How the SEC Almost Shut Down Wall Street
What happened when SEC computers were brought to a hacker convention.
Nov. 18, 2012— -- Here's a fun fact: Hackers, just like bankers, real estate agents and collectors of Star Trek memorabilia, attend conferences. Even better: they play games at the conferences. One of the games they play has attendees aggressively competing to access any device in the hall, thereby demonstrating prowess in obtaining sensitive information. The goal is to exploit any vulnerability, or crack that which is perceived to be impenetrable, and share details for both educational purposes and bragging rights. This is the kind of thing you'd expect at a Black Hat hacker conference and why people with sensitive information on computers probably shouldn't bring them to the party. Especially employees of the Securities and Exchange Commission Trading and Markets division. And they really shouldn't have brought their computers with them. Except they did. Yes. This really happened.
Computers owned by the Securities and Exchange Commission Trading and Markets division were brought by SEC staffers to a hacker convention. They contained unencrypted, step-by-step instructions to shut down our financial trading system. Essentially: A Hacker's Guide to our Financial Universe.
Consider for a moment the kind of information that was hanging out in these computers, according to a recent Reuters story:
- How the computers and networks inside massive stock exchanges including NASDAQ and the New York Stock Exchange are linked together.
- How, in the event of a terrorist attack or natural disaster, what are the specific steps required to shut down the entire American stock exchange system, and how, after the disaster, we safely turn those systems back on.
- What specific security measures have the exchanges implemented to secure their systems against accidental data breaches and determined hackers.
Sophisticated algorithms or complex malware were not required to crash the world's largest exchanges (and with them the world economy). No need for security clearance. A common thief could have hit the lottery with these babies.
The fact that S.E.C. employees brought Wall Street's blueprints to a Black Hat hackers' conference is both terrifyingly dumb and dumbfounding, despite the fact it appears, according to Reuters, that no data was breached. Nevertheless, it is hard to conceive of a less secure venue than this get-together where computer security experts and government intelligence leaders swap notes with all stripes of cyber-ninjas.
With the sensitive information purportedly contained on these hard drives, even a run-of-the-mill hacker arguably could possess the foundational knowledge to potentially shut down Wall Street like he was flipping off a light switch. Yet there it was at a convention center overflowing with hackers, brought by public servants whose job is to secure the American financial system from natural and man-made disasters. Imagine the value of that data on the black market?
Let's be clear about this. The Trading and Markets Division of the S.E.C. is responsible for monitoring compliance with "Automation Review Policies," a set of voluntary but crucial rules regarding security measures and business continuity plans for how the various stock exchanges will respond to disasters. And yet there they were, courting disaster.