Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Stock market "wipe out" may be due to computer error - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Stock market "wipe out" may be due to computer error

A number of stocks lost about all their market value yesterday in the span of 5 minutes, leading to the fastest ever drop in the Dow Jones index. Luckily, most of the value was recovered, but the index overall was still substantially lower. It is not clear yet what exactly happened, but computer issues are cites as a possible reason. One report suggested a data entry error (entering "B" for "Billion" instead of "M" for "Million"). But several stocks where affected. These company's stocks went from as high s $59 to a couple of cents in a few minutes.

Again, the investigation is just starting. But this overall reminded me of a scenario we put forward a few years back. John Bambenek published a nice diary [1] in September of 2005 estimating that $24 Billion worth of assets are under the control of bot herders at the time in the form of brokerage accounts owned by infected users. This number is of course just a guess, but it does support the scenario of a bot control "Market DoS". The scenario we put forward back then was that a botnet could cause economic mayhem if such a sell-off would be timed right to coincide with real world events that would cause "market jitters". Right now, the economic crisis in Greece and the oil spill in the gulf of Mexico can be seen as such events.

How do we protect ourself? Sadly, as typical in our approach to software security, incident handling and forensics will have to come first. Maybe then, we will learn what should have considered int he first place: How to write more secure software, how to put the controls in place to prevent these errors.

[1] http://isc.sans.org/diary.html?storyid=712

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

=====================================================

More thoughts on this - - if you want to a large financial influence (for instance in a cyber-war scenario), you don't need to control 24B in household assets through malware, you need to control one trader's workstation at a major firm.   Yesterday's event shows us just how vulnerable we are - one bad trade, and all the lemmings follow the leader over the cliff!  Fund managers would be good targets as well.  Through a lever like this, your control is multiplied potentially  hundreds of times.

Looking for targets like that?  I just searched linkedin for "hedge fund" (36,000 results)  or "fund manager" for targets (12,000 results) - all nicely searchable by city, company etc.

A targeted phish campaign against a narrowly defined audience like that ... hmmmm ....

 

============== Rob VandenBrink, Metafore  ================

 

I will be teaching next: Intrusion Detection In-Depth - SANS London July 2019

Johannes

3562 Posts
ISC Handler
Okay, I think it is obvious that the United States financial sector is being attacked. This makes sense if you think about it because the financial sector does not have all the safeguards that the military sector has. Further, if our enemies are able to wreck havoc on the financial system and our money becomes worthless then it does not matter how much military technology we have because we still need to buy and sell to provide support for our armed forces. I feel that a comprehensive review of the financial sector computer systems must be done, ASAP. This must analyze whether third party code is used at the financial websites that could be a hacking entry point. Are websites using full encryption as well as additional safeguards. In addition, new and further safeguards could be implemented by having a human being have to sign off on huge computer generated trades thus not allowing the process to be fully automated.
Danster

13 Posts
I think it would be safer if these trades were automated. Many transactions on the floor of the NYSE still happen through human beings (the traders) and where you have people, you have the potential for error, especially in a high-pressure, high-density trading environment.
AndrewB

24 Posts
To suggest that this occurred in theory now just throws gasoline on the fire.

The system was made by humans and has all the imperfections they do, too. This is -not- news to most of the sane population. Get the emotion out of the equation. Over time, when cooler heads prevail, the thought process will correct the failures of the past, unless we choose to allow history to repeat itself.

Lord protect us from those who never make a mistake, and those who make the same mistake twice.

.
Jack

160 Posts
AndrewB, many trades are automated, which in reality is part of the problem. An error in pricing that triggers automatic sell orders could be devastating, value-wise.
Jack
2 Posts

To anyone who's ever worked in the financial market [IT] business this event is trivial. Market readjusts rapidly, especially since Black Monday

Yes, it can lead someone to devise an attack, and when you think of it, anybody who's ever worked in the financial market [IT] business can do the same, if not better.

Jack
17 Posts
Jim... Automated trades are not the problem. It's the person entering an extra zero or two that's the problem. When the automated systems see that, they react as they were programmed to. The root of it is still human error. We need to program computers to not trust humans hehe.

At any rate, time to go buy as much stock as I can. Gotta take advantage of the dips before it corrects itself...
Anonymous
Beware the Daemon, and the Major.
Syd

3 Posts
Beware the Daemon, and the Major.
Syd

3 Posts
A crash is often multi-faceted. However, the explanation for the one-cent stocks might be pretty simple. The NYSE went into slow-down mode on those stocks, which means that more time is allowed for a buy order and sell order to match up. This makes it LESS likely that a wild price transaction happens. However, it appears that some of the electronic trading systems run by other companies IGNORED the NYSE slowdown. You know how some places GUARANTEE 2-second trades, etc? Well, if the NYSE is going to 30 or 60 seconds, those other guys might decide not to come along.

The problem is that there are a lot less orders for NYSE stocks if you aren't looking on the NYSE. So if you put a wild 'SELL!'-at-market order in on the electronic platform, the only buy order might have been some joker with a standing 1-cent bid. So 1-cent was your price.

market-ticker.denninger.net has more discussion of this, also pointing out that SEC rules should make this illegal, because brokers are required to provide the best nationwide price. They aren't allowed to ignore NYSE bids just because NYSE wants to take 60 seconds to fill.
Syd
5 Posts
It is odd that whilst we see numerous variants malware for banking and online game account stealing, we don't see much specific to online trading platforms.
hacks4pancakes

48 Posts

- http://news.yahoo.com/s/ap/20100507/ap_on_bi_ge/us_wall_street_sec
May 7, 2010 5:02 pm ET - "... identifying one possible cause: Conflicting trading rules for different markets. The Securities and Exchange Commission and the Commodity Futures Trading Commission say they are reviewing data related to Thursday's trading frenzy. They are looking at information from exchanges, self-regulatory groups and market participants. They say they will make any necessary changes to prevent the problem from recurring..."

.
Jack

160 Posts

Sign Up for Free or Log In to start participating in the conversation!