scepticus Posted July 23, 2011

Recent hacking incidents have shown that computer security is an illusion. Hackers have taken down defences at newspapers, defence departments, alternative currency markets, major corporations and so on. 'State Hackers' invented the Stuxnet, in which a US/Israeli designed program penetrated Iran's industrial networks and caused major physical damage to Iran's nuclear program.

What's to stop these entities attacking the appendages of financial markets, everything from specific ETFs through to major clearing systems, financial data networks (e.g. Bloomberg), or even central banks? The actors could be anarchist hackers, laid off traders, major governments (e.g. Chinese), nefarious hedge funds etc etc.

The modern capitalist system is absolutely predicated on secure electronic trading and information. Without that, it's dead. As more and more people and collective groups are alienated by it, is the thing that will ultimately limit liquidity the security problem?

I'd like to solicit opinions on this subject. How could financial markets be attacked and what would the short and long term consequences be? I'm interested in specific examples of the vulnerabilities of a specific ETF, stock, nation or financial sector player? Obviously I have no interest in (or capability to enact) such acts, I'm just a concerned investor.

interestrateripoff Posted July 23, 2011

Wouldn't asking why haven't these systems been hacked be a better question? Imagine the profit that could be made if you could intercept and delay the buy/sell for a couple of seconds whilst you make a counter bid.

scepticus Posted July 23, 2011 Author

> Wouldn't asking why haven't these systems been hacked be a better question?

That is exactly my question.

Injin Posted July 23, 2011 (edited)

Absolutely nothing. There is also nothing stopping the very technically minded from setting up "fake" banks, piggybacking etc - and they have been doing.

This is my main argument for the inevitable return of metallics and other commodities as money - your local shopkeeper has to be able to perform the checks himself and be absolutely sure of the result. Relying on boffins ain't going to happen after a few big scams.

Edit - the reason these things "haven't happened" is the need to maintain confidence due to banking etc already being a scam. Reckon Mervyn King is going to come on the news and tell you half the trades yesterday were actually ********? Or that someone has faked up an ATM somewhere and buggered off with a small fortune after claiming technical issues?

Edited July 23, 2011 by Injin

scepticus Posted July 23, 2011 Author

Oh, they already have:

http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html

""So far, [the perpetrators] appear to have just been looking around," said one person involved in the Nasdaq matter. Another person familiar with the case said the incidents were, for a computer network, the equivalent of someone sneaking into a house and walking around but—apparently, so far—not taking or tampering with anything. A spokesman for Nasdaq declined to comment. A probe into the matter was initiated by the Secret Service and now includes the Federal Bureau of Investigation.

Read more: http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html#ixzz1SxqzLdN1"

Anyone else have a bad feeling about this?

interestrateripoff Posted July 23, 2011

> That is exactly my question.

I read it more as what's stopping them from doing this. Maybe they have and watched Superman and are just earning a decent living without attracting anyone's attention.

If you really want to get into conspiracy territory maybe the kids aren't doing it but the CIA is funding its activities via intercepting market data? Please note this thought is after a couple of beers.

Traktion Posted July 23, 2011

Server and software security is always an arms race. Ultimately, it comes down to time and experience. Businesses need to ensure their efforts are sufficient to protect the systems. Sadly, many don't take it seriously enough and it's usually too late by the time it becomes obvious.

TBH though, many hacks come from fooling people into giving over their access details. 'Phishing' is often much easier than trying to break the security on institutions which take security seriously. I would imagine that in banks, security is paramount, which may be why such hacks are rare.

scepticus Posted July 23, 2011 Author

> 'Phishing' is often much easier than trying to break the security on institutions which take security seriously. I would imagine that in banks, security is paramount, which may be why such hacks are rare.

Sure, we can place phishing at the 'low threat' end of the spectrum. At the top end, you have Stuxnet. Stuxnet was an 'industrial' virus that targeted specific programmable logic controllers (electronics that control factory automation systems). In this case, it was the systems that controlled Iran's nuclear enrichment centrifuges.

My question is about Stuxnet level threats directed at financial systems. Stuxnet is believed to have been a state-sponsored activity. However that does not mean that state level organisations are required for such attacks. Enough inside knowledge about how a given industrial or financial system works would suffice.

bmf Posted July 23, 2011

> Recent hacking incidents have shown that computer security is an illusion. Hackers have taken down defences at newspapers, defence departments, alternative currency markets, major corporations and so on. 'State Hackers' invented the Stuxnet, in which a US/Israeli designed program penetrated Iran's industrial networks and caused major physical damage to Iran's nuclear program.
>
> What's to stop these entities attacking the appendages of financial markets, everything from specific ETFs through to major clearing systems, financial data networks (e.g. Bloomberg), or even central banks? The actors could be anarchist hackers, laid off traders, major governments (e.g. Chinese), nefarious hedge funds etc etc.
>
> The modern capitalist system is absolutely predicated on secure electronic trading and information. Without that, it's dead. As more and more people and collective groups are alienated by it, is the thing that will ultimately limit liquidity the security problem?
>
> I'd like to solicit opinions on this subject. How could financial markets be attacked and what would the short and long term consequences be? I'm interested in specific examples of the vulnerabilities of a specific ETF, stock, nation or financial sector player? Obviously I have no interest in (or capability to enact) such acts, I'm just a concerned investor.

Hi - ok you have a number of issues when it comes to accessing clearing systems or ETFs.

All connectivity into exchanges is via leased lines - you have to be a registered company, hire a line into the exchange (via a reseller like TNS, BT Radianz etc). You can't interface with the LSE via the internet. So because someone fraudulent couldn't get a leased-line they have to go through a broker. That's an extra hop. Most lines into brokers are also leased-lines. Same issue.

If you wanted to attack a clearing house, how would you do that? Make up some trades? Who owns the shares you are accruing? You'd have to have a broker on both sides of the trade notify the clearing house then have them reconcile on this and pay it back to you. There are a number of cross-checks in this process. You can't just create an account, credit it with $1m and then transfer it to your Lloyds account.

Stuxnet wasn't something that subtly changed behaviour for the gain of an outsider. It completely shafted their systems. If you are talking about the same behaviour for an exchange then you are again talking about something very difficult. Stuxnet was done with state help. The US refused to state they were involved. Read into that what you will.

Let's say you somehow slip a binary into a release at an exchange. It is going to send a stock down that you are going to short at 14:15. So you do it, you make your money on a massive short. The exchange roll back the release - you have had your one shot. They spot something suspicious and notify the exchange - that short is traced back to a broker then to your account. Better have a fake ID, bank account and fake address. Sounds complicated. At this point wouldn't it be easier to set up your own MTF seeing as you are such a hot-shot? Or trade against the market yourself. Or just get a regular job and get paid.

You are talking a big time investment as you need someone on the inside who doesn't mind pissing away his entire career and maybe going to jail. eg the Goldman guy who copied some of their code and got put in jail. He just copied code, he didn't try to skew the market for a scam.

A.steve Posted July 23, 2011 (edited)

> I read it more as what's stopping them from doing this.

The answer to this is simple: fear.

It's one thing to deface an insecure website - or to acquire inadequately protected documents. It's quite another matter to turn that situation to a profitable advantage... Where money is involved, you've both a trail that can be followed and a strong motivation for it to be diligently followed. Anonymity evaporates the moment money is involved.

I'm absolutely certain that computer misuse will feature alongside a significant portion of insider trading... There have also been numerous documented cases involving hacking and credit card fraud... a simple way to turn nefarious activity into cash.

Edited July 23, 2011 by A.steve

rw42 Posted July 23, 2011

I sort of see it as a jenga deck made of a mix of gold and nitroglycerine - the challenge is to steal something of value without blowing the whole f*cking lot up.

wonderpup Posted July 23, 2011

Why worry about the illegitimate gaming the system to destruction when the 'legitimate' players seem hell bent on taking it down anyway?

frenchy Posted July 24, 2011

> Wouldn't asking why haven't these systems been hacked be a better question? Imagine the profit that could be made if you could intercept and delay the buy/sell for a couple of seconds whilst you make a counter bid.

It has already, it is called high frequency trading and it is legal! What a marvelous world we live in...

DabHand Posted July 24, 2011

> It has already, it is called high frequency trading and it is legal! What a marvelous world we live in...

Ha, yeah I can only assume 'rate's comment was tongue in cheek, HFT pretty much does this already.

stormymonday_2011 Posted July 24, 2011 (edited)

Externally hacking entire IT systems and then manipulating them for personal gain is quite hard. You would need to know the full architectural specification, network design, security model, some knowledge of the software application and how it interacts with the databases. Without inside knowledge, your own project team and serious money behind you then it would be a big call. If you want to hack data for profit it is most vulnerable at the interfaces of systems after processing but before transmission between systems. Even then it is normally surrounded by security and encryption.

While controlling IT systems is difficult breaking them is relatively simple. IT staff working for companies manage that legitimately every day of the working week. Any cursory examination of the major incidents that routinely cross IT help desk will show you the major vulnerabilities. These include such things as failed power supplies (you would be amazed how fast entire systems go down after air conditioning failures in data centres); failed or damaged routers; misconfigured firewalls; incorrect security settings (GPOs etc). The actual software applications are often the least likely to cause a total system meltdown. In fact if you wanted to cause major problems you don't need a computer at all. A set of bolt cutters and a knowledge of which manhole covers to lift and cables to cut would suffice.

BTW the fact that has not yet been fully revealed yet from the News International NOTW scandal is that a lot of the information was not hacked at all. Instead it was extracted from the legitimate applications by corrupt insiders and sold for profit. This illegal trade in private data is likely to include not just the police but also government departments and some big private corporations. It will be interesting to see if the proposed public enquiry manages to somehow miss this huge stinking pile of crap.

Edited July 24, 2011 by stormymonday_2011

interestrateripoff Posted July 24, 2011

> You are talking a big time investment as you need someone on the inside who doesn't mind pissing away his entire career and maybe going to jail. eg the Goldman guy who copied some of their code and got put in jail. He just copied code, he didn't try to skew the market for a scam.

Only the big boys get to skew the market with impunity.

ParticleMan Posted July 24, 2011 (edited)

The view that security is about protecting your (or anyone else's) gold - at all - (and then drinking "drink me" so you can jump right down the rabbithole designing anti-anti-anti-anti missile missiles to protect it) is so 90's.

Mind the generational gap.

Edited July 24, 2011 by ParticleMan

ParticleMan Posted July 24, 2011

In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-

1/ Nature hates arbitrage
2/ Information security is information arbitrage

There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

Injin Posted July 24, 2011

> In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-
>
> 1/ Nature hates arbitrage
> 2/ Information security is information arbitrage
>
> There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

It is rather nice, therefore, to have information other people cannot actually understand or even emotionally tolerate. Even if it's in their direct interests, and you openly tell them it.

50sQuiff Posted July 24, 2011

> Oh, they already have:
>
> http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html
>
> ""So far, [the perpetrators] appear to have just been looking around," said one person involved in the Nasdaq matter. Another person familiar with the case said the incidents were, for a computer network, the equivalent of someone sneaking into a house and walking around but—apparently, so far—not taking or tampering with anything. A spokesman for Nasdaq declined to comment. A probe into the matter was initiated by the Secret Service and now includes the Federal Bureau of Investigation.
>
> Read more: http://online.wsj.com/article/SB10001424052748704709304576124502351634690.html#ixzz1SxqzLdN1"
>
> Anyone else have a bad feeling about this?

If the whole system is predicated on IT security - which seems to be an oxymoron - then we could be cruising for a bruising.

If kids with apparent personality disorders are so effective, what are the MIT crowd and Commie equivalent capable of?

scepticus Posted July 24, 2011 Author

> Externally hacking entire IT systems and then manipulating them for personal gain is quite hard.

LulzSec and Anonymous don't do what they do for personal gain, they just want to stuff things up. That is much easier than actually turning a profit from such activities, and this is where I feel the main threat lies. That, and activities by states.

> You would need to know the full architectural specification, network design, security model, some knowledge of the software application and how it interacts with the databases. Without inside knowledge, your own project team and serious money behind you then it would be a big call. If you want to hack data for profit it is most vulnerable at the interfaces of systems after processing but before transmission between systems. Even then it is normally surrounded by security and encryption.

Much of that can be reverse engineered, although I agree it would be time consuming. But a lot of these hackers work using a stigmergy-like process (look that up), so given individuals need not spend vast amounts of time themselves.

scepticus Posted July 24, 2011 Author

> In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-
>
> 1/ Nature hates arbitrage
> 2/ Information security is information arbitrage

Yes I get that, that's what my blog is all about. Incidentally, central bank base rates are also information arbitrage. That's why they've gone away.

> There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

Agreed. But where does alpha come from if not from proprietary information? Also, our private lives are arguably 'proprietary information'.

A.steve Posted July 24, 2011 (edited)

> In fact if the OP really wants to understand what's been going on (since Q310 or so) they need to warp their mind around two concepts :-
>
> 1/ Nature hates arbitrage
> 2/ Information security is information arbitrage
>
> There's a kind of evolutionary sift happening at the moment; the dinosaurs (who rely on proprietary information remaining so) are dying.

I think your metaphor of arbitrage for espionage is interesting - but I don't share your view that proprietary information (secrets) are dying. Any 'secret' that is available to a few thousand (or a few million) employees is no secret at all. Osama bin Laden had secrets - he took them to his grave. That's the fascinating thing about secrets - you don't get to know about them.

It is ironic that the most likely consequences arising from this 'hacking scandal' (which, frankly, was so low-tech that it seems an error to label it hacking) will be to increase secrecy. Legitimate press now have strong disincentive to engage in investigative journalism (not that I apply that label to activities at NoW and its sleazy tabloid rags)... secondly, absolutely everyone moving in the upper echelons of society are now aware that they're of interest to snoopers... so will be more cautious than ever before with emails, phone calls and messages.

Technology strongly favours the side of maintaining secrecy - even if people are extremely bad at using such technology. I anticipate, over the next few years, emerging secure communications for the mass market - initially targeting celebrity - then, once endorsed - being adopted by the population at large. If these new consumer-level facilities are implemented honestly, it will dramatically undermine any efforts to infiltrate private communication - be that by law-enforcement; foreign governments; criminals or the press. It has the scope to change the world forever.

Edited July 24, 2011 by A.steve

stormymonday_2011 Posted July 24, 2011

> LulzSec and Anonymous don't do what they do for personal gain, they just want to stuff things up. That is much easier than actually turning a profit from such activities, and this is where I feel the main threat lies. That, and activities by states.
>
> Much of that can be reverse engineered, although I agree it would be time consuming. But a lot of these hackers work using a stigmergy-like process (look that up), so given individuals need not spend vast amounts of time themselves.

Very interesting but to be honest if I wanted most forms of protected or confidential data it would be simpler and cheaper to bribe an insider (probably via a third party cut out) to get it for me. This is exactly what UK newspapers have been doing. In fact I suspect this rather than voicemail eavesdropping is where a lot of their information was obtained.