In the following Protega blog post, our technical director James Wootton, puts a blockbuster twist on the latest high profile IT hackings. Look out everyone...the Cyber Wolves of Wall Street are on the loose...
The Cyber Wolves of Wall Street
It’s been quite some time since the infamous ‘wolf’ allegedly turned over a new leaf, but there’s a new world with new opportunities for the cyber wolf, one that is probably going to lend itself to many shady deals, particularly if the current trend of high-publicity hacks of publicly listed companies is anything to go by. If we look at the latest Talk Talk compromise, we can see that there is a direct correlation between share price fall and recovery, relating to the hack event itself and subsequent capture of the alleged hackers.
It made me think of the many movies based upon companies that recognise and profit from such unhealthy events. However, imagine you have the power to manipulate such blips in share price through knowing when they’ll occur, something that I suspect will become a reality, requiring a change in current legislation worldwide and causing quite a stir in the process.
Let’s make a Movie!
Here’s the ‘meat’ of the blockbuster movie I envisage, clearly there’d be a lot more plot and ‘fluff’ around it:
Harriet-the-hacker identifies companies that are publicly trading and clearly have no idea about security, exhibiting all the weaknesses expected of companies grappling with profit versus investment. As part of a complex hedge-fund or speculation gamble, Harriet analyses the viability of shorting shares for those companies that were previously identified.
After randomising and creating a timeline for companies to be hacked, Harriet finds victims who are going to be the patsy (willing or otherwise) for those companies likely to provide a dip and recover profile, a-la Talk Talk. She selects people she can manipulate; script-kiddies, people who’d like to profit, or corruptible insiders.
Harriet then shorts the shares and hacks the target companies, at the appropriate point within the planned timeline, watching the share price plummet! Harriet cashes in once the share price bottoms out and shifts her strategy to a long position.
Harriet laughs as the Patsy gets caught, giggling with delight as she sees the near instantaneous start of share price recovery.
Over a glass of bubbly she watches the share price rise and cashes in once the price is to her liking, completing the financial transaction and sitting back, taking a sip, enjoying the fruits of her labours.
She completes the financial transactions and moves on to the next seemingly ‘random’ victim.
There are also a number of blackmail scenarios available along the way too, which we could slip into the plot. Operational security must be considered as people, particularly algorithmic fraud analysers, may notice a trend when the companies dip and recover. She would have to make sure there are a mix of identified perpetrators and undiscovered perpetrator profiles, with a combination of short and short/long scenarios across a portfolio of accounts, of course, not in her name.
Anyway, I think it’s wise to leave it there and not provide too much detail, after all this is purely fictional!
Hold on, is this already a reality, not a work of fiction at all?
Imagine this isn’t Hollywood, but in fact something that is already occurring. A number of well-publicised recent breaches have involved share price ‘fluctuations’ that were just too darn perfect and predictable for people to have not profited from them. I racked my brains (both the squidgy one and Google’s) to come up with where I’d heard of this ‘scam’ and of course, a legitimate story appeared that paralleled this, in a way that should really rattle the financial regulators of the world!
Anyone remember a hacker named Weev? One Andrew Alan Escher Auernheimer, he who was part of the imaginatively named Goatse Security group that exposed a serious flaw in AT&T’s interpretation of securing sensitive data on iPads. Turns out, that after spending some time in prison (I’m staying well away from the rights or wrongs of that one!), he announced last year the formation of a hedge fund that would short shares of companies exhibiting such weaknesses, but distanced himself from the actual ‘reconnaissance’ process.
Whilst it appears that his dream hasn’t been fulfilled, even after a crowd-fund attempt, TRO LLC (you have to laugh at the troll there) and its website no longer exist. It would seem that should this hedging become a legitimised reality, there would be yet another black mark against the money houses and a loss of confidence. My example above raises some ‘issues’ around the legalities of the described actions, but given a plausible gap between the legitimate and blatantly illegal actions, it could probably be performed relatively risk-free (and no, don’t try this at home kids!, i.e. this article does not condone nor encourage any illegal behaviour – just to be clear).
How do we identify and perhaps legislate against such events?
Well, that’s the hard part. If you consider how many money markets and how many publicly listed companies there are, it’s a target-rich environment. Given the state of some of those traded entities from a risk perspective, I can see how this scam is going to work with a little thought and carefully selected victims.
Big Data Analytics would help here and given access to share dealing data, would most likely identify anomalous behaviour, but we’re a way from this level of inter-connectivity, so it would be relatively easy to hide the money shots amongst a bunch of losing deals. If the ‘Harriets’ of our cyber world were prepared to accept the game would be over after a predetermined time, then the ‘in and out’ will most likely be untroubled. Split the activity amongst many accounts and money mules… who’d know?
Of course, we’re then left with the usual exasperations of the security community and the seemingly not-so-obvious mitigations, aren’t we?
- Pentesting etc. (i.e. Assurance activities - Test your beliefs and assumptions and educate, but these of course don’t start with a P!)
Plugging away at these vulnerabilities and changing an organisation’s risk profile, would make such an attack unpalatable and should cause the Harriet’s of this world to move on to the next, much softer target, assuming of course that the other P-word (profit) didn’t stop the C’s from investing in an appropriate security strategy…
And seriously folks, the poor script writing above, purely fictional, don’t get excited and end up breaking the law, that would wreck my Christmas and yours!
If this thought provoking read sparked your interest, why not head over to Protega's LinkedIn page, where similar blog postings can be enjoyed.