Bugtraq mailing list archives

More info for E*TRADE users


From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Fri, 22 Sep 2000 13:42:18 -0700

I have been rightly criticized by private email that my earlier User Alert
regarding E*TRADE did not provide enough information about how the user
can keep on using E*TRADE without being subject to this attack.  Here are
my extended recommendations:

1) Never use the six-month login feature of the E*TRADE site.

2) Always close and restart your browser before and after using E*TRADE.

3) Never visit any other web site while you are using E*TRADE.  This
includes E*TRADE's own web mail application and their message boards.

4) Search for and remove any cookies from *.etrade.com after using
E*TRADE.  Even if you explicitly tell E*TRADE not to set permanent
cookies, it will still sometimes set them for six months.  Do this step
after every time you exit the browser after using E*TRADE.

The best defense is of course to not use E*TRADE, but this is not an
attractive short-term option for some people.  The other online brokers
are not much better (more on that later).  The most effective defense for
advanced users may be to make your cookies file read-only and firewall
outgoing requests to all hosts which are not *.etrade.com when using the
E*TRADE service.

You may still be a victim of DNS spoofing, even with this advanced
protection.

Sweet dreams,
Jeffrey Baker

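Step 4 above (search for and remove every *.etrade.com cookie after each session, and catch the six-month cookies the site sets even when told not to) is easy to get wrong by hand. The script below is an added example, not code from the original post or from E*TRADE; it assumes the browser keeps its cookie jar in the Netscape cookies.txt format (one tab-separated line per cookie: domain, include-subdomains flag, path, secure flag, expiry as a Unix timestamp, name, value; lines starting with '#' are comments). The cookie jar contents, the fixed "now" timestamp and the cookie names are constructed sample data.

```python
"""Scrub *.etrade.com cookies from a Netscape-format cookies.txt jar.

Added example for the recommendation above; not code from the original
post. Assumes the Netscape cookies.txt layout:
    domain \t subdomains-flag \t path \t secure-flag \t expiry \t name \t value
The sample jar, the target domain and the fixed clock are constructed.
"""
import os
import stat

# Fixed clock (2000-09-22 00:00 UTC, the post's date) so results are
# reproducible; a real run would use time.time().
NOW = 969580800
SIX_MONTHS = 182 * 86400
FAR_EXPIRY = NOW + SIX_MONTHS  # a cookie that lasts the full six months

# Constructed cookie jar: two E*TRADE cookies (one six-month, one session),
# one unrelated domain, and one look-alike domain that must NOT match.
SAMPLE_COOKIES = (
    "# Netscape HTTP Cookie File\n"
    "# constructed sample, not a real cookie jar\n"
    f".etrade.com\tTRUE\t/\tFALSE\t{FAR_EXPIRY}\tlogin\tabc123\n"
    "www.etrade.com\tFALSE\t/\tTRUE\t0\tsession\tdeadbeef\n"
    f".example.org\tTRUE\t/\tFALSE\t{FAR_EXPIRY}\tprefs\t1\n"
    f"notetrade.com\tFALSE\t/\tFALSE\t{FAR_EXPIRY}\tx\ty\n"
)


def domain_matches(cookie_domain, target):
    """True if the cookie belongs to target or any subdomain of it.

    Netscape jars store host-only cookies as 'www.etrade.com' and domain
    cookies as '.etrade.com'; both must be scrubbed. A plain suffix test
    would wrongly match 'notetrade.com', so compare on label boundaries.
    """
    d = cookie_domain.lower().lstrip(".")
    return d == target or d.endswith("." + target)


def scrub_cookies(text, target="etrade.com", now=NOW):
    """Return (kept_text, removed) for a cookies.txt body.

    removed is a list of (domain, name, days_left): days_left is 0 for a
    session cookie (expiry 0 or already past) and otherwise the number of
    days the cookie would have persisted on disk.
    """
    kept, removed = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            kept.append(line)
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            kept.append(line)  # malformed line: leave it rather than guess
            continue
        domain, _subs, _path, _secure, expires, name, _value = fields
        if not domain_matches(domain, target):
            kept.append(line)
            continue
        try:
            days_left = max(0, (int(expires) - now) // 86400)
        except ValueError:
            days_left = 0
        removed.append((domain, name, days_left))
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(kept) + trailer, removed


def write_scrubbed(path, kept_text, read_only=True):
    """Write the scrubbed jar back and, as the post suggests for advanced
    users, make the file read-only so the browser cannot re-add cookies."""
    with open(path, "w") as fh:
        fh.write(kept_text)
    if read_only:
        os.chmod(path, stat.S_IRUSR)


if __name__ == "__main__":
    kept, removed = scrub_cookies(SAMPLE_COOKIES)
    for domain, name, days in removed:
        kind = f"persistent, {days} days left" if days else "session"
        print(f"removed {name} from {domain} ({kind})")
    print("--- remaining jar ---")
    print(kept, end="")
```

Run it after closing the browser (step 2), since browsers typically rewrite cookies.txt on exit and would otherwise clobber the scrubbed file; the read-only bit is the post's own suggestion and is what keeps a later session from silently restoring a six-month cookie.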
