The hacker collective known as "Anonymous" (sic) has declared war on the New York Stock Exchange (NYSE), promising to "erase" it from the Internet this October 10th (in support of #OccupyWallStreet). Should we be afraid of this threat?
No. Hackers who can, do. Those who can't, make threats.
The most likely threat would be a massive DDoS attack, like the one Anonymous carried out against PayPal. In that attack, they posted a program called LOIC on various forums. Activists downloaded it and ran it on their computers, which then flooded PayPal with traffic. That attack affected PayPal briefly, but at the same time, it left fingerprints behind identifying people running LOIC. The FBI followed up and arrested many of these activists. It's not something activists would be willing to do again on a large scale.
Unlike PayPal, the NYSE website is not the real NYSE. You can blow it up with explosives and you won't affect trading. Such a flood could "erase" it temporarily from the Internet, but everyone would yawn.
There are more practical things that could be done, but here's the thing. If you could do it, you could make billions of dollars.
For example, there are a lot of trader terminals connected more deeply with the actual trading network, which is completely disconnected from the NYSE website and the Internet. Such a system could be subverted and cause minor disruptions with trades. Even major disruptions can quickly be fixed: simply shut down the exchange, fix the problem, and bring it back up again. 9/11 disabled NYSE, and it came back a few days later. I doubt there is a way to permanently "erase" it.
But if you could do that, you could do something better. If you weren't interested in making money, the thing to do wouldn't be to DoS the stock exchange, but let them DoS themselves. Corrupt trades in a way that's undetected for as long as possible. The various counterparties would then be locked up in lawsuits for the next decade.
So technically, how could a hacker get inside the network?
The NYSE runs a completely separate network. Well, lots of people say this, like the operators of the power grid, and it's rarely true. But it's true in the case of the NYSE: I doubt hackers will find a way from the Internet into the NYSE private network.
But, there are lots of things on the NYSE private network, such as terminals on the desks of traders among the members of the NYSE. If a hacker could get physical access to one of those terminals, he could do a lot of damage.
The backend computers aren't the sorts hackers have experience with. Instead, they are things like AS/400 from IBM or "nonstop himalaya servers" from HP. These are actually FULL of vulnerabilities. It's astonishing how weak they are. But nobody knows, because the vendors assure customers they are secure, no hackers have challenged this impression (because they can't afford $100,000 for a system to test with), and nobody really cares, because they think the network is secure from outsiders.
Thus, a good hacker, one who can reverse engineer and write custom shellcode, will find that the network is actually fairly open. But the casual script kiddies like Anonymous aren't likely to find success.