Authors: Mark Russinovich
It is projected that the bulk of those secret super hubs will be operational within five years. They are designed to be indispensable to any significant trade, anywhere in the world. Even if a trade were to take place outside the NYSE system, some of its elements must pass through one or more of the Exchange’s super hubs, incurring access fees as they do so. NYSE is a concentration of potential financial influence never previously known.
The problem Benting points out is that by consolidating the flow of data through a handful of key physical locations, the NYSE exposes itself to physical attack. Such an attack could come from a warring nation or from terrorist organizations. “We must keep in mind that the attacks on 9/11 were directed at the World Trade Center in New York City,” Benting said. “The financial underpinnings of the Western economy remain a prime target for them [al-Qaeda].”
The irony is that the Internet was created by the United States Department of Defense to have maximum redundancy in the event of nuclear attack. The network is based on spreading the flow of data to as many different routes as possible. If any portion is taken offline, the others will take over.
The NYSE is taking the exact opposite approach.
“They are doing this for economic reasons,” accused one critic, “not to safeguard the world financial system. We trust them with our assets when by their actions they demonstrate they are undeserving of that trust.”
TAGS: MANNING BENTING, BEARING INSTITUTE, NYSE EURONEXT, SUPER HUBS
Cyber Security News
6
COPACABANA BEACH
RIO DE JANEIRO
12:41 P.M.
Victorio Manuel da Silva-Bandeira—or Victor Bandeira, as he more commonly called himself—took in the sweep of the azure South Atlantic through his Chopard sunglasses and estimated he’d take another hour in the sun and sand.
It was a warm spring day in Rio, the temperature approaching eighty, with a light wind off the water. The sky and sea were so closely matched in color as to blend into one. The majestic Sugarloaf Mountain commanded the landward view.
Bandeira sat in a low white lounge chair protected by an expansive umbrella. Beside him on the sand were a rumpled beach towel and a small table for drinks and food. Bandeira sighed contentedly as he set an empty beer bottle down. It had been too long since he last did this. As a boy, and later as a teenager, he’d spent every day he could on the beach. What had happened?
Life, he thought, life is what happened.
Spread across the fine sand was the usual crowd for this time of year: couples, pairs of friends, residents of the hotel, and the occasional family. Around the point was Ipanema beach. There the beach was carefully, though informally, sectioned off—couples here, teenagers there, families in this place, sports enthusiasts playing on their stretch, the entirety of the famous expanse demarcated for organized use.
Copacabana was different, had always been different. Extending along its stretch across the street were the resort hotels, the beach before them designated as exclusive territory by modest flags. No intruders, no roaming packs of disruptive youths, no vendors in irritating numbers. Each area was meticulously maintained and carefully serviced by attentive hotel staff.
The only exception to the rules of beach occupancy was made for lovely young women, who were always welcome. This was, after all, Brazil. From his chair, Bandeira tipped his head to more carefully examine the two women lying on oversized beach towels not that far away. He’d wondered about them at first, but when his bodyguard, Paulinho, standing between Bandeira and the roadway, shook his head lightly he decided they were exactly what they appeared to be—very attractive women taking in the sun. It was the national pastime of Brazil, for rich and poor alike, especially in Rio.
Beyond them, Sonia, Bandeira’s current mistress, rose from the water and stood there a moment, moving her long blond hair onto her back, then met his gaze with her bright dark eyes. Of primarily German stock, Sonia was Brazilian about the eyes and in the languid manner of her every motion.
Bandeira’s yacht, the Esmeralda, was in dry dock. Otherwise, they’d have spent the day aboard her, but this beach was very nice indeed. Bandeira made a mental note to visit it more often. He turned to summon a waiter for another beer. As he did so, he caught a glimpse of the Copacabana Palace Hotel, the oldest premier resort in South America. Built in 1923 when the tunnel through the mountains from central Rio opened up Copacabana beach and what became the South Zone of the city, the structure, with its distinctive art deco design, was now a national landmark. Almost anybody who was anyone had spent time here: the rich, the famous, royalty, movie stars, millionaires, billionaires, and the grifters they drew. The hotel had been remodeled and extended but remained from the beach as unchanged as the day it went into operation.
Unlike in modern hotels, you actually felt as if you were living in luxury when staying at the Palace. The only irritation from Bandeira’s perspective was that thus far, his attempt to acquire a penthouse on the top floor with a view of the beach and sea had been rebuffed. Well, he thought, if money doesn’t talk, there are other ways.
Sonia had come over to stand beside him, her firm legs dominating his view, droplets of water sparkling on her lightly tanned skin, pretending to shiver as she toweled herself dry, making a brrr sound with her lips. Then she smiled—always an invitation there—before lying back on the beach towel, squirming this way and that, her breasts commanding his attention as she made herself comfortable. “The water is very refreshing,” she said. “You should go in.” As she slipped on her sunglasses, her pretty face assumed the aspect of an innocent child.
“Soon.” It was pleasant here with the sun and warm sand. The water would be cold.
The waiter arrived with his Bohemia beer and glass balanced atop a small silver serving tray and held it down for Bandeira, then vanished when the beer alone was removed, taking the empty bottle with him. Bandeira took a pull, instinctively glancing down at his stomach and wondering where they had gone—his youth and fitness. He’d been a slender young man, one who always took his vitality and vigor for granted. Over the years, with greater personal and financial success, he’d slowly filled out, first into a man of stature, now into one of advancing years with too much fat.
Despite the excess weight he was a handsome man, just above average height for his generation, a bit darker in complexion than the upper class of Brazil, with gleaming teeth behind fleshy lips. He wore his lustrous, mostly black hair combed straight back. Occasionally when he smiled, there was just a touch of cruelty about his mouth, the hint of something more sinister than his usual pleasant demeanor suggested.
Bandeira had no illusions about Sonia. At fifty-one years of age, he knew his appeal lay with his bank account. He’d seen more than one man in his place make a fool of himself over a woman like her—a girl, really. He wasn’t about to play that game—or be played.
Still, her affection seemed genuine enough, and with the exception of telling him that her ambition was to become Miss Brazil, she’d never asked him for a thing, absolutely nothing. Of course, they’d been involved only a few weeks. That self-sufficiency could change.
Sonia came from a good family, one of the oldest if no longer the richest in the country. She knew other wealthy men. In fact, her father would have been very happy if she’d shown an interest in nearly any of the rich men with whom he worked. It was still traditional and common in Brazil for the young daughters of the wealthy to marry men who were contemporaries of their fathers. Such arrangements were mutually profitable to everyone concerned. Through such a marriage her father, Carlos Lopes de Almeida, long president of the Banco do Novo Brasil, would unite his family with another powerful and affluent family. The patriarchs would share the same grandchildren, who would in time inherit. His daughter would be assured of a life that continued in the style in which she’d been raised. All would remain as it was.
Bandeira wondered what Lopes de Almeida would think if he knew about the two of them. He smiled at the thought. He wondered even more just how much of Sonia’s interest in him was a youthful act of rebellion against her father and his traditional ways; certainly more than a small measure. Not that it mattered. He gazed at her and speculated what she’d think and do if she knew his real history, where he’d come from.
“What are you smiling at?” she asked.
He hadn’t realized she was looking at him. “Nothing.”
“Mmmm. I’ll bet it was something.”
I’ll tell her, Bandeira decided. I’ll tell her the whole story and just watch. That, he thought, easing back in his chair, will be something. Better yet, he reconsidered, I’ll show her.
7
TRADING PLATFORMS IT SECURITY
WALL STREET
NEW YORK CITY
9:17 A.M.
As Jeff Aiken and Frank worked in their assigned office on Wall Street that morning, Jeff reflected on how this assignment had come about. He was contacted two months earlier by the director of Trading Platforms IT Security for the New York Stock Exchange and had negotiated the terms of the project as well as the start date. The two had never met, but as was often the case, Jeff’s reputation preceded him, and his name came up by word of mouth. A common bot had been discovered on one of the Exchange’s Web servers, and security had no idea how it got there. The breach should have been impossible.
The director was Bill Stenton, a handsome African American man whom Jeff estimated to be in his early forties. Before meeting, Jeff had done his usual background research and learned that Stenton had been with the Exchange just three years, having come from the IT department of Wells Fargo. Though Stenton was reportedly competent, some of the feedback Jeff got characterized the director as high-strung and even difficult at times.
Jeff couldn’t help noticing that though trading platform security was a major component in maintaining the integrity of the world’s most important financial trading institution, there were three layers of bureaucracy between Stenton and the CEO. That was just one of several indicators to Jeff that the Exchange, despite all its computer and software dependency, didn’t give its core system’s security the attention it required.
When they met, Stenton told Jeff that his IT team was of the opinion that the trading platform had not been targeted specifically by the malware bot, but rather the NYSE site had been accessed by an automated scan searching for a vulnerability. Finding one, it had infected the system. The bot didn’t appear to have impacted any customers or disrupted operations, but there was concern because it had managed to get past the security team’s defenses, and it had been on the server for at least three days before IT stumbled across it while performing routine software upgrades on the system. If something as straightforward as a bot could make it into NYSE’s computers, then certainly malware far more dangerous could break through as well.
“We regularly run internal red team versus blue team exercises, but I’m concerned that we’re overlooking obvious weaknesses,” Stenton said evenly. “What we want is an external penetration test, the very best and most sophisticated you can manage. Our suspicion is that one of our own employees inadvertently opened the door for this bot. Pull no punches. I want you to be sneaky as hell. Learn our exposure and tell us where it is so it can be fixed. Our own people won’t even know what you’re up to. It is absolutely essential that the integrity of our trading software not be subject to question. The stability of world financial markets depends on it.”
“Pentests” were the cybersecurity equivalent of military war games, designed to evaluate the security of a computer system by simulating a malicious attack from outsiders as well as insiders. Once the pentest was completed, its results were presented to the system operator. The report included an assessment of the system’s security and vulnerability along with specific recommendations to counter them.
The pentest itself involved an analysis for gaps that were usually a consequence of inadequate system configuration, hardware or software flaws, or other operational process weaknesses or lax security countermeasures. Those conducting a pentest approached the computer system as a potential attacker might and sought to aggressively exploit any security holes they discovered. Those chinks in the armor could include misconfigured and unpatched software or systems not properly secured. Employees might be lured into visiting infected Web sites or opening malicious e-mails. Malware then tried to take advantage of missteps in the system.
Jeff and Frank Renkin, Daryl’s replacement at Red Zoya, had been housed in a Holiday Inn Express off nearby Water Street and were given an office on Wall Street in IT operations not far from the Exchange itself. Jeff was surprised the software development and computer operations were housed here, as it was some of the most expensive real estate on earth. The location was especially questionable, as the main data center was in New Jersey. The Exchange’s primary IT operation could have been housed anywhere; much of its supporting IT operation was, in fact, in Chicago. Apparently, NYSE Euronext had money to burn.
Access granted to a receptionist or data-entry employee was the weakest link of the Exchange’s cyberdefense because through those users, malware could gain entry into the system. Receptionist-level accounts on the network position served as Red Zoya’s starting point. Frank and Jeff were given contractor key cards to enter the building and assigned a shared office. They found it to be standard IT issue. Jeff had worked in dozens, likely more than a hundred, similar offices, each interchangeable with every other. The staff itself worked from cubicles, with managers occupying real offices around the perimeter. Jeff and Frank were given one of the small outer offices containing two desktop computers with flat-panel monitors, a modest gesture acknowledging the significance of their work but really chosen for privacy concerns.