Bugtraq mailing list archives
More info for E*TRADE users
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Fri, 22 Sep 2000 13:42:18 -0700
I have been rightly criticized by private email that my earlier User Alert regarding E*TRADE did not provide enough information about how the user can keep on using E*TRADE without being subject to this attack. Here are my extended recommendations:

1) Never use the six-month login feature of the E*TRADE site.

2) Always close and restart your browser before and after using E*TRADE.

3) Never visit any other web site while you are using E*TRADE. This includes E*TRADE's own web mail application and their message boards.

4) Search for and remove any cookies from *.etrade.com after using E*TRADE. Even if you explicitly tell E*TRADE not to set permanent cookies, it will still sometimes set them for six months. Do this step after every time you exit the browser after using E*TRADE.

The best defense is of course to not use E*TRADE, but this is not an attractive short-term option for some people. The other online brokers are not much better (more on that later).

The most effective defense for advanced users may be to make your cookies file read-only and firewall outgoing requests to all hosts which are not *.etrade.com when using the E*TRADE service. You may still be a victim of DNS spoofing, even with this advanced protection.

Sweet dreams,
Jeffrey Baker
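Step 4 of the message above, as an added example that is not part of the original post: a Python sketch that drops cookies for etrade.com and its subdomains from a Netscape-format cookies.txt and reports which of them were persistent. The file layout, the function names and the sample rows are assumptions constructed for illustration; the post does not say which browser or cookie store is in use.

```python
# Constructed sample in Netscape cookies.txt layout (assumed format): 7 tab-separated
# fields: domain, subdomain flag, path, secure flag, expiry (epoch), name, value.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    ".etrade.com\tTRUE\t/\tFALSE\t985000000\texample_login\tconstructed",
    "trading.etrade.com\tFALSE\t/\tTRUE\t0\texample_session\tconstructed",
    ".example.org\tTRUE\t/\tFALSE\t985000000\tprefs\tconstructed",
    "notetrade.com\tFALSE\t/\tFALSE\t985000000\tother\tconstructed",
])

def domain_matches(cookie_domain, site):
    """True only for the site itself or a real subdomain (not 'notetrade.com')."""
    d = cookie_domain.lstrip(".").lower()
    return d == site.lower() or d.endswith("." + site.lower())

def purge_cookies(text, site="etrade.com"):
    """Return (kept_text, removed); removed describes each cookie dropped."""
    kept, removed = [], []
    for line in text.splitlines():
        # Some tools prefix HttpOnly cookie rows with '#HttpOnly_'; treat as data.
        row = line[len("#HttpOnly_"):] if line.startswith("#HttpOnly_") else line
        fields = row.split("\t")
        if row.startswith("#") or len(fields) != 7:
            kept.append(line)          # comment, blank or malformed: leave as is
            continue
        domain, expiry, name = fields[0], fields[4], fields[5]
        if domain_matches(domain, site):
            # Expiry 0 marks a session cookie; anything later survives a restart.
            persistent = expiry.isdigit() and int(expiry) > 0
            removed.append({"domain": domain, "name": name, "persistent": persistent})
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    kept_text, removed = purge_cookies(SAMPLE)
    for c in removed:
        kind = "persistent" if c["persistent"] else "session"
        print(f"removed {kind} cookie {c['name']} for {c['domain']}")
    print(kept_text, end="")
```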