NYSE Leaves Confidential Infrastructure Data Exposed
As the topic of high frequency trading gains attention, Wired magazine has released this stunner about just how "secured" mission-critical data on the world's largest exchange truly is.
Sensitive information about the technical infrastructure of the New York Stock Exchange computer network was left unsecured on a public server for possibly more than a year, Wired.com has learned.
The data was removed after Wired.com disclosed the situation to the NYSE. It included several directories of files containing logs, server names, IP addresses, lists of hardware, lists of software versions running on the network, and configuration and patch histories (including which patches have not yet been installed). It was all available on a publicly accessible, unprotected FTP server maintained by EMC, a company that sells storage systems and managed services to the NYSE and other companies.
The information could allow an intruder to map the NYSE’s network architecture and determine what vulnerabilities exist in the system.
For example, one of the documents posted on the server was an Excel spreadsheet, called a “heat report,” which consisted of a long list of low-level and high-level warnings, some of them indicating where patches had not yet been installed, such as the one below:
WARNING : Solaris 5.9 kernel patch fix 122300 is not installed.
It’s unclear how long the information was left unprotected on the server, but a note posted amid the files by an EMC employee named Dan Sferas read, “This directory contains all relevant data to the NYSE account.” The note was dated April 2, 2008.
A source knowledgeable about the leak, speaking on condition of anonymity, said that the FTP server was used to share configuration information among EMC engineers, vendors and customers. “This was a breakdown of process within EMC, and normally that information would not be accessible to the public,” said the source.
If this was uncovered accidentally, and presumably highly sensitive and confidential infrastructure information has been floating around for "more than a year", one can only imagine how many other critical leaks exist within the exchange that trades well over one billion shares daily. It is imperative that the NYSE immediately disclose who has had access to these data, and just what effect potential abuse of this information, floating in cyberspace, may have had on the integrity of capital markets.
Regardless, it merely reinforces the notion that concentrating too much capital markets power in the hands of one exchange is simply an unacceptable risk, especially in light of the points brought up by Paul Wilmott in the prior article.
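The leak above came from anonymous downloads off an unprotected FTP server. As an added example (not from the article, Wired, or EMC), here is a Python audit that reads a server's own xferlog (the wu-ftpd/vsftpd transfer log format) and flags anonymous, completed downloads of files whose names look like infrastructure data. The log lines, hosts and filename patterns are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample xferlog lines (wu-ftpd/vsftpd transfer log format), not real NYSE/EMC data.
# Fields: timestamp, seconds, remote host, bytes, path, type, action, direction (o=download,
# i=upload), access mode (a=anonymous, g=guest, r=real), user, service, auth, auth-user, status.
SAMPLE_XFERLOG = """\
Mon Jul 27 10:15:02 2009 1 192.0.2.10 4521 /accounts/heat_report.xls b _ o a anonymous@example.com ftp 0 * c
Mon Jul 27 10:15:09 2009 2 192.0.2.10 88213 /accounts/patch_history.txt a _ o a anonymous@example.com ftp 0 * c
Mon Jul 27 10:16:40 2009 1 198.51.100.7 1024 /pub/README b _ o a mozilla@ ftp 0 * c
Mon Jul 27 11:02:11 2009 3 203.0.113.5 77000 /accounts/server_inventory.csv b _ o r jdoe ftp 1 jdoe c
Mon Jul 27 11:05:00 2009 1 192.0.2.10 3100 /accounts/upload.bin b _ i a anonymous@example.com ftp 0 * c
"""

XFERLOG_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<ttype>[ab]) (?P<action>\S+) (?P<dir>[oid]) "
    r"(?P<mode>[agr]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuser>\S+) "
    r"(?P<status>[ci])$"
)

# Filename fragments that suggest configuration, patch or inventory data (constructed list;
# extend it to match the naming conventions of your own environment).
SENSITIVE_NAME_RE = re.compile(
    r"(patch|config|inventory|heat[_-]?report|ip[_-]?list|hosts?\b|passw)", re.IGNORECASE
)


def parse_xferlog(text):
    """Parse xferlog text into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records


def flag_anonymous_exposure(records):
    """Return {remote_host: [paths]} for completed anonymous downloads of sensitive-looking files.

    Only direction 'o' (server -> client), mode 'a' (anonymous) and status 'c' (complete) count;
    authenticated users and uploads are left for a separate review.
    """
    findings = defaultdict(list)
    for rec in records:
        if rec["dir"] != "o" or rec["mode"] != "a" or rec["status"] != "c":
            continue
        if SENSITIVE_NAME_RE.search(rec["path"].rsplit("/", 1)[-1]):
            findings[rec["host"]].append(rec["path"])
    return dict(findings)


if __name__ == "__main__":
    for host, paths in flag_anonymous_exposure(parse_xferlog(SAMPLE_XFERLOG)).items():
        print(f"{host}: anonymous download of {len(paths)} sensitive-looking file(s)")
        for p in paths:
            print(f"    {p}")
```

Run it against /var/log/xferlog on any FTP server that still allows anonymous logins; a non-empty result is the signal that the directory listing, not just the log, needs review.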
speechless. emc is the international, government approved, nato used, officially stamped backup / business continuous volume manufacturer of choice. if this is what we can expect from the big guns, kids, lookout.
for those of you that do not have to interact with EMC on a professional basis, as i do daily, please note that this does not come as a surprise to me.
while they may 'lead the world' in many areas, professional organization is .... "not" .... one of their strong points. their technology is great but their people are a joke.
one word: "Dummies"
your call for disclosure from the NYSE based on the integrity of the capital markets presupposes that said integrity exists at this point.
very correct lizzy36.
Odds are improving that a Black Swan wears a Black Hat.
i think we passed the point where we could only have one black swan, man i can see a whole flock of them on the horizon ...
This ties in beautifully with that POS "Trust Us" video Duncan was rambling about. What a marketing dept. they have!
Hearts and minds, people, hearts and minds....
Perhaps the FBI should get involved--this is WAY bigger than Sergey.
Agreed. A leak like this, if it is true, could be devastating. The blurb about the kernel patch is alarming - if true the hacker knows at which build level the OS was running at the time of the report. Solaris is a good OS, but all computer systems are vulnerable at the level of the information that is available. As ZH found yesterday port scans don't reveal that much about a networked computer, BUT a dedicated black hat with detailed information about the OS can really be destructive. Root kits, duplicate user accounts, trap doors, DDOS attacks. You name it, that is where they begin.
Bob, given the allure of high prestige targets and the sheer number of hackers who love doing this stuff, would it not be virtually certain that they DID get "hacked"?
There's an intrusion, and there is the installation of a root kit. Just getting in usually is not enough. If the system has few services (ftp was running on this one, how about smtp?) and the permissions are screwed down tight, then maybe an intruder wouldn't get too far. See:
http://www.snort.org/
No computer is completely secure, unless it's turned off.
What? There are very accurate remote OS/service guessing algorithms that use things like TCP sequence number fingerprinting. Even if an attacker has no idea what platform a remote target is on, it doesn't take very long to run through an exhaustive list of the most common known exploits for all OS's. This really isn't that big a deal, seriously. There is also a very slim chance that any of these machines were publicly accessible in the first place.
And, by the way, devoid of any information of the sort, attackers are blindly trying exploits out on every possible IP address IPv4. This happens all day long, every day. Get a clue. If a machine is vulnerable and outward-facing, it will eventually be compromised -- no list of patch levels required.
True. But you're just asking for trouble by running exposed like that. I guess it was port 21. That's always a problem.
According to Wired, "It was all available on a publicly accessible, unprotected FTP server."
Hee hee. Unprotected FTP...as if there were any other kind.
Long gone are the days when we should even think of exposing clear text, non-passphrase protected protocols on the Interwebz.
Somebody got caught with their pants down.
I would assume that NYSE has some pretty tough NDA's with the EMC folks, but look, this is the EMC folks fault. But there is also such a thing as common sense, I mean, if microsoft asks you to send a list of passwords to help you figure out 'what's wrong with your servers' they may well intend to use them for the right reasons, but any halfway decent tech would still tell them "no."
That is not a high hurdle, is it?
But Sergey can dance!
Nothing is secure. It is all just an illusion.
Kathleen Hayes (Bloomberg TV reporter extraordinaire) "take transportation out of durable goods orders and they were actually up 1.6%"
I look forward to hearing from Bloomberg contributor Tom Daschle on health care reform.
These guys are actually worse than CNBC - as they have an aura of credibility so some people might actually buy what they are saying.
of interest I believe that she and DK get their eye glasses from the same Wal*Mart
Kathleen Hays is a university trained economist with experience at the Federal Reserve and who is now an on air financial reporter for Bloomberg Television. She was formerly a reporter for Investor's Business Daily, CNBC's Squawk Box and various CNNfn programming before joining Bloomberg.
---------
from wiki...see fed experience
surprised she's a sheep cheerleader
It was interesting to read the unique 'spin' put on Durable Goods this morning by CNBC and Bloomberg: CNBC says 'Durable Orders Plunge'; Bloomberg says 'U.S. Durable Goods Orders, Excluding Cars and Planes, Unexpectantly Advance'. They both are enough to give you whiplash... spin is king right now.
They can't spin it because it all feeds into GDP. You know, that number they promised would be positive the second half of the year.
Oops...was Dennis Kneale:
A) wrong? B) premature? C) clueless? D) all of the above
they should exclude all the negative data, everything would be positive then. who needs reality?
this isn't exactly news and it doesn't really reflect that badly on the NYSE. the data is clearly on an EMC server. and only reflects badly on the NYSE insofar as they have entrusted this confidential infrastructure data to EMC and they have distributed it publicly...
The above post:
"Inner thoughts"
is brought to you by Duncan Niederauer. Enjoy!
Well, EMC has a lot of explaining to do. In this business your suppliers gather a lot of information about you, especially when they provide you consulting services to setup the equipment or software that they sell you. Those suppliers of course have that information stored somewhere. NYSE, and other EMC clients who had their tech stuff exposed like this should be looking for some recourse to make sure this doesn't happen in the future, or EMC is going to be losing business.
Well, EMC has a lot of explaining to do.
No they don't. Some people at the bottom of the project's food chain will either get a stern talking to or at worst fired. At the service-contract/executive level the blame will be shifted to project workers.
When in fact the *how* it happened is most likely that service-contract-level people who might need the data for a management meeting found PKI "too complicated" and told the admin to "make it easy." This scenario is very common.
Wired is merely exploiting what is very common knowledge in IT.
Tyler, you are attempting to write about things for which you have no clue. It would be an improvement if you would not run stories like this. Or, maybe run the story by someone who is *in* IT to do a paranoia/reality check. I'm sure I'm not the only IT person who visits your site.
In context, EMC has a lot of explaining to do to its clients. Whatever they do internally it's their own business, but in cases like this has to be explained.
But the title of this "Tyler" post makes it sound like it's NYSE who left the data exposed. That's not what happened. And other EMC clients are now probably calling EMC top management asking them to clean up their act.
"But the title of this "Tyler" post makes it sound like it's NYSE who left the data exposed. That's not what happened."
Try using that defense in court and see what happens.
OK, suppose that someone exposes all the data about ZH servers that periquito and ecatel have left exposed. I'm guessing you would blame ZH for that, even though ZH may have some claim against those providers for that breach.
You can share your responsibility but your portion is not diminished.
Agreed. Why are they using an FTP server in the first place? Some low-level dipshit who doesn't know any better used their anonymous FTP server for something that should have been on a private repository.
that's very common, for example the Cisco IOS for routers and switches is upgraded via tftp from some unsecured tftp server.
security in IT is still an afterthought. functionality first, lets worry about security later or not at all.
THIS JUST IN -- CHUCK SCHUMER REQUESTING BAN ON FTP SERVERS.
high five anony!
Anyone with a background in large infrastructure IT knows that detailed info on the infrastructure is in many hands. This is embarrassing for EMC. Beyond that, you have to build and protect infrastructure assuming your worst threat is in fact inside the corporation with detailed knowledge. Settle down TD.
One luxury home sold in Florida yeh the Housing market is recovering.
woops sorry it dropped out of escrow. Buyer lost their job at Goldman Sachs.
WalMart has a sale on compaq laptops for 298.....the ten minimum/store deal, starting 7-26. I saw the ad yesterday and figured "they're gone" as I am looking for a cheap laptop. wife calls today and the local walmart says they have at least 20 and nobody is buying them
I guess this is my anecdotal deflation story of the day.
Also, with all of this computer security talk going on, I'm feeling pretty confident that none of these hacking phucks will be able to break into my brand spanking new $298 laptop.
I'm feeling pretty confident that none of these hacking phucks will be able to break into my brand spanking new $298 laptop.
Seriously? If it runs Windows and you are using it to connect to the Internet they own it at will.
FYI: A meaningful improvement to your situation would be switching to a Linux distro. Ubuntu is good for newbies like you. http://ubuntu-releases.eecs.wsu.edu/hardy/ubuntu-8.04.3-desktop-i386.iso
CZ...thank you....though I was being tongue in cheek, i genuinely appreciate the Ubuntu info and thank you for it. what thinx about avoiding the vista and putting in firefox? thanks!
what thinx about avoiding the vista and putting in firefox?
Erm. Well, you see even if you switch to firefox, your operating system is *still* Vista. It helps, but you are still at the mercy of the operating system security that hasn't changed since windows 2000. They've added more cruft on top of the system to give the appearance that it's somehow different, but really? it's about the same.
The digital restrictions management (drm) in Vista is enough to give me a rash.
Linux is different in some important ways. When you get comfortable with the idea that it's possible to safely do many things that Vista nags or prevents you from doing, then the potential of the Internet beyond the media controlled sh!t pipe it has become opens up.
For the fun of it, I reckon you have at least linked to the DVD and not to the CD iso image?
hahaha.
No idea. It should be enough to get anyone going though.
If you are running on old hardware (IDE drives; SATA isn't well supported!) you can go here for a Debian online install. http://goodbye-microsoft.com/
Or, buy a cheap used laptop and put any version of Linux you care for on it. Slackware rules.
"Sensitive information about the technical infrastructure of the New York Stock Exchange’s computer network was left unsecured on a public server for possibly more than a year, Threat Level has learned."
"...logs; server names; IP addresses; lists of hardware; lists of software versions running on the network; and configuration and patch histories, including what patches have not yet been installed. It was all available on a publicly accessible, unprotected FTP server..."
omfg. So much for secure access to or from that network.
Those of you not in the biz: the process of scanning the Internet for possible connections is automated, and has been for more than a decade. Give the scanner a range of IP's to scan, preferred ports, and go to work / school. When you return, you are presented with a list of found open ports for "further investigation" (old way). Attacks / compromises can also be automated, so now you could come home and have a list of new toys to play with. I can confidently predict that the information from the ftp server was found and copied within hours after it was actually posted there, a year ago or more. Since the data contain patch histories, compromising listed boxes is child's play if they are publicly accessible or can be reached through other boxes that are themselves both compromised and publicly accessible.
In other words, if Fred uses his workstation to control the HFT box, and Fred can also surf the Internet, if this data includes patch history on the HFT box then the HFT box is in serious jeopardy because Fred's workstation is pwnable. Even better scenario is one where Fred uses his workstation to configure real time trading data accessibility. You see where I'm going with this.
This is inexcusable. Whose goddamned brother-in-law got this contract?
Given the nature of the network, the possibilities here are mind-boggling. And given the facts of this disclosure, it seems safe to assume that the managers of this network are not up to the task.
With virtual certainty that the info got out, is it not almost as likely that it was exploited for some kind of concrete gain? In the hacker world, somebody's gonna see the opportunity and make sure they get PAID somehow, right?
IMO yes.
Does that make you wanna get a full look at Sergey's code?
Could bring things full circle, with the crooks using the FBI to cover their own crime . . .
comms guy, not a coder.
NEVER think that just because some entity is structurally important or even if it isn't that it conducts its affairs as if it is. This provides just one more example of how different the view can be from various vantage points. In this it is prudent to remember that in the quest for data one should always look everywhere one might be able to develop it and to check how folks respond to differing data stimulus.
there is only one thing to say; MASSIVE FAIL
bunch-a-n00bs ...
Look - we have two choices: We either come up new Ponzi scheme to swallow up the current ponzi scheme or we slowly unravel and crash over the next three years. That's it. There is no equilibrium, no balancing the weight of infinite greed. The tsunami wave is oscillating and building up strength.
Homeland Insecurity. Glad Cheney's Goons are so worried about listening in on sex-chat and dial-a-porn while the nation's largest financial exchange runs around with its pants down grabbing its ankles.
Most likely discussion is all we'll get from the 20 senate hearings we'll get on this topic over the next 5 years as they pass the buck around while GS grandly greases the wheels funding lobbyists, campaigns and paying massive bonuses with the "winnings" all the while government is finding the right way to politicize the issue so some party can gain a power base out of this mess which will happen only after the fact and GS has been destroyed (akin to shooting someone that is already dead).
I think I got that right? Wash, rinse, repeat.
The most important information that report could give is an internal diagram of server IP's, OS's (versions, service pack level), and types of network equipment; that would be stunningly valuable for a cracker. Do a driveby with a laptop with NetStumbler and GPS and you could quickly find out if they are stupid enough to have wireless access (not easily hacked BUT doable). If they have wireless access points, a short hop into the heart of the network. Now I have all of the wired news information and I know what servers to go after, what root kits or software needed to crack the servers. The information is an information loss of incredible magnitude. Here's how a hack would work:
1) If you dont know NYSE...check netsol and arin for their IP's and webserver URLs and info.
2) DNS lookups for all IPs located. Map out their external connections to the Internet
3) Well, since Wired was kind enough to give me a plethora of internal information , I would hope some of that info would include IP's of all IDS systems (OS's thereof!), list of network and host based systems, IP of routers and IOS's (assuming Cisco), IP's of all Servers, and if they have VLAN's....etc That kind of information is extremely hard to get unless you have an inside guy. THIS IS WHY THE WIRED INFORMATION IS CRITICAL.
4) Using all of the above information, ALL I NEED is a SINGLE entry point...a rogue WAP, a rogue modem, send someone in the office a trojan that creates a tunnel thru the network to their machine so I can use it as a launching platform for attacks. There are 50 different ways to get into a network and never have to worry about going thru their phalanx of firewalls and what not.
The wired news article gives STUNNINGLY good intel for attackers. A moderate hacker instead of a highspeed hacker could now damn near crack them.
-Silence Dogood
FYI to my fellow IT Pro's, to lock down wireless: I put my WAP's OUTSIDE my firewall and VPN thru my AES encrypted tunnel into my personal network. WAP's SHOULD NOT BE in a network in my humble opinion. I demonstrated to a client how I could figure out how to crack his wireless network as he had it "secured". Took me 30 mins.
-Silence Dogood
thanks again silence...very, very interesting.
That's right. Wire is still the best. None of the wireless encryption protocols that are commercially available are secure enough. You are correct, thirty minutes would be all that is needed. Of course any sensitive traffic should be going through https anyway.
Time to stir the pot again...
Gold does not require an exchange to trade. Just an exchange of goods between two people.
I am Chumbawamba.
I'm convinced that information 'leaked' on retail traders is immense and in-depth.
It’s OBVIOUS that there is more money to be made by pounding day traders, than by legitimate investing and speculation on business growth.
And there's your sign...
I wonder if this kind of a thing provides a "cover" or "back story" for those doing bad things to then say "hey, it wasn't us, everyone had access since April 2008." In other words, leave this out deliberately as a defense.
Agreed, along with the Goldman Sachs code. The two go nicely together and both have G.S. fingerprints and the same theme - they can both be used to manipulate the market.
I was waiting for someone to tie this story into GS. Nicely done, but you did make me wait for it.
No way. Basically, this thing is the biggest present you can make to a hacker: network topology, equipment and vulnerabilities all in one place. Normally it would take a considerable amount of time to accumulate such data, with the risk of exposing yourself.
If that's true, then that could be huge.