Oops: Stock exchange forgets to change password from factory installed “admin”
Oman’s Muscat Securities Market, with a market cap reported near $23 billion, was discovered to have not changed passwords on one of its routers, using the original “admin” as both the username and password for months, ZDNet first reported.
The mistake could have allowed for hackers to gain unfettered access to the network. “Actually, ‘owning the network’ is a breeze,” according to Victor Gevers, a security consultant for the GDI Foundation who discovered the vulnerability and promotes himself as an “ethical hacker.” Hackers often scan for such vulnerabilities because they are easy targets, he said.
“Our advice was to block the telnet protocol on your firewall because this protocol is not safe to use anymore,” said Gevers. “If you need to mitigate this problem quickly we suggest you change this telnet password for a long and complex one. And then immediately apply a firewall rule to block the telnet service to only allow on their local network and start a replacement for this Huawei router as soon as possible.”
While ZDNet reported the problem went unaddressed for months, the exchange said the problem was resolved shortly after it was discovered.
The culprit? The exchange claimed that an outside consultant who installed the router was to blame.
Hacking is a business and exchanges should be prepared, says consultant
“Hacking has now become a business, so it is very important to be secure all the time,” Fahad Al Moharbi, IT Director, Infrastructure Department at Muscat Securities Market, was said after the hack was discovered. “We have multi-layers of security starting from the end users and ending with external firewall.”
The extent to which exchanges are taking the problem seriously is of concern to Ilia Kolochenko, CEO and Founder of High Tech Bridge, a security consulting firm.
“Many companies have to sacrifice cybersecurity for innovation and growth,” he told ValueWalk, pointing to a rush to market without stringent security testing as a cause for concern. The result of such technical lapses can be costly. “A fine, or even a settled collective lawsuit, is usually much less expensive than a missed opportunity or lost market segment.”
The problem has been very real.
In 2014, Russian hackers were reported to have breached the NASDAQ stock exchange in what was described as an attack that was described as “easier than you think.”
More recently the US Security Exchange Commission was the target of such exploits, with hackers accessing the Wall Street regulators EDGAR database and potentially allowing the hackers to trade on the information.
This past December, a South Korean Bitcoin exchange, Youbit, was forced out of business as a result of the hack when cybercriminals electronically looted nearly one-fifth of client’s holdings.
But it is not just security of applications controlled by a corporation that matter, but the transference of data as well.
“One of the things that hackers do is to intercept traffic before it reaches the share values, and if this data is intercepted, you can use that data to manipulate the market, and the market is then not subject to fair market forces,” Naseer Khan, Managing Director of IT consultancy firm IEON, said.
Kolochenko, for his part, thinks financial firms need to pay even greater attention to cybersecurity. “There are no clear policies, processes and procedures, and even when companies increase their information security budget every year – it does not help,” he said. “Cloud, mobile devices, IoT, and emerging technologies (e.g. AI, blockchain) just exacerbate the situation.”
A recent US News report pointed out that while hacking a stock exchange is a concern, the consequences can be limited. “A hack might cause a temporary outage, however any fraud perpetrated or operational mistakes on the exchange would be unwound by the participants or covered by the brokers and their insurance,” says Philip Lieberman, president of Los Angeles-based Lieberman Software was quoted as saying. “When there is an irregularity, the exchange is simply shut down,” Lieberman says. “This has happened multiple times and it does not cause a panic. The exchange is reopened when everyone is calmed down.”