Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Hacking of NASDAQ

Unknown Lamer posted about a month and a half ago | from the tales-of-hacking-and-intrigue dept.

Security 76

puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"

cancel ×

76 comments

Sorry! There are no comments related to the filter you selected.

The market is rigged already (4, Insightful)

Anonymous Coward | about a month and a half ago | (#47476611)

Would we even notice if it was hacked?

Re:The market is rigged already (5, Insightful)

GameboyRMH (1153867) | about a month and a half ago | (#47476725)

Exactly. Do your worst, black hats. The system's already rooted by Wall Street bankers.

Re:The market is rigged already (1)

Anonymous Coward | about a month and a half ago | (#47477689)

..and, why, xactly, was the OP troll-Modded?

Consider the following scenario - you place an order to purchase a book on Amazon, or ebay, you press "One Click Buy", and..

you then get an email from some pondlife, informing you he has just intercepted your communications, and taken over your purchase - but you can still have your book, plus a small fee for him, of course.

Difference being, they don't even inform you of the fact, just charge you.. - Like, why is this shit even legal?

As the OP stated, Hell, Hack away, everyone else does - and if you can't beat them, or outlaw them, may as well join them.

Re:The market is rigged already (5, Insightful)

GameboyRMH (1153867) | about a month and a half ago | (#47477771)

That's not a perfect analogy, but it's not too far off.

It's more like this. There's a classifieds forum which regular users can refresh once every 10 minutes. Special users with a paid subscription can refresh once per second.

You post "Bicycle wanted, will pay up to $500" and someone else posts "Bicycle for sale, $400" then the speedy special user buys the bicycle for $400 and puts it up for sale for $500 before you or the seller can refresh (at best, when they're not doing even shadier things like spamming the forum with fake Wanted posts etc).

Somehow this is supposed to produce value. I think it has a similar effect on the economy to either robbery or counterfeiting currency. I can see no way this produces any value.

Re:The market is rigged already (4, Insightful)

lgw (121541) | about a month and a half ago | (#47478343)

You've got it completely backwards, is the thing. Don't worry, most people get this backwards, because they reason from "these guys must be evil" to "ahh, so it must work like this".

It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK:
* Mr B posts "Bicycle wanted, will pay up to $500"
* Mr S posts "Bicycle for sale, $600"
* Special user says "OK, now buying bikes for $520, selling for $580"
* You post "buying 1 bike, best price".

You get the bike $20 cheaper. The market maker takes a risk here: that he can balance buys and sells, and not get left holding the bag when the price changes.

But the story gets better:
* Special user 2 says "Oh, I see you Special 1, I'm now buying bikes for $525, selling for $575, hey, $50 a bike is better than nothing.
* Special user 1 says "Oh no you didn, Buying for $530, selling for $570"
* Very quickly it's $550/$551.

You get the bike for $551, $49 cheaper. I've seen this happen over the past 15 years, where the bid-ask gap shrank by that much on options. Competition is so fierce you see sub-cent pricing now: you'll get filled at $550.0001 or $549.9999 sometimes, because in very active markets these guys can make a killing with less then 1 cent profit.

Do you see now why it adds value?

Re:The market is rigged already (1)

crimson tsunami (3395179) | about a month and a half ago | (#47479671)

It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK: * Mr B posts "Bicycle wanted, will pay up to $500" * Mr S posts "Bicycle for sale, $600" * Special user says "OK, now buying bikes for $520, selling for $580" * You post "buying 1 bike, best price".

This is pants on head retarded.
If the Special user can just create bikes out of thin air, he should just set up a bike shop and sell them for $500.
In the real world, where is he getting his bikes from? Mr S wont sell his for anything less than $600 and Mr B is buying.
What really happens is that Special user sees you want a bike and are too stupid to name a price, so he quickly buys the $600 bike and realising the next best price is $610, sells it to you for $609.99
If you want to add in more competing special leechers, they all bid/cancel spam each other $609 $608 etc. and you end up paying $600.01 Best case you were only ripped off 1 cent.

Re:The market is rigged already (1)

lgw (121541) | about a month and a half ago | (#47484117)

In the real world, where is he getting his bikes from?

Like I said, he hopes to balance buys and sells. If 100 people sell at his price, and 100 people buy at his price, he needs no bikes. If he's off by 1 or 2, he'll trade with Mr B or Mr S, and still do OK. But he does take a real risk.

Anyhow, that's how it really works. Remember, we're talking about markets that trade billions of shares a day, so the metaphor only stretches so far.

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47487345)

So he's not providing the liquidity he claims and is relying on other people already selling and buying and trying to scavenge a bit from both. Without him the 100 buy and sell to each other and are better off.
Or in the real market the billions of trades would happen anyway without him and the actual investors would be keeping the money the HFT would have otherwise leached out of the system. Spreads were already decreasing long before high frequency trading appeared.

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47479873)

> You get the bike for $551, $49 cheaper. I've seen this happen over the past 15 years, where the bid-ask gap shrank by that much on options. Competition is so fierce you see sub-cent pricing now: you'll get filled at $550.0001 or $549.9999 sometimes, because in very active markets these guys can make a killing with less then 1 cent profit.

yup. right into the thiefs pocket, who is neither buying or selling a bike - only taking a cut out of each and every transaction. That $50.00 loss is posted against a $50.00 savings. Whose to say the buyer wouldn't have upped his offer, or the seller lowered his, to meet market demand? i.e. only an idiot counts the reduction in bid/ask as a savings...

Re:The market is rigged already (1)

jaitropmange (1444507) | about a month and a half ago | (#47480167)

Either you allow the market maker to take the bid / ask spread or you pay a broker a commission to get you the market price. Either way you give up a little to have access to a convenient centralized market. This seems reasonable, but maybe you'd prefer to buy and sell your securities on craigslist? ;-)

Re:The market is rigged already (1)

Anonymous Coward | about a month and a half ago | (#47480135)

No. All I see is that money was transferred. None of them actually made the bike. Making the bike is creating actual value. Whizzing money around with sub-cent profits that depend on latency is just a giant scheme. Sooner or later the limit of latency will be reached - the laws of physics will see to that. Anyone not standing at the absolute minimum will be left holding their dick in their hand.

We need to get back to broadening the ability to create actual value by making shit.

Re:The market is rigged already (2)

Fred Mitchell (3717323) | about a month and a half ago | (#47480209)

I really think using bikes is a bad analogy (unless you are discussing Futures markets, but even then!!)

They are exchanging one token for another. They are exchanging the money tokens for corporate tokens (in the case of the equities market). The only real thing you can do with most corporate tokens these days is to trade it back for the money tokens.

Some stocks, a few, still pay dividends, but most do not. And voting rights??? Hahaha! Unless you can own 51% of the corporate stock, your votes are nothing. And in many cases some owners DO maintain 51% just to quell the voice of the other stock holders....

The market is not "rigged", per se, but neither is it the smooth-talking bit that many try to sell you on. The true nature of the stock market is a zero-sum game, a free-running and legalized Ponzi scheme. And when I say zero-sum, I mean it in the mathematical sense. It kills me that some of our specialized and technical jargon has slipped out into the popular media and have taken on completely different meanings than were intended.

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47481467)

It's unbelievably shocking that you think this "adds value". Could you give us your definition of "value"? Because it seems to be, "putting cash magically in the pockets of someone who isn't producing anything at all, and who is just leeching off a corrupted system".

Re:The market is rigged already (1)

GameboyRMH (1153867) | about a month and a half ago | (#47481505)

Nope I gotta agree with all the other people who have replied to you. I can't figure out how this is adding value. To me it just doesn't compute. Why did the seller sell the bike for less than $600? Why did the buyer pay more than $500? If they're willing to compromise, couldn't they have done the transaction directly and saved money without the middleman?

Re:The market is rigged already (1)

lgw (121541) | about a month and a half ago | (#47484163)

You're missing the entire point here. If the buyer and seller agree on a price, the trade just happens, no market maker needed, the end. All done.

But after all possible trades like that are done you're left with the "bid" and "ask" prices, where the seller and buyer are willing to stand on their prices and not compromise. Any good financial tool will show you the bid/ask for any exchange - you can check it out and see I'm not making this up.

Where the market maker adds value is in making it cheaper for the weak trader, the guy like me who doesn't have the time to play the game, who just wants a stock or bond at a fair price (given today's market mood), and so you just buys or sells "at market". I, the little guy get a better price. I've seen real evolution over the past 15 years in this, and it's like a tax of a few % has been lifted. Inefficient markets suck.

Re:The market is rigged already (1)

GameboyRMH (1153867) | about a month and a half ago | (#47486141)

OK, so it's good for people like you who don't want to shop around for a good price. But what about those who do? They don't have the option of not going through these middlemen unless they are faster. So which is greater, the savings to those who don't want to shop around or the losses to those who do?

Re:The market is rigged already (1)

lgw (121541) | about a month and a half ago | (#47486411)

Well, these are exchanges, so "shop around for a better price" isn't really a thing. What you can't do is profit from someone not paying much attention - profit from the inefficiency of the market. And that's a good thing: there should be no game to play, no skill at haggling required, nor deep understanding of market mechanics, simply to execute a trade. Deciding what price you're willing to buy or sell at is where the smarts belong, but if you buy something by mistake, and turn around and sell it 2 minutes later, that should cost you as little as possible.

Re:The market is rigged already (1)

GameboyRMH (1153867) | about a month and a half ago | (#47486643)

It has to be possible to make money by "shopping around," or the HFT companies wouldn't be making money, and you wouldn't be saving any. Even if it's a miniscule amount for each trader, their total impact comes down to the balance between the savings for the "weak traders" and the losses for everyone else.

Re:The market is rigged already (1)

lgw (121541) | about a month and a half ago | (#47486717)

Well, maybe I don't know what you mean by "shop around". There may be multiple exchanges selling the same thing (though not for stocks), and you usually aren't even aware if which one your broker deals with, as arbitrage keeps prices the same on all of them at faster than human scale these days - another example of making markets efficient.

The market makers simply trade on the exchange, filling orders at better prices than the bid/ask would be without them there. Because they trade so frequently, they can make good money off of quite a small price difference between what they buy and sell at.

You seem worried about these "losses for everyone else", but the market makers aren't siphoning off a % of each trade or anything like that. The only ones hurt are real parasites on the system: those who would profit from inattentive traders, by taking advantage of a thin market for price gouging.

It really seems like you're trying to argue "they add no value, because they must be taking money form someone, because they add no value."

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47487899)

It really seems like you're trying to argue "they add no value, because they must be taking money form someone, because they add no value."

They must take out more value (than they could possibly even theoretically add) or else they would be broke.
Unless you're claiming they are charities?
Having faster access and using it to profit is of no benefit to anyone but themselves.

Where the market maker adds value is in making it cheaper for the weak trader, the guy like me who doesn't have the time to play the game, who just wants a stock or bond at a fair price (given today's market mood), and so you just buys or sells "at market". I, the little guy get a better price. I've seen real evolution over the past 15 years in this, and it's like a tax of a few % has been lifted. Inefficient markets suck.

It's already been shown in this thread that 'at market' is like hanging a sign around your neck saying 'scam me'. HFT will jump in the middle and take some of your profits.
Due to all the HFT shenanigans you will never know what the 'fair price given todays market mood' will be. Is that liquidity going to evaporate as soon as you place your trade? Is all the recent trading just HFT's circle jerking each other?
Market spreads and brokerage prices had been coming down way before HFT were inserted into the system. It's like all the efficiencies of the last couple decades have been so great that you don't even notice when HFT quietly slip in a new tax on everyone.

Re:The market is rigged already (1)

lgw (121541) | about a month and a half ago | (#47489649)

They must take out more value (than they could possibly even theoretically add) or else they would be broke.

Ahh, liberals, forever convinced economics is a zero-sum game.

Market spreads and brokerage prices had been coming down way before HFT were inserted into the system. It's like all the efficiencies of the last couple decades have been so great that you don't even notice when HFT quietly slip in a new tax on everyone.

It's all the same trend. HFT isn't some cliff we fell off - trade frequency and market maker participation has been increasing steadily for 20 years as technological advance made it more and more practical. Spreads fell steadily during this time as a result.

Re:The market is rigged already (1)

crimson tsunami (3395179) | about a month and a half ago | (#47492213)

Ahh, liberals, forever convinced economics is a zero-sum game.

Ahh market manipulators, forever convinced their market is the same as an economy.

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47483183)

Yeah, and back in the real world we know this is complete bullshit.

Your scenario assumes that B and S are unaware of the of this behind the scenes nonsense.

Furthermore this is the very distillation of the race-to-the-bottom disease that's infected modern American business. Cheaper at any cost. Work the system harder, build faster machines so we can out-scam everyone else. Building better products is for suckers!

"Adding value" is a euphemism for "cheat better"

You didn't get it 20 dollars cheaper. You're just complacent in a scam where you helped ripoff the seller, and cheapened the system as a whole. "Value" isn't created out of thin air or "found" as if it was just laying there un-claimed.

Fucking apologists wonder why we balk when they keep insisting you can get something for nothing. That 20 dollars came from somewhere. Stop pretending externalized costs vanish in to the ether.

There's a good reason we've got a huge gap between the rich and the poor increasing at a frightening pace. Fuck, it's note even the rich and the poor anymore. It's the rich and the everyone else, and it's shit like this that is getting us there.

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47484089)

Yes, I see. So instead of the price of products being dictated by the end users ($500,) or what a producer will offer them for ($600,) instead both get screwed by the middlemen looking to make their cut. Yep - lot of value there! For the middlemen, anyway....

Re:The market is rigged already (1)

lgw (121541) | about a month and a half ago | (#47484195)

No, what happens is: instead of the prices being set buy the professionals who are perfect at gaming the system (buy a new car, then sell it the next day, see how that goes), the little guy gets a fair price, as the middle man screws the big guy (well, the middle man is likely the biggest guy, but still).

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47488381)

Exactly, the middle man here,
is the big guy,
is the professional who is gaming the system,
is the HFT/market maker.
Everyone else is ripped off, especially the little guy.

Re:The market is rigged already (2)

aybiss (876862) | about a month and a half ago | (#47480119)

The thing is that this is so wrong and simply not how things work. Nobody would trade on a market where the first person to bid or offer is the not first person to trade. In your example, as soon as someone said 'will pay $500', they would be given the bike that was available at $400. And they would pay $400, not $500.

The other thing is, even if this did occur, the person wanting to pay $500 for a bike has gotten what they want. This is called liquidity and it's valuable in its own right. If they didn't want to pay $500 for a bike then they shouldn't go to a market place and say that they did. But they did, because they didn't want the $500 as it won't help them travel to the shops (by itself).

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47481051)

Nobody would trade on a market where the first person to bid or offer is the not first person to trade.

Everybody does, they have no choice. Special people have special access, if you dont't realise this then I suggest further research before 'investing' any real money.

Re:The market is rigged already (0)

Anonymous Coward | about a month and a half ago | (#47481069)

Nobody would trade on a market where the first person to bid or offer is the not first person to trade

Yes they do, all the time.

Special people have special access. They don't join the normal queue like you would have to do.

First question ... (2)

gstoddart (321705) | about a month and a half ago | (#47476645)

Was it a foreign government, or your own government?

Quite frankly, I find either plausible.

Re:First question ... (0)

Anonymous Coward | about a month and a half ago | (#47476875)

Go with NSA2. The fascists have more control over the NYSE and would love to wipe out some competition.

Re:First question ... (1)

Anonymous Coward | about a month and a half ago | (#47478257)

The NSA does not need to hack the exchanges. They have the ultimate insider trading advantage.

Re:First question ... (0)

Anonymous Coward | about a month and a half ago | (#47477439)

the details remain classified.

At a minimum, this tells us that our government did something that the governed must not be allowed to find out about. They were either the attacker, or they were using illegal means to detect or investigate it. No other possibilities really make much sense.

Final Objective? (1)

Anonymous Coward | about a month and a half ago | (#47476655)

'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

Ummm to make money or destabilize our economy?

Makes one feel good that you are the head of the Intelligence Committee.

Re:Final Objective? (1)

Artifakt (700173) | about a month and a half ago | (#47477465)

If they found it was some nation-state where a corrupt bureaucrat did it to line his pockets and those of the supreme leader, the consequences might be less trust in the market (if that's possible), and similar, limited economic effects. If the nation-state in question wanted to destabilize our whole economy, that's part of WAR. (you know, that thing where lots of people die very rapidly and it wasn't one of the other horsemen?). Those are very, very different consequences and levels.
            YOU picked two possible options from what may well be more. YOU didn't notice that even if your limited answer is the whole truth, it implies two incredibly different possible 'final objectives'. YOU chose to regard destabilizing our economy as a 'final objective', when it simply isn't, and never historically has been, in a single case. It's always been an intermediate objective, and the 'final' one, in every historic example, has always been winning a war. YOU then criticised the chairman for having noticed what YOU didn't. Fail reading 101 much? I can think of an enormous number of things Mike Rogers has said that make me question his judgment (and sometimes whether all the many-tentacled pre-cambian era cyanogen breathing epifauna really died off), but not this quote - it's accurate, non-inflammatory, and rational.

Re:Final Objective? (0)

Anonymous Coward | about a month and a half ago | (#47477531)

I see someone forgot their meds.

Re:Final Objective? (2)

Stolpskott (2422670) | about a month and a half ago | (#47480995)

'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

Ummm to make money or destabilize our economy?

Makes one feel good that you are the head of the Intelligence Committee.

The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The analogy used in the BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at what areas the bad guys had access to and where they went. In a private home, there is the external alarm - once that is down, you have no way of knowing where the guys went unless they leave a physical trail. In this case, while it might be expected that Nasdaq would be the IT security equivanelt of a bank, they apparently were the equivalent of a home owner who left the alarm deactivation code on a piece of paper taped next to the alarm console.

Let's try a few plausible options, based on the article. Determining the probable source of the hack/attack will help there.
The core of the malware used was a 0-day exploit kit that had previously been attributed to a team within the Russian FSB's electronic warfare group, suggesting that the Russians may be behind this. At the approximate time the hack took place, the Russians were combining their two domestic stock exchanges into what they planned as a single super-exchange to rival Nasdaq, NYSE, LSE in London and the Hang Seng in Hong Kong. Probably a dual-purpose reason being (a) increasing international prestige and economic diversification, and (b) preparation for pressurising large Russian companies whose stocks were listed on international exchanges to draw back and list exclusively on the new Russian exchange, thus reducing the potential leverage and influence that US and international governments would have over those Russian companies (thinking sanctions, as with the current situation in Ukraine). For the Russians therefore, a plausible action would be to hack the Nasdaq exchange servers and copy the software code that powers the exchange, so that they can use it or modify it for their own exchange - believe it or not, the code for the Nasdaq exchange is generally considered to be world-beating, so that would be a viable target.

Second, the CIA apparently found some information in the real world suggesting Chinese connections - the Chinese Peoples' Liberation Army certainly had electronic warfare capabilities, and conceivably might plant an electronic bomb in the Nasdaq systems for use at a later date if it proved convenient. Equally, with the Chinese approach to IP and industrial espionage, hacking to steal the code in a similar way to the Russian scenario is possible.

Both of those governments' beurocrats are often known to be corruptable and have links to organised crime, so there is another possible source for the attack, with the goal of either blackmailing Nasdaq or gaining access to the not-yet-public information stored on the compromised systems to give them advance knowledge of information that would move stock markets and prices (financial gain).

In determining the source of the attack, the origin of the malware used is not the greatest indicator - malware kits can be copied as easily as any other software, so either an actor within the FSB may have sold a copy to someone, or another hacker may have hacked a completely different system infected with that malware kit and downloaded the elements of the kit they could find, reverse-engineering the rest. So just because the FSB are credited with creating a previous version of this specific kit does not mean they are involved.

Lastly, looking at the capabilities of the payload may give some insight into the objective - a malware kit with a keylogger and dial-out facility to a C&C server is generally not going to be paired with a logic bomb to fry the infected system. So a system with a keylogger will be used for industrial espionage, while a logic bomb is an offensive, destructive weapon. The NSA's original analysis of the malware apparently indicated all sorts of interesting/terrifying capabilities. Given their extreme interest in surveillance of computer systems, if they chose to deliberately scare-monger and make this breach out to be more serious than it may otherwise have seemed, they could use that as leverage to expand their intelligence remit to be the gatekeepers of data security and cyberwarfare within the US - expanded influence, and also a much more free hand to conduct their own domestic surveillance. Plus, it is definitely conceivable that they would already have laboratory copies of the FSB malware kit that they could use when hacking Nasdaq.

So, there you have 4 other possible actors and objectives:
Russia: Domestic economic control over large businesses to reinforce geopolitical strength, and industrial espionage.
China: Industrial espionage, or the future possibility of electronic sabotage.
Organised crime: Extortion or industrial espionage for financial gain.
NSA: Empire-building.

This is not to suggest that any of those groups actually did do this, or that if they did that they did it for the reasons I have suggested. But it does indicate that there are a lot of possibilities out there, and Mike Rogers is a politician, so he is not going to start slinging mud at someone unless they give him a good quote as justification.

Security (5, Insightful)

BitcoinBenny (3025373) | about a month and a half ago | (#47476681)

The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

Re:Security (0)

Anonymous Coward | about a month and a half ago | (#47476797)

Security looks like a loss on the books because the books don't show the losses you WILL take if you fail to have security. So the powers-that-be, who only look at the books, don't want security because it co$t$.

Re:Security (4, Insightful)

gstoddart (321705) | about a month and a half ago | (#47476867)

There is a perverse incentive not to properly secure exchanges because security is slow.

When so much profits depends on fast, direct access to skim money off the top with high frequency trading, these people do not want security.

They want to be able to access the system directly, and security be damned.

Re:Security (2)

bobbied (2522392) | about a month and a half ago | (#47478051)

For the longest time people were sending ethernet raw packets...

So? Look, there are two possible approaches to security here and you don't need a fully encrypted VPN link between two buildings to have a secure link. You could just put your own wire between the two locations and protect the wire from unauthorized physical access.

I'd not suggest you put sensitive financial data on the internet "in the clear", but if you are sure the physical link is only available to your intended destination, you can safely send all the data you want in the clear. If you look at the configurations being used, what was really happening was the exchange was in one room and the traders had platforms in another room near by. They had short physical connections, which, unlike the internet, are easy to physically secure.

Re:Security (1)

aybiss (876862) | about a month and a half ago | (#47480129)

In actual fact most connections used by HFTs are encrypted AND dedicated.

Re:Security (1)

jbmartin6 (1232050) | about a month and a half ago | (#47481389)

I would be there is no HFT in the world that is encrypting FIX traffic. Why bother? All the links are cross connects within the exchange's data center.

Re:Security (1)

BitcoinBenny (3025373) | about a month and a half ago | (#47490875)

Yeah, HFT encryption is spectacularly rare. I think the argument that the links is short doesn't make much sense to me. If you are talking about third parties hacking the link I guess maybe you make a point, but that wasn't the attack vector I was thinking about. I was talking about third party HFT firms getting hacked and then leveraging those short, encrypted and insecure connections into matching engines to cause problems. I guarantee you that there are exploitable vectors into some of these major markets.

Re:Security (0)

Anonymous Coward | about a month and a half ago | (#47478183)

True, also they are notorious for being complete dicks to their IT people. They are complete dicks to everyone, but they don't even try to work with them unless they have no alternative, and fire them as soon as the system is working, keeping a skeleton of support, if any, for operation.

So it does not suprise me that there is incredibly poor security, no logs or other auditable data, and generally, no one has any idea how any of it actually works. I am actually surprised that they even knew they were hacked at all.

However with colocation ... (1)

perpenso (1613749) | about a month and a half ago | (#47478497)

The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

Technically true. However in the quest for low latency there has been a tendency for some to colocate with the exchange. So if an exchange system and a broker system are in the same high physical security room and have a direct connection between them then the risk is mitigated to a degree.

Re:However with colocation ... (1)

BitcoinBenny (3025373) | about a month and a half ago | (#47491637)

Well if we are talking physical access control then most of these places have figured it out. My argument is that the threat is from the firms connecting into the exchange. A lot of them have poor border security, and if you don't have any additional checks then what?

Reminds me of a Tom Clancy novel (2)

PapayaSF (721268) | about a month and a half ago | (#47476717)

I forget which one, but as I recall the solution was to restore everything to the state before the hack, erasing the tainted trades along with all the valid ones.

Re:Reminds me of a Tom Clancy novel (1)

GameboyRMH (1153867) | about a month and a half ago | (#47477215)

Wasn't something like this done after the Flash Crash (or some other recent stock exchange fuckup?)

Re:Reminds me of a Tom Clancy novel (1)

jbmartin6 (1232050) | about a month and a half ago | (#47481413)

Yes, and also after quite a few similar smaller incidents. Remember the scene from the recent Batman movie where Bane stole all of Bruce Wayne's money by forcing him to put his finger on the scanner? A crock. The financial institutions would just undo the whole transaction as soon as Bane left. This is one reason why there is surprisingly little security in certain aspects of the financial system. it isn't like Bitcoin where if someone steals your key file done is done and there is no going back. In the financial world, a whole slew of transactions can simply be reversed and often are. Why spend the money and effort on security when the potential impact is relatively low?

Re:Reminds me of a Tom Clancy novel (0)

Anonymous Coward | about a month and a half ago | (#47477627)

In this case, the exchange wasn't hacked, so there are no tainted trades to erase. The hack was against an app called Director’s Desk, which did contain some very valuable and confidential information, but is isolated from the exchange. The summary is misleading (as usual).

more convenient fear mongering (3, Insightful)

Cardoor (3488091) | about a month and a half ago | (#47476749)

i wonder what newly minted organization that will undoubtedly be called in to 'protect us' while stripping yet more privacy and liberties. (of course getting budgeted billions to do the job). oh wait - theyve already announced it. and it's the benevolent wisdom of the usual suspects that will save us all!

more convenient fear mongering (0)

Anonymous Coward | about a month and a half ago | (#47479443)

yep, and want to bet said newly minted organization will have a 3 letter acronym.

Are my computer banks at risk? (0)

Anonymous Coward | about a month and a half ago | (#47477023)

Oh my god! What can I do to prevent cyberspies from planting a digital bomb in my computer banks? :O

Re:Are my computer banks at risk? (0)

Anonymous Coward | about a month and a half ago | (#47480097)

In order to really get a decent level of protection, you'll need turboretroencabulated memory planes, each running at at least 14 hogsheads to the farthing.

Us or them (0)

Anonymous Coward | about a month and a half ago | (#47477027)

Odds are the hack will turn out to be a "rogue trader" at a major US bank, and this breach in morality & federal law will be dismissed as "big banks being big banks".

Us or them (0)

Anonymous Coward | about a month and a half ago | (#47477295)

or, it was just a bug somewhere that was triggered.
People panic way to quick when something happens with computers.

"panic quick"? It has been four years. Zero-day bu (3, Informative)

raymorris (2726007) | about a month and a half ago | (#47477571)

I can only guess you didn't read even the first sentence of TFS. The attack occurred in 2010, so this is hardly a case of "people panic way to quick".

"or it was just a bug" - we have a copy the malware they used, and they exploited at least two zero-day vulnerabilities, and were accessing the system for months.

This incident was kind of a big deal. Someone with sophisticated exploit capabilities had run of Nasdaq's network for several months.

So the takeaway from this is ... (1)

userw014 (707413) | about a month and a half ago | (#47477033)

Wow. Something happened, but we don't know what or why.

Re:So the takeaway from this is ... (1)

bobbied (2522392) | about a month and a half ago | (#47478101)

Wow. Something happened, but we don't know what or why.

Yea, well, I guess that it's better that we know where it ended up, unlike some airliners in recent history...

Recording all data to and from a machine (0)

Anonymous Coward | about a month and a half ago | (#47477089)

If one were to record all input/output, all disk writes, and all memory changes would one not be able to literally go back and see what was done? I'm not sure if this is a feasible technical solution. However what I'm imagining is something like git. Whenever a change is submitted it logs it. What if every bit of data written to the disk were logged, that is the difference between what was and what is? Do the same thing for memory and input/output from the network. If these features were added at a hardware level any malware wouldn't even be able to detect it. While this still leaves the problem of detecting the malware, determining what was done would be much much much simpler (I think).

While this wouldn't be a cheap solution it probably would be a good solution for at least critical infrastructure.

It probably wouldn't be something you attach to facebook's server, but it might be something you attach to Google's servers, backbone routers, Amazon Cloud services and similar (if this is being used by critical infrastructure, I'd hope not, but... if it is, or an attach might impact significant portion of the economy), exchange's servers, development servers at Microsoft, Apple, Google, Adobe, and similar, as well as any other developer's development systems, etc.

Re:Recording all data to and from a machine (1)

qwijibo (101731) | about a month and a half ago | (#47477341)

That would require basically infinite storage and run very, very slowly. In effect, the disk (which is the slowest of CPU/memory/network/disk) becomes the bottleneck preventing any of the others from being well utilized.

There are much better ways to track what happens on critical systems, but they introduce costs that most organizations consider excessive or unnecessary, right until after a breech where they realize how the alternative can be orders of magnitude more expensive.

Where's the NSA? (0)

Anonymous Coward | about a month and a half ago | (#47477345)

Isn't this probaly one of the foremost National Security issues of the US? The freaking Stock Exchanges? You're telling me they don't know to what end, or who was in it?

If even part of this is true, this country really is FUCKED! All the way to the top!

Re:Where's the NSA? (1)

gmhowell (26755) | about a month and a half ago | (#47477827)

Isn't this probaly one of the foremost National Security issues of the US? The freaking Stock Exchanges? You're telling me they don't know to what end, or who was in it?

If even part of this is true, this country really is FUCKED! All the way to the top!

Guess who didn't RTFA?

why hack it? (1)

Joe Johnson (3720117) | about a month and a half ago | (#47477359)

Isn't wall street doing enough to destroy our economy for their short term benefit? If I was a hacker, I'd pick a more interesting target than one which collapses on its own greed twice in a decade.

Re:why hack it? (1)

bobbied (2522392) | about a month and a half ago | (#47478127)

Let me see.. We are due then? Last major crash was 2008 and it's 2014.

You might be right....

2008 Financial Collapse Damage $6-14 Trillion (0)

Anonymous Coward | about a month and a half ago | (#47477851)

The NASDAQ's Director's Desk computers are not trading systems. Lots of hype, speculation, perhaps a paycheck for Keith Alexander and Michael Chertoff.

The Federal Reserve Bank of Dallas has analytically demonstrated that the same people entrusted to operate our financial markets (the CEOs, SEC regulators, and rating agency officials) are the #1 threat to U.S. economic security. Their short term unenlightened self-interest results in economic death spirals.

For details, see Blunden's slide deck on Chinese Cyber espionage: http://www.belowgotham.com/ODE-TO-MIKE-ROGERS.pdf

Our political leaders and their lie, and lie, and lie. All in service of corporate power.

Re:2008 Financial Collapse Damage $6-14 Trillion (0)

Anonymous Coward | about a month and a half ago | (#47480107)

"slide deck"

That says it all right there. Death by PowerPunt

Rogers is a serial liar (3, Informative)

Lawrence_Bird (67278) | about a month and a half ago | (#47478013)

He has lied, willfully exaggerated and generally acted like a complete piece of shit countless times. Do not believe anything out of that man's mouth, ever.

Re:Rogers is a serial liar (0)

Anonymous Coward | about a month and a half ago | (#47478551)

The US is in " Russkies are a comin' " mode. Everything that can be dragged up about them even if it happened years ago with different people is to be flogged to death.

Re:Rogers is a serial liar (1)

El_Oscuro (1022477) | about a month and a half ago | (#47478579)

How is that different than any other member of congress?

A nation-state? Baloney. (1)

ItsJustAPseudonym (1259172) | about a month and a half ago | (#47478173)

Look no further than a too-big-to-fail company, e.g. Goldman Sachs.

Talk about the incident, but not really (1)

Mister Liberty (769145) | about a month and a half ago | (#47479077)

It's all part of getting the rich richer and the rest frightened.
Don't be tricked by the conmen.

More hysteria (1)

jbmartin6 (1232050) | about a month and a half ago | (#47481435)

If you review the details, the attackers were on one specific non-trading application owned by Nasdaq and had some access to their internal network. There is no evidence that they had any access to the exchange's systems, which are on a segregated network. In other words "the exchange" was not hacked at all.

Just a Ploy to Increase Fear & Paranoia (0)

Anonymous Coward | about a month and a half ago | (#47481477)

So, I guess we are at stock-exchange threat level Orange? How long until we see the color-coded threat-level banners at the top of every trading site?

Mark my words, this is just setting up for the future. Now, the next time trillions of assets magically "disappear" (as the did in 2007 and 2008), we can avoid all those pesky protests against the bankers and instead just blame some other country and go to war with them. War being, coincidentally, also extremely profitable to the same people who will have "disappeared" those assets.

The Chinese, the French, the Israelis. (1)

Eunuchswear (210685) | about a month and a half ago | (#47481649)

The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another.

But never the USA.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>