Rogue Code
The irony is that the Internet was created by the United States Department of Defense to have maximum redundancy in the event of nuclear attack. The network is based on spreading the flow of data to as many different routes as possible. If any portion is taken offline, the others will take over.
The NYSE is taking the exact opposite approach.
“They are doing this for economic reasons,” accused one critic, “not to safeguard the world financial system. We trust them with our assets when by their actions they demonstrate they are undeserving of that trust.”
TAGS: MANNING BENTING, BEARING INSTITUTE, NYSE EURONEXT, SUPER HUBS
Cyber Security News
6
COPACABANA BEACH
RIO DE JANEIRO
12:41 P.M.
Victorio Manuel da Silva-Bandeira—or Victor Bandeira, as he more commonly called himself—took in the sweep of the azure South Atlantic through his Chopard sunglasses and estimated he’d take another hour in the sun and sand.
It was a warm spring day in Rio, the temperature approaching eighty, with a light wind off the water. The sky and sea were so closely matched in color as to blend into one. The majestic Sugarloaf Mountain commanded the landward view.
Bandeira sat in a low white lounge chair protected by an expansive umbrella. Beside him on the sand were a rumpled beach towel and a small table for drinks and food. Bandeira sighed contentedly as he set an empty beer bottle down. It had been too long since he last did this. As a boy, and later as a teenager, he’d spent every day he could on the beach. What had happened?
Life, he thought, life is what happened.
Spread across the fine sand was the usual crowd for this time of year: couples, pairs of friends, residents of the hotel, and the occasional family. Around the point was Ipanema beach. There the beach was carefully, though informally, sectioned off—couples here, teenagers there, families in this place, sports enthusiasts playing on their stretch, the entirety of the famous expanse demarcated for organized use.
Copacabana was different, had always been different. Extending along its stretch across the street were the resort hotels, the beach before them designated as exclusive territory by modest flags. No intruders, no roaming packs of disruptive youths, no vendors in irritating numbers. Each area was meticulously maintained and carefully serviced by attentive hotel staff.
The only exception to the rules of beach occupancy was made for lovely young women, who were always welcome. This was, after all, Brazil. From his chair, Bandeira tipped his head to more carefully examine the two women lying on oversized beach towels not that far away. He’d wondered about them at first, but when his bodyguard, Paulinho, standing between Bandeira and the roadway, shook his head lightly he decided they were exactly what they appeared to be—very attractive women taking in the sun. It was the national pastime of Brazil, for rich and poor alike, especially in Rio.
Beyond them, Sonia, Bandeira’s current mistress, rose from the water and stood there a moment, moving her long blond hair onto her back, then met his gaze with her bright dark eyes. Of primarily German stock, Sonia was Brazilian about the eyes and in the languid manner of her every motion.
Bandeira’s yacht, the Esmeralda, was in dry dock. Otherwise, they’d have spent the day aboard her, but this beach was very nice indeed. Bandeira made a mental note to visit it more often. He turned to summon a waiter for another beer. As he did so, he caught a glimpse of the Copacabana Palace Hotel, the oldest premier resort in South America. Built in 1923 when the tunnel through the mountains from central Rio opened up Copacabana beach and what became the South Zone of the city, the structure, with its distinctive art deco design, was now a national landmark. Almost anybody who was anyone had spent time here: the rich, the famous, royalty, movie stars, millionaires, billionaires, and the grifters they drew. The hotel had been remodeled and extended but remained from the beach as unchanged as the day it went into operation.
Unlike in modern hotels, you actually felt as if you were living in luxury when staying at the Palace. The only irritation from Bandeira’s perspective was that thus far, his attempt to acquire a penthouse on the top floor with a view of the beach and sea had been rebuffed. Well, he thought, if money doesn’t talk, there are other ways.
Sonia had come over to stand beside him, her firm legs dominating his view, droplets of water sparkling on her lightly tanned skin, pretending to shiver as she toweled herself dry, making a brrr sound with her lips. Then she smiled—always an invitation there—before lying back on the beach towel, squirming this way and that, her breasts commanding his attention as she made herself comfortable. “The water is very refreshing,” she said. “You should go in.” As she slipped on her sunglasses, her pretty face assumed the aspect of an innocent child.
“Soon.” It was pleasant here with the sun and warm sand. The water would be cold.
The waiter arrived with his Bohemia beer and glass balanced atop a small silver serving tray and held it down for Bandeira, then vanished when the beer alone was removed, taking the empty bottle with him. Bandeira took a pull, instinctively glancing down at his stomach and wondering where they had gone—his youth and fitness. He’d been a slender young man, one who always took his vitality and vigor for granted. Over the years, with greater personal and financial success, he’d slowly filled out, first into a man of stature, now into one of advancing years with too much fat.
Despite the excess weight he was a handsome man, just above average height for his generation, a bit darker in complexion than the upper class of Brazil, with gleaming teeth behind fleshy lips. He wore his lustrous, mostly black hair combed straight back. Occasionally when he smiled, there was just a touch of cruelty about his mouth, the hint of something more sinister than his usual pleasant demeanor suggested.
Bandeira had no illusions about Sonia. At fifty-one years of age, he knew his appeal lay with his bank account. He’d seen more than one man in his place make a fool of himself over a woman like her—a girl, really. He wasn’t about to play that game—or be played.
Still, her affection seemed genuine enough, and with the exception of telling him that her ambition was to become Miss Brazil, she’d never asked him for a thing, absolutely nothing. Of course, they’d been involved only a few weeks. That self-sufficiency could change.
Sonia came from a good family, one of the oldest if no longer the richest in the country. She knew other wealthy men. In fact, her father would have been very happy if she’d shown an interest in nearly any of the rich men with whom he worked. It was still traditional and common in Brazil for the young daughters of the wealthy to marry men who were contemporaries of their fathers. Such arrangements were mutually profitable to everyone concerned. Through such a marriage her father, Carlos Lopes de Almeida, long president of the Banco do Novo Brasil, would unite his family with another powerful and affluent family. The patriarchs would share the same grandchildren, who would in time inherit. His daughter would be assured of a life that continued in the style in which she’d been raised. All would remain as it was.
Bandeira wondered what Lopes de Almeida would think if he knew about the two of them. He smiled at the thought. He wondered even more just how much of Sonia’s interest in him was a youthful act of rebellion against her father and his traditional ways; certainly more than a small measure. Not that it mattered. He gazed at her and speculated what she’d think and do if she knew his real history, where he’d come from.
“What are you smiling at?” she asked.
He hadn’t realized she was looking at him. “Nothing.”
“Mmmm. I’ll bet it was something.”
I’ll tell her, Bandeira decided. I’ll tell her the whole story and just watch. That, he thought, easing back in his chair, will be something. Better yet, he reconsidered, I’ll show her.
7
TRADING PLATFORMS IT SECURITY
WALL STREET
NEW YORK CITY
9:17 A.M.
As Jeff Aiken and Frank worked in their assigned office on Wall Street that morning, Jeff reflected on how this assignment had come about. He was contacted two months earlier by the director of Trading Platforms IT Security for the New York Stock Exchange and had negotiated the terms of the project as well as the start date. The two had never met, but as was often the case, Jeff’s reputation preceded him, and his name came up by word of mouth. A common bot had been discovered on one of the Exchange’s Web servers, and security had no idea how it got there. The breach should have been impossible.
The director was Bill Stenton, a handsome African American man whom Jeff estimated to be in his early forties. Before meeting, Jeff had done his usual background research and learned that Stenton had been with the Exchange just three years, having come from the IT department of Wells Fargo. Though Stenton was reportedly competent, some of the feedback Jeff got characterized the director as high-strung and even difficult at times.
Jeff couldn’t help noticing that though trading platform security was a major component in maintaining the integrity of the world’s most important financial trading institution, there were three layers of bureaucracy between Stenton and the CEO. That was just one of several indicators to Jeff that the Exchange, despite all its computer and software dependency, didn’t give its core system’s security the attention it required.
When they met, Stenton told Jeff that his IT team was of the opinion that the trading platform had not been targeted specifically by the malware bot, but rather the NYSE site had been accessed by an automated scan searching for a vulnerability. Finding one, it had infected the system. The bot didn’t appear to have impacted any customers or disrupted operations, but there was concern because it had managed to get past the security team’s defenses, and it had been on the server for at least three days before IT stumbled across it while performing routine software upgrades on the system. If something as straightforward as a bot could make it into NYSE’s computers, then certainly malware far more dangerous could break through as well.
“We regularly run internal red team versus blue team exercises, but I’m concerned that we’re overlooking obvious weaknesses,” Stenton said evenly. “What we want is an external penetration test, the very best and most sophisticated you can manage. Our suspicion is that one of our own employees inadvertently opened the door for this bot. Pull no punches. I want you to be sneaky as hell. Learn our exposure and tell us where it is so it can be fixed. Our own people won’t even know what you’re up to. It is absolutely essential that the integrity of our trading software not be subject to question. The stability of world financial markets depends on it.”
“Pentests” were the cybersecurity equivalent of military war games, designed to evaluate the security of a computer system by simulating a malicious attack from outsiders as well as insiders. Once the pentest was completed, its results were presented to the system operator. The report included an assessment of the system’s security and vulnerability along with specific recommendations to counter them.
The pentest itself involved an analysis for gaps that were usually a consequence of inadequate system configuration, hardware or software flaws, or other operational process weaknesses or lax security countermeasures. Those conducting a pentest approached the computer system as a potential attacker might and sought to aggressively exploit any security holes they discovered. Those chinks in the armor could include misconfigured and unpatched software or systems not properly secured. Employees might be lured into visiting infected Web sites or opening malicious e-mails. Malware then tried to take advantage of missteps in the system.
Jeff and Frank Renkin, Daryl’s replacement at Red Zoya, had been housed in a Holiday Inn Express off nearby Water Street and were given an office on Wall Street in IT operations not far from the Exchange itself. Jeff was surprised the software development and computer operations were housed here, as it was some of the most expensive real estate on earth. The location was especially questionable, as the main data center was in New Jersey. The Exchange’s primary IT operation could have been housed anywhere; much of its supporting IT operation was, in fact, in Chicago. Apparently, NYSE Euronext had money to burn.
Access granted to a receptionist or data-entry employee was the weakest link of the Exchange’s cyberdefense because through those users, malware could gain entry into the system. Receptionist-level accounts on the network position served as Red Zoya’s starting point. Frank and Jeff were given contractor key cards to enter the building and assigned a shared office. They found it to be standard IT issue. Jeff had worked in dozens, likely more than a hundred, similar offices, each interchangeable with every other. The staff itself worked from cubicles, with managers occupying real offices around the perimeter. Jeff and Frank were given one of the small outer offices containing two desktop computers with flat-panel monitors, a modest gesture acknowledging the significance of their work but really chosen for privacy concerns.
The staff was told that the consultants were software contractors finishing the last stages of a project on-site. They were given computer accounts with the limited access permissions of basic staff unaffiliated with any particular group or project. The e-mail program that came with the accounts contained a directory of users, while the browser was programmed by default to open the Exchange’s intranet portal. That page served as a central source of company news and was a hub to which department and team sites were linked. It also served as a search facility that enabled users to find documents and sites across the network. With no more information than that, Jeff and Frank were to launch their attack.
* * *
Neither Jeff nor Frank had been surprised at being hired by the Exchange, or the nature of their project. NYSE Euronext was entirely computer and software driven. It was essential that the trading public and world financial system have faith in the Exchange’s operation, so its security needed to be as close to perfect as possible.
There had always been problems with operationalizing high security. The keys to the Exchange were information and transaction speed. During the crash of 1929, the ticker tapes that recorded trades and were the lifeblood of traders had run hours behind events. The growing lag had spread panic and, it was believed, intensified the financial disaster. Traders had speculated in the dark, acting on rumors, many of which later proved unfounded. Reforms, including faster ticker machines and new regulations concerning trades, had improved transactions and renewed traders’ faith in the Exchange but never eliminated a lingering level of unease.
NYSE Euronext traded equities, derivatives, futures, and options of nearly every sort. It listed nearly ten thousand individual items from more than sixty countries. The Exchange’s markets represented a quarter of all worldwide equities trading and provided the most liquidity of any global exchange group, meaning it was almost always possible to actually make a trade. It was rapidly working to become the only exchange any trader would ever need for every kind of financial trading transaction.
As a consequence, NYSE Euronext had embarked on the greatest expansion in its history. When the expansion was completed, nearly all the world’s trades would, at some point, pass through the Exchange’s computers. The envisioned future was breathtaking in its audacity.
Nothing so innocuous as a bit of untargeted malware was going to bring the integrity of NYSE operation into question. The implications of broad distrust in its security were simply unimaginable, not just to the Exchange, but also to the interconnected world financial system. It was a system that operated largely on faith. Break that faith, and a financial catastrophe of epic proportions loomed.
As the pair had expected, NYSE system security was first rate. But once past the initial layer of defense, Jeff discovered the same erratic patching he had seen time and again with companies that asked the public to trust them with their private information. Some of this exposure had to do with time, as a certain delay was inherent in how patching was actually performed. First the vulnerability had to be detected, which usually took place only after an exploit that took advantage of it was released. It then took the software vendor, security research firms, or in-house shops anywhere from two to four weeks to develop mitigating configurations and a corrective patch, which would then be rolled out. The actual patching itself was time consuming and many times failed to receive the immediate IT attention it deserved, resulting in another delay until a patch was finally applied to the company’s software, though too often even that failed to take place.
Part of the reason for delays and failures was simply human error and sloppiness. But there was more than just negligence involved. Every business had to make an assessment of the consequences that might arise from installing a patch. Updates were not always smooth and could create any number of unintended problems. Businesses, therefore, tended to err on the side of assuming the patch might compromise their software or interfere with something that interacted with it. In many cases, security risks were balanced against the risks to business processes, and then there was a period of reflection, during which the consequences were weighed. Sometimes after deliberation, the patch was intentionally never installed.
But whether holes were left unpatched as a result of a conscious decision or from plain ineptitude, they remained open doors for aggressors who might come later. Banks with household names too frequently had tin-box defenses within their outer walls, even though they usually adhered to industry-approved responses and followed cybersecurity best practices.
In the case at hand, an unpatched vulnerability in Payment Dynamo, a popular business application, was the missing brick in the wall that had separated Jeff and Frank from the fantastically complex internal IT network connecting the Exchange’s hundreds of servers and thousands of employee PCs.