Could a Cyber Attack Shut Down the Stock Exchange?

Friday, August 19, 2011

Infosec Island Admin


Hedge Fund Manager Predicts Cyber Attack Will Shut Down NYSE in 2011: Oh? Do Tell…

Recently the ideas of HFT trading (High Frequency Trading) being a vector for attacks on the stock market in tandem with an actual DDOS/Hack attempt on the Hong Kong stock market got me thinking about all of this again.

The original post was back in November of 2010, but it seems even more prescient today after we have been in a recession for so long and may in fact be up for a double dip.

Added to this we now also have the debt crisis and an onslaught of cyber espionage that could easily turn to offensive cyber warfare (i.e. an attack on the financial system as the coup de gras of our economy) as the Chinese even are trying to divest themselves of our debt.

This would mean that the Chinese would have much less to lose now if they were less monetarily invested in us and thus, they would become the larger economy and super power by taking us out of the running.

And all of this could be done by the simple (well not really in practice) act of taking down the markets here. The cascade effect of mistrust by the investors and other countries in our systems of trade could be devastating to us. This is why I am re-hashing this post and thought it important today to re-iterate.



The Internet becomes the tactical nuke of the digital age. I believe that cybercrime is going explode exponentially next year as the Web is invaded by hackers. And My surprise is that we will see a specific attack on the New York Stock Exchange which has a profound impact, causes a week long hiatus in trading which will cause abrupt slowdown in travel and domestic business.Hedge Fund Manager Douglas Kass

Some time ago I posted a story about how by using tools like FOCA, Maltego, and Google, one could gain enough intel on NYSE (New York Stock Exchange) to mount an attack.

Well, it would seem that others might have the same idea, but the above gent may have more in mind than just an attack on America’s financial machine. This guy is already positioning his funds for a “short sell” on the system.

So, a smart bet or perhaps some inside knowledge? Maybe he’s just a realist? Why is he betting that it will come during 2011? What’s more, and is questioned in the article, perhaps he is injecting fear into the market to drive it….

Interesting no?

The article goes on…

What could happen if Mr. Kass’ prediction is correct and a cyber attack effectively takes the New York Stock Exchange “offline” for a week? As far as historical events to compare to, after the terrorist attacks on September 11th, the New York Stock Exchange, the American Stock Exchange and NASDAQ didn’t open on September 11th and remained shut down until September 17, the longest shut down since the Great Depression in 1933. After the markets opened on September 17th, the Dow Jones Industrial Average fell 684 points, or a 7.1% loss.

The NYSE’s Web site ( has been targeted in the past with denial of service’ attacks but without success, according to NYSE reports. Importantly, the NYSE.Com Web site is not connected to any of the trading operations and even if such attack took offline it wouldn’t affect trading operations, of which most of the infrastructure is over private networks and not the public Internet.

So, the market has been offline before and then there was that “fat finger” event, but, what is really troubling is the lack of understanding on the part of the writers to comprehend that the site’s being “online” has nothing to do with a real and substantive attack on NYSE itself on that level.

What is really important is that the site as well as are leaky as all Hell and giving out the crown gems by simple Google searches of their domains. So sure, take their site down all you want with a DoS, but, if you use the data they are handing out, you can get into their systems potentially and manipulate the actual trading.


Well, lets see... Before I showed how they were serving our docs with intel on the protocols they are using, the programs used for trading, the collocation facilities location and pertinent data on their infrastructure etc etc.

This time around, the searches turned up much more, including a document that shows their entire internal IP structure. Passwords and logons to their “FTP’s” (yes that is FTP, not SFTP) to access programs and data. I also located documents on their API’s programming standards, and everything one would need to reverse R&D their software to do some damage.

So, the possibilities of an attack on the system as Mr. Kass has bloviated on are somewhat more possible than the articles writer would make of it.

Lets look at the next level of this too. By doing the searches with Google and Maltego, there were enough email addresses out there to show that it would be easy to attempt a phishing attack. I found at least 150+ addresses out there on the internet already, just by extending that logic that is 150 chances to root internal machines and pivot into their internal network, which, you already have a pretty good map of by the Google searches previously carried out. Then, you move on to your FOCA searches.

Oh yeah.

FOCA turned up a LOAD of data on NYSE and NYXDATA, So much so that it crashed several times just trying to analyze the data! I had to do it in parcels of documents. NYSE and NYXDATA have a lot of documents out there to parse through and all of it had a TON of metadata in them.

  • Usernames
  • Machine names
  • Folders saved to (directory structures)
  • Machine OS levels
  • Server Names

What struck me most was the number of machines polling as NT4.0 machines *shiver* as well as Win2K.

Ok, on that account the docs may be older and these machines may have been decomm’d… but.. If you look at the usual trading systems out there, they are often based off of a DOS prompt environment, so….Yeah, I can see these systems being still in play at NYSE.

So, back to Mr. Kass… I am with him on the side of being prepared for a short sell on the market as a whole. I think it’s just a matter of time before something happens either by design, or perhaps by accident. Say you had a stuxnet variant that got out of control and infected the old and creaky systems at NYSE, what would happen with the market if they were taken down for a time because of this?

What’s more, what would happen to the market if the “perception” was that these events happened because the NYSE was not doing the “due diligence” to take care of the security issues that would allow for such things to happen?

Trading would go down, money would be lost, and generally the market would be pretty shaky wouldn’t it? Let me go back to my favorite movie quote to illustrate:

Cosmo: Posit: People think a bank might be financially shaky.
Martin Bishop: Consequence: People start to withdraw their money.
Cosmo: Result: Pretty soon it is financially shaky.
Martin Bishop: Conclusion: You can make banks fail.
Cosmo: Bzzt. I’ve already done that. Maybe you’ve heard about a few? Think bigger.
Martin Bishop: Stock market?
Cosmo: Yes.
Martin Bishop: Currency market?
Cosmo: Yes.
Martin Bishop: Commodities market?
Cosmo: Yes.
Martin Bishop: Small countries?

There you have it. The basis for the markets is perception. How often do you see stocks fall because the perception is that company (A) is on shaky ground and about to stumble.

Hell, just look at what was happening back in 08 with AIG and Lehman with the monies that they owed and were trying to borrow daily to keep the system afloat. Banks and insurance companies mind you, that were declared “To Big To Fail” as the perception if they did just fail would be financial cataclysm right?

Just as well, how many brokers and company’s have been investigated or charged in manipulation through insider trading or perception jiggering? That’s what the market is really all about. It’s all about betting on a company and if you make that company or for that matter, “country” look “shaky” then you can manipulate the outcome to your desired effect.

I would have to say that Al Qaeda has already done that to some extent already with America. So, it is not an inconceivable notion. Lets go back to that precipitous market “bubble” as Kass called it with the “fat finger” event. Did you see how much effort there was to calm everyone? Spin the situation and downplay it when it happened?  Pay no attention to the man behind the curtain.

Look, if the system were that easily manipulated by a single set of lightning trades, then what does it say about the system’s security and integrity?

That’s the key question. So, where are the reports to congress about the security of the systems at NYSE? Does the SEC have some reports that we can all look at and see that they are doing their due diligence? I guess I will have to trawl the SEC domains to see. This is what I found through a quick search:

Information Technology Security

Finally, GAO’s audit confirmed weaknesses in the SEC’s information technology security that have been reported in prior years through our FMFIA program. These weaknesses include insufficient access controls, network security, and monitoring of security-related events. However, I should also note that the GAO found we had taken the right set of initial steps to address the weaknesses, including hiring a new Chief Information Security Officer and establishing a centralized security management program. In response, the SEC has developed a detailed inventory and timeline for correcting each of the specific weaknesses identified, such as through a certification and accreditation project and revisions to the agency’s policies and procedures in this area. We have continued to build out our information security program and address specific issues over the several months since the conclusion of the audit, and while our timeline is ambitious, we plan to complete the remediation efforts by June 2006.

This is all I could find at present... 2006… Hmmm…

In the end, all I am saying as a security professional is that I know human nature. Human nature usually consists of the path of least resistance especially where business is concerned.

I am willing to bet that not much has changed within the security environment at the NYSE even post 9/11 and their being targeted as a primary target of Al Qaeda never-mind the usual criminal elements looking to manipulate the system.

This means that yes, the system is potentially vulnerable to attacks that would have great consequences to the financial system within the US as well as potentially the world. Perhaps Mr. Kass is just looking to leverage the fear, perhaps he is trying to fire off the “Bat Signal” that something is wrong or inevitable...

Either way, we need to assure that these things aren’t so easily done... Don’t we?


Cross-posted from Krypt3ia

Help Support Infosec Island by Tweeting and Stumbling our Articles - Thanks!

Possibly Related Articles:
Financial Services
China Attacks DDoS Financial hackers High Frequency Trading NYSE
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked