How to Hack an Exchange!

How to Hack an Exchange! Mikael Simovits, Simovits Consulting AB Morten Lindeman, Co-Chair Nordic Subcommittee, FIX Trading Community, CTO and Co-Founder, Infront AS

Agenda
• Development regarding IT-security risks
• Examples:
  • Warszawa Stock Exchange
  • NASDAQ
  • BitCoin
• How to hack an exchange

Development of Cyber Security Risks
• During the RSA Conference in April 2015 the following conclusions were drawn in the keynote:
  • Cyber security is now at an inflection point
  • Current security solutions do not work
  • The threats/vulnerabilities/risks that were assumptions one year ago have been shown to be real and frequent threats
  • "Building walls" does not help

Development in the field of Cyber Security Risks
• Lack of security is costly
• Trading networks are private networks, but all networks are somehow connected to the Internet
• Outsider is now Insider

Examples: WSE October 24, 2014
• Home page of the Warsaw stock exchange was hacked
• Webpage defaced
• Internal accounts were leaked (usernames and password hashes)
• Information was leaked
• Political statement (Islamic State)

Examples: Nasdaq 2010
• Directors Desk
  • Most management boards have an account. Stores board meetings and reports
  • Directors Desk was controlled by hackers for a long time (detected in October 2010)
• Logic Bomb
  • A logic bomb was planted on the internal network
• Everyone was blamed
• The official version today: "It was the Russians."

Examples: BitCoin

Year  Notes
2011  Mt.Gox - A Hong Kong based hacker compromised an account and caused a massive sale. Price dropped from $32 to cents.
2012  Bitcoinica - Hacked twice (March + May). Had to close down.
2012  BitFloor - Lost 24000 BTC. Went out of business, but paid back most clients.
2013  PicoStocks - Lost 6000 BTC
2014  Mt.Gox - Clients had ~7% of all BTC (750 000). All lost.
2014  FlexCoin, Poloniex, BitCurex, Canadian BitCoins and BitStamp
2015  BTER, MyCoin

Example: Bitcoin Attacks
[Figure: bar chart "Bitcoin Attacks to date" (120 attacks), number of attacks per category (vertical axis 0 to 35). Categories: Other, DDoS, Remote exploitation, Insider threat, Mining resources theft, Fraud or scam, Wallet theft, Crime or terrorism.]

Example: Bitcoin Attacks
[Figure: second slide on Bitcoin attacks; no further data is recoverable from the extracted text.]

Security in financial networks
• Defense Capabilities
  • It is up to the implementor of FIX to decide the security level (the weakest link will be the victim)
  • Security is built on the infrastructure level, such as TLS and the use of mutual authentication (PKI)
  • Internet is not recommended, but it is up to the user to decide
    • Fixed lines
    • VPN network tunnels over private networks
  • Systems are built by experts on financial systems, but not by experts on security

Denial of Service attack
• Network
• Quote stuffing (brute force)
• Exploring exchange system flaws or limits
• Locking orderbooks
  • Can be done by creating online accounts
  • Easier when online brokers create APIs
• Has been demonstrated on a major system in UAT
• Temporarily disruptive
• Can be done to gain advantage (e.g. on related products such as index, derivatives, etc.)

Altering of reference data
• Some exchange systems use FTP (or variants) to distribute reference data
  • Availability through the public internet?
• Flaws in traditional systems can be used to alter the file
  • Either make random changes
  • Better: swap a few ISIN/trading keys
  • Sit back, enjoy the chaos
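As an added defensive example (not from the slides), the checks a receiving firm could run on a reference-data file pulled over FTP before loading it: verify it against a digest the exchange publishes over an authenticated channel (assumed here), and diff the trading-key to ISIN mapping against the previous day's file so that swapped identifiers are flagged rather than silently loaded. File contents, trading keys and ISINs are constructed.

```python
import csv
import hashlib
import io

# Constructed reference-data files (CSV: trading_key,isin). Not from any real exchange.
YESTERDAY = "trading_key,isin\nAAA,XS0000000001\nBBB,XS0000000002\nCCC,XS0000000003\n"
# Legitimate file for today: CCC was re-issued under a new ISIN (an expected change).
TODAY_LEGIT = "trading_key,isin\nAAA,XS0000000001\nBBB,XS0000000002\nCCC,XS0000000004\n"
# What actually arrived over FTP: the ISINs of AAA and BBB have been swapped.
TODAY_RECEIVED = "trading_key,isin\nAAA,XS0000000002\nBBB,XS0000000001\nCCC,XS0000000004\n"
# Digest assumed to be published by the exchange over an authenticated channel (computed locally here).
PUBLISHED_SHA256 = hashlib.sha256(TODAY_LEGIT.encode()).hexdigest()


def digest_matches(content: str, expected_hex: str) -> bool:
    """Integrity check: reject a file whose SHA-256 differs from the published digest."""
    return hashlib.sha256(content.encode()).hexdigest() == expected_hex


def load_mapping(content: str) -> dict:
    """Parse a reference-data CSV into {trading_key: isin}."""
    return {row["trading_key"]: row["isin"] for row in csv.DictReader(io.StringIO(content))}


def changed_keys(old: str, new: str) -> dict:
    """Trading keys present in both files whose ISIN changed, as {key: (old_isin, new_isin)}."""
    a, b = load_mapping(old), load_mapping(new)
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}


def detect_swaps(changes: dict) -> list:
    """Pairs of keys that exchanged ISINs with each other; a single re-issue is not a swap."""
    keys = sorted(changes)
    swaps = []
    for i, k1 in enumerate(keys):
        for k2 in keys[i + 1:]:
            if changes[k1] == (changes[k2][1], changes[k2][0]):
                swaps.append((k1, k2))
    return swaps


def check_reference_data(old: str, new: str, expected_hex: str) -> dict:
    """Combine both checks into one verdict a loader can act on before publishing the data."""
    changes = changed_keys(old, new)
    return {
        "digest_ok": digest_matches(new, expected_hex),
        "changed": changes,
        "swaps": detect_swaps(changes),
    }
```

A failed digest alone should block the load; the swap list tells the operator which instruments a tampered file would have mispriced.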

Publish false news
• Fingerprint case in Sweden
• Easier to gain access to codes for publishing press releases
• Publish a press release which will have an impact on the price
• Trade in derived instruments, e.g. CFDs or derivatives, preferably off exchange
  • Less risk of trades being reverted

Possible attacks

Snapshot: Security Heatmap
[Figure: attacks plotted by Probability of success (50% to 100%, vertical axis) against Simplicity (5 to 10, horizontal axis). Items plotted: Attack on encryption, Poor access control, Zero-day exploits, DOS/DDOS, Poor configuration (internal), Spearphishing, Spoofed trading, Application vulnerabilities, Known exploits, Poor configuration (external).]


Conclusion
• Advanced Persistent Threats (APT)
  • Getting stronger, and the number of possible attackers is increasing
  • The financial sector is known for lack of security in internal systems
• Lessons learned from Bitcoin
  • Correlation between the number of attacks and the value of Bitcoin
  • A fluctuating exchange would attract more attackers
• While we are waiting for a better solution, build stronger walls

Thank you for listening! Q&A Mikael Simovits [email protected]

Simovits Consulting AB www.simovits.com