Shostack + Friends Blog Archive


Business Process Hacking

Business process hacking is the act of using weaknesses in the way an application is exposed to garner information or break in. Recent examples include the ChoicePoint and Lexis-Nexis attacks.

Here is a new one. A couple of young traders at an Estonian bank got a Businesswire account and proceeded to dig around until they found they could see stuff that had not been released yet. Now comes the hard part. If you know a company is going to release earnings of X how do you know what the stock is going to do? These guys were savvy enough to evidently earn over $7 million in profits.

So writes Richard Stiennon in “More Business Process Hacking.” This was interesting because of the denials that Business Wire issued, as Paul Kedrosky reports in “Spidering for Fun and Profit — and Why Traders Don’t Read”:

Interestingly, Business Wire itself says that the SEC story is inaccurate. Almost certainly splitting technical hairs, it claims that Business Wire’s main news system was not compromised. Instead, here is what it says happened:

Certain individuals gained access to a screen shot of limited background information. This information did not include the content of news releases.

I’m guessing this means that there is a central admin screen somewhere in the system where Business Wire staff manage upcoming press releases, and where you can see the issuer and the intended headline. That must have been what the Estonian hackers accessed…

Security. It’s not just about sploits anymore.

2 comments on "Business Process Hacking"

  • Chris Walsh says:

    Press release services have been used similarly way before. I remember Emulex getting hammered when someone was able to sneak a false press release about restated earnings into (IIRC) PR Newswire’s system.
    There’s a paper [.DOC — Warning, Will Robinson!] about this “cognitive hacking” at ISTS that looks interesting.

  • Adam says:

    I think this is actually fundamentally different. Here, the users didn’t insert anything into the data. Assuming you believe BusinessWire — and at this point, we have only the saccharine content of their denials to convince us they’re lying — then what these folks did was to relatively passively exceed their access, not to insert data.
