How to Hack an Exchange! Mikael Simovits, Simovits Consulting AB Morten Lindeman, Co-Chair Nordic Subcommittee, FIX Trading Community, CTO and Co-Founder, Infront AS
Agenda • Development regarding IT-security risks • Examples: • Warszawa Stock Exchange • NASDAQ • BitCoin • How to hack an exchange
Development of Cyber Security Risks • During the RSA Conference keynote in April 2015 the following conclusions were drawn: • Cyber security is now at an inflection point • Current security solutions do not work • The threats/vulnerabilities/risks that were assumptions one year ago have been shown to be real and frequent threats • ”Building walls” does not help
Development in the field of Cyber Security Risks • Lack of security is costly • Trading networks are private networks, but all networks are somehow connected to Internet • Outsider is now Insider
Examples: WSE October 24, 2014 • Home page of the Warsaw stock exchange was hacked • Webpage defaced • Internal accounts were leaked (usernames and password hashes) • Information was leaked • Political statement (Islamic State)
Examples: Nasdaq 2010 • Directors Desk • Most management boards have an account; it stores board meetings and reports • Directors Desk was controlled by hackers for a long time (detected in October 2010)
• Logic Bomb • A logic bomb was planted on the internal network
• Everyone was blamed. • The official version today: ”It was the Russians.”
Examples: BitCoin

Year  Notes
2011  Mt.Gox - A Hong Kong based hacker compromised an account, and caused a massive sale. Price dropped from $32 to cents.
2012  Bitcoinica - Hacked twice (March + May). Had to close down.
2012  BitFloor - Lost 24000 BTC. Went out of business, but paid back most clients.
2013  PicoStocks - Lost 6000 BTC
2014  Mt.Gox - Clients had ~7% of all BTC (750 000). All lost.
2014  FlexCoin, Poloniex, BitCurex, Canadian BitCoins and BitStamp
2015  BTER, MyCoin
Example: Bitcoin Attacks (bar chart: "Bitcoin Attacks to date", 120 attacks in total; per-category counts are not recoverable from the extracted text, axis 0-35). Categories: Other, DDoS, Remote exploitation, Insider threat, Mining resources theft, Fraud or scam, Wallet theft, Crime or terrorism.
Example: Bitcoin Attacks (second chart; data not recoverable from the extracted text)
Security in financial networks • Defense Capabilities
• It is up to the implementor of FIX to decide the security level (The weakest link will be the victim) • Security is built on infrastructure level, such as TLS and the use of mutual authentication (PKI)
• Internet is not recommended, but it is up to the user to decide • Fixed lines • VPN network tunnels over private networks
• Systems are built by experts on financial systems but not by experts on security
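The two points above (mutual authentication at the TLS layer, and the security level being left to the implementor) suggest one concrete acceptor-side control: require a client certificate and refuse a FIX Logon whose SenderCompID does not belong to the certificate's owner. The following is an added Python example, not code from the presentation or from any FIX engine; the counterparty allowlist, certificate names and CompIDs are constructed.

```python
import ssl
from typing import Optional

# Constructed allowlist: certificate commonName -> the FIX SenderCompID (tag 49)
# that counterparty is allowed to use. In practice this comes from member onboarding.
ALLOWED_COUNTERPARTIES = {
    "broker-a.example": "BROKERA",
    "broker-b.example": "BROKERB",
}


def harden_acceptor_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Turn a server-side SSLContext into one that enforces mutual TLS.

    A default server context authenticates only the server; here the acceptor
    also requires and verifies the client's certificate, refuses TLS older
    than 1.2, and disables TLS compression.
    """
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Before real use: ctx.load_verify_locations(cafile=<member CA bundle>) and
    # ctx.load_cert_chain(certfile=..., keyfile=...). Omitted so this runs
    # without key material on disk.
    return ctx


def default_acceptor_context() -> ssl.SSLContext:
    """The weak baseline: Python's default server context, which asks for no client cert."""
    return ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)


def hardened_acceptor_context() -> ssl.SSLContext:
    """The corrected setting: a server context with client authentication required."""
    return harden_acceptor_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def enforces_mutual_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context will demand a client certificate and TLS >= 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def certificate_common_name(peer_cert: dict) -> Optional[str]:
    """Pull commonName out of the dict shape returned by SSLSocket.getpeercert()."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def logon_allowed(peer_cert: dict, sender_comp_id: str) -> bool:
    """Accept a FIX Logon (35=A) only when the TLS identity maps to the claimed SenderCompID."""
    cn = certificate_common_name(peer_cert)
    return cn is not None and ALLOWED_COUNTERPARTIES.get(cn) == sender_comp_id


if __name__ == "__main__":
    # Constructed peer certificate, in the shape getpeercert() returns after verification.
    cert = {"subject": ((("countryName", "SE"),), (("commonName", "broker-a.example"),))}
    print("default context enforces mTLS:", enforces_mutual_tls(default_acceptor_context()))
    print("hardened context enforces mTLS:", enforces_mutual_tls(hardened_acceptor_context()))
    print("BROKERA logon from broker-a cert:", logon_allowed(cert, "BROKERA"))
    print("BROKERB logon from broker-a cert:", logon_allowed(cert, "BROKERB"))
```

Note that `getpeercert()` returns a populated dict only when the certificate was actually verified (`verify_mode` other than `CERT_NONE`), so the identity check depends on the context hardening being in place first; with the default context the CompID binding would silently see an empty dict.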
Denial of Service attack • Network • Quote stuffing (brute force) • Exploring exchange system flaws or limits • Locking orderbooks • Can be done by creating online accounts • Easier when online brokers create APIs
• Has been demonstrated on a major system in UAT • Temporarily disruptive • Can be done to gain advantage (e.g. on related products: index, derivatives, etc.)
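From the venue's side, quote stuffing is visible in the order-entry stream itself: a member that bursts far above its normal message rate and cancels nearly everything it sends. The following is an added Python example of that detection logic, not code from the presentation or from any exchange; the thresholds, CompIDs and the FIX messages it runs over are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

SOH = "\x01"  # FIX field delimiter

# Illustrative thresholds (assumptions); a venue calibrates these per member and product.
MAX_ORDER_MSGS_PER_SECOND = 5
CANCEL_RATIO_LIMIT = 0.8


def parse_fix(raw: str) -> Dict[str, str]:
    """Split one FIX message into a tag -> value dict (repeating groups not needed here)."""
    fields: Dict[str, str] = {}
    for pair in raw.strip(SOH).split(SOH):
        if pair:
            tag, _, value = pair.partition("=")
            fields[tag] = value
    return fields


def detect_bursts(messages: List[str],
                  limit: int = MAX_ORDER_MSGS_PER_SECOND) -> Dict[str, List[Tuple[str, int]]]:
    """Per SenderCompID (49), list the one-second windows of SendingTime (52) in which
    order-entry traffic (35=D new, F cancel, G replace) exceeded `limit` messages."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for raw in messages:
        f = parse_fix(raw)
        if f.get("35") not in ("D", "F", "G"):
            continue
        second = f["52"][:17]  # "YYYYMMDD-HH:MM:SS" prefix, milliseconds dropped
        counts[f["49"]][second] += 1
    alerts: Dict[str, List[Tuple[str, int]]] = {}
    for sender, buckets in counts.items():
        over = [(sec, n) for sec, n in sorted(buckets.items()) if n > limit]
        if over:
            alerts[sender] = over
    return alerts


def cancel_ratios(messages: List[str]) -> Dict[str, float]:
    """Cancels (35=F) per new order (35=D) for each sender; stuffing shows a ratio near 1."""
    new = defaultdict(int)
    cancels = defaultdict(int)
    for raw in messages:
        f = parse_fix(raw)
        if f.get("35") == "D":
            new[f["49"]] += 1
        elif f.get("35") == "F":
            cancels[f["49"]] += 1
    ratios = {}
    for s in set(new) | set(cancels):
        ratios[s] = cancels[s] / new[s] if new[s] else (float("inf") if cancels[s] else 0.0)
    return ratios


def should_throttle(sender: str, bursts: Dict[str, list], ratios: Dict[str, float]) -> bool:
    """Gate: throttle a sender that both bursts past the rate limit and cancels most of what it sends."""
    return sender in bursts and ratios.get(sender, 0.0) >= CANCEL_RATIO_LIMIT


def _msg(fields) -> str:
    """Build a constructed FIX message string from (tag, value) pairs."""
    return SOH.join(f"{t}={v}" for t, v in fields) + SOH


def _order(sender: str, clord: str, sending_time: str) -> str:
    return _msg([("8", "FIX.4.4"), ("35", "D"), ("49", sender), ("56", "EXCH"),
                 ("52", sending_time), ("11", clord), ("55", "ERICB"),
                 ("54", "1"), ("38", "100"), ("40", "2"), ("44", "90.5")])


def _cancel(sender: str, clord: str, sending_time: str) -> str:
    return _msg([("8", "FIX.4.4"), ("35", "F"), ("49", sender), ("56", "EXCH"),
                 ("52", sending_time), ("41", clord), ("55", "ERICB")])


# Constructed traffic: STUFFER fires 8 orders and 8 cancels inside one second;
# NORMAL sends two orders across two seconds.
SAMPLE_MESSAGES = (
    [_order("STUFFER", f"S{i}", f"20150424-10:00:00.{i * 50:03d}") for i in range(8)]
    + [_cancel("STUFFER", f"S{i}", f"20150424-10:00:00.{400 + i * 50:03d}") for i in range(8)]
    + [_order("NORMAL", "N1", "20150424-10:00:00.200"),
       _order("NORMAL", "N2", "20150424-10:00:01.100")]
)


if __name__ == "__main__":
    bursts = detect_bursts(SAMPLE_MESSAGES)
    ratios = cancel_ratios(SAMPLE_MESSAGES)
    for sender in sorted(ratios):
        verdict = "THROTTLE" if should_throttle(sender, bursts, ratios) else "ok"
        print(sender, bursts.get(sender, []), f"cancel ratio={ratios[sender]:.2f}", verdict)
```

Combining the two signals matters: a market maker legitimately sends high rates with many cancels, so in practice the thresholds are set per member against its own baseline, and the same per-second bucketing works for the orderbook-locking case by counting messages per symbol instead of per sender.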
Altering of reference data • Some exchange systems use FTP (or variants) to distribute reference data • Availability through the public internet?
• Flaws in traditional systems can be used to alter the file • Either make random changes • Better: swap a few ISIN/trading keys • Sit back, enjoy the chaos
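The defensive counterpart to the file-alteration scenario above is to treat a reference data file as untrusted input: verify a checksum obtained over an authenticated channel, check every ISIN's check digit, and diff the symbol-to-ISIN mapping against the last accepted version so that a swap (which keeps every ISIN individually valid) is caught before the file is loaded. This is an added Python example, not from the presentation or from any exchange's software; the CSV layout and the two snapshots are constructed.

```python
import csv
import hashlib
import hmac
import io
from typing import Dict, List


def isin_is_valid(isin: str) -> bool:
    """ISO 6166 check digit: map letters to two digits (A=10 ... Z=35), then apply Luhn."""
    isin = isin.strip().upper()
    if len(isin) != 12 or not isin[:2].isalpha() or not isin.isalnum():
        return False
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in isin)
    total = 0
    for i, ch in enumerate(reversed(digits)):  # i == 0 is the check digit itself
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def load_reference(text: str) -> Dict[str, str]:
    """Parse a symbol,isin,currency CSV (constructed layout) into symbol -> ISIN."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["symbol"].strip(): row["isin"].strip() for row in reader}


def publish_checksum(text: str) -> str:
    """What the producer distributes over an authenticated channel, separately from the file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_checksum(text: str, expected_hex: str) -> bool:
    return hmac.compare_digest(publish_checksum(text), expected_hex)


def audit_reference(previous_text: str, current_text: str) -> Dict[str, list]:
    """Compare today's file against the last accepted one and validate each ISIN."""
    prev = load_reference(previous_text)
    cur = load_reference(current_text)
    findings: Dict[str, list] = {"changed": [], "invalid_isin": [], "duplicate_isin": []}
    by_isin: Dict[str, List[str]] = {}
    for symbol, isin in cur.items():
        by_isin.setdefault(isin, []).append(symbol)
        if not isin_is_valid(isin):
            findings["invalid_isin"].append((symbol, isin))
        if symbol in prev and prev[symbol] != isin:
            findings["changed"].append((symbol, prev[symbol], isin))
    findings["duplicate_isin"] = [(isin, syms) for isin, syms in by_isin.items() if len(syms) > 1]
    return findings


def release_ok(findings: Dict[str, list]) -> bool:
    """Automatic load only when nothing changed; any finding needs a human sign-off."""
    return not any(findings.values())


# Constructed snapshots with check-digit-valid ISINs. TODAY has the ERICB and
# VOLVB ISINs swapped, which no per-field check on its own would notice.
PREVIOUS_DAY = """symbol,isin,currency
ERICB,SE0000108656,SEK
VOLVB,SE0000115446,SEK
AAPL,US0378331005,USD
"""
TODAY = """symbol,isin,currency
ERICB,SE0000115446,SEK
VOLVB,SE0000108656,SEK
AAPL,US0378331005,USD
"""


if __name__ == "__main__":
    checksum = publish_checksum(TODAY)  # would arrive via the authenticated channel
    print("checksum ok:", verify_checksum(TODAY, checksum))
    findings = audit_reference(PREVIOUS_DAY, TODAY)
    print("findings:", findings)
    print("safe to load automatically:", release_ok(findings))
```

The checksum only helps if it travels by a path the attacker cannot also rewrite; an unauthenticated FTP directory holding both the file and its hash gives no integrity at all, which is why the diff against the previously accepted copy is the control that actually catches the swap.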
Publish false news • Fingerprint case in Sweden • Easier to gain access to codes for publishing press releases • Publish a press release which will have an impact on the price • Trade in derived instruments – e.g. CFDs or derivatives, preferably off exchange • Less risk of trades being reverted
Possible attacks
Snapshot: Security Heatmap (chart; attack positions are not recoverable from the extracted text). Axes: probability of success (ticks 50%, 100%) against simplicity (ticks 5, 10). Attack classes plotted: attack on encryption, poor access control, zero-day exploits, DoS/DDoS, poor configuration (internal), spearphishing, spoofed trading, application vulnerabilities, known exploits, poor configuration (external).
Conclusion • Advanced Persistent Threats (APT) • Getting stronger, and the number of possible attackers is increasing • Financial sector is known for lack of security in internal systems
• Lessons learned from Bitcoin • Correlation between number of attacks and the value of Bitcoin • A fluctuating exchange would attract more attackers
• While we are waiting for a better solution, build stronger walls
Thank you for listening! Q&A Mikael Simovits
[email protected]
Simovits Consulting AB www.simovits.com