Data Detailing New York Stock Exchange Network Exposed on Unsecured Server

July 28, 2009

Sensitive information about the technical infrastructure of the New York Stock Exchange’s computer network was left unsecured on a public server for possibly more than a year, Threat Level has learned.

The data, which was removed after Threat Level disclosed the situation to the NYSE, included several directories of files containing logs; server names; IP addresses; lists of hardware; lists of software versions running on the network; and configuration and patch histories, including what patches have not yet been installed. It was all available on a publicly accessible, unprotected FTP server maintained by EMC, a company that sells storage systems and managed services to the NYSE and other companies.

“We have discussed the matter with EMC and at this point we believe that there has been no impact on our operations or our customers,” said NYSE spokeswoman Mirtha Medina in an e-mail.

“Unless the NYSE knows that this stuff is out there and has approved for it to be out there (highly doubtful), I see no good reason why EMC is allowing this to happen,” said an information security specialist, who asked not to be named because he works in the financial industry, via e-mail. “Leaving information like this in a ‘public’ place definitely would make a bad guy’s job somewhat easier.”

The information could allow an intruder to map the NYSE’s network architecture and determine what vulnerabilities exist in the system.

For example, one of the documents posted on the server was an Excel spreadsheet, called a “heat report,” which consisted of a long list of low-level and high-level warnings, some of them indicating where patches had not yet been installed, such as the one below:

WARNING : Solaris 5.9 kernel patch fix 122300 is not installed.

It’s unclear how long the information was left unprotected on the server, but a note posted amid the files by an EMC employee named Dan Sferas read, “This directory contains all relevant data to the NYSE account.” The note was dated April 2, 2008.

A spokesman for EMC said the data exposed on the site was not sensitive, although the company locked the data behind a password gateway to protect it from public access shortly after Threat Level spoke with the NYSE, and has since moved the data to another location.

“We’ve discussed the situation with the NYSE,” said EMC spokesman Paul Farmer in an e-mail. “We’re confident that the information exchanged on our FTP site is not sensitive and will have no impact on NYSE Euronext systems or its customers.”

A source knowledgeable about the leak, speaking on condition of anonymity, said that the FTP server was used to share configuration information between EMC engineers, vendors and customers. “This was a breakdown of process within EMC, and normally that information would not be accessible to the public,” said the source.

The network security expert, who examined a few of the files for Threat Level, said it was unclear whether the data was limited to the stock exchange’s public network or if it also included information that would help someone access its trading network, which should normally be segregated from the internet.

“I would think they would/should be totally separate,” he said, “but I don’t know enough about their network topology to know for sure.”

EMC spokesman Farmer did not respond to questions on how long the information was available on the site or whether the data included information about the NYSE’s trading network.

EMC’s executive team includes Art Coviello, executive vice president, who is also president of RSA Security, one of the top computer security firms in the country, which EMC bought in 2006.
