Godlike Productions

Data Detailing New York Stock Exchange Network Exposed on Unsecured Server

Just A Thought
User ID: 93768
7/29/2009 9:04 AM

Sensitive information about the technical infrastructure of the New York Stock Exchange’s computer network was left unsecured on a public server for possibly more than a year, Threat Level has learned.

The data, which was removed after Threat Level disclosed the situation to the NYSE, included several directories of files containing logs; server names; IP addresses; lists of hardware; lists of software versions running on the network; and configuration and patch histories, including what patches have not yet been installed. It was all available on a publicly accessible, unprotected FTP server maintained by EMC, a company that sells storage systems and managed services to the NYSE and other companies.

“We have discussed the matter with EMC and at this point we believe that there has been no impact on our operations or our customers,” said NYSE spokeswoman Mirtha Medina in an e-mail.


“Unless the NYSE knows that this stuff is out there and has approved for it to be out there (highly doubtful), I see no good reason why EMC is allowing this to happen,” said an information security specialist via e-mail who asked not to be named because he works in the financial industry. “Leaving information like this in a ‘public’ place definitely would make a bad guy’s job somewhat easier.”

The information could allow an intruder to map the NYSE’s network architecture and determine what vulnerabilities exist in the system.

For example, one of the documents posted on the server was an Excel spreadsheet, called a “heat report,” which consisted of a long list of low-level and high-level warnings, some of them indicating where patches had not yet been installed, such as the one below:

WARNING : Solaris 5.9 kernel patch fix 122300 is not installed.

It’s unclear how long the information was left unprotected on the server, but a note posted amid the files by an EMC employee named Dan Sferas read, “This directory contains all relevant data to the NYSE account.” The note was dated April 2, 2008.

A spokesman for EMC said the data exposed on the site was not sensitive, although the company locked the data behind a password gateway to protect it from public access shortly after Threat Level spoke with the NYSE, and has since moved the data to another location.

“We’ve discussed the situation with the NYSE,” said EMC spokesman Paul Farmer in an e-mail. “We’re confident that the information exchanged on our FTP site is not sensitive and will have no impact on NYSE Euronext systems or its customers.”

A source knowledgeable about the leak, speaking on condition of anonymity, said that the FTP server was used to share configuration information between EMC engineers, vendors and customers. “This was a breakdown of process within EMC, and normally that information would not be accessible to the public,” said the source.

The network security expert, who examined a few of the files for Threat Level, said it was unclear whether the data was limited to the stock exchange’s public network or if it also included information that would help someone access its trading network, which should normally be segregated from the internet.

“I would think they would/should be totally separate,” he said, “but I don’t know enough about their network topology to know for sure.”

EMC spokesman Farmer did not respond to questions on how long the information was available on the site or whether the data included information about the NYSE’s trading network.

EMC’s executive team includes Art Coviello, executive vice president, who is also president of RSA Security, one of the top computer security firms in the country, which EMC bought in 2006.


[link to www.wired.com]