By Matthew Broersma
09 July 2007
Security weaknesses in the Financial Information Exchange (FIX) protocol
have left many of the applications that power financial services
companies vulnerable to attack, according to Matasano Security.
FIX was first introduced in 1992 to handle equity trading communications
between Fidelity Investments and Salomon Brothers, and is now virtually
the industry's standard for front-office communications. It is designed
to handle real-time information exchange related to financial
transactions, and is used by both institutions on the buy-side and
brokers and dealers on the sell-side.
The protocol may handle securities trading, but wasn't necessarily built
for security, according to Matasano. Researchers said applications
supporting the protocol can be affected by remote denial-of-service,
session hijacking and man-in-the-middle attacks, as well as electronic
Matasano's Dave G and Jeremy Rauch plan to detail the vulnerabilities
discovered by the firm at the Black Hat USA security conference in Las
Vegas on 2 August.
While the company isn't releasing details at the moment, Matasano CEO
David Goldsmith gave an indication of the types of weaknesses present in
a report from security website Dark Reading on Friday. Goldsmith said
the problems are partly related to the fact that FIX has no built-in
session-layer encryption, that many FIX-enabled financial programs don't
use session passwords and that the applications are mostly written in C
and C++ code that isn't necessarily well audited.
Applications supporting FIX were often designed for internal use, and
thus weren't considered to need much security, the company said. Because
of its narrow focus, the protocol hasn't been well served by security
tools, and isn't generally supported by intrusion detection systems or
vulnerability scanners, Goldsmith said.
Nevertheless, companies can help protect themselves with firewalls and
third-party session encryption, Goldsmith said.
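As an added illustration of the weaknesses Goldsmith describes above (no built-in session-layer encryption, FIX programs that log on without session passwords, and hand-written C and C++ parsers) and of the kind of check a defender can add in front of such an application, the following Python is not from the article or from Matasano. It frames a FIX 4.4 Logon, validates the BodyLength and CheckSum trailer before accepting a frame, and flags a Logon that advertises EncryptMethod=0 or carries no Password field, so an operator can spot sessions that depend entirely on external encryption. The sample Logon, the CompIDs and the frame size limit are constructed for this example; the tag numbers (8, 9, 10, 35, 98, 554) are standard FIX tags.

```python
SOH = "\x01"  # FIX field delimiter


def build_fix(begin_string, body_fields):
    """Frame a FIX message from (tag, value) pairs, computing BodyLength (9)
    and CheckSum (10) the way the FIX spec defines them."""
    body = "".join(f"{tag}={value}{SOH}" for tag, value in body_fields)
    head = f"8={begin_string}{SOH}9={len(body.encode())}{SOH}"
    checksum = sum((head + body).encode()) % 256
    return f"{head}{body}10={checksum:03d}{SOH}"


def parse_fix(raw, max_len=4096):
    """Validate framing and return {tag: value}; raise ValueError on any
    malformed frame so the caller never processes an unverified message."""
    if len(raw) > max_len:  # constructed size cap, guards against oversized frames
        raise ValueError("frame exceeds max_len")
    parts = raw.split(SOH)
    if parts[-1] != "":
        raise ValueError("message not SOH-terminated")
    parts = parts[:-1]
    fields = []
    for part in parts:
        tag, sep, value = part.partition("=")
        if not sep or not tag.isdigit():
            raise ValueError(f"malformed field {part!r}")
        fields.append((int(tag), value))
    if len(fields) < 3 or fields[0][0] != 8 or fields[1][0] != 9 or fields[-1][0] != 10:
        raise ValueError("bad framing order: expected 8=, 9= ... 10=")
    # BodyLength covers everything after the 9=...SOH up to and including the SOH before 10=
    body_start = raw.index(SOH, raw.index(SOH) + 1) + 1
    trailer_start = len(raw) - len(parts[-1]) - 1
    body_len = len(raw[body_start:trailer_start].encode())
    if not fields[1][1].isdigit() or int(fields[1][1]) != body_len:
        raise ValueError("BodyLength mismatch")
    # CheckSum is the byte sum mod 256 of everything before the 10= field
    expected = sum(raw[:trailer_start].encode()) % 256
    if fields[-1][1] != f"{expected:03d}":
        raise ValueError("CheckSum mismatch")
    return dict(fields)


def frame_error(raw):
    """Return the validation error for a frame, or None if it parses cleanly."""
    try:
        parse_fix(raw)
    except ValueError as exc:
        return str(exc)
    return None


def audit_logon(fields):
    """Report Logon (35=A) settings that leave the session relying on
    external protection: EncryptMethod=0 and a missing Password (554)."""
    findings = []
    if fields.get(35) != "A":
        return findings
    if fields.get(98, "0") == "0":
        findings.append("EncryptMethod=0: no FIX-level encryption, session needs TLS or VPN")
    if 554 not in fields:
        findings.append("Logon carries no Password (554)")
    return findings


# Constructed sample Logon: buy-side firm logging on to a broker with no encryption and no password
SAMPLE_LOGON = build_fix("FIX.4.4", [
    (35, "A"), (49, "BUYSIDE"), (56, "BROKER"), (34, "1"),
    (52, "20070709-12:00:00"), (98, "0"), (108, "30"),
])

if __name__ == "__main__":
    fields = parse_fix(SAMPLE_LOGON)
    for finding in audit_logon(fields):
        print("finding:", finding)
```

Running the block prints two findings for the constructed Logon. Altering a single byte of the message (for example the SenderCompID) makes parse_fix reject it with a CheckSum mismatch, which is the minimum a gateway should do before a C or C++ FIX engine ever sees the bytes; it does not, of course, stop an on-path attacker who can recompute the trailer, which is why Goldsmith's advice to add session encryption stands.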
FIX isn't the only financial industry protocol riddled with holes,
Matasano said. Despite the fact that such financial systems handle
trillions of dollars' worth of transactions, the protocols they're based
on aren't designed with security in mind.
"Unlike the protocols that comprise the Internet as a whole, these
haven't been scrutinised to death for security flaws," Matasano's Rauch
said in a statement. "They're written with performance in mind and
security is often just an afterthought, if present at all. And there are
dozens of them."