Slashdot Mirror


SEC Discloses Hackers Penetrated EDGAR, Profited in Trading (usatoday.com)

Chris Woodyard, writing for USA Today: Hackers made their way into the Securities and Exchange Commission's EDGAR electronic filing system last year, retrieving private data that appear to have resulted in "an illicit gain through trading," the agency said. It was only in August that the commission learned that hackers may have been able to use their illegal activities to make ill-gotten gains through market trading, said Chairman Jay Clayton in a lengthy statement posted on the SEC's website. EDGAR, which stands for Electronic Data Gathering, Analysis, and Retrieval, is considered critical to the SEC's operation and the ability of investors to see the electronic filings of companies and markets. The SEC says about 50 million documents are viewed through EDGAR on a typical day. It receives about 1.7 million filings a year.

48 comments

  1. My security test by Anonymous Coward · · Score: 0

    It's getting to the point where my security test is going to be "Are your systems connected to the Internet? If so, you failed my test and I will not do business with you."

  2. So from what I'm gathering... by Anonymous Coward · · Score: 0

    ...if it's connected to the internet, it is currently being hacked. Noted.

  3. Assumption by Archangel+Michael · · Score: 4, Interesting

    Let's just assume that everything has been hacked, and proceed from there.

    Because if it hasn't been hacked, then it will be. And if you think you haven't been hacked, you probably already have been.

    This is the safest assumption of all, and is more than likely to be accurate at some point.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Assumption by Anonymous Coward · · Score: 0

      When we get full blown AI operational, it will be able to easily screen legitimate accesses from illegal intrusions and redirect latter for additional human scrutiny and/or law enforcement action, before the hackers even realize they've been made. Combined with severe and possibly violent, example-setting punishments, the problem should be heavily reduced from the current wild-wild-west state of affairs.

    2. Re:Assumption by Anonymous Coward · · Score: 0

      When we get full blown AI operational, it will be able to easily screen legitimate accesses from illegal intrusions and redirect latter for additional human scrutiny and/or law enforcement action, before the hackers even realize they've been made. Combined with severe and possibly violent, example-setting punishments, the problem should be heavily reduced from the current wild-wild-west state of affairs.

      No, you've got this exactly backwards. Full blown AI will ensure everything that can be hacked will be hacked.

      And considering the current state of security...

    3. Re:Assumption by Wootery · · Score: 1

      Combined with severe and possibly violent, example-setting punishments

      Yes yes, this will be the time that barbaric punishments will finally work as effective deterrents, right?

      You ACs and your poorly-thought-out ideas.

    4. Re:Assumption by Qzukk · · Score: 1

      But with AI we can finally unleash the full force of Roko's Basilisk on them and tell hackers that the AI will torture a simulation of themselves for billions of CPU cycles if they're caught!

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    5. Re:Assumption by hord · · Score: 1

      If violence isn't working, you aren't using enough of it.

    6. Re:Assumption by DCFusor · · Score: 1

      Yup, and when everyone and -thing else has been hacked, I won't stand out as a target as much as before. We might even think of better ways to do ID...

      --
      Why guess when you can know? Measure!
  4. Accountants by fluffernutter · · Score: 4, Insightful

    This will just get worse and worse until organizations understand that technology is as important to their business plan as proper accounting, lawyers and paying shareholders. Up until now it seems to be an afterthought, glommed on and budgeted like office supplies.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:Accountants by Archangel+Michael · · Score: 2

      This will get worse and worse until the people who are supposedly guarding the data get financially destroyed when any breach occurs, and we can start locking up hackers. And since hackers can more or less remain anonymous, locking them up is hardly a deterrent when any script kiddy can hack any system from Mom's basement.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Accountants by olsmeister · · Score: 1

      Actually, the solution is probably to start locking up executives of companies who are found to be negligent in their data protection responsibilities.

    3. Re:Accountants by Anonymous Coward · · Score: 0

      What businesses don't understand is that their websites amount to an open lobby, located everywhere on the planet simultaneously. Convenient for anyone and everyone with internet access to visit 24-7. Whatever you keep in that lobby is just as exposed as if it were a physical lobby at street level in Manhattan. You think your locks are good and your security glass is bulletproof? Substitute 1994 Bosnia for Manhattan, and remember the lack of police enforcement, jurisdiction and extradition - now what do you think?

    4. Re:Accountants by gidzero · · Score: 1

      Until we realize that building secure systems is actually really hard, and we can't just glom on security. There is more to security than making sure systems are updated regularly, audits are performed, and absurd password requirements are met. The GAO report on the SEC's systems (https://www.gao.gov/assets/690/686192.pdf) had these 2 recommendations: (1) Maintain up-to-date network diagrams and asset inventories in the system security plans for GSS and a key financial system to accurately and completely reflect the current operating environment. (2) Perform continuous monitoring using automated configuration and vulnerability scanning on the operating systems, databases, and network devices. Stop rushing software and services to market; understand your software threat / overall architecture. Companies need to understand their applications, dependencies, attack space, how to actually implement security, and what having a secure system means. TLS and SSL don't mean anything if I can compromise an endpoint and now I (as an attacker) have access to your keys and can feed whatever I want into the pipe. Can you MITM your data access / caching layer? Where can attacks come from and what is the impact at each level? What components are you using in the architecture? There is no silver bullet for security. Sure, firewalls, IDS, password requirements, logging, encryption, etc. all help. They don't do anything if they aren't configured correctly, or they are bypassed, or some aspect of the system is wide open.
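
The two GAO recommendations quoted in the comment above (keep the asset inventory current; continuously compare automated scan results against the documented baseline) can be expressed as a small reconciliation check. This is an added example, not code from the GAO report, the SEC, or the commenter; the hosts, roles, ports and package versions below are constructed sample data, and the baseline rules are assumptions chosen to show each kind of finding.

```python
"""Inventory reconciliation and configuration-drift check (added example).

Compares what the system security plan says exists (the documented inventory)
with what an automated scan actually observed, then checks each documented
host against a per-role configuration baseline. All data here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "system security plan" inventory: what the documentation says exists.
DOCUMENTED_INVENTORY = {
    "web-01": {"role": "web", "owner": "filings-team"},
    "db-01": {"role": "database", "owner": "filings-team"},
    "fw-01": {"role": "network", "owner": "netops"},
}

# Constructed per-role baseline (assumed): allowed listening ports and minimum versions.
BASELINE = {
    "web": {"ports": {443}, "min_versions": {"openssl": (1, 1, 1)}},
    "database": {"ports": {5432}, "min_versions": {"postgresql": (12, 0, 0)}},
    "network": {"ports": {22}, "min_versions": {}},
}

# Constructed output of an automated scan: what actually answered on the network.
SCAN_RESULTS = {
    "web-01": {"ports": {443, 8080}, "versions": {"openssl": "1.1.1"}},
    "db-01": {"ports": {5432}, "versions": {"postgresql": "11.4"}},
    "jump-99": {"ports": {22, 3389}, "versions": {}},  # answers, but nobody documented it
}


@dataclass
class Finding:
    host: str
    kind: str    # unknown_host | missing_host | unexpected_port | outdated_version
    detail: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.4' -> (11, 4); tuples compare element-wise, so (11, 4) < (12, 0, 0)."""
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory: Dict, baseline: Dict, scan: Dict) -> List[Finding]:
    findings: List[Finding] = []
    # 1. Inventory accuracy: hosts seen but undocumented, and documented but silent.
    for host in sorted(set(scan) - set(inventory)):
        findings.append(Finding(host, "unknown_host",
                                "responded to scan but is not in the system security plan"))
    for host in sorted(set(inventory) - set(scan)):
        findings.append(Finding(host, "missing_host",
                                "documented but did not respond to scan"))
    # 2. Configuration drift on hosts that are both documented and observed.
    for host in sorted(set(inventory) & set(scan)):
        role = inventory[host]["role"]
        rules = baseline[role]
        for port in sorted(scan[host]["ports"] - rules["ports"]):
            findings.append(Finding(host, "unexpected_port",
                                    f"port {port} open; baseline for role {role!r} allows {sorted(rules['ports'])}"))
        for package, minimum in rules["min_versions"].items():
            observed = scan[host]["versions"].get(package)
            if observed is None:
                findings.append(Finding(host, "outdated_version", f"{package} not reported by scan"))
            elif parse_version(observed) < minimum:
                wanted = ".".join(str(n) for n in minimum)
                findings.append(Finding(host, "outdated_version",
                                        f"{package} {observed} below baseline {wanted}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; useful as the number a dashboard tracks over time."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.kind] = counts.get(finding.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in reconcile(DOCUMENTED_INVENTORY, BASELINE, SCAN_RESULTS):
        print(f"[{finding.kind}] {finding.host}: {finding.detail}")
```

On the constructed data the check reports four findings: an undocumented host (jump-99), a documented host that no longer answers (fw-01), an extra open port on web-01, and a database version below baseline on db-01. Run on a schedule against real scan output, the first two kinds keep the inventory honest and the last two are the "continuous monitoring" the recommendation asks for.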

    5. Re: Accountants by nehumanuscrede · · Score: 2

      They like to use cost as an excuse for poor security. Cheapest hardware, outsourced IT personnel, and always slashing the IT budgets. Security isn't an investment in their eyes, it's an expense. That is why they all like "The Cloud": because it offloads that responsibility onto another's shoulders.

      Not enough forward thinking to understand what happens to their stock price and / or litigation flooding when a serious breach goes public due to their negligence disguised as "cost savings".

      Start jailing the executives of these companies and they'll start taking things more seriously.

    6. Re:Accountants by Anonymous Coward · · Score: 0

      That won't happen unless the penalties for poor security become serious enough. The reason companies care so much about accounting is 1) SEC requirements and the penalties for violating them 2) to develop reporting that helps management manage.

    7. Re:Accountants by Rob+Riggs · · Score: 4, Interesting

      The information security professionals should define security standards, security auditing standards, and security reporting standards, much like we have in the financial realm, for all publicly traded companies. And they should lobby the SEC and Congress to mandate that these be filed with them just like quarterly financial statements. Actually, it's far more likely that we can get the Europeans on board with this, and then it will eventually trickle down to the US.

      --
      the growth in cynicism and rebellion has not been without cause
    8. Re: Accountants by Anonymous Coward · · Score: 1

      nehumanuscrede posited:

      They like to use cost as an excuse for poor security. Cheapest hardware, outsourced IT personnel, and always slashing the IT budgets. Security isn't an investment in their eyes, it's an expense. That is why they all like "The Cloud": because it offloads that responsibility onto another's shoulders.

      Not enough forward thinking to understand what happens to their stock price and / or litigation flooding when a serious breach goes public due to their negligence disguised as "cost savings".

      Start jailing the executives of these companies and they'll start taking things more seriously.

      Your analysis of the roots of executive negligence is, IMnsHO, spot on - although I would have substituted the acronym "MBAs" for "accountants" in the title of my response. After all, it's rare that a mere accountant rises to the executive suite of any significant-size corporation. MBAs, OTOH, absolutely dominate the top ranks of major corporations across the Western world. It is they, and not the accountants who work for them, who prioritize spending and set corporate policy. Accountants, by contrast, are mere hewers of wood and carriers of water, metaphorically speaking.

      The problem lies in your proposed solution: to jail the executives responsible for making security a second- or third-tier priority, rather than a primary concern. You know - the kind of thing on which CEOs decide to spend actual money and devote real effort. There are two principal reasons why MBAs disregard its importance:

      • a. MBA programs throughout the world pound into their students' heads that increasing short-term shareholder return should not be their first priority - it should and must be their ONLY one; and
      • b. current corporate law - at least in the United States - is designed to shield boards of directors and the executives who work for them from personal legal responsibility for their decisions (and thus from their consequences).

      For a lot of this, you can blame SCOTUS's decisions over the course of the past century or so. Especially in times when the court has been dominated by Republican jurists, the Supremes have steadily expanded the "rights" of fictitious persons (i.e. - corporations), and diminished the legal accountability of those who run them. The entirely-predictable result has been exactly the corporate governance trends we've increasingly experienced, especially since the dawn of the Rehnquist court and its philosophical heir, the Roberts version: a precipitous fall in legal corporate executive accountability, and a corresponding rise in corporate fecklessness and misgovernance.

      Nor does it help that MBA programs actively foster careerism in their students - the conviction that loyalty to their current employer is foolish, that the boards of directors who will hire and reward them have no sense of history, and that, so long as they increase quarter-over-quarter returns for shareholders, the damage they do in the process to the long-term viability of the companies they will lead is and should be of no personal concern to them, because, within five years, they'll have moved on to work (for a larger salary and better perquisites) for some other corporate entity, altogether. And the mess they leave behind them will have become somebody else's problem.

      Or opportunity, as the case may be.

      So:

      • 1 - Focus on short-term shareholder return.
      • 2 - Ignore security (because see #1).
      • 3 - Profit!

      (Posting as AC only to avoid undoing up-mods - including for parent.)

      --
      Check out my novel.

    9. Re: Accountants by Archangel+Michael · · Score: 1

      Just one minor complaint on your rant (most of which I agree with).

      The SCOTUS ruled based on the actual law, not what people think the law ought to be. The corporate charter laws are fairly clear on the language.

      The easy fix is to pass the ability to revoke corporate charters for criminal activity. Simply revoking the charter would essentially liquidate and invalidate all assets, leaving the shareholders empty-handed. This would effectively create a culture of ethical profits, not amoral (immoral) profits.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re: Accountants by torkus · · Score: 1

      You'd be surprised how seriously the exchanges take security...and how seriously the SEC pretends to.

      The SEC regularly audits...and digs into all kinds of inane, improbable scenarios while often ignoring gaping holes. Their auditors are usually far more interested in finding 'something' that suits the current trend than an actual look at overall security. I've been through the process with them myself more than once and it's a comical game of 'what if'.

      What if a hacker stole a terminal
      It has a password
      What if they reset the password
      they can't, the drive is encrypted
      What if they got the decryption key
      the accounts are domain based and local logins have no permissions
      What if they compromised the computer itself
      local accounts have no network permissions
      What if they compromised the computer AND got a user login
      they'd still be offline and we don't store local data
      What if they did all that AND got the computer online
      they can't since remote access requires 2FA
      What if they circumvented 2FA
      the computer wouldn't do much good since we'd invalidate the machine certs once it's reported stolen
      What if they circumvented network access control and bypassed the cert checks
      then...they could get online but only as a client access so the most they could do is compromise what that individual could access
      What if they got access to the servers from there
      non-application level production server access requires separate permissions and 2FA
      What if they bypassed that too
      they'd still need admin priv accounts on the server
      And if they had those?
      Then they'd take over the world tonight pinky instead of us. WTF?

      Seriously, conversations actually follow that kind of stupidity. They'll follow some extremely improbable chain of events and ignore things like a 'bad actor' who already has all the access needed to compromise things. But hey, we checked the box for 'doing code review' so obviously no one could EVER slip bad code in.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  5. Maybe by Anonymous Coward · · Score: 0

    Maybe they put so much focus on protecting the trading systems that they lost track of the importance of security on their own document filing system.

  6. and yet nothing of value... by Anonymous Coward · · Score: 0

    ...was lost

  7. So who is exactly using EDGAR for non-illicit trad by Anonymous Coward · · Score: 0

    Legal for one, not for another? 'Us big boys only, the rest of ya go home!' Interesting....

  8. Commander Adama didn't connect to the network... by MikeDataLink · · Score: 1

    Commander Adama in BSG had the solution to all of this! Pull the plug on the network connection!

    --
    Mike @ The Geek Pub. Let's Make Stuff!
  9. Aren't filings on edgar public? by fortfive · · Score: 1

    What could a trader gain by hacking into it?

    1. Re:Aren't filings on edgar public? by Anonymous Coward · · Score: 1

      One possibility they're submitting stuff that appears to be coming from the company, but really isn't.

      This came up about two years ago regarding a fake company trying to acquire a real company, sending shares soaring like 20%...

    2. Re:Aren't filings on edgar public? by chill · · Score: 5, Informative

      Not everything in EDGAR is public. Some items are submitted to EDGAR in advance of actions, and aren't released to the public until later, on a set schedule.

      Those items can be used for frontrunning trades, and are essentially "insider information".

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:Aren't filings on edgar public? by BlueStrat · · Score: 0

      Those items can be used for frontrunning trades, and are essentially "insider information".

      But those in Congress can profit from "frontrunning" stock trading using their "insider information", it's only fair that others can as well, right?

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    4. Re:Aren't filings on edgar public? by BlueStrat · · Score: 1

      Wow, modded 'Troll' for dissing Congress, as low as their approval polls have been?

      Must be some bored Congresscritters or their staff are trolling Slashdot comments in between passing Acts and laws selling-out the US population and exempting themselves from insider stock trading laws.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  10. My bet by fubarrr · · Score: 3, Interesting

    I bet that what they are talking about refers to people being able to see a company's statements earlier than their nominal publication date. No hacking was required; they just had to make up a URL parameter.
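
The post above is a guess about the cause, not an established fact. If that were the mechanism, the defect would be an access check that trusts the URL: a document identifier that exists gets served, whatever its release date. The added example below (not SEC/EDGAR code, and not the commenter's) contrasts such a lookup with one that enforces the publication schedule on the server, so that guessing or altering a parameter cannot reveal a filing early. The filing identifiers, release times, filer account names and the `AUDIT_LOG` list are constructed for the example.

```python
"""Server-side embargo check for pre-release documents (added example).

Two lookups over the same constructed store: `lookup_naive` serves any
identifier that exists, `lookup_embargo_aware` serves a document only once it
is past its release time (or to the account that submitted it) and records
every denied early request.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed filing store: identifier -> release time, submitting account, content.
FILINGS: Dict[str, Dict] = {
    "0000000001-17-000001": {
        "release_at": datetime(2017, 9, 20, 13, 0, tzinfo=timezone.utc),
        "filer": "acme-corp",
        "body": "Q3 earnings: constructed sample text",
    },
    "0000000001-17-000002": {
        "release_at": datetime(2017, 9, 22, 13, 0, tzinfo=timezone.utc),
        "filer": "acme-corp",
        "body": "8-K: constructed sample text",
    },
}

# Constructed "current time": the first filing is public, the second is still embargoed.
SAMPLE_NOW = datetime(2017, 9, 21, 12, 0, tzinfo=timezone.utc)

# Constructed stand-in for the application's access log.
AUDIT_LOG: List[Dict] = []


def lookup_naive(params: Dict[str, str]) -> Optional[str]:
    """Weak form: trusts the URL. Any identifier that exists is served,
    so a valid-looking guess reveals a document before its release time."""
    filing = FILINGS.get(params.get("id", ""))
    return filing["body"] if filing else None


def lookup_embargo_aware(params: Dict[str, str], now: datetime,
                         user: Optional[str] = None) -> Tuple[Optional[str], int]:
    """Hardened form: the release schedule is enforced here, not by the URL."""
    filing_id = params.get("id", "")
    filing = FILINGS.get(filing_id)
    if filing is None:
        return None, 404
    released = now >= filing["release_at"]
    is_filer = user is not None and user == filing["filer"]
    if released or is_filer:
        return filing["body"], 200
    # Deny and record. A request for an embargoed document from an unrelated
    # party is exactly the pattern a defender wants to see in the log.
    AUDIT_LOG.append({"id": filing_id, "user": user, "at": now.isoformat(),
                      "outcome": "denied_embargoed"})
    # Same status as "does not exist", so the response does not confirm that a
    # document with this identifier is waiting to be released.
    return None, 404


def denied_embargoed_count() -> int:
    """How many early requests were refused; a spike here is worth an alert."""
    return sum(1 for entry in AUDIT_LOG if entry["outcome"] == "denied_embargoed")


if __name__ == "__main__":
    embargoed = {"id": "0000000001-17-000002"}
    print("naive:", lookup_naive(embargoed))                       # leaks the 8-K
    print("checked:", lookup_embargo_aware(embargoed, SAMPLE_NOW))  # (None, 404)
    print("denied so far:", denied_embargoed_count())
```

Two design points: the release time is a server-side property of the record, so nothing a client sends can change it; and the refusal uses the same status as a missing document, so probing identifiers does not reveal which ones exist but are not yet public. The audit entry is what turns a blocked request into a detection signal.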

  11. Re:Actual security test by Anonymous Coward · · Score: 0

    we need to dumpo the trumpo

  12. Re: Actual security test by Anonymous Coward · · Score: 0

    It's Her turn, down with Bern!!

  13. It will not get better any time soon by Anonymous Coward · · Score: 1

    The SEC has really been focusing on security the last few years, which is good in some ways, pointless in others, and dangerous at the same time. What auditors always want is documentation. If you create some really nice documentation then they are happy. I have never seen any real meaningful attempt to validate security by the SEC or auditors. Some clients really try, but they just want indemnification. One thing about the documentation is that if you create complete and accurate documentation and provide it to the auditors, how do you know they will protect it? It seems to me the more people you provide with your security documentation (all auditors and clients want it), the less secure you are.

    The only way a system is going to be secure is if the people running the security are more knowledgeable and motivated than the people attacking. That is just not going to happen at most companies. Companies add bureaucracy to solve problems. Security cannot be improved this way and is most likely harmed by it.

  14. Mattresses and buried coffee cans by Rick+Schumann · · Score: 2

    Are we approaching the point where your money and valuable personal information are only safe if they're stuffed under your mattress or buried in a coffee can in your yard somewhere? I'm only half kidding.

    1. Re:Mattresses and buried coffee cans by torkus · · Score: 2

      Two people can keep a secret if one of them is dead, and the other doesn't have internet.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  15. Re:Actual security test by Anonymous Coward · · Score: 0

    Too late for you to learn how to spell, obviously.

    It's not too late for the cry babies to get a life!

    What a loser!

  16. Re: Actual security test by Anonymous Coward · · Score: 0

    Trump is terrible, but this has absolutely nothing to do with Trump, and you're boring. Please fuck off with this shit until such time as you have an opportunity to die in a fire.

  17. Government/Government Entity by oldgraybeard · · Score: 1

    The truth is if anyone wants something to get out to the public have a government/government entity collect and centralize all the sensitive information in order to protect it.

    And BAM! it is in the WILD!! ;) lol

  18. NSA == Profit ? by Anonymous Coward · · Score: 0

    And how much can/does the NSA make from trading based on what must be the superset/ultimate of insider information?

    How much proprietary non-patented IP, or corporate strategy information, are people within the NSA in a position to sell, based on their government-sanctioned snooping of all domestic information transfer?

  19. Re: Actual security test by Anonymous Coward · · Score: 0

    Doesn't accountability flow upwards?

    Some folks were pretty quick to blame Obama (or, yes, GWB, Clinton, GHWB, etc..) for everything that happened in the executive branch..

  20. Trace the Money? by bill_mcgonigle · · Score: 1

    Let's see them trace the money to prove who the criminals are.

    Many states are saying cryptocurrencies need to be regulated by them so that crimes can be traced, like fiat money.

    Let's see the crime-fighting performance on this USD alt-coin, then.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Trace the Money? by Anonymous Coward · · Score: 0

      Every trade in a US-listed security can be traced back to a SSN (or a foreign account). The problem is separating the bad guys from everyone else. If you know exactly the security, date, and time of the suspected transactions, you might be able to narrow down the search to several thousand individuals. Extensively investigating that many people (often manual effort of eyeballing through past activity, etc.) to maybe nab one bad guy is not practical.

      Unless of course there's an anonymous tip that such-and-such individual is up to no good, and even then, the SEC would need hard proof to even request the closing of said individual's brokerage account (for the SEC to bring up an often-dismissed case against someone, they'd have to be pretty bad [think many millions in gains] and hurting others [others with deep pockets, such as investment banks] with their actions).

  21. Re:Actual security test by Anonymous Coward · · Score: 0

    If it was last year, then this happened before Trump took office. Thanks, Obama.

  22. How could they tell hackers had penetrated Edgar? by Anonymous Coward · · Score: 0

    The SEC kinda figured it out when Edgar started walking funny, avoided eye contact and hardly ever sat down.

    "Please have a seat, Edgar"
    "No, no. I'm fine. I'll stand."

  23. Re:Actual security test by Anonymous Coward · · Score: 0

    it's clit-ons all the way down