SEC staffers slammed for serious security snafus
Took unsecured laptops to Black Hat hacker's soirée
There are red faces at the Securities and Exchange Commission after a report highlighted computer security failings by agency staff that forced it to spend $200,000 to check whether it had lost critical information.
Staff at the Trading and Markets Division were found to have stored highly confidential and market-sensitive information on their laptops without any encryption, even when out and about. Some staff attended the Black Hat hacking convention with these unsecured laptops, an act of lunacy given the predilections of the attendees.
The security failings came to light in a yet-to-be-released report ordered by the SEC's Interim Inspector General Jon Rymer. The report found that the SEC had to hire a third-party computer forensics specialist to go through its data and check to see if anything had been purloined by hackers – it appears that no systems were compromised.
Sources within the SEC said that the staff involved had been disciplined over the security failings following an internal investigation. Rich Adamonis, a spokesman for the New York Stock Exchange, told Reuters that the exchange was "disappointed" at the report's findings.
"From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information," he said.
What makes this doubly worrying is that the Trading and Markets Division has a responsibility for checking the security, audit, and disaster recovery systems used in the major equity markets. These policies essentially map out each exchange's infrastructure in a level of detail that would be a boon to anyone looking to hack the most lucrative markets in the world.
That the SEC attended Black Hat isn't surprising – but that they didn't secure their hardware is.
All attendees are warned in the conference materials to lock down their systems before attending, to run full-disk encryption, never use non-conference Wi-Fi, and to change all their passwords after the show is finished.
At this year's show, for example, a first-time press visitor from a national newspaper was sat down by the Black Hat flacks and had the rules explained to him in such frightening terms that he nearly reverted to note-taking with pencil and paper.
Hacking attendees' systems is actually frowned upon at Black Hat. The conference is keen to stress that it has grown up and that such behavior is seen as a breach of etiquette – but it goes on nevertheless.
But what's really worrying is whether the SEC staffers stayed on after Black Hat to attend the Defcon event that's held afterwards.
Every Defcon runs the Wall of Sheep, where teams of volunteers passively scan systems that log onto the conference network for insecurities. The publicly-displayed list shows the names, passwords (partially blacked out), domains, and applications of hacked systems, and those caught out receive some very humbling ridicule and helpful reminder to be smarter. ®