Rogue Code

Authors: Mark Russinovich


Looking up, Campos could see through one of the open office doors around the perimeter to the windows. The nearby taller buildings gleamed in the sunlight, catching rays like a mirror. He’d enjoyed these years in New York City. He regretted he’d not had time to see more of America. Well, he could always come back if he really wanted. But it would be good to be home again.

His mind turned to what he needed to do in the next week. He didn’t want to risk staying here much longer. Once Vacation Homes was shut down and especially after Carnaval was finished there’d be hell. Investigators would be swarming everywhere. They could look all they wanted. Marco Campos would vanish. The money would be gone as well.

From his work computer, Campos accessed the Internet using a server and student identity from New York State University, one of a group from the thousands of log-ins that the NL botnets had harvested to which he’d been given access for just these occasions. Students were always hacking each other’s identities as pranks or to get back at people for perceived social networking slights. He’d found in the past that a major university was an effective mask for what he was about to do.

He spent a few minutes in research, found two sites that looked right, and was satisfied when he visited the second, which he knew was the most popular. Data Retriever Solutions, or DRS, could have been anywhere from what Campos observed on their Web page. Likely it was physically located somewhere in the United States but its site was set up offshore, and when Campos checked, he saw it was registered to a corporation in Panama—about what he expected.

He’d already established a PayPal account and placed money into it from a throwaway prepaid credit card. Now he entered onto DRS as much information as he had on Jeff Aiken, including his business and residence address. Within seconds, he had his social security number, names of his parents and grandparents, schools he’d attended, his date of birth, which gave him his zodiac sign, even the name of two pets he’d had as a child.

Interesting, Campos thought, wondering where DRS had come by that information. Once he’d written it down, he returned to the first site and did it all again, this time using more of the information he’d just obtained. Nothing new there. Now he went back to DRS and repeated the process for Red Zoya.

A few minutes later, satisfied, he logged out. He walked down the hallway to the elevators, punched the button for the ground floor, then fingered the disposable cell phone he’d picked up for cash earlier that day. Sometimes, he thought, stepping into the elevator as he smiled at a coworker, technology just made all this too easy.

In the warming sunlight of the fall day Campos sat on a cement bench as he placed the call. Once he had a human voice at the other end, he fumbled the sheets of paper out.

“Yes, I’d like to set up a brokerage account.”

 

20

TRADING PLATFORMS IT SECURITY

WALL STREET

NEW YORK CITY

5:16 P.M.

Jeff had now turned his full attention to reverse engineering the hidden file. He and Frank had discussed this the night before, and though they accomplished what they’d been hired to do and could write their report, neither was satisfied with not knowing what this file did. Successfully reverse engineering it would tell them that. The downside was that not every reverse engineering effort went smoothly or quickly. So while Frank worked on the report and summary of findings, which included their recommendations for enhancing the cybersecurity for NYSE Euronext, Jeff worked on the mysterious software.

Reverse engineering meant taking a bit of software apart starting with the finished product and working backwards. This entailed going from implementation to the development cycle of the code, that is, to the time when it was first written. It was much like disassembling a toaster to see what made it work, except that in the software world, it was a process of examination only and did not involve modifying any of the code. The process wasn’t always successful, though with Jeff, it usually was.

Because the file was concealed by a rootkit, he suspected whoever created it didn’t want it to be reverse engineered, so he expected obstacles. It might take more time than he could reasonably justify to Stenton, which was one reason he’d hesitated, but he just couldn’t resist at least making the effort.

Jeff used a debugger to watch the file execute step by step. Whoever had written the code had, as he suspected, employed anti-debugging mechanisms, common in malware, which were intended to slow down and potentially discourage anyone from reverse engineering the file. Jeff was familiar with nearly all the known ones used, so though it slowed his work, it did not stop him. A software environment was simply too easily manipulated for code obfuscation to serve as a lasting barrier.

After several hours, Frank asked, “How’s it going?”

“I don’t know yet. I’m pretty sure it’s malware and has got something to do with trading. If so, it’s extremely sophisticated. But I still can’t clearly see what it’s meant to do, so I’m not positive.”

“You’ll figure it out, you always do.”

“Not always. I did find a string of numbers inside, but they aren’t related to anything, and they don’t fit any obvious pattern, at least not to me.”

“You sure they aren’t money figures?”

“I’m not sure of anything, but my guess is they’re identifying something.”

“Enjoy.”

“You know, the Exchange is lucky they hired us for this pentest. We’ve uncovered more than they feared was going on. We’re giving them more value for this test than they could ever have imagined.”

“I’m sure Stenton will be grateful when it comes time to pay up,” Frank said with a sly smile.

 

21

TRADING PLATFORMS IT SECURITY

WALL STREET

NEW YORK CITY

5:35 P.M.

Marc Campos was back in his cubicle and had accessed his computer but that was for show. He had no intention of taking the next step from his own workstation. That’s why this part had to be done now, as the place was winding down. A number of workers were taking a break before returning to finish projects due the next day. During the lunch hour and at times such as this, when workers often left their station, planning to return shortly, they didn’t always lock their screen. Idle computers required users to log back in after fifteen minutes. He didn’t have much time.

Still, this was risky, and he hated its necessity. So far he’d never taken such a significant risk. No, he thought bitterly, Iyers had done that for him.

Standing in his cubicle, Campos scanned the floor. Almost everyone was away from their desk. He rose, then slowly strolled down the hallway until he found an empty cubicle with no one occupying either side. He checked but the screen was locked.

He resumed his stroll and soon popped into another empty cubicle. The computer was unlocked. He sat down.

“Can I help you?”

Campos looked up. “Oh, hi, Rose.”

Rose Aquilar was a bit short and growing stout. Originally from the Philippines, she already worked at the Exchange when Campos came on board. “Are you lost?”

Campos stood up. “I’m sorry. I was on my way out and realized I’d forgotten to check on something. I saw you were still logged in. I hope you don’t mind.”

Rose stared at Campos, as if considering her response. “I guess not but I don’t like sharing my computer. Your station’s not that far away.”

Campos stepped into the hallway. “I’m really sorry. My mind was somewhere else. I apologize. It won’t happen again.”

“All right, then.” Rose sat, logged off, stood pointedly, then said, “I’ll see you tomorrow.”

Campos went into the men’s room to give her time to leave the office. He stepped into one of the stalls, his hands shaking violently. That was close. What if she said something? Then he thought a second. Of course she’d say something. She was the office gossip. He should never have risked her station.

After five minutes, he went back out. Rose was nowhere in sight. He walked about the large space, ignoring the stations, confirming that Rose was really gone. He couldn’t risk her catching him at someone else’s computer but this couldn’t wait. Once he’d satisfied himself, he selected a station in the far corner. The user was still logged in but the timer was about to expire.

Campos rapidly downloaded a file from an internal site containing a collection of UTP diagnostic tools, this one with a backdoor he’d embedded that enabled it to execute commands from his own system—in essence, it was a disguised bot. Now he had access to this and other accounts on the network with no trace to his own location or computer. Campos programmed the backdoor so he could monitor the user’s connection to the jump server.

That done, Campos left the cubicle and waited for others to leave. He found four computers logged off for the day but located two other connected computers and did the same thing. The sooner someone accessed the secure zone through the jump server, the sooner he’d be finished.

He went back outside, bought a kosher hot dog from a cart, then ate standing up, savoring the moment. When he was finished, he returned to his cubicle and his own computer. One of the users he hacked was in the process of accessing the jump server as Campos had anticipated. Break time was over, time to get back to work. He piggybacked into the secure zone, leaving no trace of himself.

Now Campos meticulously searched for signs of Red Zoya and the specialized tools Jeff and Frank used in their work. He smiled slightly as he did. Satisfied at what he saw, he planted in a version of Iyers’s trade manipulation malware very similar to the one used for Vacation Homes. Once that was in place, he dropped in the program he’d configured to blatantly manipulate trades, making no attempt at concealment. He set it up so the money skimmed from trades was moved into the brokerage account that he’d established earlier for Jeff. As an automated security measure, the malware was programmed to delete part of itself, and in so doing it extracted one of Jeff’s free cybersecurity tools, exposing it to view. This behavior, Campos knew, would trigger the antivirus program when it performed its next routine scan.

From this moment on, Vacation Homes would look as if it was Jeff Aiken’s pride and joy. Gotta love computers, Campos thought as he backed out of the secure zone. Now it was up to the Exchange’s IT sleuths and the software they had implanted, which hunted for just this sort of thing.

With this done Campos went in search of Iyers to discuss Carnaval. Everything had to move like clockwork from this point on.

 

DAY FOUR

THURSDAY, SEPTEMBER 13

 

HIGH-FREQUENCY TRADING UNDER SCRUTINY

HFTs Alleged to Harm Markets

By Frederick Z. Isaacs

September 13

Computers have reduced costs, increased participation, and improved the efficiency of stock markets the world over, according to the annual report of the Institute for Market Awareness. In its just-released report, institute president Arlene Bliss wrote that computers have linked exchanges, streamlined trading, and accelerated the flow of information, all of which has served the best interests of investors. But the report also cautioned that for all the good computing has brought to securities trading, it is now being used in ways not previously anticipated. The primary culprit is high-frequency trading while the driving principle is unparalleled greed.

HFT, as it is known, exploits the ability of supercomputers to execute trading opportunities in nanoseconds. Their highly sophisticated algorithms seek out price differences, then buy and sell at unbelievable speeds. The secret algorithms are referred to as Black Boxes.

Now that they dominate most major trades high-frequency trading companies are seeking new ways to leverage their advantage. The NYSE for one makes this easy by allowing new algos to be tested on their system without notifying them. More than once, such tests have caused serious disruptions in regular trading yet they are still permitted. In addition the NYSE allows HFTs to buy proximity location beside its super engines, giving them an advantage that others cannot exploit.

Competition with other exchanges is cited as the reason for NYSE behavior. “Administrators believe that if they do not allow proximity location or the testing of sophisticated algos other exchanges will and the NYSE will lose its advantageous place in world trading,” the report says.

Critics point out that such measures create tension between the need for security within the trading platform and the desire by the NYSE to serve the demands of its major, and favored, players. “While playing favorites raises the issue of fundamental fairness,” Clara Derns of the Investors Action League says, “its willingness to accept freewheeling algos and to grant favored access is courting disaster. The day is coming when the system will suffer a cataclysmic collapse because of high-frequency trading. It is inevitable given the current practices of the NYSE.”

According to the report, “NYSE is confident that high-frequency trading can be effectively managed. There is no reason for undue alarm.” The report concludes that such optimism is unwarranted.

Everyone in the industry knows that new regulatory controls are coming. While it is unlikely they will end the abuses of HFTs they will certainly make their current practices more difficult. In retrospect, these may well be seen as the halcyon days. The consequence is that greed is sure to drive these mysterious traders to even more extreme actions, which could create worldwide economic instability.

Bliss declined comment beyond what is contained in the institute’s annual report, adding only that she has grave personal concerns about the future for traditional market investors.

Internet News Service, Inc.

 

22

GRUPO TÉCNICO

RUA ADOLFO MOTA

GRANDE TIJUCA
