NYSE Leaves Confidential Infrastructure Data Exposed

As the topic of high frequency trading gains attention, Wired magazine has released this stunner about just how "secured" mission-critical data on the world's largest exchange truly is.

Sensitive information about the technical infrastructure of the New York Stock Exchange computer network was left unsecured on a public server for possibly more than a year, Wired.com has learned.

The data was removed after Wired.com disclosed the situation to the NYSE. It included several directories of files containing logs, server names, IP addresses, lists of hardware, lists of software versions running on the network, and configuration and patch histories (including which patches have not yet been installed). It was all available on a publicly accessible, unprotected FTP server maintained by EMC, a company that sells storage systems and managed services to the NYSE and other companies.


The information could allow an intruder to map the NYSE’s network architecture and determine what vulnerabilities exist in the system.


For example, one of the documents posted on the server was an Excel spreadsheet, called a “heat report,” which consisted of a long list of low-level and high-level warnings, some of them indicating where patches had not yet been installed, such as the one below:

WARNING : Solaris 5.9 kernel patch fix 122300 is not installed.


It’s unclear how long the information was left unprotected on the server, but a note posted amid the files by an EMC employee named Dan Sferas read, “This directory contains all relevant data to the NYSE account.” The note was dated April 2, 2008.

A source knowledgeable about the leak, speaking on condition of anonymity, said that the FTP server was used to share configuration information among EMC engineers, vendors and customers. “This was a breakdown of process within EMC, and normally that information would not be accessible to the public,” said the source.

If this was uncovered accidentally, and presumably highly sensitive and confidential infrastructure information has been floating around for "more than a year," one can only imagine how many other critical leaks exist within the exchange that trades well over one billion shares daily. It is imperative that the NYSE immediately disclose who has had access to these data, and just what effect potential abuse of this information, floating in cyberspace, may have had on the integrity of capital markets.

Regardless, it merely reinforces the notion that concentrating too much capital markets power in the hands of one exchange is simply an unacceptable risk, especially in light of the points brought up by Paul Wilmott in the prior article.