Slashdot Mirror


The Hacking of NASDAQ

puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"

15 of 76 comments

  1. The market is rigged already by Anonymous Coward · · Score: 4, Insightful

    Would we even notice if it was hacked?

    1. Re:The market is rigged already by GameboyRMH · · Score: 5, Insightful

      Exactly. Do your worst, black hats. The system's already rooted by Wall Street bankers.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:The market is rigged already by GameboyRMH · · Score: 5, Insightful

      That's not a perfect analogy, but it's not too far off.

      It's more like this. There's a classifieds forum which regular users can refresh once every 10 minutes. Special users with a paid subscription can refresh once per second.

      You post "Bicycle wanted, will pay up to $500" and someone else posts "Bicycle for sale, $400" then the speedy special user buys the bicycle for $400 and puts it up for sale for $500 before you or the seller can refresh (at best, when they're not doing even shadier things like spamming the forum with fake Wanted posts etc).

      Somehow this is supposed to produce value. I think it has a similar effect on the economy to either robbery or counterfeiting currency. I can see no way this produces any value.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:The market is rigged already by lgw · · Score: 4, Insightful

      You've got it completely backwards, is the thing. Don't worry, most people get this backwards, because they reason from "these guys must be evil" to "ahh, so it must work like this".

      It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK:
      * Mr B posts "Bicycle wanted, will pay up to $500"
      * Mr S posts "Bicycle for sale, $600"
      * Special user says "OK, now buying bikes for $520, selling for $580"
      * You post "buying 1 bike, best price".

      You get the bike $20 cheaper. The market maker takes a risk here: that he can balance buys and sells, and not get left holding the bag when the price changes.

      But the story gets better:
      * Special user 2 says "Oh, I see you Special 1, I'm now buying bikes for $525, selling for $575, hey, $50 a bike is better than nothing."
      * Special user 1 says "Oh no you didn't, Buying for $530, selling for $570"
      * Very quickly it's $550/$551.

      You get the bike for $551, $49 cheaper. I've seen this happen over the past 15 years, where the bid-ask gap shrank by that much on options. Competition is so fierce you see sub-cent pricing now: you'll get filled at $550.0001 or $549.9999 sometimes, because in very active markets these guys can make a killing with less than 1 cent profit.

      Do you see now why it adds value?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:The market is rigged already by aybiss · · Score: 2

      The thing is that this is so wrong and simply not how things work. Nobody would trade on a market where the first person to bid or offer is not the first person to trade. In your example, as soon as someone said 'will pay $500', they would be given the bike that was available at $400. And they would pay $400, not $500.

      The other thing is, even if this did occur, the person wanting to pay $500 for a bike has gotten what they want. This is called liquidity and it's valuable in its own right. If they didn't want to pay $500 for a bike then they shouldn't go to a market place and say that they did. But they did, because they didn't want the $500 as it won't help them travel to the shops (by itself).

      --
      It's OK Bender, there's no such thing as 2.
    5. Re:The market is rigged already by flajann3290 · · Score: 2
      I really think using bikes is a bad analogy (unless you are discussing Futures markets, but even then!!)

      They are exchanging one token for another. They are exchanging the money tokens for corporate tokens (in the case of the equities market). The only real thing you can do with most corporate tokens these days is to trade it back for the money tokens.

      Some stocks, a few, still pay dividends, but most do not. And voting rights??? Hahaha! Unless you can own 51% of the corporate stock, your votes are nothing. And in many cases some owners DO maintain 51% just to quell the voice of the other stock holders....

      The market is not "rigged", per se, but neither is it the smooth-talking bit that many try to sell you on. The true nature of the stock market is a zero-sum game, a free-running and legalized Ponzi scheme. And when I say zero-sum, I mean it in the mathematical sense. It kills me that some of our specialized and technical jargon has slipped out into the popular media and has taken on completely different meanings than were intended.

  2. First question ... by gstoddart · · Score: 2

    Was it a foreign government, or your own government?

    Quite frankly, I find either plausible.

    --
    Lost at C:>. Found at C.
  3. Security by BitcoinBenny · · Score: 5, Insightful

    The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

    1. Re:Security by gstoddart · · Score: 4, Insightful

      There is a perverse incentive not to properly secure exchanges because security is slow.

      When so much profit depends on fast, direct access to skim money off the top with high frequency trading, these people do not want security.

      They want to be able to access the system directly, and security be damned.

      --
      Lost at C:>. Found at C.
    2. Re:Security by bobbied · · Score: 2

      For the longest time people were sending ethernet raw packets...

      So? Look, there are two possible approaches to security here and you don't need a fully encrypted VPN link between two buildings to have a secure link. You could just put your own wire between the two locations and protect the wire from unauthorized physical access.

      I'd not suggest you put sensitive financial data on the internet "in the clear", but if you are sure the physical link is only available to your intended destination, you can safely send all the data you want in the clear. If you look at the configurations being used, what was really happening was the exchange was in one room and the traders had platforms in another room nearby. They had short physical connections, which, unlike the internet, are easy to physically secure.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  4. Reminds me of a Tom Clancy novel by PapayaSF · · Score: 2

    I forget which one, but as I recall the solution was to restore everything to the state before the hack, erasing the tainted trades along with all the valid ones.

    --
    Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
  5. more convenient fear mongering by Cardoor · · Score: 3, Insightful

    i wonder what newly minted organization that will undoubtedly be called in to 'protect us' while stripping yet more privacy and liberties. (of course getting budgeted billions to do the job). oh wait - they've already announced it. and it's the benevolent wisdom of the usual suspects that will save us all!

  6. "panic quick"? It has been four years. Zero-day bu by raymorris · · Score: 3, Informative

    I can only guess you didn't read even the first sentence of TFS. The attack occurred in 2010, so this is hardly a case of "people panic way to quick".

    "or it was just a bug" - we have a copy of the malware they used, and they exploited at least two zero-day vulnerabilities, and were accessing the system for months.

    This incident was kind of a big deal. Someone with sophisticated exploit capabilities had run of Nasdaq's network for several months.

  7. Rogers is a serial liar by Lawrence_Bird · · Score: 3, Informative

    He has lied, willfully exaggerated and generally acted like a complete piece of shit countless times. Do not believe anything out of that man's mouth, ever.

  8. Re:Final Objective? by Stolpskott · · Score: 2

    'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

    Ummm to make money or destabilize our economy?

    Makes one feel good that you are the head of the Intelligence Committee.

    The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The analogy used in the BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at what areas the bad guys had access to and where they went. In a private home, there is the external alarm - once that is down, you have no way of knowing where the guys went unless they leave a physical trail. In this case, while it might be expected that Nasdaq would be the IT security equivalent of a bank, they apparently were the equivalent of a home owner who left the alarm deactivation code on a piece of paper taped next to the alarm console.

    Let's try a few plausible options, based on the article. Determining the probable source of the hack/attack will help there.
    The core of the malware used was a 0-day exploit kit that had previously been attributed to a team within the Russian FSB's electronic warfare group, suggesting that the Russians may be behind this. At the approximate time the hack took place, the Russians were combining their two domestic stock exchanges into what they planned as a single super-exchange to rival Nasdaq, NYSE, LSE in London and the Hang Seng in Hong Kong. Probably a dual-purpose reason being (a) increasing international prestige and economic diversification, and (b) preparation for pressurising large Russian companies whose stocks were listed on international exchanges to draw back and list exclusively on the new Russian exchange, thus reducing the potential leverage and influence that US and international governments would have over those Russian companies (thinking sanctions, as with the current situation in Ukraine). For the Russians therefore, a plausible action would be to hack the Nasdaq exchange servers and copy the software code that powers the exchange, so that they can use it or modify it for their own exchange - believe it or not, the code for the Nasdaq exchange is generally considered to be world-beating, so that would be a viable target.

    Second, the CIA apparently found some information in the real world suggesting Chinese connections - the Chinese People's Liberation Army certainly had electronic warfare capabilities, and conceivably might plant an electronic bomb in the Nasdaq systems for use at a later date if it proved convenient. Equally, with the Chinese approach to IP and industrial espionage, hacking to steal the code in a similar way to the Russian scenario is possible.

    Both of those governments' bureaucrats are often known to be corruptible and have links to organised crime, so there is another possible source for the attack, with the goal of either blackmailing Nasdaq or gaining access to the not-yet-public information stored on the compromised systems to give them advance knowledge of information that would move stock markets and prices (financial gain).

    In determining the source of the attack, the origin of the malware used is not the greatest indicator - malware kits can be copied as easily as any other software, so either an actor within the FSB may have sold a copy to someone, or another hacker may have hacked a completely different system infected with that malware kit and downloaded the elements of the kit they could find, reverse-engineering the rest. So just because the FSB are credited with creating a previous version of this specific kit does not mean