Black Hat 2007: For financial firms, availability too often trumps security

Michael S. Mimoso, Editor, Information Security magazine

LAS VEGAS -- Financial services organizations are considered to be on the bleeding edge of information technology, but the market's widespread use of subpar security protocols for financial transactions could soon leave deep scars across the industry.

In a presentation Thursday at Black Hat 2007, researchers with Matasano Security lifted the shroud on some of the industry's common exchange protocols and found a shocking lack of security baked in. For many financial services firms, the overwhelming pressure to keep trading applications available coupled with the need to conduct the majority of their communications over private networks has nudged security to the back of the development line.

"When you look at the priorities around trading protocols, performance and availability are the most important parts. The faster they can communicate, the better they can capitalize on situations," said Dave Goldsmith, president of New York-based Matasano and a founding member of vaunted consultancy @Stake.

"With automated trading, microseconds do count," he said. "Any kind of security that introduces latency is going to be frowned upon in these systems."

Security with many of these protocols relies on insider trust, familiar security mechanisms like firewalls, and segregating communication over private networks. And within the financial services realm, this makes sense.

"As a pen-tester, we're concerned with traditional systems about how we can get root [access]. When we found availability issues, we'd get their eye faster than when we found confidentiality issues," Goldsmith said. "The system must stay up and running. A bad trade will be caught, but if a server goes down, it costs them money."

Goldsmith and his partner, Matasano's Jeremy Rauch, dove into the Financial Information Exchange (FIX) protocol, one of the most transparent protocols used today -- FIX specifications are available online for anyone to review.

FIX runs over TCP and includes a messaging layer and an application layer. It specifies, for example, how transactions are to be conducted using Web services over HTTP, over other messaging standards such as MQ, or over multicast UDP. Security, however, is never mentioned among the thousands of pages that make up the specification.

Compounding the problem is the fact that while transactions run on a dedicated line, once they're inside an internal network, there's nothing preventing them from traversing other network segments where a transaction could be exposed.
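To make concrete what the FIX specification does and does not check on a message, the following is an added example written for this article; it is not Matasano's code and not part of the FIX specification or any FIX engine. It builds a FIX tag=value message (fields separated by ASCII 0x01, with BodyLength in tag 9 and CheckSum in tag 10), parses one, and validates the only two integrity fields FIX defines. The order values, session identifiers and the `FIX.4.2` version string are constructed for illustration. The point it demonstrates is the one the article makes: tag 10 is an arithmetic checksum, not a keyed MAC, so a message altered anywhere along an unprotected network segment can simply be re-trailered and will still validate. Integrity and confidentiality therefore have to come from the transport (TLS) or from network isolation, not from the protocol.

```python
"""Build, parse and validate FIX tag=value messages (added example, not FIX-engine code)."""

SOH = "\x01"  # FIX field delimiter: ASCII 0x01 terminates every tag=value pair


def fix_checksum(data: str) -> str:
    """CheckSum (tag 10): byte sum of everything before the '10=' field, mod 256, as 3 digits."""
    return f"{sum(data.encode('ascii')) % 256:03d}"


def build_fix_message(begin_string: str, body_fields) -> str:
    """Assemble header (8, 9), body and trailer (10) with a correct BodyLength and CheckSum."""
    body = "".join(f"{tag}={value}{SOH}" for tag, value in body_fields)
    # BodyLength (9) counts bytes after the 9= field's SOH up to and including the SOH before 10=
    head = f"8={begin_string}{SOH}9={len(body.encode('ascii'))}{SOH}"
    msg = head + body
    return msg + f"10={fix_checksum(msg)}{SOH}"


def parse_fix(raw: str):
    """Split a raw message into an ordered list of (tag, value); tags may repeat in groups."""
    fields = []
    for part in raw.split(SOH):
        if not part:
            continue
        tag, _, value = part.partition("=")
        if not tag.isdigit():
            raise ValueError(f"malformed field: {part!r}")
        fields.append((int(tag), value))
    return fields


def validate_fix(raw: str) -> dict:
    """Run the only checks FIX itself defines: framing, BodyLength and CheckSum.

    Note what is absent: there is no field a receiver could use to authenticate the
    sender or detect deliberate modification, so passing here proves nothing about origin.
    """
    result = {"framing_ok": False, "body_length_ok": False, "checksum_ok": False}
    try:
        fields = parse_fix(raw)
    except ValueError:
        return result
    if len(fields) < 3 or fields[0][0] != 8 or fields[1][0] != 9 or fields[-1][0] != 10:
        return result
    result["framing_ok"] = True

    first_soh = raw.find(SOH)                      # end of 8=BeginString
    body_start = raw.find(SOH, first_soh + 1) + 1  # just after 9=BodyLength's SOH
    trailer_start = raw.rfind(SOH + "10=") + 1     # index of the '1' in the final 10= field

    declared = int(fields[1][1]) if fields[1][1].isdigit() else -1
    actual = len(raw[body_start:trailer_start].encode("ascii"))
    result["body_length_ok"] = declared == actual
    result["checksum_ok"] = fields[-1][1] == fix_checksum(raw[:trailer_start])
    return result


# Constructed sample: a NewOrderSingle (35=D) to buy 1000 shares; all values are made up.
SAMPLE_FIELDS = [
    (35, "D"), (49, "BUYSIDE"), (56, "SELLSIDE"), (34, "7"),
    (52, "20070801-15:30:00"), (11, "ORD1"), (55, "ACME"),
    (54, "1"), (38, "1000"), (40, "2"), (44, "25.50"),
]
SAMPLE_MESSAGE = build_fix_message("FIX.4.2", SAMPLE_FIELDS)


def retrailered_copy(raw: str, new_fields) -> str:
    """Rebuild a message with altered fields: the checksum recomputes, so it still validates."""
    begin_string = dict(parse_fix(raw))[8]
    return build_fix_message(begin_string, new_fields)


if __name__ == "__main__":
    print("original:", validate_fix(SAMPLE_MESSAGE))
    # A blind in-flight edit of the quantity is caught by the checksum ...
    blind_edit = SAMPLE_MESSAGE.replace("38=1000", "38=2000")
    print("blind edit:", validate_fix(blind_edit))
    # ... but the same edit with a recomputed trailer is indistinguishable from a genuine order.
    altered = [(t, "2000" if t == 38 else v) for t, v in SAMPLE_FIELDS]
    print("re-trailered:", validate_fix(retrailered_copy(SAMPLE_MESSAGE, altered)))
```

Run it directly and the three `validate_fix` results show the contrast: the original passes, the blind edit fails only the checksum, and the re-trailered copy passes every check FIX defines. That is why a FIX session crossing an internal segment without TLS or a dedicated path has no protocol-level protection against either reading or rewriting orders.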

Worse still, increasing awareness regarding FIX's security shortcomings is a challenge because unless an IT professional happens to be intimate with FIX -- or other financial protocols like QIX, OUCH, OTTO, RASHport, DROP, CTCI or ITCH -- it's unlikely that he or she would find much information about it.

One thing working in the financial industry's favor is that exploits haven't been publicly reported, but as Goldsmith pointed out, successful attacks on financial systems likely wouldn't be publicized.

"There isn't a lot of public information about what people should do, and there's good reason for that," Goldsmith said. "This has generally been between people who have been trading together since before computers. It's challenging because as more and more people are developing FIX applications, more people run the risk of getting it wrong."
