Forgot your password?
typodupeerror
Security

The Hacking of NASDAQ 76

Posted by Unknown Lamer
from the tales-of-hacking-and-intrigue dept.
puddingebola (2036796) writes Businessweek has an account of the 2010 hacking of the NASDAQ exchange. From the article, "Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. 'The bad news of that equation is, I'm not sure you will really know until that final trigger is pulled. And you never want to get to that.'"
This discussion has been archived. No new comments can be posted.

The Hacking of NASDAQ

Comments Filter:
  • by Anonymous Coward on Thursday July 17, 2014 @01:49PM (#47476611)

    Would we even notice if it was hacked?

    • by GameboyRMH (1153867) <gameboyrmh AT gmail DOT com> on Thursday July 17, 2014 @02:01PM (#47476725) Journal

      Exactly. Do your worst, black hats. The system's already rooted by Wall Street bankers.

      • by Anonymous Coward

        ..and, why, xactly, was the OP troll-Modded?

        Consider the following scenario - you place an order to purchase a book on Amazon, or ebay, you press "One Click Buy", and..

        you then get an email from some pondlife, informing you he has just intercepted your communications, and taken over your purchase - but you can still have your book, plus a small fee for him, of course.

        Difference being, they don't even inform you of the fact, just charge you.. - Like, why is this shit even legal?

        As the OP stated, Hell, Hack a

        • by GameboyRMH (1153867) <gameboyrmh AT gmail DOT com> on Thursday July 17, 2014 @04:13PM (#47477771) Journal

          That's not a perfect analogy, but it's not too far off.

          It's more like this. There's a classifieds forum which regular users can refresh once every 10 minutes. Special users with a paid subscription can refresh once per second.

          You post "Bicycle wanted, will pay up to $500" and someone else posts "Bicycle for sale, $400" then the speedy special user buys the bicycle for $400 and puts it up for sale for $500 before you or the seller can refresh (at best, when they're not doing even shadier things like spamming the forum with fake Wanted posts etc).

          Somehow this is supposed to produce value. I think it has a similar effect on the economy to either robbery or counterfeiting currency. I can see no way this produces any value.

          • by lgw (121541) on Thursday July 17, 2014 @05:37PM (#47478343) Journal

            You've got it completely backwards, is the thing. Don't worry, most people get this backwards, because they reason from "these guys must be evil" to "ahh, so it must work like this".

            It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK:
            * Mr B posts "Bicycle wanted, will pay up to $500"
            * Mr S posts "Bicycle for sale, $600"
            * Special user says "OK, now buying bikes for $520, selling for $580"
            * You post "buying 1 bike, best price".

            You get the bike $20 cheaper. The market maker takes a risk here: that he can balance buys and sells, and not get left holding the bag when the price changes.

            But the story gets better:
            * Special user 2 says "Oh, I see you Special 1, I'm now buying bikes for $525, selling for $575, hey, $50 a bike is better than nothing.
            * Special user 1 says "Oh no you didn, Buying for $530, selling for $570"
            * Very quickly it's $550/$551.

            You get the bike for $551, $49 cheaper. I've seen this happen over the past 15 years, where the bid-ask gap shrank by that much on options. Competition is so fierce you see sub-cent pricing now: you'll get filled at $550.0001 or $549.9999 sometimes, because in very active markets these guys can make a killing with less then 1 cent profit.

            Do you see now why it adds value?

            • It works like this. You want a bike, you don't have time to research the right price, you just hope the market price is OK: * Mr B posts "Bicycle wanted, will pay up to $500" * Mr S posts "Bicycle for sale, $600" * Special user says "OK, now buying bikes for $520, selling for $580" * You post "buying 1 bike, best price".

              This is pants on head retarded.
              If the Special user can just create bikes out of thin air, he should just set up a bike shop and sell them for $500.
              In the real world, where is he getting his bikes from? Mr S wont sell his for anything less than $600 and Mr B is buying.
              What really happens is that Special user sees you want a bike and are too stupid to name a price, so he quickly buys the $600 bike and realising the next best price is $610, sells it to you for $609.99
              If you want to add in more competing sp

              • by lgw (121541)

                In the real world, where is he getting his bikes from?

                Like I said, he hopes to balance buys and sells. If 100 people sell at his price, and 100 people buy at his price, he needs no bikes. If he's off by 1 or 2, he'll trade with Mr B or Mr S, and still do OK. But he does take a real risk.

                Anyhow, that's how it really works. Remember, we're talking about markets that trade billions of shares a day, so the metaphor only stretches so far.

            • by Anonymous Coward

              No. All I see is that money was transferred. None of them actually made the bike. Making the bike is creating actual value. Whizzing money around with sub-cent profits that depend on latency is just a giant scheme. Sooner or later the limit of latency will be reached - the laws of physics will see to that. Anyone not standing at the absolute minimum will be left holding their dick in their hand.

              We need to get back to broadening the ability to create actual value by making shit.

            • I really think using bikes is a bad analogy (unless you are discussing Futures markets, but even then!!)

              They are exchanging one token for another. They are exchanging the money tokens for corporate tokens (in the case of the equities market). The only real thing you can do with most corporate tokens these days is to trade it back for the money tokens.

              Some stocks, a few, still pay dividends, but most do not. And voting rights??? Hahaha! Unless you can own 51% of the corporate stock, your votes are nothin

            • Nope I gotta agree with all the other people who have replied to you. I can't figure out how this is adding value. To me it just doesn't compute. Why did the seller sell the bike for less than $600? Why did the buyer pay more than $500? If they're willing to compromise, couldn't they have done the transaction directly and saved money without the middleman?

              • by lgw (121541)

                You're missing the entire point here. If the buyer and seller agree on a price, the trade just happens, no market maker needed, the end. All done.

                But after all possible trades like that are done you're left with the "bid" and "ask" prices, where the seller and buyer are willing to stand on their prices and not compromise. Any good financial tool will show you the bid/ask for any exchange - you can check it out and see I'm not making this up.

                Where the market maker adds value is in making it cheaper for th

                • OK, so it's good for people like you who don't want to shop around for a good price. But what about those who do? They don't have the option of not going through these middlemen unless they are faster. So which is greater, the savings to those who don't want to shop around or the losses to those who do?

                  • by lgw (121541)

                    Well, these are exchanges, so "shop around for a better price" isn't really a thing. What you can't do is profit from someone not paying much attention - profit from the inefficiency of the market. And that's a good thing: there should be no game to play, no skill at haggling required, nor deep understanding of market mechanics, simply to execute a trade. Deciding what price you're willing to buy or sell at is where the smarts belong, but if you buy something by mistake, and turn around and sell it 2 min

                    • It has to be possible to make money by "shopping around," or the HFT companies wouldn't be making money, and you wouldn't be saving any. Even if it's a miniscule amount for each trader, their total impact comes down to the balance between the savings for the "weak traders" and the losses for everyone else.

                    • by lgw (121541)

                      Well, maybe I don't know what you mean by "shop around". There may be multiple exchanges selling the same thing (though not for stocks), and you usually aren't even aware if which one your broker deals with, as arbitrage keeps prices the same on all of them at faster than human scale these days - another example of making markets efficient.

                      The market makers simply trade on the exchange, filling orders at better prices than the bid/ask would be without them there. Because they trade so frequently, they can

                    • by lgw (121541)

                      They must take out more value (than they could possibly even theoretically add) or else they would be broke.

                      Ahh, liberals, forever convinced economics is a zero-sum game.

                      Market spreads and brokerage prices had been coming down way before HFT were inserted into the system. It's like all the efficiencies of the last couple decades have been so great that you don't even notice when HFT quietly slip in a new tax on everyone.

                      It's all the same trend. HFT isn't some cliff we fell off - trade frequency and market maker participation has been increasing steadily for 20 years as technological advance made it more and more practical. Spreads fell steadily during this time as a result.

                    • Ahh, liberals, forever convinced economics is a zero-sum game.

                      Ahh market manipulators, forever convinced their market is the same as an economy.

          • by aybiss (876862)

            The thing is that this is so wrong and simply not how things work. Nobody would trade on a market where the first person to bid or offer is the not first person to trade. In your example, as soon as someone said 'will pay $500', they would be given the bike that was available at $400. And they would pay $400, not $500.

            The other thing is, even if this did occur, the person wanting to pay $500 for a bike has gotten what they want. This is called liquidity and it's valuable in its own right. If they didn't wan

  • by gstoddart (321705) on Thursday July 17, 2014 @01:51PM (#47476645) Homepage

    Was it a foreign government, or your own government?

    Quite frankly, I find either plausible.

  • by Anonymous Coward

    'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

    Ummm to make money or destabilize our economy?

    Makes one feel good that you are the head of the Intelligence Committee.

    • by Artifakt (700173)

      If they found it was some nation-state where a corrupt bureaucrat did it to line his pockets and those of the supreme leader, the consequences might be less trust in the market (if that's possible), and similar, limited economic effects. If the nation-state in question wanted to destabilize our whole economy, that's part of WAR. (you know, that thing where lots of people die very rapidly and it wasn't one of the other horsemen?). Those are very, very different consequences and levels.

    • 'We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is,' says House Intelligence Committee Chairman Mike Rogers

      Ummm to make money or destabilize our economy?

      Makes one feel good that you are the head of the Intelligence Committee.

      The problem with the final objective is that Nasdaq's IT security was (and probably still is) pretty incompetent, because once the bad guys were past the outer defences, there was very little internally to audit unusual activity. The analogy used in the BusinessWeek article uses the analogy of physically breaking into a bank versus breaking into a private home - the bank will have internal security sections, cameras, password-protected doors, and so on. So when determining what was taken, you can look at wh

  • Security (Score:5, Insightful)

    by BitcoinBenny (3025373) on Thursday July 17, 2014 @01:56PM (#47476681)

    The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

    • Re:Security (Score:5, Insightful)

      by gstoddart (321705) on Thursday July 17, 2014 @02:15PM (#47476867) Homepage

      There is a perverse incentive not to properly secure exchanges because security is slow.

      When so much profits depends on fast, direct access to skim money off the top with high frequency trading, these people do not want security.

      They want to be able to access the system directly, and security be damned.

    • by bobbied (2522392)

      For the longest time people were sending ethernet raw packets...

      So? Look, there are two possible approaches to security here and you don't need a fully encrypted VPN link between two buildings to have a secure link. You could just put your own wire between the two locations and protect the wire from unauthorized physical access.

      I'd not suggest you put sensitive financial data on the internet "in the clear", but if you are sure the physical link is only available to your intended destination, you can safely send all the data you want in the clear. If you look at the

      • by aybiss (876862)

        In actual fact most connections used by HFTs are encrypted AND dedicated.

        • I would be there is no HFT in the world that is encrypting FIX traffic. Why bother? All the links are cross connects within the exchange's data center.
          • Yeah, HFT encryption is spectacularly rare. I think the argument that the links is short doesn't make much sense to me. If you are talking about third parties hacking the link I guess maybe you make a point, but that wasn't the attack vector I was thinking about. I was talking about third party HFT firms getting hacked and then leveraging those short, encrypted and insecure connections into matching engines to cause problems. I guarantee you that there are exploitable vectors into some of these major market

    • The security of the stock exchanges is really pretty bad. Low latency access means no firewalls and few application level checks. For the longest time people were sending ethernet raw packets...There is a perverse incentive not to properly secure exchanges because security is slow.

      Technically true. However in the quest for low latency there has been a tendency for some to colocate with the exchange. So if an exchange system and a broker system are in the same high physical security room and have a direct connection between them then the risk is mitigated to a degree.

      • Well if we are talking physical access control then most of these places have figured it out. My argument is that the threat is from the firms connecting into the exchange. A lot of them have poor border security, and if you don't have any additional checks then what?

  • by PapayaSF (721268) on Thursday July 17, 2014 @02:00PM (#47476717) Journal
    I forget which one, but as I recall the solution was to restore everything to the state before the hack, erasing the tainted trades along with all the valid ones.
    • Wasn't something like this done after the Flash Crash (or some other recent stock exchange fuckup?)

      • Yes, and also after quite a few similar smaller incidents. Remember the scene from the recent Batman movie where Bane stole all of Bruce Wayne's money by forcing him to put his finger on the scanner? A crock. The financial institutions would just undo the whole transaction as soon as Bane left. This is one reason why there is surprisingly little security in certain aspects of the financial system. it isn't like Bitcoin where if someone steals your key file done is done and there is no going back. In the fin
  • by Cardoor (3488091) on Thursday July 17, 2014 @02:03PM (#47476749)
    i wonder what newly minted organization that will undoubtedly be called in to 'protect us' while stripping yet more privacy and liberties. (of course getting budgeted billions to do the job). oh wait - theyve already announced it. and it's the benevolent wisdom of the usual suspects that will save us all!
  • Wow. Something happened, but we don't know what or why.
    • by bobbied (2522392)

      Wow. Something happened, but we don't know what or why.

      Yea, well, I guess that it's better that we know where it ended up, unlike some airliners in recent history...

  • Isn't wall street doing enough to destroy our economy for their short term benefit? If I was a hacker, I'd pick a more interesting target than one which collapses on its own greed twice in a decade.
    • by bobbied (2522392)

      Let me see.. We are due then? Last major crash was 2008 and it's 2014.

      You might be right....

  • by Lawrence_Bird (67278) on Thursday July 17, 2014 @04:54PM (#47478013) Homepage

    He has lied, willfully exaggerated and generally acted like a complete piece of shit countless times. Do not believe anything out of that man's mouth, ever.

  • Look no further than a too-big-to-fail company, e.g. Goldman Sachs.
  • It's all part of getting the rich richer and the rest frightened.
    Don't be tricked by the conmen.

  • If you review the details, the attackers were on one specific non-trading application owned by Nasdaq and had some access to their internal network. There is no evidence that they had any access to the exchange's systems, which are on a segregated network. In other words "the exchange" was not hacked at all.
  • The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another.

    But never the USA.

The F-15 Eagle: If it's up, we'll shoot it down. If it's down, we'll blow it up. -- A McDonnel-Douglas ad from a few years ago

Working...