Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

7/6/2007
07:48 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

'Hacking Capitalism'

Popular financial transaction protocol leaves trading open to hackers

You'd think electronic financial trading would be extra secure, but not so much: One of the most popular application-layer protocols in the financial industry leaves these money applications wide open to attack, according to researchers.

The application-layer FIX (financial information exchange) protocol is used by financial services firms, stock exchanges, and investment banks for automated financial trading. But apps written to the protocol can be vulnerable to denial-of-service, session hijacking, and man-in-the middle attacks over the Internet, as well as an attacker actually able to "watch" the transactions, says David Goldsmith, CEO of Matasano Security, who will present the firm's new research on FIX at the upcoming Black Hat USA briefings later this month.

Goldsmith says he can't divulge details on the specific vulnerabilities Matasano found in applications deploying FIX, as well as other financial industry-specific protocols, but the bottom line is that these protocols weren't built with security in mind. "For the most part, when you look under the hood of these protocols, we find almost no means of security," he says. The FIX spec, for instance, barely touches on how to secure data as it travels over the Internet.

And most apps that use FIX are written in C and C++, he notes, "which is not always super well-audited code."

FIX has no session-layer encryption built into it, so it isn't easy to encrypt the sessions. "So most people encrypt using external devices like VPNs or tools like 'stunnel,'" Goldsmith says. Although the FIX protocol was updated in the past year to free FIX apps from that session layer, he says, most of these apps are still running the FIX session layer.

And many FIX-enabled financial apps don't even use passwords for their sessions, mainly because the apps were originally mostly built for use internally for a private connection between business partners -- rather than over the Internet, which is increasingly becoming the preferred method.

Plenty of financial firms may be at risk of these types of attacks. According to the FIX Protocol Website, 75 percent of buy-side and 80 percent of sell-side financial services firms use FIX for electronic trading, with both types of organizations planning to expand FIX, according to a survey taken by TowerGroup. The site says more than three fourths of all financial exchanges surveyed support FIX in their applications, and that most major stock exchanges and investment banks use FIX for their electronic trading. Mutual fund, money manager, and small investment firms also deploy FIX.

Unlike credit-card theft, which ultimately can be stopped before causing much financial damage, an attack on FIX could be silent and deadly: "If a hacker was monitoring or viewing [the transactions], you may never know they are there," Goldsmith says. "[He] could take that information and use it to their advantage for insider trading... or to cause significant financial damage."

So what should financial institutions do in the meantime to protect themselves from attackers that hone in on financial protocols? Goldsmith says start by taking a look at applications "you haven't looked at in a while... When was the last time you changed passwords on applications built on FIX?"

"Even doing basic due-diligence goes a long way," he says. "It's very easy to treat these as internal apps and to not consider all the security ramifications. But these apps need to be treated very seriously."

And security tools really don't help here, Goldsmith says, although strong firewalling and external session-layer encryption are helpful. "You're not going to find that the IDSes of today are supporting FIX, or vulnerability scanners are finding FIX vulns," he says. "It's a little more narrow market."

Plus it's tough for researchers to even gain access to FIX-based systems to study their weaknesses since you can't just take down a financial trading app to test it, for instance. "These systems cannot be [taken] offline," he says.

FIX is just the tip of the iceberg for financial protocols at risk, however. "We'll be tightly focused on FIX" in the Black Hat talk, entitled "Hacking Capitalism," Goldsmith says. "But there's more to talk about."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Matasano Security LLC Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    Inside the Ransomware Campaigns Targeting Exchange Servers
    Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
    Commentary
    Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
    Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-30481
    PUBLISHED: 2021-04-10
    Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
    CVE-2021-20020
    PUBLISHED: 2021-04-10
    A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
    CVE-2021-30480
    PUBLISHED: 2021-04-09
    Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
    CVE-2021-21194
    PUBLISHED: 2021-04-09
    Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
    CVE-2021-21195
    PUBLISHED: 2021-04-09
    Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.