Urgent Feedback Requested

March 28, 2009 at 13:45:01
Specs: Windows XP

Several days back, I posted a message on this forum in relation to a software security issue. I had hoped to get some feedback on a potential solution, but it seems that perhaps my post was a bit too broad in its scope. I have since come up with a different approach that might be simpler and easier to achieve. If anyone has any feedback on this, I would be very, very grateful. I really need help on this.

I will begin with a bit of background information:

I am using a program (Program-Z) that receives a continuous stream of data via the internet for several hours a day and so requires an active internet connection during those hours. Program-Z displays the information on a graph as the data arrives and also allows me to statistically analyse the data. My main concern is that I cannot be sure that the program isn’t surreptitiously sharing my statistical analysis with the developers of the program. In other words, the program could be engineered to take advantage of its constant access to the internet and participate in some sort of unauthorized transfer of data without my knowledge.

Program-Z has built in data-export and data-import features. To export data, I simply have to click on a menu and input the start and end date of the data I wish to export. The program then saves the data for that time period to a text file.

Theoretically, it would be possible to export data at regular intervals (possibly as low as once a second) and transport the data file that was created to a second computer that was not connected to the internet. The second computer would also have a copy of Program-Z on it, but no internet access. I could then import the data using the program's import facility and have a graph that would be constantly updated within an acceptable timeframe.

The big drawback to this approach is that to do this manually would be physically impossible. However, such an approach might be practical if it were automated. Do you think that it would be possible to write a computer program that could tell Program-Z to export the data and then have the file sent via Ethernet to the second computer? A similar program on the second computer could then automate the data import process on the copy of Program-Z on the second computer.

The copy of Program-Z on the second computer could function completely in offline mode without the need of an internet connection as it would rely on importing data rather than receiving it in real time. If one completely blocked any outbound Ethernet traffic via a firewall, such an approach would be as close as one could come to having a physical barrier between the two computers and therefore provide a very high level of security.

It would be similar to a macro in a word processing program--although I would imagine that it would have to be a kind of external macro and run "on top of" Program-Z. Perhaps the programming behind system-wide keyboard shortcuts or the safe shutdown software used when the electric power is cut would hold clues as to how this could be implemented?

As I have said, I would indeed be grateful if anyone has any feedback on this.


March 28, 2009 at 14:13:45
Your question is still a bit unclear. Are you saying that once you export the data to the text file then the text file could be sent back to the devs? Because at first I thought you meant that the real-time stream was (or could be) sent back to the devs.

As for automating the import/export functions, that should be possible using APIs like FindWindow, SendMessage, etc....

What is the data, where is it coming from, what is Program-Z....?

You could just program a new Program-Z....


March 28, 2009 at 14:42:01
Andynet, thanks for taking the time to respond. It is good to know that there could be a solution using APIs--it might well be a simpler solution than the networking approach I had envisioned before. I will do some research on this.

The data that is exported to the text file is publicly available data, so my worry is not that it would be sent to the developers. So that you can understand my concern, here is a detailed explanation. I hope it gives a clear picture of what my concerns and objectives are.

The software in question is a specialized computer program for trading stocks/shares online. The program in question is developed by a reasonably well-known US company. The program uses the .Net framework and appears to rely heavily on XML as the means of storing data related to each stock chart. The program has built-in datafeed connectivity and is designed to be used with all of the major providers of stock market price data. If one has a subscription to a stock market data provider, it is simply a matter of entering one's user name and password. The program can then automatically connect to the data provider via the internet. As you can imagine, to do this, the stock trading program requires both inbound and outbound Internet access so that it can communicate with the datafeed provider and thereby display price data on any particular stock.

The stock trading program allows the user to add a variety of mathematical studies, known as indicators, to each stock chart. For instance, if one had a chart that showed a stock's price over a period of time, one could add a moving average of the price to the chart. Such indicators help traders identify buy and sell points.

The program also allows the user to create custom indicators by means of a wizard. Once a custom indicator is created by the wizard, it is possible to edit it and have quite a range of freedom without the necessity for a great deal of programming knowledge. Both the indicators included in the program--and any customised indicators that are created by the end-user--are written in a "script," which according to the program's help file, is an extension to the C# language. Before any custom indicator can be used, it has to be compiled. The program has a built-in facility for this function. The program's help file states that it uses C# and the .Net framework and runs compiled code rather than interpreted code.

Many people within the stock trading community are concerned about the potential for trading programs to take advantage of their connections to the internet. Indeed some very astute traders within the professional community have personally told me that this type of snooping activity does occur. I'm sure that it wouldn't take much programming savvy on the part of the developers to instruct the program to send the source code of any custom indicators back to the developers.

While I do not have the security resources available to professional traders, it would be irresponsible to simply turn a blind eye to this--it makes sense that a company could easily use the collective knowledge of professional traders to gain knowledge to help develop their stock trading software. I do not want to unwittingly enable the developers of the program to use my own indicators within their commercially available software.

In my efforts to tackle this problem, I have used a firewall (McAfee) to ban all IP addresses except the three that the datafeed uses. When I restrict internet traffic in this way, the program displays an error message that it can't connect to its licence servers, but otherwise seems to function without problems. Also, judging by what I see in Wireshark, there is no IP traffic except the data to the three datafeed IP addresses.

As someone who is not too familiar with networks, I am by no means certain that a lack of IP traffic would indicate that the computer is effectively locked down. I would think that there are other means of communicating that would be unaffected by an IP blocking firewall.

I had envisioned a two-computer set-up as a means to providing a higher level of security. My reasoning was that a network of two computers--one with an open connection to the internet and a second without a connection to the internet--would offer the advantage of isolating the program along with my custom indicators on the second computer. There must be a way of using the first computer to collect the data from the datafeed and then forward it on to the second computer without having the second computer send back any information.

I don't know if this reasoning is correct, but from my perspective it seems logical. Unfortunately, I don't know how to achieve this--or indeed if there is a better or easier way of achieving this.

So, in summary, my concern lies in whether the program is abusing its connection to the internet. And my objective is to somehow control the program so that it can receive price data through a datafeed, but neither send nor receive any other information via its connection to the internet.

I am not concerned about random attackers. I have always used a firewall/antivirus/antispyware to minimize exposure and use my trading computer only for trading. It is not connected to any other computers at home. When I'm not trading, it is unplugged from the internet.

I hope that this clarifies what my objectives are and the threats I am trying to avert.

With all that said, I think maybe I should spend some time on this API technique. It might well be simpler and easier to tackle.

Could I send you a private message once I have done a bit of research and have a better idea of the potential of the API approach?

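An added example, not part of any post in this thread: one way to make the Wireshark check described above repeatable is to export the capture as CSV and list every packet the trading PC sent to a destination outside the firewall allowlist, whatever the protocol. The local address, the three "datafeed" addresses and the sample rows are constructed placeholders, and the column layout assumes Wireshark's default CSV export.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample in Wireshark's default CSV export layout.
# All addresses are documentation/private ranges, not values from the thread.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","192.168.1.10","192.0.2.11","TCP","66","1034 > 443 [SYN]"
"2","0.020","192.0.2.11","192.168.1.10","TCP","1514","443 > 1034 [ACK]"
"3","0.500","192.168.1.10","192.0.2.12","TCP","120","1035 > 80 [PSH, ACK]"
"4","1.100","192.168.1.10","192.168.1.1","DNS","74","Standard query A license.example"
"5","1.900","192.168.1.10","203.0.113.50","UDP","540","1040 > 9000 Len=498"
"6","2.000","192.168.1.10","192.168.1.255","NBNS","92","Name query NB WORKGROUP"
"7","2.300","192.0.2.13","192.168.1.10","TCP","1514","443 > 1036 [ACK]"
'''

LOCAL_HOST = "192.168.1.10"                            # assumed trading PC
ALLOWED = {"192.0.2.11", "192.0.2.12", "192.0.2.13"}   # assumed datafeed IPs

def audit_capture(csv_text, local_host=LOCAL_HOST, allowed=ALLOWED):
    """Return (violations, sent_bytes) for packets sent by local_host.

    violations: {(destination, protocol): packets} outside the allowlist.
    sent_bytes: {destination: bytes} sent to allowlisted hosts, so an
                unexpectedly large upload to a permitted host stands out.
    """
    violations = defaultdict(int)
    sent_bytes = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["Source"], row["Destination"]
        if src != local_host:
            continue                      # only outbound packets matter here
        try:
            ipaddress.ip_address(dst)     # skip non-IP rows such as ARP
        except ValueError:
            continue
        if dst in allowed:
            sent_bytes[dst] += int(row["Length"])
        else:
            violations[(dst, row["Protocol"])] += 1
    return dict(violations), dict(sent_bytes)

if __name__ == "__main__":
    bad, sent = audit_capture(SAMPLE_CSV)
    for (dst, proto), n in sorted(bad.items()):
        print(f"NOT ALLOWLISTED  {dst:15}  {proto:5}  {n} packet(s)")
    for dst, total in sorted(sent.items()):
        print(f"allowlisted      {dst:15}  {total} bytes sent")
```

A clean result only describes the period that was captured, so the capture should span whole trading sessions, including program start-up and shutdown.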

March 29, 2009 at 06:19:18
Sorry for the wait in getting back but I was doing some research. I think your worries are justified, as I downloaded one of these programs, possibly the one you are talking about, and noticed right away that as well as trying to connect to Yahoo's and Google's (and the rest) servers, it also tried to connect to a low key server that definitely could raise some eyebrows.

I think really all you can do is use a good software firewall and maybe have a look at various hardware firewalls. Be aware though that there are various ways of bypassing even firewalls if you really wanted to, a thing called process injection for example, or simply killing the firewall process.

Make sure you have your software firewall prompt you to allow or disallow all incoming and outgoing connections, and you can check the IP, or domain name, of each of these on websites like whois, or an IP whois, http://ws.arin.net/whois/ etc..

For example, when I ran the program at first it immediately wanted to connect to something like asd.yahooo.serv and src.google.com.as1, which I estimated looked valid, and then the firewall told me it wanted to connect to something like 217.12.312.32, so I did a whois on this IP before I allowed it to pass and, as I said, the site was very low key and didn't look too favourable.

Another option you have is to go to rentacoder.com (I think) and get your own personal program made for you. For a program like that you may be looking at a week or so to code it, and it could cost you up to $2000-$5000 I would guess (and the rest).

But in reality, even though you have various connections running down port 80 (HTTP connections), your firewall will still prompt you for every different IP on port 80 that a connection is trying to make. This isn't a 100% safeguard, but when using a commercial program like this I can't see how you would 100% safeguard it.

As for the 2 PCs idea, that won't make any difference at all.

I would have thought that in a sensitive area such as trading, someone would have had their own personal program made for them by trusted sources, although who is to say what a trusted source is...

Maybe someone else in here has some ideas...
