Computer Security: The Ultimate Inside Trader

I went to a talk on computer security. A few interesting case studies were brought up by the lead engineer of the server access and virtualization group at Cisco. Two case studies stuck out to me.

Someone suspected that there was an issue between two electronic trading centers, one in Asia and one in the USA; he wouldn’t say exactly where in the US and Asia, or who their client was. Anyway, they did some research. In fact, they called in their physicists to calculate the curvature of the Earth between the two continents to figure out how fast the data transfer rate should be, then they had their EEs look at the transmission line characteristics. Initially, the IT engineer for the trading company told them that the transfer rate should be 1.5 * the speed of light.

Cisco Engineer: What do you mean that the transfer rate is 1.5 * the speed of light, that’s physically impossible, it defies the laws of physics.
IT engineer: Well, I guess we must have a very robust router.
CE: You are an idiot.

Eventually, they found that the transactions involving one of the servers were being delayed by milliseconds; the packets sent were being slowed down. So they did some more research. It turns out that the data connection between the two continents was over an undersea cable (there are a lot of undersea data cables running from continent to continent; that’s how we usually transfer data, please see attachment). Sidenote: investment advice, buy land in Africa, where the cable interconnect is routed from Asia.

They did more research and discovered a man-in-the-middle attack: someone had actually gotten access to the undersea cable as it was routed through French Polynesia in the Pacific Ocean. As a result, the person could intercept the data being transmitted, see what types of trades were being placed (all he needed was those millisecond delays), and have an algorithm decide whether to buy or sell shares based on what types of trades were being executed. All I have to say for the criminals: brilliant, but illegal.
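The latency reasoning in this case study can be turned into a monitoring check. The sketch below is an added example, not anything shown in the talk: it computes the physical lower bound on one-way delay from the great-circle distance, then flags samples that are either faster than light or a fraction of a millisecond slower than the link's own baseline. The endpoints (Tokyo and San Francisco), the fiber refractive index, the tolerance and the latency samples are all assumptions constructed for illustration.

```python
import math
from statistics import median

C_VACUUM_KM_S = 299_792.458   # speed of light in vacuum
FIBER_INDEX = 1.468           # assumed refractive index of single-mode fiber
EARTH_RADIUS_KM = 6371.0      # mean Earth radius

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance along the Earth's curved surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def floor_ms(distance_km, index=FIBER_INDEX):
    """Minimum one-way delay: light in glass travels at c / index."""
    return distance_km / (C_VACUUM_KM_S / index) * 1000.0

def classify(samples_ms, distance_km, baseline_n=5, tolerance_ms=0.5):
    """Label each one-way latency sample against physics and a learned baseline."""
    vacuum_ms = floor_ms(distance_km, index=1.0)
    baseline = median(samples_ms[:baseline_n])
    labels = []
    for s in samples_ms:
        if s < vacuum_ms:
            labels.append("impossible")   # faster than light: bad clock or bad claim
        elif s - baseline > tolerance_ms:
            labels.append("delayed")      # extra milliseconds on the path: investigate
        else:
            labels.append("ok")
    return labels

# Constructed endpoints (Tokyo, San Francisco) and constructed samples in ms.
DIST_KM = great_circle_km(35.68, 139.69, 37.77, -122.42)
SAMPLES = [52.1, 52.0, 52.2, 52.1, 52.0, 54.9, 55.3, 20.0, 52.1]

if __name__ == "__main__":
    print(f"distance {DIST_KM:.0f} km, fiber floor {floor_ms(DIST_KM):.1f} ms")
    for s, label in zip(SAMPLES, classify(SAMPLES, DIST_KM)):
        print(f"{s:6.1f} ms  {label}")
```

A real cable path is longer than the great circle, so a healthy baseline sits above the fiber floor; the useful signal is a sustained shift away from that baseline.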

Second thing: power supplies. We often think of computer security in terms of protecting the data inputs and outputs of the computer/system, but what about the power inputs? What happens when Vcc (the input voltage) is not equal to what it’s supposed to be? Weird stuff starts happening at the logic level. The system might spit out an incorrect calculation, or spill out too much info with over- or undervoltage. Basically, he said it was very hard to design power supplies that are intolerant to slight signal variations.

In high school physics and basic college electromagnetics, we learn that AC signals are sinusoidal, with some constant amplitude, and that when you convert from AC to DC with a transformer and bridge diode rectifier (I’ve attached an oversimplified circuit found on Google), you get a constant DC output. As a power professor I once had pointed out: what a fairy tale. For one, in real life power is output in three phases (not just one sinusoidal signal), and two, as shown in the plot from Wikipedia, if you superpose all the waves and then rectify the result, there is no way you are going to get a perfectly constant DC output. You get close, but not close enough. So, in short, he argued that any input voltage signal variation should be logged, no matter how small.