The Hacking of NASDAQ

puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"

The market is rigged already

Would we even notice if it was hacked?

Re:The market is rigged already

[GameboyRMH]

Exactly. Do your worst, black hats. The system's already rooted by Wall Street bankers.

Re:The market is rigged already

..and, why, xactly, was the OP troll-Modded?

Consider the following scenario - you place an order to purchase a book on Amazon, or ebay, you press "One Click Buy", and..

you then get an email from some pondlife, informing you he has just intercepted your communications, and taken over your purchase - but you can still have your book, plus a small fee for him, of course.

Difference being, they don't even inform you of the fact, just charge you.. - Like, why is this shit even legal?

As the OP stated, Hell, Hack away, everyone else does - and if you can't beat them, or outlaw them, may as well join them.

Re:The market is rigged already

[GameboyRMH]

That's not a perfect analogy, but it's not too far off.

It's more like this. There's a classifieds forum which regular users can refresh once every 10 minutes. Special users with a paid subscription can refresh once per second.

You post "Bicycle wanted, will pay up to $500" and someone else posts "Bicycle for sale, $400" then the speedy special user buys the bicycle for $400 and puts it up for sale for $500 before you or the seller can refresh (at best, when they're not doing even shadier things like spamming the forum with fake Wanted posts etc).

Somehow this is supposed to produce value. I think it has a similar effect on the economy to either robbery or counterfeiting currency. I can see no way this produces any value.

Re:The market is rigged already

[lgw]

You've got it completely backwards, is the thing. Don't worry, most people get this backwards, because they reason from "these guys must be evil" to "ahh, so it must work like this".

It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK:
* Mr B posts "Bicycle wanted, will pay up to $500"
* Mr S posts "Bicycle for sale, $600"
* Special user says "OK, now buying bikes for $520, selling for $580"
* You post "buying 1 bike, best price".

You get the bike $20 cheaper. The market maker takes a risk here: that he can balance buys and sells, and not get left holding the bag when the price changes.

But the story gets better:
* Special user 2 says "Oh, I see you Special 1, I'm now buying bikes for $525, selling for $575, hey, $50 a bike is better than nothing.
* Special user 1 says "Oh no you didn, Buying for $530, selling for $570"
* Very quickly it's $550/$551.

You get the bike for $551, $49 cheaper. I've seen this happen over the past 15 years, where the bid-ask gap shrank by that much on options. Competition is so fierce you see sub-cent pricing now: you'll get filled at $550.0001 or $549.9999 sometimes, because in very active markets these guys can make a killing with less then 1 cent profit.

Do you see now why it adds value?

Re:The market is rigged already

[crimson+tsunami]

It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK: * Mr B posts "Bicycle wanted, will pay up to $500" * Mr S posts "Bicycle for sale, $600" * Special user says "OK, now buying bikes for $520, selling for $580" * You post "buying 1 bike, best price".

This is pants on head retarded.
If the Special user can just create bikes out of thin air, he should just set up a bike shop and sell them for $500.
In the real world, where is he getting his bikes from? Mr S wont sell his for anything less than $600 and Mr B is buying.
What really happens is that Special user sees you want a bike and are too stupid to name a price, so he quickly buys the $600 bike and realising the next best price is $610, sells it to you for $609.99
If you want to add in more competing special leechers, they all bid/cancel spam each other $609 $608 etc. and you end up paying $600.01 Best case you were only ripped off 1 cent.

Re:The market is rigged already

[aybiss]

The thing is that this is so wrong and simply not how things work. Nobody would trade on a market where the first person to bid or offer is the not first person to trade. In your example, as soon as someone said 'will pay $500', they would be given the bike that was available at $400. And they would pay $400, not $500.

The other thing is, even if this did occur, the person wanting to pay $500 for a bike has gotten what they want. This is called liquidity and it's valuable in its own right. If they didn't want to pay $500 for a bike then they shouldn't go to a market place and say that they did. But they did, because they didn't want the $500 as it won't help them travel to the shops (by itself).

Re:The market is rigged already

No. All I see is that money was transferred. None of them actually made the bike. Making the bike is creating actual value. Whizzing money around with sub-cent profits that depend on latency is just a giant scheme. Sooner or later the limit of latency will be reached - the laws of physics will see to that. Anyone not standing at the absolute minimum will be left holding their dick in their hand.

We need to get back to broadening the ability to create actual value by making shit.

Re:The market is rigged already

[jaitropmange]

Either you allow the market maker to take the bid / ask spread or you pay a broker a commission to get you the market price. Either way you give up a little to have access to a convenient centralized market. This seems reasonable, but maybe you'd prefer to buy and sell your securities on craigslist? ;-)

Re:The market is rigged already

[flajann3290]

I really think using bikes is a bad analogy (unless you are discussing Futures markets, but even then!!)

They are exchanging one token for another. They are exchanging the money tokens for corporate tokens (in the case of the equities market). The only real thing you can do with most corporate tokens these days is to trade it back for the money tokens.

Some stocks, a few, still pay dividends, but most do not. And voting rights??? Hahaha! Unless you can own 51% of the corporate stock, your votes are nothing. And in many cases some owners DO maintain 51% just to quell the voice of the other stock holders....

The market is not "rigged", per se, but neither is it the smooth-talking bit that many try to sell you on. The true nature of the stock market is a zero-sum game, a free-running and legalized Ponzi scheme. And when I say zero-sum, I mean it in the mathematical sense. It kills me that some of our specialized and technical jargon has slipped out into the popular media and have taken on completely different meanings than were intended.

Re:The market is rigged already

[GameboyRMH]

Nope I gotta agree with all the other people who have replied to you. I can't figure out how this is adding value. To me it just doesn't compute. Why did the seller sell the bike for less than $600? Why did the buyer pay more than $500? If they're willing to compromise, couldn't they have done the transaction directly and saved money without the middleman?

Re:The market is rigged already

[lgw]

In the real world, where is he getting his bikes from?

Like I said, he hopes to balance buys and sells. If 100 people sell at his price, and 100 people buy at his price, he needs no bikes. If he's off by 1 or 2, he'll trade with Mr B or Mr S, and still do OK. But he does take a real risk.

Anyhow, that's how it really works. Remember, we're talking about markets that trade billions of shares a day, so the metaphor only stretches so far.

Re:The market is rigged already

[lgw]

You're missing the entire point here. If the buyer and seller agree on a price, the trade just happens, no market maker needed, the end. All done.

But after all possible trades like that are done you're left with the "bid" and "ask" prices, where the seller and buyer are willing to stand on their prices and not compromise. Any good financial tool will show you the bid/ask for any exchange - you can check it out and see I'm not making this up.

Where the market maker adds value is in making it cheaper for the weak trader, the guy like me who doesn't have the time to play the game, who just wants a stock or bond at a fair price (given today's market mood), and so you just buys or sells "at market". I, the little guy get a better price. I've seen real evolution over the past 15 years in this, and it's like a tax of a few % has been lifted. Inefficient markets suck.

Re:The market is rigged already

[lgw]

No, what happens is: instead of the prices being set buy the professionals who are perfect at gaming the system (buy a new car, then sell it the next day, see how that goes), the little guy gets a fair price, as the middle man screws the big guy (well, the middle man is likely the biggest guy, but still).

Re:The market is rigged already

[GameboyRMH]

OK, so it's good for people like you who don't want to shop around for a good price. But what about those who do? They don't have the option of not going through these middlemen unless they are faster. So which is greater, the savings to those who don't want to shop around or the losses to those who do?

Re:The market is rigged already

[lgw]

Well, these are exchanges, so "shop around for a better price" isn't really a thing. What you can't do is profit from someone not paying much attention - profit from the inefficiency of the market. And that's a good thing: there should be no game to play, no skill at haggling required, nor deep understanding of market mechanics, simply to execute a trade. Deciding what price you're willing to buy or sell at is where the smarts belong, but if you buy something by mistake, and turn around and sell it 2 minutes later, that should cost you as little as possible.

Re:The market is rigged already

[GameboyRMH]

It has to be possible to make money by "shopping around," or the HFT companies wouldn't be making money, and you wouldn't be saving any. Even if it's a miniscule amount for each trader, their total impact comes down to the balance between the savings for the "weak traders" and the losses for everyone else.

Re:The market is rigged already

[lgw]

Well, maybe I don't know what you mean by "shop around". There may be multiple exchanges selling the same thing (though not for stocks), and you usually aren't even aware if which one your broker deals with, as arbitrage keeps prices the same on all of them at faster than human scale these days - another example of making markets efficient.

The market makers simply trade on the exchange, filling orders at better prices than the bid/ask would be without them there. Because they trade so frequently, they can make good money off of quite a small price difference between what they buy and sell at.

You seem worried about these "losses for everyone else", but the market makers aren't siphoning off a % of each trade or anything like that. The only ones hurt are real parasites on the system: those who would profit from inattentive traders, by taking advantage of a thin market for price gouging.

It really seems like you're trying to argue "they add no value, because they must be taking money form someone, because they add no value."

Re:The market is rigged already

[lgw]

They must take out more value (than they could possibly even theoretically add) or else they would be broke.

Ahh, liberals, forever convinced economics is a zero-sum game.

Market spreads and brokerage prices had been coming down way before HFT were inserted into the system. It's like all the efficiencies of the last couple decades have been so great that you don't even notice when HFT quietly slip in a new tax on everyone.

It's all the same trend. HFT isn't some cliff we fell off - trade frequency and market maker participation has been increasing steadily for 20 years as technological advance made it more and more practical. Spreads fell steadily during this time as a result.

Re:The market is rigged already

[crimson+tsunami]

Ahh, liberals, forever convinced economics is a zero-sum game.

Ahh market manipulators, forever convinced their market is the same as an economy.

First question ...

[gstoddart]

Was it a foreign government, or your own government?

Quite frankly, I find either plausible.

Re:First question ...

The NSA does not need to hack the exchanges. They have the ultimate insider trading advantage.

Final Objective?

'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

Ummm to make money or destabilize our economy?

Makes one feel good that you are the head of the Intelligence Committee.

Re:Final Objective?

[Artifakt]

If they found it was some nation-state where a corrupt bureaucrat did it to line his pockets and those of the supreme leader, the consequences might be less trust in the market (if that's possible), and similar, limited economic effects. If the nation-state in question wanted to destabilize our whole economy, that's part of WAR. (you know, that thing where lots of people die very rapidly and it wasn't one of the other horsemen?). Those are very, very different consequences and levels.
            YOU picked two possible options from what may well be more. YOU didn't notice that even if your limited answer is the whole truth, it implies two incredibly different possible 'final objectives'. YOU chose to regard destabilizing our economy as a 'final objective', when it simply isn't, and never historically has been, in a single case. It's always been an intermediate objective, and the 'final' one, in every historic example, has always been winning a war. YOU then criticised the chairman for having noticed what YOU didn't. Fail reading 101 much? I can think of an enormous number of things Mike Rogers has said that make me question his judgment (and sometimes whether all the many-tentacled pre-cambian era cyanogen breathing epifauna really died off), but not this quote - it's accurate, non-inflammatory, and rational.

Re:Final Objective?

[Stolpskott]

'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

Ummm to make money or destabilize our economy?

Makes one feel good that you are the head of the Intelligence Committee.

The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The analogy used in the BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at what areas the bad guys had access to and where they went. In a private home, there is the external alarm - once that is down, you have no way of knowing where the guys went unless they leave a physical trail. In this case, while it might be expected that Nasdaq would be the IT security equivanelt of a bank, they apparently were the equivalent of a home owner who left the alarm deactivation code on a piece of paper taped next to the alarm console.

Let's try a few plausible options, based on the article. Determining the probable source of the hack/attack will help there.
The core of the malware used was a 0-day exploit kit that had previously been attributed to a team within the Russian FSB's electronic warfare group, suggesting that the Russians may be behind this. At the approximate time the hack took place, the Russians were combining their two domestic stock exchanges into what they planned as a single super-exchange to rival Nasdaq, NYSE, LSE in London and the Hang Seng in Hong Kong. Probably a dual-purpose reason being (a) increasing international prestige and economic diversification, and (b) preparation for pressurising large Russian companies whose stocks were listed on international exchanges to draw back and list exclusively on the new Russian exchange, thus reducing the potential leverage and influence that US and international governments would have over those Russian companies (thinking sanctions, as with the current situation in Ukraine). For the Russians therefore, a plausible action would be to hack the Nasdaq exchange servers and copy the software code that powers the exchange, so that they can use it or modify it for their own exchange - believe it or not, the code for the Nasdaq exchange is generally considered to be world-beating, so that would be a viable target.

Second, the CIA apparently found some information in the real world suggesting Chinese connections - the Chinese Peoples' Liberation Army certainly had electronic warfare capabilities, and conceivably might plant an electronic bomb in the Nasdaq systems for use at a later date if it proved convenient. Equally, with the Chinese approach to IP and industrial espionage, hacking to steal the code in a similar way to the Russian scenario is possible.

Both of those governments' beurocrats are often known to be corruptable and have links to organised crime, so there is another possible source for the attack, with the goal of either blackmailing Nasdaq or gaining access to the not-yet-public information stored on the compromised systems to give them advance knowledge of information that would move stock markets and prices (financial gain).

In determining the source of the attack, the origin of the malware used is not the greatest indicator - malware kits can be copied as easily as any other software, so either an actor within the FSB may have sold a copy to someone, or another hacker may have hacked a completely different system infected with that malware kit and downloaded the elements of the kit they could find, reverse-engineering the rest. So just because the FSB are credited with creating a previous version of this specific kit does not mean

Security

[BitcoinBenny]

The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

Re:Security

[gstoddart]

There is a perverse incentive not to properly secure exchanges because security is slow.

When so much profits depends on fast, direct access to skim money off the top with high frequency trading, these people do not want security.

They want to be able to access the system directly, and security be damned.

Re:Security

[bobbied]

For the longest time people were sending ethernet raw packets...

So? Look, there are two possible approaches to security here and you don't need a fully encrypted VPN link between two buildings to have a secure link. You could just put your own wire between the two locations and protect the wire from unauthorized physical access.

I'd not suggest you put sensitive financial data on the internet "in the clear", but if you are sure the physical link is only available to your intended destination, you can safely send all the data you want in the clear. If you look at the configurations being used, what was really happening was the exchange was in one room and the traders had platforms in another room near by. They had short physical connections, which, unlike the internet, are easy to physically secure.

Re:Security

[aybiss]

In actual fact most connections used by HFTs are encrypted AND dedicated.

Re:Security

[jbmartin6]

I would be there is no HFT in the world that is encrypting FIX traffic. Why bother? All the links are cross connects within the exchange's data center.

Re:Security

[BitcoinBenny]

Yeah, HFT encryption is spectacularly rare. I think the argument that the links is short doesn't make much sense to me. If you are talking about third parties hacking the link I guess maybe you make a point, but that wasn't the attack vector I was thinking about. I was talking about third party HFT firms getting hacked and then leveraging those short, encrypted and insecure connections into matching engines to cause problems. I guarantee you that there are exploitable vectors into some of these major markets.

Reminds me of a Tom Clancy novel

[PapayaSF]

I forget which one, but as I recall the solution was to restore everything to the state before the hack, erasing the tainted trades along with all the valid ones.

Re:Reminds me of a Tom Clancy novel

[GameboyRMH]

Wasn't something like this done after the Flash Crash (or some other recent stock exchange fuckup?)

Re:Reminds me of a Tom Clancy novel

[jbmartin6]

Yes, and also after quite a few similar smaller incidents. Remember the scene from the recent Batman movie where Bane stole all of Bruce Wayne's money by forcing him to put his finger on the scanner? A crock. The financial institutions would just undo the whole transaction as soon as Bane left. This is one reason why there is surprisingly little security in certain aspects of the financial system. it isn't like Bitcoin where if someone steals your key file done is done and there is no going back. In the financial world, a whole slew of transactions can simply be reversed and often are. Why spend the money and effort on security when the potential impact is relatively low?

more convenient fear mongering

[Cardoor]

i wonder what newly minted organization that will undoubtedly be called in to 'protect us' while stripping yet more privacy and liberties. (of course getting budgeted billions to do the job). oh wait - theyve already announced it. and it's the benevolent wisdom of the usual suspects that will save us all!

So the takeaway from this is ...

[userw014]

Wow. Something happened, but we don't know what or why.

Re:So the takeaway from this is ...

[bobbied]

Wow. Something happened, but we don't know what or why.

Yea, well, I guess that it's better that we know where it ended up, unlike some airliners in recent history...

Re:Recording all data to and from a machine

[qwijibo]

That would require basically infinite storage and run very, very slowly. In effect, the disk (which is the slowest of CPU/memory/network/disk) becomes the bottleneck preventing any of the others from being well utilized.

There are much better ways to track what happens on critical systems, but they introduce costs that most organizations consider excessive or unnecessary, right until after a breech where they realize how the alternative can be orders of magnitude more expensive.

why hack it?

[JoeJohnson2175]

Isn't wall street doing enough to destroy our economy for their short term benefit? If I was a hacker, I'd pick a more interesting target than one which collapses on its own greed twice in a decade.

Re:why hack it?

[bobbied]

Let me see.. We are due then? Last major crash was 2008 and it's 2014.

You might be right....

"panic quick"? It has been four years. Zero-day bu

[raymorris]

I can only guess you didn't read even the first sentence of TFS. The attack occurred in 2010, so this is hardly a case of "people panic way to quick".

"or it was just a bug" - we have a copy the malware they used, and they exploited at least two zero-day vulnerabilities, and were accessing the system for months.

This incident was kind of a big deal. Someone with sophisticated exploit capabilities had run of Nasdaq's network for several months.

Re:Where's the NSA?

[gmhowell]

Isn't this probaly one of the foremost National Security issues of the US? The freaking Stock Exchanges? You're telling me they don't know to what end, or who was in it?

If even part of this is true, this country really is FUCKED! All the way to the top!

Guess who didn't RTFA?

Rogers is a serial liar

[Lawrence_Bird]

He has lied, willfully exaggerated and generally acted like a complete piece of shit countless times. Do not believe anything out of that man's mouth, ever.

Re:Rogers is a serial liar

[El_Oscuro]

How is that different than any other member of congress?

A nation-state? Baloney.

[ItsJustAPseudonym]

Look no further than a too-big-to-fail company, e.g. Goldman Sachs.

However with colocation ...

[perpenso]

The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

Technically true. However in the quest for low latency there has been a tendency for some to colocate with the exchange. So if an exchange system and a broker system are in the same high physical security room and have a direct connection between them then the risk is mitigated to a degree.

Re:However with colocation ...

[BitcoinBenny]

Well if we are talking physical access control then most of these places have figured it out. My argument is that the threat is from the firms connecting into the exchange. A lot of them have poor border security, and if you don't have any additional checks then what?

Talk about the incident, but not really

[Mister+Liberty]

It's all part of getting the rich richer and the rest frightened.
Don't be tricked by the conmen.

More hysteria

[jbmartin6]

If you review the details, the attackers were on one specific non-trading application owned by Nasdaq and had some access to their internal network. There is no evidence that they had any access to the exchange's systems, which are on a segregated network. In other words "the exchange" was not hacked at all.

The Chinese, the French, the Israelis.

[Eunuchswear]

The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another.

But never the USA.