[ISN] Financial systems 'riddled with security holes'

From: InfoSec News (alerts@private)
Date: Mon Jul 09 2007 - 23:15:31 PDT


By Matthew Broersma
09 July 2007

Security weaknesses in the Financial Information Exchange (FIX) protocol 
have left many of the applications that power financial services 
companies vulnerable to attack, according to Matasano Security.

FIX was first introduced in 1992 to handle equity trading communications 
between Fidelity Investments and Salomon Brothers, and is now virtually 
the industry's standard for front-office communications. It is designed 
to handle real-time information exchange related to financial 
transactions, and is used by both institutions on the buy-side and 
brokers and dealers on the sell-side.

The protocol may handle securities trading, but wasn't necessarily built 
for security, according to Matasano. Researchers said applications 
supporting the protocol can be affected by remote denial-of-service, 
session hijacking and man-in-the-middle attacks, as well as electronic 

Matasano's Dave G and Jeremy Rauch plan to detail the vulnerabilities 
discovered by the firm at the Black Hat USA security conference in Las 
Vegas on 2 August.

While the company isn't releasing details at the moment, Matasano CEO 
David Goldsmith indicated the types of weaknesses present in a report 
from security website Dark Reading on Friday. Goldsmith said the 
problems are partly related to the fact that FIX has no built-in 
session-layer encryption, that many FIX-enabled financial programs don't 
use session passwords, and that the applications are mostly written in C 
and C++ code that isn't necessarily well audited.

Applications supporting FIX were often designed for internal use, and 
thus weren't considered to need much security, the company said. Because 
of its narrow focus, the protocol hasn't been well served by security 
tools, and isn't generally supported by intrusion detection systems or 
vulnerability scanners, Goldsmith said.

Nevertheless companies can help protect themselves with firewalls and 
third-party session encryption, Goldsmith said.
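To make the weaknesses Goldsmith describes concrete, and to show what a FIX-aware check looks like given that intrusion detection systems don't generally parse the protocol, here is a small inspector written for this article. It is an added example, not Matasano's code and not part of any FIX engine: it splits a raw FIX 4.x message into its tag=value fields, verifies the trailing CheckSum(10), and flags Logon messages (35=A) that carry no Password(554) or that leave EncryptMethod(98) at 0, meaning none. The sample messages and the CompIDs in them are constructed for the example.

```python
"""FIX 4.x session-message inspector (added example, not Matasano's or any
FIX engine's code).  Parses tag=value messages, verifies CheckSum(10), and
flags Logon messages with no password or no encryption negotiated."""

SOH = "\x01"  # FIX field delimiter

# Well-known FIX tag numbers used below
TAG_BEGIN_STRING, TAG_BODY_LENGTH, TAG_CHECKSUM = 8, 9, 10
TAG_MSG_SEQ_NUM, TAG_MSG_TYPE = 34, 35
TAG_SENDER_COMP_ID, TAG_SENDING_TIME, TAG_TARGET_COMP_ID = 49, 52, 56
TAG_ENCRYPT_METHOD, TAG_HEARTBT_INT = 98, 108
TAG_USERNAME, TAG_PASSWORD = 553, 554

MSGTYPE_LOGON = "A"


def parse_fix(raw: str) -> list[tuple[int, str]]:
    """Split a raw message into (tag, value) pairs in wire order.  A list is
    used rather than a dict because repeating groups reuse tag numbers."""
    fields = []
    for part in raw.split(SOH):
        if not part:  # trailing delimiter
            continue
        tag, sep, value = part.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed FIX field: {part!r}")
        fields.append((int(tag), value))
    return fields


def fix_checksum(raw: str) -> str:
    """CheckSum(10) is the byte sum of every character up to and including
    the SOH that precedes '10=', modulo 256, zero-padded to three digits."""
    end = raw.rfind(SOH + "10=")
    if end < 0:
        raise ValueError("message has no CheckSum(10) field")
    return f"{sum(raw[: end + 1].encode('latin-1')) % 256:03d}"


def checksum_ok(raw: str) -> bool:
    """True if the message ends with a CheckSum(10) that matches its bytes.
    This is an integrity check against corruption, not authentication:
    anyone who can inject into the TCP stream can recompute it."""
    fields = parse_fix(raw)
    return bool(fields) and fields[-1][0] == TAG_CHECKSUM and \
        fields[-1][1] == fix_checksum(raw)


def build_fix(body: list[tuple[int, str]], begin_string: str = "FIX.4.4") -> str:
    """Assemble a wire message: BeginString, BodyLength (bytes after the
    '9=' field up to and including the SOH before '10='), body, CheckSum."""
    body_str = "".join(f"{tag}={value}{SOH}" for tag, value in body)
    msg = f"{TAG_BEGIN_STRING}={begin_string}{SOH}{TAG_BODY_LENGTH}={len(body_str)}{SOH}{body_str}"
    return msg + f"{TAG_CHECKSUM}={sum(msg.encode('latin-1')) % 256:03d}{SOH}"


def audit_logon(raw: str) -> list[str]:
    """Findings for one message; an empty list means nothing was flagged."""
    if not checksum_ok(raw):
        return ["bad checksum (corrupted or tampered message)"]
    fields = dict(parse_fix(raw))  # session-level tags do not repeat
    if fields.get(TAG_MSG_TYPE) != MSGTYPE_LOGON:
        return []
    findings = []
    if not fields.get(TAG_PASSWORD):
        findings.append("Logon without Password(554)")
    if fields.get(TAG_ENCRYPT_METHOD, "0") == "0":
        findings.append("Logon negotiates no encryption (EncryptMethod 98=0)")
    return findings


# Constructed samples; CompIDs and values are made up for the example.
SESSION_HEADER = [
    (TAG_MSG_TYPE, MSGTYPE_LOGON),
    (TAG_SENDER_COMP_ID, "BUYSIDE1"),
    (TAG_TARGET_COMP_ID, "BROKER1"),
    (TAG_MSG_SEQ_NUM, "1"),
    (TAG_SENDING_TIME, "20070709-23:15:31"),
]
# The common case the article describes: no password, no encryption.
WEAK_LOGON = build_fix(SESSION_HEADER + [(TAG_ENCRYPT_METHOD, "0"), (TAG_HEARTBT_INT, "30")])
# Credentials present, but the session is still cleartext.
PASSWORD_LOGON = build_fix(SESSION_HEADER + [(TAG_ENCRYPT_METHOD, "0"), (TAG_HEARTBT_INT, "30"),
                                             (TAG_USERNAME, "trader7"), (TAG_PASSWORD, "s3cret")])
# A New Order Single (35=D) is not a Logon and is not audited.
ORDER = build_fix([(TAG_MSG_TYPE, "D"), (TAG_SENDER_COMP_ID, "BUYSIDE1"),
                   (TAG_TARGET_COMP_ID, "BROKER1"), (TAG_MSG_SEQ_NUM, "2"),
                   (11, "ORD-1"), (55, "ACME"), (54, "1"), (38, "100"), (40, "1")])
# One changed byte in the heartbeat interval invalidates the checksum.
TAMPERED_LOGON = WEAK_LOGON.replace("108=30", "108=31")

if __name__ == "__main__":
    for name, msg in [("weak", WEAK_LOGON), ("password", PASSWORD_LOGON),
                      ("order", ORDER), ("tampered", TAMPERED_LOGON)]:
        print(name, msg.replace(SOH, "|"), audit_logon(msg))
```

The checker only sees what is on the wire, which is the point: because FIX itself gives the session neither confidentiality nor authentication beyond an optional password, a checker like this placed on a network tap reads every CompID, sequence number and order in the clear, and so would anyone else on the path. That is what the third-party session encryption Goldsmith recommends (TLS or a VPN between the counterparties) is there to close, and it is also why a deployment that adds Password(554) but stays in cleartext still gets a finding above.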

FIX isn't the only financial industry protocol riddled with holes, 
Matasano said. Despite the fact that such financial systems handle 
trillions of dollars' worth of transactions, the protocols they're based 
on aren't designed with security in mind.

"Unlike the protocols that comprise the Internet as a whole, these 
haven't been scrutinised to death for security flaws," Matasano's Rauch 
said in a statement. "They're written with performance in mind and 
security is often just an afterthought, if present at all. And there are 
dozens of them."

