Hacking Flash Trading on Wall Street: From Fiction to Fact in Just Three Weeks

Rogue_Code_bk_cover

I read Mark Russinovich’s new novel, Rogue Code, a few weeks ago when it was first released. The book is about flash trading and criminal hackers attacking Wall Street hedge funds. Then, just this week, I read a news flash on CNBC of a real life hack attack of a Wall Street hedge fund. Cybersecurity firm says large hedge fund attacked (CNBC 1/19/14). Again, it involved the controversial practice of flash trading. The facts of the news report were eerily close to Russinovich’s fiction. The news report seemed to come right off the pages of Rogue Code. Unless this is an elaborate hoax to promote the book, Mark Russinovich has taken predictive coding to a new level.

Remarkable Parallels

In both the book and news report a sophisticated, highly organized team of skilled hackers penetrated what was thought to be a totally secure stock trading computer system. They then planted a very complex piece of software code, malware, that hid in the system. It operated undetected for months, taking a million here, a million there. The hidden program was remotely controlled to surreptitiously interfere with flash trading in order to direct profits to the hackers from intercepted trades. Millions of dollars were stolen over several months time.

In the novel and real world some suspicious circumstances caused the brokers to hire an outside cybersecurity firm to investigate their computer systems. The cybersecurity white hats finally discovered the malware. In the book the hero catches the bad guys. In real life no one seems to even have a clue as to who they are. They are at large, enjoying the rich life of the billionaires they stole from.

In the novel the penetration went beyond just one hedge fund into the very trading platform of the New York Stock Exchange. The whole world financial system was threatened. No one is saying if that has also happened in real life.

Paul Henninger_CNBCThe cybersecurity company that broke the story, BAE Systems Applied Intelligence, made a point of saying that this kind of hack into stock trading systems, especially high-speed flash systems, has never been seen before. It may not have been seen, but Mark Russinovich certainly imagined it. The BAE spokesman, Paul Henninger (shown right), says that this hack represents a new level of attack involving both very advanced computer technical skills and advanced trading skills. Henninger says there are only a few experts in the world with the necessary skills to pull it off. Yet, this was all described in detail in Mark Russinovich’s novel. Kind of makes you wonder where Mark gets his material?

Cyber Thrillers

zero_day

Russinovich is one of the best writers in the new fiction genre that I like, cyber thrillers. For a complete list of the most popular of these books that have a cybersecurity focus see my Must Read Books on Cybersecurity page, which is a part of eDiscoverySecurity.com. Rogue Code is Russinovich‘s third in a series that stated with Zero Day in 2010 and Trojan Horse in 2012. All three books in this series star Jeff Aiken, a cybersecurity expert who saves the world as a White Hat hacker. Jeff Aiken battles Black Hat bad guys and bureaucratic bumblers at the same time. Jeff Aiken is kind of a nerdy version of James Bond and serves as his own Q. He’s got some cool hacking tools that would even make the JΞSTΞR jealous.

I can really relate with Jeff Aiken’s constant frustration with small-minded government types that get in his way. They usually suspect him of the being the bad guy. The real bad guys, the black hatters, usually come across as more sympathetic characters, which is one of the charms of the Jeff Aiken series. But the real attraction of his novels for me is how much you learn about cyber security while reading them.

Mark Russinovich and the Texas Instrument 99/4A

TI99:4AI figured Russinovich books were good, and accurate, and provided real insights, just based on the background of the author himself. Mark Russinovich is the real deal. He is now a Technical Fellow in the Cloud and Enterprise Division at Microsoft. I personally like him because at age 15, he bought himself his first computer, a TI99/4A. That was also my first personal computer and the first one I wrote programs for.

My kids still fondly remember my Make a Face program of the 99/4A. My daughter claims that was the world’s first avatar creation program, although at the time, to be honest, I thought of it as a high-tech Mr. Potato Head. You could make thousand of different looking faces, and no matter what face you made, Mr. Computerhead was always happy with your design and said, with lips moving, I sure look good now! It was one of those games where you could not lose. I offered it for sale on the TI99/4A user group newsletter. I wonder if Mark was ever tempted to buy it? I say tempted, because I know for sure he did not buy it. Sadly, I never sold any, despite my one $25 ad, and so I concentrated instead on the life of a techno-trial lawyer and computer hobbyist.

mark_russinovichAnyway, Mark Russinovich went on to become a real computer expert while I plugged along as a lawyer. Mark earned a B.S. in computer engineering from Carnegie Mellon University, a leading university for elite white hats. Then he received an M.S. in computer engineering from Rensselaer Polytechnic Institute. Then after some work in the real world, he returned to Carnegie Mellon, for a Ph.D. in computer engineering in 1994. Yeah, Mark knows his stuff. In so far as Microsoft products are concerned, he is one of the top experts in the world. He has personally discovered, and we assume quickly disclosed and fixed, many software errors and vulnerabilities that hackers could otherwise have exploited for fun and profit. Indeed, Mark now has a suspiciously large body of knowledge on how to hack into business systems of all kinds, especially those based on Microsoft operating systems.

Is Truth Stranger Than Fiction?

I had no idea how good his knowledge really was, and how close he was to the pulse of the elite hacking world, until reading the news story this week. It seemed to come right off the pages of his new book. I fully expect Jeff Aiken to be on the case right now tracking down the rogue coders who penetrated the hedge fund. I wonder if they are in Brazil watching the World Cup? In fact, come to think of it, the events Mark was writing about in Rogue Code were, we now know, taking place on the real Wall Street at the very same time he was writing about it. Hmm. What a coincidence. I wonder if well-known SEC investigator and attorney, Robert Ashton, will look into that? Too bad Patrick Oot has moved on. I’m sure he could e-discover the truth, that is, unless the Brazilian Mafia, the NL, got to him first.

For more about the Rogue Code check out this video trailer. I think this book would make a great movie.

Of course, the facts in Rogue Code and the BAE Systems report are somewhat different. You would not want to be too obvious, would you? Still, to a careful reader of both stories, both fact and faction, the similarities dominate. Both involved teams of experts working together to interfere with hedge fund flash traders to directly profit from the trades. Both involved long-term penetrations that lasted for months and resulted in the diversions (a polite word for theft) of millions of dollars. That’s right. This is big time cyber fraud, involving Big Data and Big Money and victims who usually will not want to complain. It makes for the perfect crime, especially if you like stealing from billionaires in a way that will likely go undetected.

Will the True Story of Wall Street Hacking Ever Be Known?

The full story of the real attack on the Wall Street flash trading hedge fund is still unknown. Indeed, the odds of our ever knowing the full truth of the real attack are slim to none. The as yet unnamed hedge fund has every incentive to keep it secret and keep their name out of the press. Think how their customers would react if they knew their money had been stolen by hack attack? How would their customers, billionaires all, react if they found out that their brokers had been outsmarted by hackers. No. That would not work out too well. So, as we learn in Rogue Code the novel, these things are usually hushed up and the bad guys get away with millions.

Going back to real life, and the BAE report by Paul Henninger, who said:

It’s pretty amazing,” Henninger said in an interview Wednesday from London. “The level of business sophistication involved as opposed to technical sophistication involved was something we had not seen before.”  . . .

Henninger said such business-savvy financial attacks can represent “the perfect crime,” because they are extremely difficult to trace to obscure locations around the globe, and because companies can be reluctant to go to law enforcement. “It often takes a while for firms to get comfortable with the idea of exposing what is in effect their dirty laundry to a law enforcement investigation,” Henninger said. “You can imagine the impact potentially on investor confidence.”

He said he does not know if the hedge fund reported the details of the attack—which he estimated cost the firm millions of dollars over just a few months’ time—to the SEC or the FBI.

Officials from the SEC and FBI declined to comment on this specific case.  . . .

Henninger said the malware represented a multimillion dollar problem for the hedge fund. “This was not something that was a minor issue for them,” he said. “This was something that was getting reviewed at the board level of this hedge fund precisely because it was having a material impact on performance across the portfolio.”

Public disclosure of illicit trading based on hacked information is exceedingly rare.

Eamon Javers, Cybersecurity firm says large hedge fund attacked (CNBC 1/19/14).

Conclusion

Bodek_flashThe introduction to  Rogue Code was written by Haim Bodek, Managing Partner of Decimus Capital Markets, LLC. He is an expert on flash trading who is now sounding the alarm on the abuses that flash trading is causing on Wall Street. Even without cyber intrusions and theft by hackers, Bodek thinks the stock exchanges could fall by the dishonesty and inherent unfairness of flash trading. I do not know about that, but I do know this micro-second trading gives an unfair advantage to some. We need a level playing field and a stock market that provides equal opportunities to all, including small investors. I hope that the alarm sounded by Haim Bodek about flash trading is overstated, but fear it is not. Rogue Code, and now the report by BAE, suggest that his concerns are well founded.

I am not delusional enough to think that the alarm sounded by Mark Russinovich on hacking Wall Street is a false alarm. That is a separate issue. I have no doubt in my mind that this is a clear and present danger. Although Rogue Code is a work of fiction, the hacking of Wall Street is not. The SEC must start taking cybersecurity more seriously. Indeed, all of us need to do that. Hackers are now getting organized and profit driven. This is not just an Anonymous group of kids anymore, these are criminal gangs. Hack attacks should be reported to the FBI. The days of secretive cover-ups must come to an end.

Comments are closed.

%d bloggers like this: