Bugtraq mailing list archives
Re: More info for E*TRADE users
From: Christian <christian () dijkstra murdoch edu au>
Date: Mon, 25 Sep 2000 10:29:29 +0800
On Fri, Sep 22, 2000 at 01:42:18PM -0700, Jeffrey W. Baker wrote:
> I have been rightly criticized by private email that my earlier User Alert regarding E*TRADE did not provide enough information about how the user can keep on using E*TRADE without being subject to this attack. Here are my extended recommendations:
>
> 1) Never use the six-month login feature of the E*TRADE site.
>
> 2) Always close and restart your browser before and after using E*TRADE.
>
> 3) Never visit any other web site while you are using E*TRADE. This includes E*TRADE's own web mail application and their message boards.
>
> 4) Search for and remove any cookies from *.etrade.com after using E*TRADE. Even if you explicitly tell E*TRADE not to set permanent cookies, it will still sometimes set them for six months. Do this step after every time you exit the browser after using E*TRADE.
I think most people would appreciate that you're trying to do the right thing in terms of both protecting e-trade customers and also giving the company a second chance, but I wonder whether this half-full-disclosure approach will really have the desired effect.

Consider that the information you've given above is *probably* enough for people who would like to find out the specific vulnerabilities with the e-trade system to go away and do that. (If you found it *without* the extra help, why shouldn't other people now?) Given that the fact that the specifics of the vulnerability are "out" may not become widely known, the situation could well end up being worse than if you'd revealed everything from the beginning.

Furthermore, if it happened that you had missed additional ways the vulnerability might be exploited (for example, in combination with one or more other vulnerabilities), then it could turn out that your advice for minimising exposure will not protect e-trade customers as much as you thought. By not revealing all information and allowing open discussion, the situation may even be worse than if you'd said nothing at all.

I'm inclined to think that if a company does not fix a problem and does not have a very good reason for leaving their customers exposed (and, to me, "corporate inertia" doesn't sound like a good reason!), then full disclosure and the resulting public pressure seems the best course of action. However, since I don't know the specifics of the vulnerabilities or the company's reason for not moving swiftly to fix them, I am obviously not in a position to say one way or the other. Only you can decide that.

Regards,
Christian.
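The quoted recommendation 4 turns on one checkable fact: whether a site is handing out persistent cookies (and for how long) even when the user asked it not to. The following Python is an added example, not code from this thread or from E*TRADE, that audits Set-Cookie header values for that. The header strings, the reference time NOW and the one-day threshold are constructed for the example; a user or site owner would feed it the Set-Cookie headers captured from their own responses.

```python
"""Audit Set-Cookie headers for long-lived (persistent) cookies.

Constructed example (not from the Bugtraq thread or E*TRADE): reports
which cookies outlive the browser session, for how many days, and whether
they carry the Secure/HttpOnly flags.  All header values are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Optional

# Fixed reference time so the audit is reproducible (constructed value).
NOW = datetime(2000, 9, 25, 2, 29, 29, tzinfo=timezone.utc)

# Constructed sample headers: one session cookie, one six-month Max-Age
# cookie, one Expires-based cookie about six months out.
SAMPLE_HEADERS = [
    "sess=abc123; Path=/; Secure",
    "login=tok; Domain=.example.com; Max-Age=15552000; Path=/",
    "pref=1; Expires=Mon, 25 Mar 2001 02:29:29 GMT; Path=/",
]


@dataclass
class CookieAudit:
    name: str
    domain: Optional[str]
    lifetime_days: Optional[float]  # None => session cookie (dies with the browser)
    secure: bool
    httponly: bool

    @property
    def persistent(self) -> bool:
        # A non-positive lifetime is a deletion, not a persistent cookie.
        return self.lifetime_days is not None and self.lifetime_days > 0


def parse_set_cookie(header: str, now: datetime = NOW) -> CookieAudit:
    """Parse one Set-Cookie header value into an audit record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    flags = set()
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            flags.add(p.lower())

    lifetime = None
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"]) / 86400
        except ValueError:
            lifetime = None  # malformed Max-Age is ignored by browsers
    elif "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            lifetime = (exp - now) / timedelta(days=1)
        except (TypeError, ValueError):
            lifetime = None  # unparseable date => treated as a session cookie
    return CookieAudit(name, attrs.get("domain"), lifetime,
                       "secure" in flags, "httponly" in flags)


def flag_long_lived(headers: Iterable[str], max_days: float = 1.0,
                    now: datetime = NOW) -> List[str]:
    """Names of cookies that outlive the browser session by more than max_days."""
    return [c.name for c in (parse_set_cookie(h, now) for h in headers)
            if c.persistent and c.lifetime_days > max_days]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        life = "session" if not c.persistent else f"{c.lifetime_days:.0f} days"
        print(f"{c.name:6} {life:10} secure={c.secure} httponly={c.httponly}")
    print("long-lived:", flag_long_lived(SAMPLE_HEADERS))
```

Run against a real capture, the flagged list is exactly the set of cookies a user would have to delete by hand after each session; an empty list for a user who opted out of the long-lived login is what the opt-out promise amounts to.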
Current thread:
- More info for E*TRADE users Jeffrey W. Baker (Sep 23)
- Re: More info for E*TRADE users Christian (Sep 25)
- Re: More info for E*TRADE users Lincoln Yeoh (Sep 27)
- Re: More info for E*TRADE users Greg A. Woods (Sep 27)
- Re: More info for E*TRADE users Lincoln Yeoh (Sep 27)
- <Possible follow-ups>
- Re: More info for E*TRADE users George, Michael (Sep 27)
- Re: More info for E*TRADE users Christian (Sep 25)