Tuesday, September 15, 2009

A tale of bad security

Back in 1987, I was working at a branch of the Federal Home Loan Bank Board. The FHLBB was an organization (now defunct) described to me when I was there as holding roughly the same place w/r/t US savings and loans as the Federal Reserve did for US banks. [Insert half a dozen jokes that write themselves here.]

One of the things the 12 FHLBB branches did was to gather all the information on mortgage paper from their constituent S&Ls and transmit it at the same time every day to the mainframe in DC. This was done with a 2400-baud modem, which was a perfectly reasonable way to transmit data in 1987. What concerned me was that this was done with no data compression, no encryption, nothing. It was a clear, uncompressed flat text file with info on hundreds of millions of dollars of mortgage paper every day. PC-based compression and encryption were in their infancy back then--PKZip 2.0 was kind of the standard for this at that point--but that would've been a heckuva lot better than the nothing they were doing. Even worse, there wasn't anything that prevented someone from logging into the mainframe themselves. The password for logging in was "superman" and had been unchanged for over 2 years.

I figured I'd talk to the DP manager and suggest there was a problem. I don't recall his name, but he was a forgettably vague man who looked baffled by the things going on around him. I said that there was a problem with transmitting all this data at the same time every day in the clear on an unsecured line. "I see...." he said, looking confused. "Why would that be a problem?"

"Well," I explained, "if someone wanted to, they could monitor the data flow and get the mortgage numbers a month before they're released by the Fed and know what's coming. They could even go so far as to inject their own phony data stream into the system and artificially inflate or deflate the numbers by adding bogus mortgage paper numbers of their own."

"I see," he said again, slower. There was a slight pause and I could tell he was really trying to keep up with this but he was in way over his head already. "Why would they want to do that?" he finally asked.

"Well," I said (thinking "The natives really can understand you; they're just pretending they don't to be difficult, but if you keep speaking louder and slower, it should get through eventually!"), "if they inject their own numbers, they'll be able to affect the movement of interest rates on mortgage paper and then make money by making investments that reflect their advance knowledge of how the market is going to move."

"I... see...." he said again. I was dreading what he was going to say next, but sure enough, there it was: "Why would they want to do that?"

"It'd be a really bad idea!" I said. (You just can't help some people.) "You should change the password regularly to something secure, consider changing the time you transmit data, and maybe go for a secure line." He clearly had no understanding about why he needed to do any of this, but he said he'd take care of this. Okay, fine.

A few days later, I asked the guy who did the data transfer if he'd changed the password. "Yes," he said proudly, "I changed it to 'batman'."

The best you can hope for some people is that they'll just forget to breathe some day, y'know?
