How an Australian Hacker Used Information Leaks to Trade Stocks – Security
Security researcher Nik Cubrilovic has spent the past few years studying how company stocks can be traded using inadvertently leaked company information.
Hedge funds and investors are increasingly using technical tools that take advantage of information leaks and open source intelligence to stay ahead of other stock traders.
An example of a company serving this market is Silicon Valley start-up Second Measure, which inspects billions of credit card transactions to sell information on 1-2% of all credit card transactions in the United States. United.
This data revealed to traders earlier this year that US food chain Chipotle had struggled to recover from an e coli alert, despite analysts predicting otherwise.
Credit card transaction data showed food chain sales fell significantly afterwards, indicating customer numbers were down ahead of the company’s official earnings announcement – giving traders in stock market a chance to move before the figures are released.
“For years, hedge funds have invested heavily in new technologies to give themselves an informational advantage over competitors and ordinary stock market participants, and these efforts have now expanded into a suite of techniques and tactics that involve what can only be described as online surveillance. Cubrilovic told the AusCERT 2016 conference last week.
He calls these “stock market hacks” – trading strategies that are “built on the basis of non-public data obtained using information security techniques”.
Cubrilovic, who has made headlines for reporting security vulnerabilities with government site MyGov as well as Facebook, has been testing the viability of this approach over the past year.
The type of trading that lends itself best to stock market hacks, he found, is event-based trading – where investors trade stocks long or short for a single event, usually resulting in announcements for a company. listed.
Cubrilovic used this approach to track the number of Adobe Creative Cloud customers over the past 18 months.
The software giant has spent the past few years transitioning users from licensed desktop software to a cloud-based subscription model.
“The whole future of the company depended on this transition,” Cubrilovic said.
“Each quarter, analysts would look at this number – the number of Creative Cloud subscribers – to see if they were on the right track to save the software industry.”
Cubrilovic spotted Adobe using AWS as an infrastructure backend and inadvertently revealed large user IDs – meaning when Adobe last December reported 4.5 million more Creative Cloud subscribers than expected , Cubrilovic already knew that.
“I traded on the news and the stock jumped, 8, 9, 10%,” he said.
Merchants rely on a variety of metrics to make event-based transactions — including new things like tracking parking levels at Walmart to determine sales and therefore revenue — but information leaks and intelligence open source are emerging as growth areas.
Open source intelligence uses data collected through public websites, media reports, surveys, and geographic information. It can also include things like domain name search engines, IP address range scans, and indexing and crawling web applications.
Information leakage is the disclosure of any information describing a system – things like application architecture, internal business practices, application user data, and employee information.
“Data and information leaks can be described as design features or errors in an application that unintentionally expose the inner workings of an application or network,” Cubrilovic said in a post on the subject.
“Information leaks can be used to determine direct and indirect measures of a company – the size of a company or the popularity of its core product, and use this information to trade its stock with a significant advantage over others. on the market.”
Leave user IDs open
As in the case of Adobe, many modern web application frameworks expose auto-incrementing user IDs, which means that a user’s ID number is identifiable either in the URL or in the app itself.
This means that external parties can identify the number of app users, the rate of user growth, and the order in which credentials were created.
Facebook is often cited as an example – Mark Zuckerberg is identifiable as user ID 4 (the social network has since stopped this practice).
“To find or estimate the number of users, you wouldn’t iterate through every record, but rather sample IDs surrounding a known ID, or take a divide-and-rule approach to the entire namespace,” said Cubrilović said.
“The most famous example of this application is the British Army’s accurate estimate of German tank production during World War II, as tank serial numbers were incremented by 1.”
To determine how many tanks the Germans were producing, the Allies noted the serial number of passing tanks and applied an algorithm – take the largest number, add one to it, divide it, multiply it by a size of sample.
“Turns out you get a pretty good estimate of the number of tanks,” Cubrilovic said.
“The same goes for web apps. All you have to do to find out how many users they have is create a user account, get the user id, plug it into the German tank algorithm and come back with an accurate measurement.”
Marketers can use techniques like this along with namespace, username and email sampling, and network range scans to find live hosts that suggest the number of active servers and therefore the size of the application, he said.