DOW Plunge Highlights Trillion Dollar Hacker Threat

Monday, May 24, 2010

Anthony M. Freed


Investigations continue into the root cause of the anomalous stock market volatility that recently saw nearly one trillion dollars in market value evaporate in a matter of minutes.

Three plausible scenarios were postulated immediately in the news.

First, that the social, economic and political unrest in Greece caused the precipitous decline - though this is unlikely simply because the problems in Greece have long been anticipated and accounted for by the market.

The second was high-volume electronic trades - either accidental or as a means to game the market with a temporary panic - which in itself reveals serious systemic vulnerabilities in trading systems, regardless of whether it played a part or not.

The third hypothesis, that the decline was due either to a coordinated cyber attack or to hacker infiltration, is by far the most troubling from a security perspective.

Daniel Wagner of the Associated Press reported, "The White House's homeland security and counterterrorism adviser says there is no evidence that a cyber attack was behind the chaos that shook Wall Street... John Brennan told Fox News Sunday that officials have uncovered no links suggesting that cyber attacks caused turbulence that sent the Dow Jones industrials plunging almost 1,000 points..."

Assuming the Obama administration's well-publicized rebuke of the notion that hackers played a part in the raucous trading is correct, the mere fact that they made such a concerted effort to dispel the hacker scenario highlights the reality that such an infiltration is not only possible, it is highly probable.

The fact that the "kill-the-hacker-story" message was issued during the Sunday political talking-head circuit is strong evidence that the administration is not only taking the threat of cyber insecurity in our financial systems very seriously; it is also cognizant of the damage to investor confidence that could result from such an event - or even from the rumor of such an event.

While market turbulence may create opportunity for investors to profit, fear and uncertainty from intangible risks work to undermine confidence in the fundamental mechanisms that organize and govern our financial system.

Theoretically, any number of large scale financial cyber security events could set in motion a series of catastrophic events fueled by a sudden collapse in institutional confidence, regardless of whether or not the event itself actually resulted in significant losses.

Consider for a moment a scenario where tens of thousands of consumers awake one morning to find their bank accounts apparently cleaned out.

I say apparently because the effect would be the same whether or not the loss of funds was actual or merely perceived for a long enough period of time that the event was seized upon by the media.

Under such circumstances, it is highly likely panicked customers would descend upon their financial institutions, frantically trying to pull their funds out before they too become a victim.

Affected banks could find they are insolvent and under FDIC control in a matter of days.

For those of you not familiar with the nature of our fractional reserve system, it needs to be mentioned here that banks are only required to maintain a small portion of their booked deposits at any given time.

Simply stated, they loan out or invest all but about 10% of your deposits, so it only takes a small percentage of the bank's customers suddenly pulling their funds out to kick regulatory bodies into action.

The stock market would also react with a sharp dip in the financials and related sectors, and the chain of events would be so swift that not even the fabled "Plunge Protection Team" could prevent a crash of some magnitude.

Meanwhile, subsequent investigation could reveal that there was no actual loss of funds, and that there was not even a breach of the banking networks at all.

This entire scenario could result from hijacked URLs and rogue websites that appear identical to those of legitimate banking sites, combined with a mass email blast "alerting customers" that their accounts have been flagged due to a large withdrawal.

Dramatic? Perhaps, but the point is that our entire financial system dances on the head of a pin, and unlike the unrest in Greece, the markets have yet to account for systemic cyber security risks.

Financial sector cyber security events - whether real or perceived - threaten our economic stability by potentially undermining the public's confidence in our collective ability to protect our critical financial infrastructure from manipulation and outright attack.

General Security Awareness
Terry Perkins Scary as it may be... it is so true. Thanks for sharing this.
David Dennis The complexity of modern computer systems in the financial sector is mind boggling. We may scoff at a system not denying a trade order for a number of shares beyond what the firm has, but these days, no one can manually verify what their holdings are in any real time moment. Could it be that a system might only check for references to an equity, which would include shares owned, derivatives, swaps, hedges, and other esoteric instruments?

Program complexity also gives rise to vulnerabilities in operational security. With systems this complex, only a few people exist to maintain and police them. Turn a small number of them and the possibility of malicious intent is real. The book by Tom Clancy (in 1994) called Debt of Honor ought to wake us up to that threat.
Katie Weaver-Johnson Great post Anthony and like you said, what is so alarming about the recent stock market chaos is the reality that a cyber security infiltration is not only possible, it is highly probable.

When this plunge initially occurred, a fat-fingered human error was blamed. While this story was eventually withdrawn, many consumers out there may still believe that was the cause. With so many information resources available today (media, social networks, etc.) rumors can spread and have a direct and lasting effect on our systems.

Financial institutions need to not only ensure they have the appropriate security measures in place; it will be an uphill battle to restore consumer confidence and trust.
Michael Bruck Anthony: great article - we need to be a little more concerned about these issues...

The majority of my firm's clients are in the financial sector and one of our primary services is risk and vulnerability assessment. I don't claim to be the expert in "trading" systems, but I do know the percentages in terms of financial organizations (i.e., banking, etc.) currently being at serious risk.

I have little doubt that a major coordinated attack is quite possible. They wouldn't have to hit the trading systems directly. Widespread breaches could ultimately have the same effect... for which the systemic impact would be crippling to the market and consumer confidence.

We simply never seem to run out of new clients that are in total disbelief regarding their level of risk - after one of our first-time audits.

Makes me nervous just publicizing these general facts...
Michael Bruck I would have to concur with your comment.

I had a new account executive come to me the other day and explain to me that much to her amazement "it seems like a lot of these prospects get turned off when I discuss how comprehensive our audit is...".

The attitude that this is going to cost us (i.e., remediation resources and technology) that I don't have the staff or budget for - seems to be the bigger priority in far too many cases.

I'm not a huge fan of a lot of regulation, but in this case I have to admit - thank god someone is "making" them do something...
Terry Perkins I've worked in the financial industry as well. My experience was the same as yours, Lance. It is all about compliance and not security.
Anthony M. Freed I am also out of the financial sector - fines for compliance violations are very well delineated, whereas the impact from data loss is a dynamic variable that is difficult to quantify for profit/loss analysis, and thus rarely given adequate weighting.
Mark Gardner Anthony, great post.

There was an article in the UK version of Wired Magazine last month about the complexity of the computing involved in trades. When you have the potential for "10,000 orders per second with a sub-millisecond latency", inspection of every trade at that volume is impossible. Therefore, the risk of an attack going undetected is high. As we have seen with the credit crunch, market behaviour has a huge effect on our daily lives.

In this type of arena, technical vulnerability assessments must be a commonplace activity, in the hope that the levels of protection employed are strong enough, to protect from external attack. However, as with all industries, you are most vulnerable to an internal attack, so access controls and management must be extremely tightly controlled.

At the start of the credit crunch here in the UK, the bank Northern Rock was at the centre and we did see as you say "highly likely panicked customers would descend upon their financial institutions, frantically trying to pull their funds out before they too become a victim." Subsequently Northern Rock were taken under Government control.

As another correspondent stated, this was put down to a mistake - you can never legislate against this occurring but you can put in a series of checks and balances to attempt to prevent these mistakes. However, given the volume of trade and the fact that milliseconds can be costly, it may be that these have been ignored, which ultimately led to this type of incident occurring.
Tom Caldwell Full Disclosure: This isn't an advertisement, just some background that isn't on our 'dark' website.

I lead a company called Idalis Software, and we perform forensic analysis/risk management on e-mail/firewall attacks by obtaining one sample or more of the attacking data/logs, including tracking the infected computers [botnets], malicious URLs, and any other specifically defined "point of contact" from the originating data source, and store this data for risk management, blocking, remediation, and for cyber-crime evidence purposes.

I can tell you without any doubt that several large financial banking institutions have dozens to hundreds of botnet infections on their corporate networks. In the past we have detected hacked servers on the Chicago Board of Trade, which were sending pedophile advertisements to rape children in the Ukraine [another group was in the Caribbean] then they would kill the children for their black market organs also on sale. These hackers were also selling weapons such as AK-47's, C4 explosives, and others to willing buyers and those groups could be considered 'terrorist' cells. In one instance of many both the sending IP address and e-mail URL redirect to another site for their contact were hosted on the network contracted AND hosting servers used by the Chicago Board of Trade. One sample included a hijacked URL owned by a financial firm! This shows they had full admin access to these servers/resources based on the activity occurring as they were not open relays.

After analyzing networks such as the DOW, NASDAQ, and many Broker/Trading firms we can conclude that it is indeed possible to install a trojan, then a packet sniffer on a network which would give hackers or even malicious traders the ability to see which stock sale orders are being placed approximately 30 seconds before they are executed, and thus move large amounts of money they control WITH the market making millions or billions in a price shift, up or down. This of course is at current time a hypothetical attack since we haven't looked inside their network, however we have evidence that it CAN occur on these firms' highly vulnerable networks based on the sheer number of internal infections and spread across their industry.

That being said, I don't believe bank runs [or fear causing withdrawals of money] will occur because most media outlets would downplay it or calm people. This again is my opinion, however one of my accounts resides on a network where there are no less than 350 ACTIVE botnet infections at one time. I don't keep a lot of money in this account for that specific reason, AND because their network admins have ignored attempts to help them secure their network. We'll try again since they are/were a TARP bank.

I haven't named additional names for the purpose of not taunting potential customers or causing an actual attack, however for those who don't secure their networks it will eventually come out and expose them. I will also state that we do have national newspaper/large TV network assets at our disposal.

This is real, and if it didn't occur in the recent 'stock drop short sale', IT EVENTUALLY WILL.

Tom Caldwell
Idalis Software
Mourad Ben Lakhoua Great article Anthony! Security plays a vital role behind the success of financial institutions. But obviously there is a big focus on compliance more than Security!
Peter Abatan I'll make 2 points. I have heard of 2 banks here in the UK that have had serious data breaches that have resulted in multi-million pound losses. The banks in question have kept it secret because of the embarrassment and the panic it will cause to both the customers and the market. In this case they would rather absorb the losses than come out with egg on their faces.

Second, with respect to hackers gaining access to trading systems to cause mayhem is a question of when and not if. These guys are very sophisticated and bask in the glory of overcoming sophisticated security systems.

The main reason why I am of this opinion is that as mentioned before security is mainly driven in banking & finance by compliance, rather than vulnerability.
Ray Tan Anthony,

Great articles.
Believe it or not, it is possible and easy to conduct such attacks; besides the technical factor, we need to pay more attention to social engineering.
Hijacked URLs and rogue websites are frequently used. If they are sent from a person we trust, how many of us will check them as carefully as a security professional would?
John England Anthony, a very interesting post!

Having read through it, I was reminded of when I was at school, and the prank that I 'never' took part in......setting the school fire alarm off. Oh, how I miss my school days!

It has the same notion of ringing alarm bells within an institution, and the effects of that:

1) There is genuinely a fire, and with that volatility in the immediate area, sparking panic and a mass evacuation (our Greece scenario).

2) The bored students loath to sit an exam or making a protest over a cause want a deliberate upset of equilibrium and BAU activities within the institution (our short term panic).

3) A malicious person wants to gain access to the part of a building he or she cannot normally reach and is using this as a mask (our cyber crime).

With the school scenario a measured response is sent in the first instance, firefighters. Now, if we are in scenario one the response is correct and they can deal with the fire. The school head (or president in the real world scenario) can issue comforting words to a nervy school (or market) in genuinely volatile times.

If we send firefighters to fight an intruder they are not aware of, they are not going to resolve the situation. If the realisation of the breach happens then the head of school is going to limit the panic by initially keeping the information private. Additional time will then have to be spent investigating the breach, all the time keeping unrest and uncertainty in a nervous audience.

So, why did I miss option two?? Well, what if the purpose of spreading that unknown fear in the institution was a planned and measured attempt. Terrorism can be defined as the intimidation or fear instilled into making people believe something is going to happen. If I were to stand in a busy London street and shout bomb, the resulting pandemonium has caused significant short term chaos as people run, shops are shut, and the emergency services react.

Call it ethical terrorism if you will (not that anything like this could be ethical), but create a belief amongst the markets that there has been a serious breach, and they will follow the basic instinct.....self preservation, save my (or my clients') money. Hey presto, one trillion dollars wiped, and not one person has been injured in the attempt, which is far more ethical than a 9/11 or 7/7 style attack.

So, whether cyber crime or cyber terrorism are playing an increasing role in today's society, we have to be diligent to the ever increasing threats, and as per a good security policy, user awareness is always key. In the case of ensuring the general public is aware of the financial markets, and the workings of said markets, it may take more than a little effort.

The world is not stable, and never will be, by any stretch of the imagination. I nearly missed my trip to Los Angeles to see my first baseball match because mother nature decided to blow a vent in Iceland, and that wasn't the first time there had been an Icelandic influence on a market shift in the UK. People used to say when America coughs the UK catches a cold, but there are economic germs all over the world, and at the moment, no one is immune. Ironically though, it is that volatility that keeps the world moving.

Keep up the good work Anthony!

Ron Baklarz Thanks Anthony - great post. Unfortunately, I tend to NOT believe the governmental spin on these issues. Initially, we were told that the "diaper" bomber and Times Square bomber were acting alone, lone wolves as they say. This is precisely why I immediately discounted the "fat finger" explanation that was put out initially after the DOW plunge. If it was a case of fat fingering, this would be a common occurrence. Therefore, it doesn't pass the sanity check. We will probably never know the real reason behind this incident.
Anthony M. Freed In late 2009 the FBI, the American Bankers Association and the Financial Services Information Sharing and Analysis Center (FS-ISAC) issued a confidential alert to its members, which include the Federal Reserve, the New York Stock Exchange, Citigroup, Morgan Stanley and Goldman Sachs. The FS-ISAC alert urged business bank customers to "carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible."

This shows the level of insecurity in very vivid colors...
John England The safest way is in person at the teller............unless you happen to be there the day the bank gets robbed!

Cash under the bed?? Then the burglar breaks in!!

Certainly here in the UK I have a pinpad into which I have to input my 4 digit PIN, which gives me a nice OTP along with the 12 digit bank code for something I have. Two factor authentication on a machine running IE8 with firewall and AV is to me a reasonable attempt. Just let me know if you want my details to try it yourselves, bank code is...........
Rakesh Goyal Anthony,

Really great article. The risk perception is not hypothetical but can happen.

I am reminded of an old saying about the difference between human mistakes and computer mistakes: "Computers make mistakes too, but the only difference is they make bigger mistakes, at high volume and at lightning speed (many times irreversible)".

Hackers have taken small steps, gradually learning the ropes, working in networked small groups in a widely distributed manner. Gradually, they have reached the stage where they can shake Wall Street, apart from defense and utilities.

On the other hand, technology is evolving beyond Moore's law, without stabilizing for functionality, bugs and security. Every day brings at least one new feature, without considering security, which becomes a feast for hackers (in the wider meaning of the word hacker).

As most of the hackers are unknown entities like ET, we, as an organized society, do not even know their identity, organization structure, thinking process, command structure, etc. Quite possibly, theories like support from Chinese, Russian and other governments may be true.

Maybe one day, most of these hackers may reorganize for a specific task and bring down the shining icons of the organized societies of the world such as Wall Street, multi-lateral organizations, utilities, nuclear command, banks, health care, and communications, either to a grinding halt or to (mis)use them to their advantage.

Technology is really a double-edged weapon, each side sharper than the other.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.