If Someone Hadn't Traded On Hacked SEC Files, We'd Never Have Known The SEC Was Hacked

Something very weird is going on at the Securities and Exchange Commission.

Last week the SEC took an unusually hands-on approach to investor education when it modeled precisely what not to do when your organization becomes the victim of a hack. The agency's untimely disclosure, buried in the middle of a long-winded speech and lacking in basic chronological details, posed far more questions than it answered.


Now, thanks to bits of leaked Senate testimony from SEC Chairman Jay Clayton, we have a slightly fuller answer to one of our central questions: Why did it take the SEC several months to realize that its previously discovered software glitch might have let crooks in the backdoor? The answer: The inquiry was coming from inside the agency:

The Securities and Exchange Commission looked anew at a 2016 hack of its electronic corporate filing system as part of an enforcement investigation, its chairman said in testimony prepared for a Senate hearing on Tuesday.... Clayton’s testimony said the commission began reviewing the hack of the Edgar filing system in August due to “an ongoing enforcement investigation,” according to remarks prepared for the Senate Banking Committee. The SEC hadn’t previously disclosed that it looked into the 2016 hack because of an investigation into possible illegal trading.

To review, it was sometime in 2016 that the SEC noticed it had a gaping hole in its EDGAR filing system, potentially allowing hackers to see market-moving releases before they went live. But it was only in August of this year that the agency determined the vulnerability “may have provided the basis for illicit gain through trading.”

The natural question, given those two data points, is how the SEC could have known about the bug in the system back in 2016, but somehow failed to imagine that hackers could exploit it for pecuniary gain until a year later. Wouldn't that be the first thing you'd check if you were an information security professional at the SEC? What else would there be to worry about?

Now we have an answer, kind of. Evidently some other office at the SEC, following the trail of some kind of fishy trading, traced the clues right back to the SEC. Which must have made for a tense conversation once the two teams interfaced:

ENFORCEMENT: Hey, so uh, did you know you had an EDGAR vulnerability last year?
INFOSEC: Oh, yeah, the pre-filing thing. We patched that up.
ENFORCEMENT: Did you ever consider the possibility that hackers could use that vulnerability to do insider trading on pre-public information?
INFOSEC:

[image: tim-and-eric-mind-blown]

On one hand, this revelation speaks pretty well of the abilities of the SEC's insider trading enforcement team; the agency apparently found out the consequences of its IT weaknesses only because investigators found evidence those weaknesses were exploited. Then again, it speaks pretty poorly of the agency's overall effectiveness in safeguarding the kind of information that, when mishandled by corporations, becomes the focus of insider trading probes. Overall: not a good look.

UPDATE: Reuters has confirmed that what actually happened is more or less the scenario described above.

SEC Enforcement Probe Led to Renewed Look at 2016 Hack [WSJ]

Related

SEC Staffers Have Made Remarkable Progress Re: Learning What Constitutes Appropriate Use Of A Work Computer

If you had asked us two years or two months or two days ago if we thought that there would be a time in the near future when Securities and Exchange Commission employees would not be getting reprimanded for watching porn on their work-issued computers, we would have said absolutely not. No judgment, but in our professional opinion, people do not go from, among other things:

* Receiving "over 16,000 access denials for Internet websites classified by the Commission's Internet filter as either "Sex" or "Pornography" in a one-month period"
* Accessing "Internet pornography and downloading pornographic images to his SEC computer during work hours so frequently that, on some days, he spent eight hours accessing Internet pornography...downloading so much pornography to his government computer that he exhausted the available space on the computer hard drive and downloaded pornography to CDs or DVDs that he accumulated in boxes in his office."
* www.ladyboyx.com, www.ladyboyjuice.com, www.trannytit.com, and www.anal-sins.com

...to living a porn-free existence at l'office. Did we think they'd take baby steps toward that goal? Sure. But when you've tried to log on to your websites of choice, on average, 533 times a day, assuming weekends were worked, baby steps means getting yourself to a place where you can do a solid two hours of work each week without hitting up anal-sins.com. So you can imagine (and probably share in) our surprise to hear that, according to a probe by Interim Inspector General Jon Rymer re: "misuses of government resources," the worst offenses one office was charged with were claiming they needed iPads to do their jobs when really they just wanted to watch movies on them at home, and going to hacker conferences without encrypting the data on their computers.

Granted, it doesn't look so great that the group running around with computers that didn't even have anti-virus programs installed was the one that "is responsible for ensuring exchanges are following a series of voluntary guidelines...concerning computer audits, security, and capacity" but still, no ladyboyjuice while on the job-- that's huge.

In a 43-page investigative report that probed the misuse of government resources, SEC Interim Inspector General Jon Rymer discovered that an office within the SEC's Trading and Markets division spent over $1 million on unnecessary technology. The report also found that the staffers failed to protect their computers and devices from hackers, even as they were urging exchanges and clearing agencies to do just that. Although no breaches occurred, the staffers left sensitive stock exchange data exposed to potential cyber attacks because they failed to encrypt the devices or even install basic virus protection programs...On Friday Reuters reviewed a copy of the full report, which details an even broader array of problems, from misleading the SEC about the office's need to buy Apple Inc products, to cases in which staffers took iPads and laptops home and used them primarily for pursuits such as personal banking, surfing the Web and downloading music and movies. The report says the staff may have brought the unprotected laptops to a Black Hat convention where hacking experts discuss the latest trends. They also used them to tap into public wireless networks and brought the devices along with them during exchange inspections...The report also found that some people who worked in the office had little or no experience with exchange technical matters.

SEC staffers used govn't computers for personal use - report [Reuters]

Earlier: SEC Supervisor Surfed Tranny Porn To Cope With Stress Of The Job; SEC Official Who Surfed Tranny Porn To Deal With Stress Of The Job– Not Alone!

SEC Posts Confidential Citadel Document

Oops. Those crazy porn-surfers at the Securities and Exchange Commission inadvertently posted a confidential earnings report from Citadel’s brokerage and market making unit on their website. The report, picked up by Bloomberg, shows Citadel Securities posted earnings of $81.6 on revenue of $1.01 billion last year.