Quick question: Why did shares in Yahoo slide by nearly 10% in the days BEFORE Heartbleed was announced and then recover after the main news items?
It has long been seen that security vulnerabilities can have a negative effect on the public’s perception of a company, and also on the value of a company’s stock value. Thus CEO’s need to understand this, and take action so that the exposure (and associated risk) is reduced. It happened with Sony with an outage of over one week on their PlayStation network, resulting in a share price drop of 8%. This had an affect on both consumers and developers, causing major embarrassment for the company. Computer security is now a major headline, and any negative news items which associate it with a company can have major implications for the stock value of a company.
So what does the analysis of the share price show in terms of the Heartbleed vulnerability? Within this analysis we will look at the major companies which could be affected by Heartbleed, including Yahoo (identified as one of the companies was used to demonstrate the leaked information on their private key, and also for usernames and passwords from their site), Amazon (who have much to lose on a dip in consumer confidence related to electronic commerce), and the other major Internet giants of HP, Dell, Google, AOL and Microsoft. Figure 1 thus shows the stock price of these companies over the time of the Heartbleed vulnerability timeline. From this we can see there are two dips, and these can be explained by three main phases.
Figure 1: Stock prices for major IT companies around the Heartbleed Zero Day
Day Zero Minus 2
The first phase related to the technical release of information about the OpenSSL vulnerabilty, and its associated patching by major IT companies. The first major news release was on 7 April 2014 with the stark message of “We are doomed”:
Re: heartbleed OpenSSL bug CVE-2014-0160 From: Andrew Case <atcuno () gmail com> Date: Mon, 07 Apr 2014 19:35:47 -0500 its 64KB per request so you can read much more than that through multiple requests Thanks, Andrew (@attrc) On 4/7/2014 7:10 PM, Kirils Solovjovs wrote: We are doomed. Description: http://www.openssl.org/news/vulnerabilities.html Article dedicated to the bug: http://heartbleed.com/ Tool to check if TLS heartbeat extension is supported: http://possible.lv/tools/hb/ A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. 1.0.1[ abcdef] affected. P.S. Happy Monday!
We can see that the full dip happened on 7 April 2014, but the slide had been happening for a few days, as seen from Figure 2 (where the dip started on the Thursday before the main release of information). One reason for this dip could be due to the information being disseminated to the major companies, before the rest of the World knew about it. This release of information is intended to give the major companies a day or two to get their systems ready for the Day Zero threat, where it would be an open season in terms of intruders probing systems. It could be that that this information was also leaked to insiders who then pulled their stocks in the major IT companies, waiting for a time to repurchase them with a tidy profit. One thing that is well known to traders, is that a news item can glitch the stock price, and then after it blows over, the price will end up at the same level. So if the market can push the stock price down by 5-10%, then a trader can re-purchase more stock for the same price.
With the official announcement on 7 April 2014, many researchers and companies worked to be the first to identify the script which could be used to exploit the vulnerability, and by the next day, even a script kiddie, with access to a Python script engine could capture information from a vulnerable Web server, and actually view the running information. With a basic search of the Internet, the script were ready, with full version control and updates. The blue line in Figure 2 shows the effect that it had on Yahoo’s stock. Unfortunately for them the demo screen capture used related to their site, and it was there stock price was was affected most (see graphic on the right-hand side).
Figure 2: Day Zero and the days before
Day Zero Plus One
In the next phase, from 7 April 2014 to 9 April 2014, the stock price went back up, almost to normal levels. Within this phase the key technical teams within the major IT companies were patching their systems, and reporting back. The information coming back perhaps didn’t look too bad on their systems and on their exposure. Along with this there was possibly an after-the-affect re-purchasing of the stocks, where things took a blip, and where the vulnerability was only seen a technical flaw and nothing to alarm the business community. Few, at that time, were predicting the storm that would hit, and the impact that the vulnerability would have.
Figure 3: After Day Zero
Day Zero Plus Two
The news of Heartbleed broke in a major way around the World on 9 April 2014, and it was then that the stocks took the major hit, with Yahoo in the firing line, and losing 9.4% from the days before Day Zero, and Amazon losing 8.3%. These two companies were heavily quoted within news items at the time, and were seem to be at the most risk. What was strange was the even Microsoft was hit, and they were not even exposed to the vulnerability, and were down 4.85%.
What was obvious was there were two affects going on. The first was a major opportunity for profit taking, by bailing out from the stock, and waiting for the news item to play through, and then go back in when the stock was at its lowest, and make a nice profit. There was another where there was a general knee jerk feeling that the Internet was cracking, and that the roof was about to collapse. Would user trust be broken in on-line commerce? At news items broke around the World, no-one really knew what was going on, especially as many in governments were advising users to change all their passwords immediately, and others were saying don’t change until things had been patched. The uncertainty would certainly have an effect on most types of e-Commerce systems, as users pondered on whether they could trust their click. It should be highlighted that to a company such as Amazon, this lack of user trust, even for a short period, can have major effects on their infrastructure.
Figure 4: The tidal wave
The after effects
So what happened after the main news events? Well, in most cases, the stock prices have went back to where they started, with Yahoo having a 0.00% change. This, perhaps, identifies that the Stock Market see security threats as a way to make a profit, in the hope that there will be a short-term blip in consumer confidence, with the price rising back to where it should be? This, though, is second guessing the consumer, who might be less inclined to click the button on their next major purpose, which is perhaps a reason that Amazon’s stock was down over the Heartbleed vulnerability period. The other thing was that none of these companies actually caused the problem, so their reputation has probably went untarnished. In fact, the traffic flows to Yahoo have increased over the past week or so (where page views are up 5.4% from pre-Heartbleed).
If you’re interested in the technical background for Heartbleed there is more information here.