
Hacking Capitalism: electronic financial trading

"You'd think electronic financial trading would be extra secure, but
not so much: One of the most popular application-layer protocols in the
financial industry leaves these money applications wide open to attack,
according to researchers.

The application-layer FIX (financial information exchange)
protocol is used by financial services firms, stock exchanges, and
investment banks for automated financial trading. But apps written to
the protocol can be vulnerable to denial-of-service, session hijacking,
and man-in-the-middle attacks over the Internet, as well as an attacker
actually able to "watch" the transactions, says David Goldsmith, CEO of
Matasano Security, who will present the firm's new research on FIX at
the upcoming Black Hat USA briefings later this month.

Goldsmith says he can't divulge details on the specific
vulnerabilities Matasano found in applications deploying FIX, as well
as other financial industry-specific protocols, but the bottom line is
that these protocols weren't built with security in mind. "For the most
part, when you look under the hood of these protocols, we find almost
no means of security," he says. The FIX spec, for instance, barely
touches on how to secure data as it travels over the Internet."

Article Link: http://www.darkreading.com/document.asp?doc_id=128474
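To make the "almost no means of security" point concrete, here is an added example (not code from the article or from Matasano): a minimal parser and framer for FIX tag=value messages showing that the only integrity field the session layer defines, CheckSum (tag 10), is a mod-256 byte sum. It detects corruption but not modification, since anyone who can alter bytes on the path can recompute it, which is why FIX traffic needs transport protection such as TLS. The sample order message and field values are constructed for illustration.

```python
# Added example, not from the article. FIX framing: fields are "tag=value"
# separated by SOH (0x01); tag 9 is the body length and tag 10 the checksum.
SOH = "\x01"

# Constructed sample: a NewOrderSingle (35=D) with made-up counterparties.
SAMPLE_FIELDS = [("8", "FIX.4.2"), ("35", "D"), ("49", "BUYSIDE"),
                 ("56", "SELLSIDE"), ("34", "1"), ("55", "ACME"),
                 ("54", "1"), ("38", "100"), ("40", "1")]

def fix_checksum(msg_bytes: bytes) -> str:
    """Tag 10 per the FIX spec: sum of every byte up to and including the
    SOH that precedes '10=', modulo 256, rendered as three digits."""
    return f"{sum(msg_bytes) % 256:03d}"

def build_fix(fields) -> bytes:
    """Frame a message: fields[0] must be tag 8; tags 9 and 10 are computed."""
    body = "".join(f"{t}={v}{SOH}" for t, v in fields[1:])
    head = f"{fields[0][0]}={fields[0][1]}{SOH}9={len(body.encode())}{SOH}"
    partial = (head + body).encode()
    return partial + f"10={fix_checksum(partial)}{SOH}".encode()

def parse_fix(raw: bytes) -> dict:
    """Split a message into a tag -> value dict (repeating groups not handled;
    a later duplicate tag overwrites an earlier one)."""
    out = {}
    for field in raw.decode().split(SOH):
        if field:
            tag, _, value = field.partition("=")
            out[tag] = value
    return out

def verify_checksum(raw: bytes) -> bool:
    """True if tag 10 matches the recomputed sum. This catches accidental
    corruption only: no key is involved, so it is not an authenticity check."""
    idx = raw.rfind(b"\x0110=")          # SOH immediately before "10="
    if idx < 0:
        return False
    claimed = raw[idx + 4:idx + 7].decode()
    return claimed == fix_checksum(raw[:idx + 1])

def rebuild_with_field(raw: bytes, tag: str, new_value: str) -> bytes:
    """Re-frame a parsed message with one field changed. Because tags 9 and 10
    are recomputed, the result passes verify_checksum just like the original,
    which is exactly why the checksum offers no protection in transit."""
    fields = [(t, new_value if t == tag else v)
              for t, v in parse_fix(raw).items() if t not in ("9", "10")]
    return build_fix(fields)

if __name__ == "__main__":
    msg = build_fix(SAMPLE_FIELDS)
    print(msg.replace(b"\x01", b"|").decode())   # readable view of the frame
    print("checksum ok:", verify_checksum(msg))
```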