Exclusive: U.S. Homeland Security found SEC had ‘critical’ cyber weaknesses in January

By Sarah N. Lynch

WASHINGTON (Reuters) – The U.S. Department of Homeland Security detected five “critical” cyber security weaknesses on the Securities and Exchange Commission’s computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.

The report’s findings raise fresh questions about a 2016 cyber breach into the U.S. market regulator’s corporate filing system known as “EDGAR.” SEC Chairman Jay Clayton disclosed late Wednesday that the agency learned in August 2017 that hackers may have exploited the 2016 incident for illegal insider-trading.

The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most “critical” vulnerabilities.

It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC. But the report shows that even after the SEC says it “promptly” patched the software vulnerability behind the 2016 hack, critical vulnerabilities still plagued the regulator’s systems.

The hack, two weeks after credit-reporting company Equifax <EFX.N> said hackers had stolen data on more than 143 million U.S. customers, has sent shockwaves through the U.S. financial sector.

An SEC spokesman did not have any comment on the report’s findings.

It is unclear if any of those critical vulnerabilities, detected after a scan of 114 SEC computers and devices, still pose a threat.

During the Obama administration, such scans were done on a weekly basis.

“I absolutely think any critical vulnerability like that should be acted on immediately,” said Tony Scott, the former federal chief information officer during the Obama administration who now runs his own cybersecurity consulting firm.

“This is what was at the root of the Equifax hack. There was a critical vulnerability that went unpatched for some long period of time. And if you’re a hacker, you are going to … try to see if you can exploit it in some fashion or another. So there is a race against the clock.”

For the past several years, the Department of Homeland Security has been producing a report known as the “Federal Cyber Exposure Scorecard.” It provides a weekly snapshot to more than 80 civilian government agencies about potential outstanding cyber weaknesses and how long they have persisted without being patched.

A directive by Homeland Security requires agencies to address critical vulnerabilities within 30 days, though sometimes that deadline can be difficult to meet if it might disrupt a government system.

The January snapshot shows improvements have been made across the government since May 2015, when there were a total of 363 critical vulnerabilities on devices across all of the civilian agencies, according to the report.

As of January 23, by contrast, there were a total of 40 critical vulnerabilities across the agencies reviewed by DHS and another 280 weaknesses categorized as “active high,” which is the second most severe category.

The top four agencies with the most “critical” vulnerabilities as of January 23 included the Environmental Protection Agency, the Department of Health and Human Services, the General Services Administration and the SEC.

However, more vulnerabilities do not necessarily mean one agency is worse than another, because the count depends on how many computers or devices, known as “hosts,” were scanned and on what kinds of information could potentially be exposed.

“All it takes is one,” Scott said. “You can have one host and one vulnerability and your risk might be 10 times as high as someone who has 10 hosts and ten vulnerabilities.”

(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)

SEC targets fake stock news on financial websites

The seal of the U.S. Securities and Exchange Commission hangs on the wall at SEC headquarters in Washington, DC

By Jonathan Stempel

(Reuters) – The U.S. Securities and Exchange Commission on Monday announced a crackdown against alleged stock promotion schemes in which writers were secretly paid to post hundreds of bullish articles about public companies on financial websites.

Twenty-seven individuals and entities, including a Hollywood actress, were charged with misleading investors into believing they were reading “independent, unbiased analyses” on websites such as Seeking Alpha, Benzinga and Wall Street Cheat Sheet.

According to the SEC, many writers used pseudonyms such as Equity Options Guru, The Swiss Trader, Trading Maven and Wonderful Wizard to hype stocks.

The regulator said it had identified more than 450 problem articles, of which more than 250 falsely said the writers were not being paid.

“This is different from the fraud cases that you usually see us bring,” Stephanie Avakian, acting director of the SEC enforcement division, said on a conference call.

“Here, we allege that the fraud was in presenting the analysis as impartial,” she said. “It was bought and paid for.”

Seventeen defendants, including Galena Biopharma Inc, ImmunoCellular Therapeutics Ltd and Lion Biotechnologies Inc, agreed to pay more than $4.8 million, including fines and restitution, to settle, and to refrain from further wrongdoing.

Not all defendants were required to make payments, and Galena, ImmunoCellular and Lion did not admit wrongdoing. None of the websites was charged.

The SEC filed lawsuits against the other 10 defendants in Manhattan federal court.

These defendants include Lidingo Holdings LLC, run by Kamilla Bjorlin, 46, an actress from Encino, California who performs under the name Milla Bjorn; and CSIR Group LLC, a New York firm overseen by Christine Petraglia, 49.

It is unclear whether those defendants have hired lawyers. A lawyer representing Lidingo and Bjorlin in separate litigation had no immediate comment. CSIR and Petraglia did not immediately respond to requests for comment.

The SEC also issued an alert warning investors that articles on investment research websites may not be objective and independent, and that they should never invest based solely on information published there.

Mike Taylor, a Seeking Alpha managing editor, said in an email that the website’s policies “act as a strong deterrent against potential promotions,” including documenting “all authors’ claims to not having been compensated by third parties.”

(Reporting by Jonathan Stempel in New York; Editing by Richard Chang)