Feeds

SEC staffers slammed for serious security snafus

Took unsecured laptops to Black Hat hacker's soirée

Protecting against web application threats using SSL

There are red faces at the Securities and Exchange Commission after a report highlighted computer security failings by agency staff that forced it to spend $200,000 to check whether it had lost critical information.

Staff at the Trading and Markets Division were found to have stored highly confidential and market-sensitive information on their laptops without any encryption, even when out and about. Some staff attended the Black Hat hacking convention with these unsecured laptops, an act of lunacy given the predilections of the attendees.

The security failings came to light in a yet-to-be-released report ordered by the SEC's Interim Inspector General Jon Rymer. The report found that the SEC had to hire a third-party computer forensics specialist to go through its data and check to see if anything had been purloined by hackers – it appears that no systems were compromised.

Sources within the SEC said that the staff involved had been disciplined over the security failings following an internal investigation. Rich Adamonis, a spokesman for the New York Stock Exchange, told Reuters that the exchange was "disappointed" at the report's findings.

"From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information," he said.

What makes this doubly worrying is that the Trading and Markets Division has a responsibility for checking the security, audit, and disaster recovery systems used in the major equity markets. These policies essentially map out each exchange's infrastructure in a level of detail that would be a boon to anyone looking to hack the most lucrative markets in the world.

That the SEC attended Black Hat isn't surprising – but that they didn't secure their hardware is.

All attendees are warned in the conference materials to lock down their systems before attending, to run full-disk encryption, never use non-conference Wi-Fi, and to change all their passwords after the show is finished.

At this year's show, for example, a first-time press visitor from a national newspaper was sat down by the Black Hat flacks and had the rules explained to him in such frightening terms that he nearly reverted to note-taking with pencil and paper.

Hacking attendees' systems is actually frowned upon at Black Hat. The conference is keen to stress that it has grown up and that such behavior is seen as a breach of etiquette – but it goes on nevertheless.

But what's really worrying is whether the SEC staffers stayed on after Black Hat to attend the Defcon event that's held afterwards.

Every Defcon runs the Wall of Sheep, where teams of volunteers passively scan systems that log onto the conference network for insecurities. The publicly-displayed list shows the names, passwords (partially blacked out), domains, and applications of hacked systems, and those caught out receive some very humbling ridicule and helpful reminder to be smarter. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.