up. That is much easier than actually turning a profit from such activities, and this is where I feel the main threat lies. That, and activities by states.

Much of that can be reverse engineered, although I agree it would be time consuming. But a lot of these hackers work using a stigmergy like process (look that up), so given individuals need not spend vast amounts of time themselves.

Very interesting but to be honest if I wanted most forms of protected or confidential data it would be simpler and cheaper to bribe an insider (probably via a third party cut out) to get it for me. This is exactly what UK newspapers have been doing. In fact I suspect this rather than voicemail eavesdropping is where a lot of their information was obtained.