Pastimes : The New Qualcomm - write what you like thread.


To: Drew Williams who wrote (2245) 10/8/2000 11:07:44 PM
From: S100
 
Here is a little more on security

Traders warned of password pilferer
Tuesday, September 26, 2000

EXPOSED: United States based users of online trading system
E*Trade have been warned of a vulnerability that allows a remote
third party to "recover the usernames and plain text passwords of
any E*Trade user".

A posting to the BugTRAQ network security newslist at the weekend
said a malicious user could gain "arbitrary access to the account,
including banking, securities trading, and other valuable access".

E*Trade Australia has more than 62,000 customers. It is not
understood if the passwords and logins of Australian customers are
also exposed.

Earlier this month, E*Trade Australia announced a full-year loss of
$11.7 million based on revenues of more than $21.5 million.

The Eudora email client was placed under the microscope last week
as a loophole allowing a malicious intruder to "easily take control of
a Windows environment" was uncovered.

A posting to the BugTRAQ list said a user could send one or more
emails containing trojaned DLL file attachments to a Eudora user,
and activate them using a Microsoft Word document.

Eudora's vulnerability can easily be disabled by untagging Microsoft
Internet Explorer's automatic file execution option.
it.fairfax.com.au

------
Bugtraq post

snip

I have been rightly criticized by private email that my earlier User Alert
regarding E*TRADE did not provide enough information about how the user
can keep on using E*TRADE without being subject to this attack. Here are
my extended recommendations:

1) Never use the six-month login feature of the E*TRADE site.

2) Always close and restart your browser before and after using E*TRADE.

3) Never visit any other web site while you are using E*TRADE. This
includes E*TRADE's own web mail application and their message boards.

4) Search for and remove any cookies from *.etrade.com after using
E*TRADE. Even if you explicitly tell E*TRADE not to set permanent
cookies, it will still sometimes set them for six months. Do this step
after every time you exit the browser after using E*TRADE.

The best defense is of course to not use E*TRADE, but this is not an
attractive short-term option for some people. The other online brokers
are not much better (more on that later). The most effective defense for
advanced users may be to make your cookies file read-only and firewall
outgoing requests to all hosts which are not *.etrade.com when using the
E*TRADE service.

You may still be a victim of DNS spoofing, even with this advanced
protection.

snip
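An added example, not part of the news article, the Bugtraq post or S100's message: a small Python script that does step 4 of the recommendations above (find and remove every cookie for *.etrade.com after each session), flags which of the removed cookies were persistent or set for roughly six months, and then makes the cookie file read-only as the "advanced users" paragraph suggests. It assumes the browser stores cookies in the Netscape cookies.txt format (one cookie per line, seven tab-separated fields: domain, subdomain flag, path, secure flag, expiry in Unix seconds with 0 meaning session-only, name, value). The sample file contents, the cookie names and the fixed "now" timestamp are constructed for the example.

```python
"""Cookie-file scrubber for the E*TRADE advice in the Bugtraq post (added example).

Assumes a Netscape-format cookies.txt. Sample data below is constructed.
"""
import os
import stat
import time

# Netscape cookies.txt fields (tab-separated):
#   domain, include_subdomains (TRUE/FALSE), path, secure (TRUE/FALSE),
#   expiry (Unix seconds, 0 = session cookie), name, value
FIELDS = 7
SIX_MONTHS = 180 * 24 * 3600          # the "six-month login" lifetime, in seconds
SLACK = 7 * 24 * 3600                 # tolerance when deciding a cookie is a six-month one

# Constructed sample: two E*TRADE cookies (one persistent, one session-only),
# one unrelated site and one look-alike domain that must NOT be matched.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "# constructed sample for the example, not a real capture\n"
    ".etrade.com\tTRUE\t/\tTRUE\t985552000\tlogin\tUSERNAME_AND_TOKEN\n"
    "us.etrade.com\tFALSE\t/\tTRUE\t0\tsid\tsession-only\n"
    ".example.org\tTRUE\t/\tFALSE\t985552000\tpref\t1\n"
    ".notetrade.com\tTRUE\t/\tFALSE\t985552000\tid\t42\n"
)
NOW = 970000000  # 26 Sep 2000 UTC, fixed so the six-month check is reproducible


def matches_domain(cookie_domain, pattern):
    """True if a cookie domain falls under a '*.etrade.com'-style pattern.

    '.etrade.com' and 'etrade.com' both count; 'notetrade.com' does not,
    because we require either equality or a '.'-separated suffix.
    """
    host = cookie_domain.lstrip(".").lower()
    suffix = pattern.lstrip("*").lstrip(".").lower()
    return host == suffix or host.endswith("." + suffix)


def scrub_cookies(text, pattern="*.etrade.com", now=None):
    """Return (cleaned_text, removed) for a cookies.txt body.

    removed is a list of dicts describing each dropped cookie and whether it
    was persistent (non-zero expiry) and/or a six-month cookie.
    Comment, blank and malformed lines are left untouched.
    """
    now = time.time() if now is None else now
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split("\t")
        if line.startswith("#") or len(fields) != FIELDS:
            kept.append(line)
            continue
        domain, _, _, _, expiry, name, _ = fields
        if not matches_domain(domain, pattern):
            kept.append(line)
            continue
        expiry = int(expiry)
        removed.append({
            "domain": domain,
            "name": name,
            "persistent": expiry != 0,
            "six_month": expiry != 0 and abs(expiry - now - SIX_MONTHS) < SLACK,
        })
    return "\n".join(kept) + "\n", removed


def scrub_cookie_file(path, pattern="*.etrade.com"):
    """Scrub a cookies.txt on disk, then leave it read-only for the owner."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    cleaned, removed = scrub_cookies(text, pattern)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # unlock in case a previous run locked it
    with open(path, "w", encoding="utf-8") as f:
        f.write(cleaned)
    os.chmod(path, stat.S_IRUSR)                  # read-only: browser cannot re-set cookies
    return removed


if __name__ == "__main__":
    cleaned, removed = scrub_cookies(SAMPLE, now=NOW)
    for r in removed:
        kind = "six-month" if r["six_month"] else ("persistent" if r["persistent"] else "session")
        print(f"removed {r['name']} for {r['domain']} ({kind})")
    print(cleaned)
```

Run it against a real profile with `scrub_cookie_file("/path/to/cookies.txt")` after the browser has been closed (step 2 above), otherwise the browser may rewrite the file from memory on exit. The read-only bit only stops the browser from persisting new cookies to disk; it does nothing against the DNS-spoofing case the post ends on.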