BreachExchange mailing list archives

CME Hack Draws FBI Probe While Renewing Market Structure Anxiety


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 18 Nov 2013 00:03:30 -0700

http://www.bloomberg.com/news/2013-11-15/cme-group-says-its-computers-were-hacked-no-trades-affected.html

The computer intrusion at CME Group Inc. (CME) has spurred a federal
investigation and renewed concerns about the trustworthiness of electronic
markets.

The Chicago Mercantile Exchange’s owner said yesterday that its systems
were hacked in July and some customer information was compromised. CME
Group said there’s no evidence that transactions on its electronic-trading
system or its clearing services were affected.

Although CME Group downplayed the significance of its incident, the danger
to capital markets from hacking is underappreciated, said John Edge, a
managing director at New York-based Nice Actimize who specializes in global
trading and market structure issues. It’s likely there will one day be a
large-scale attack that causes a major disruption, he said.

“From a statistical point of view, it’s completely improbable that it won’t
happen,” he said. “The hacking community belongs to usually one of three
groups: state-sponsored, organized financial crime or agenda-based
activists. You’ve got some very well-funded, very talented, competent
people whose job it is to breach security.”

Cybersecurity has been flagged as one of the biggest threats to markets and
governments by industry groups and regulators. A study in July found that
computers at about 53 percent of exchanges around the world were attacked
during the previous year. Nasdaq OMX Group Inc. discovered suspicious files
on its website in 2011, prompting a federal investigation.

Customer Credentials

ClearPort, the system that CME Group said was targeted, provides clearing
services for block trades that are negotiated privately in over-the-counter
energy and metals markets. “To protect participants, CME Group forced a
change to customer credentials impacted by the incident, and is
corresponding directly with the impacted customers,” the company said in a
statement yesterday.

“Assuming no customer assets were affected, this is useful as an
eye-opener,” Pete Lindstrom, an analyst at Spire Security in Philadelphia,
said of the CME Group incident. “We continue to see various types of folks
who are hacked,” he said. “It starts to generate concern over our financial
infrastructure.”

Michael Shore, a CME Group spokesman, declined to elaborate on the
statement, which said the incident was the subject of a U.S. criminal
investigation.

“We did receive the referral” from CME Group, said Joan Hyde, a spokeswoman
for the Chicago office of the Federal Bureau of Investigation. “We are
looking into the matter.”

Hong Kong

The Commodity Futures Trading Commission, the main U.S. derivatives
regulator, is helping with the investigation, according to a person
familiar with the matter, who asked to not be named because the inquiry is
private. The attack on CME Group came from a hub in Hong Kong, although the
perpetrators could have been based elsewhere, the person said.

CME Group offers futures based on interest rates, equity indexes,
currencies, metals, energy products and agricultural commodities. It also
guarantees interest-rate swaps and credit-default swaps with its
clearinghouse.

From January to August of this year, CME Group handled 2.17 billion futures
contracts, according to an analysis by the Futures Industry Association,
making it the world’s largest exchange by volume.

While computer attacks are global, American exchanges have reported the
most instances of attempted sabotage via the Internet, according to a July
study co-authored by the World Federation of Exchanges and the
International Organization of Securities Commissions. About 67 percent of
U.S.-based trading venues said they had to fight them off, the study
showed. About 89 percent said it represents a systemic risk.

‘Big One’

That’s similar to the conclusion made by Depository Trust & Clearing Corp.,
which processes U.S. stock trades. It said in August that hacking is the
gravest threat to financial markets.

“Cybersecurity is a large and growing problem for all financial service
providers,” Howard Ward, the chief investment officer for growth equity at
Rye, New York-based Gamco Investors Inc., which oversees about $40 billion,
wrote in an e-mail. “We must accelerate our investments in protecting our
financial system and power grid from intruders before they score a big one.”

On July 25, U.S. prosecutors said they indicted four Russians and a
Ukrainian in what was called the largest hacking and data breach scheme in
U.S. history. Nasdaq OMX was among their targets.

‘Suspicious’ Files

Nasdaq OMX in 2011 disclosed an intrusion involving “suspicious” files on
its Directors Desk system, which lets corporate board members communicate
and share information. The National Security Agency, the top U.S.
electronic intelligence service, joined a probe of the 2010 attack, people
familiar with the investigation said in March 2011.

Although unrelated to hacking, U.S. stock and options exchanges have
experienced a series of self-imposed technical errors this year,
reinforcing concern that electronic markets are fundamentally flawed. The
errors, including an Aug. 22 malfunction at Nasdaq OMX that prompted a
three-hour trading suspension for thousands of stocks, prompted Securities
and Exchange Commission Chairman Mary Jo White to demand infrastructure and
protocol improvements.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
