Event Summary
In late August computer programmer Jeff Baker discovered scenarios in which cybercriminals could compromise the password security of users of E*Trade, an online securities trading portal. Mr. Baker reported these scenarios to the Director of System Security and the Manager of Security Threat Analysis at E*Trade in an exchange of e-mails that took place on August 21st, 22nd, and 23rd. The E*Trade management team acknowledged the vulnerabilities but was unable to offer a timely solution. E*Trade's Security Director Clifford Reeser later called the problem "minor," and indeed there were no reports of any customer's security having actually been violated.
The problem centers on a feature of the site that lets users store their passwords in a cookie on their own PC; such cookies expire after six months. The encryption technique used for the passwords is a weak one. While it may be appropriate for many sites, this weak encryption seems to TEC and others inappropriate for a site that enables large financial transactions. The problem is exacerbated by a well-known security vulnerability, the "cross site scripting" attack, which allows an attacker to obtain a user's cookie by planting an HTML link on an unrelated site.
On Friday, September 22, approximately 30 days later, these vulnerabilities were made public by Mr. Baker via a posting to the Bugtraq security mailing list hosted by SecurityFocus.com. E*Trade stock dipped approximately one full point after the posting. Mr. Baker explained that he was posting the vulnerability to a public list because E*Trade had failed to notify its users or take any corrective action. Mr. Baker withheld certain details of the vulnerability in his posting so as not to expose E*Trade to a flurry of attacks.
However, another programmer, Marc Slemko, who read Mr. Baker's posting, reported that it took him only two minutes to verify the problem and only 30 minutes to understand the algorithm being used and write a program to decode it. According to Mr. Slemko, "When you choose to save your login information, E*Trade sets a cookie on your system that consists of your username and password, trivially encoded. Anyone can easily steal that cookie via the well known 'cross site scripting' attack."
Soon after the news of the vulnerability broke, E*Trade announced a new system for handling password storage.
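As an added example (not code from the article, from E*Trade, or from the posters it quotes), the following contrasts the weak pattern the article describes, credentials carried in a reversibly encoded cookie, with a "remember me" design that stores only an opaque random token. The Base64 stand-in for "trivially encoded" is a constructed illustration, not E*Trade's actual scheme, and the HttpOnly cookie flag is a browser mechanism that postdates this incident.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


# Constructed stand-in for the weak design: the cookie *is* the credential.
# Whoever obtains the cookie (e.g. via cross-site scripting) recovers the
# password directly, because the encoding is reversible and keyless.
def weak_remember_me_cookie(username: str, password: str) -> str:
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def password_recoverable_from_cookie(cookie: str, password: str) -> bool:
    """True if the plaintext password can be read straight out of the cookie."""
    return password in base64.b64decode(cookie).decode()


class RememberMeStore:
    """Hardened design: the cookie holds a random token that encodes nothing
    about the password, and the server keeps only a hash of that token, so a
    leaked server table does not yield usable cookies either."""

    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, independent of the password
        self._tokens[self._key(token)] = (username, now + self.ttl)
        return token

    def set_cookie_header(self, token: str) -> str:
        # HttpOnly denies script access (the cross-site scripting vector the
        # article describes); Secure keeps the cookie off plaintext HTTP.
        return (f"Set-Cookie: remember={token}; Max-Age={self.ttl}; Path=/; "
                f"Secure; HttpOnly; SameSite=Lax")

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the username for a valid, unexpired token, else None."""
        entry = self._tokens.get(self._key(token))
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            self.revoke(token)  # expired tokens are purged, not just rejected
            return None
        return username

    def revoke(self, token: str) -> None:
        self._tokens.pop(self._key(token), None)
```

Redeeming a stolen token after it has expired, or presenting a forged one, fails without revealing anything about the account's password.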
Market Impact
We do not believe that this incident will lead to an increased market
for security services among large web sites. Sadly, the pattern continues
that sites make changes only after an intrusion is detected and made public,
although of course it is not possible to tell how many sites have had
intrusions that were hushed up.
User Recommendations
TEC recommends that any company that deals with user information, whether
it is stored only on their own site or is kept in a cookie on the user's
computer, conduct a comprehensive security analysis, using security specialists,
to evaluate their vulnerability.
E*Trade users should log into the E*Trade site so that the new modifications to the cookie format can be written to their machine. We do not believe that the likelihood of any individual's account being compromised is high enough to warrant extraordinary actions, but those who wish to take them can restrict their browser settings to reduce or eliminate the risk. Doing this, however, will limit your browser's capabilities for all sites.
For Internet Explorer, the following steps will tighten the security of your browser. If using Internet Explorer 5, go to Tools » Internet Options » Security » Custom Level; if using Internet Explorer 4, go to View » Internet Options » Security » Custom Level. Then:
- Change "Java permissions" to "High safety."
- Disable "cookies" (not under "Custom Level" in IE4).
- Under "Scripting of Java applets," select "Disable."
If using Netscape Communicator:
- Press the Security button.
- Go into the Java/JavaScript settings and make sure that you have explicitly forbidden access to the E*Trade website.