Oh goody, another day, another set of government officials involved in a sex scandal. Rolling Stone brings us the ewww tale of SEC Inspector General David Kotz (ALLEGEDLY) boning every lawyer (like this pretty lady) with business before the agency, as well as his successor, Noelle Maloney, who then refused to meet with said lawyers because
“DAVID WAS FUCKING THAT LADY!” Until we see pix, it’s no Broadwell-Kelley Tampa Tap-Out. So what else is in this 77 page whistleblower complaint, you might be wondering? Is it all seks and lies and intrigue?
Well, sure there is some! But more hilarious are the accusations of gross malfeasance and incompetence, the likes of which (if true) may be egregious enough to compromise the functioning of Stock Exchange itself (to the degree that it functions right now, of course). No big deal though!
First things first: the SEC at one time spent $4 million to rearrange the desks of less than 2000 employees:
[Maloney] described an affair that Kotz had during a review conducted by the OIG into the SEC’s “Restacking Project,” in which the SEC spent approximately $4 million dollars relocating the desks of around 1,750 SEC employees. Maloney stated that Kotz had an affair with one of the key SEC personnel involved with this project, despite being responsible for leading the review, and having personally authored sections of the final report, concerning the allegations of waste in the project.
Also, at one time, a 23 year old recent college grad, with no experience in security, was possibly hired by the Chief of Security to oversee physical security at the SEC:
[A] whistleblower, who was responsible for performing physical security for the SEC, was ultimately transferred by [Chief of Security William S.] Fagan, and his/her position was filled by a 23 year old female, who has no experience in security services and whose father has a personal connection to Fagan. This replacement employee was hired directly after college graduation, with no security experience whatsoever, and in violation of the Merit Systems principles for competitive service hiring.
Up to 100 employees were maybe handling extremely sensitive material absent any background checks:
[At one point, anywhere from] 50 to 100 SEC contractors were employed at the SEC without any background screening due to backlog. Many of these employees, like [a] contractor involved in [a sexual] assault [on SEC property], had never been screened, despite having been employed at the SEC for years. Some of these employees, like the contractor, were granted access to the SEC’s most confidential data, such as consumer records and confidential, corporate records produced to the SEC in investigations…
One of them was on early parole release for felony narcotics possession.
Further, the OIG obtained the criminal background [of a particular contractor] which showed that he had multiple criminal convictions and was on an early parole release from a 10 year prison sentence in the Commonwealth of Virginia for felony narcotics distribution. Despite this criminal background, the contractor had been permitted to work with the SEC’s most sensitive enforcement data as an enforcement forensic IT contractor for years.
Sadly, “Penetration Testing” has naught to do with sexytime.
SEC examiners assigned to the Division of Trading and Markets performed “penetration testing” of the computer infrastructure of the NYSE, NASDAQ, and all other major exchanges. […]
The information obtained by this ARP examination program is of an extremely sensitive nature. In the wrong hands, this information could be used to disrupt trading activities on all of the exchanges, either individually by exchange, or at all exchanges simultaneously…In the OIG inquiry into the alleged misuse of computer equipment, Weber and his investigators found that the laptops which were used by SEC examiners during these examinations, and on which all the information from the examinations were stored, neither contained virus protection, encryption programs, or firewalls, nor were they ever wiped clean after testing. Some of the computers at issue were used in every stock exchange in the United States, and therefore exposed exchanges to infections or compromises that could be brought from exchange to exchange…
Some of these laptops were brought to foreign countries by SEC management, and by certain SEC management and employees to the “Black Hat” Conference in Las Vegas, Nevada.
Many of these unsecured laptops were probably brought to a hacker convention in Vegas.
The “Black Hat” Conferences are infamous for the illegal activities that occur during the Conferences. In an August 4, 2009, CNN article describing these conferences, the author notes, “[a]t a hacker conference no one is safe.” Indeed, senior IT security personnel at the SEC had acknowledged to Weber as part of the investigation that they were themselves too afraid to attend this Conference.
a. During the 2009 Conference, websites belonging to security researchers were hacked and passwords, private e-mails, and other sensitive documents were released on a vandalized website.
b. During the 2008 Conference, a thumb drive that was passed around by attendees was found to contain a computer virus.
c. During the 2008 Conference, some attendees, themselves security experts, who used the Wi-Fi networks had their passwords “sniffed” and then posted on an electronic bulletin board called the “Wall of Sheep.” One “Wall of Sheep” participant remarked how surprising it was that so many Black Hat attendees were insecure.
d. Also during the 2008 Conference, three French reporters were caught hacking into the press room network.
It’s cool though. No big deal.
When Weber questioned the SEC examiners as to why they would bring their laptops, containing extremely sensitive information, including the architecture and trading engines of the major stock exchanges, to the Black Hat Conference, they replied to the effect that they didn’t “think it was a big deal.”
So what happened, in the end, after this Weber guy became absolutely panicked at the thought of SEC employees or contractors, who may or may not have been given security clearance, taking unsecured laptops to a hacker convention in Vegas filled with foreigners, networking experts, and French reporters? Weber was canned, and forcibly escorted off SEC property.
But it’s cool, we’ll just hope that none of this stuff is true and all this personal financial information — as well as the integrity of the stock market — is ok.