Feeds

SEC staffers slammed for serious security snafus

Took unsecured laptops to Black Hat hacker's soirée

Intelligent flash storage arrays

There are red faces at the Securities and Exchange Commission after a report highlighted computer security failings by agency staff that forced it to spend $200,000 to check whether it had lost critical information.

Staff at the Trading and Markets Division were found to have stored highly confidential and market-sensitive information on their laptops without any encryption, even when out and about. Some staff attended the Black Hat hacking convention with these unsecured laptops, an act of lunacy given the predilections of the attendees.

The security failings came to light in a yet-to-be-released report ordered by the SEC's Interim Inspector General Jon Rymer. The report found that the SEC had to hire a third-party computer forensics specialist to go through its data and check to see if anything had been purloined by hackers – it appears that no systems were compromised.

Sources within the SEC said that the staff involved had been disciplined over the security failings following an internal investigation. Rich Adamonis, a spokesman for the New York Stock Exchange, told Reuters that the exchange was "disappointed" at the report's findings.

"From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information," he said.

What makes this doubly worrying is that the Trading and Markets Division has a responsibility for checking the security, audit, and disaster recovery systems used in the major equity markets. These policies essentially map out each exchange's infrastructure in a level of detail that would be a boon to anyone looking to hack the most lucrative markets in the world.

That the SEC attended Black Hat isn't surprising – but that they didn't secure their hardware is.

All attendees are warned in the conference materials to lock down their systems before attending, to run full-disk encryption, never use non-conference Wi-Fi, and to change all their passwords after the show is finished.

At this year's show, for example, a first-time press visitor from a national newspaper was sat down by the Black Hat flacks and had the rules explained to him in such frightening terms that he nearly reverted to note-taking with pencil and paper.

Hacking attendees' systems is actually frowned upon at Black Hat. The conference is keen to stress that it has grown up and that such behavior is seen as a breach of etiquette – but it goes on nevertheless.

But what's really worrying is whether the SEC staffers stayed on after Black Hat to attend the Defcon event that's held afterwards.

Every Defcon runs the Wall of Sheep, where teams of volunteers passively scan systems that log onto the conference network for insecurities. The publicly-displayed list shows the names, passwords (partially blacked out), domains, and applications of hacked systems, and those caught out receive some very humbling ridicule and helpful reminder to be smarter. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.