Two days after E*TRADE claimed it had sealed a security hole that had been
pointed out to it a month earlier, a watchdog said users’ safety is still
compromised.
It was made known to the public last Friday that one Jeffrey Baker, a
software developer who has discovered several JavaScript-related security
holes on the Net, found flaws in E*TRADE’s system that enable third parties
to recover user names and plain-text passwords of any user.
The popular but often embattled broker said Sunday it had changed its
encryption technology, effectively gluing the loophole shut. But Weld Pond,
manager of research and development for Internet security consulting firm
@Stake, said that even though the company has fixed the hole Baker found, it
shows other signs of poor security design, such as a six-character limit on
passwords. This makes accounts susceptible to what are called “brute force”
or “dictionary” password cracking attempts.
“These are just signs that the people who are building the site aren’t
really experts in security and they haven’t had someone come in and do an
assessment of the site of the security of the site,” Pond said. “So, it’s
always been a target and it will continue to be a target. This is just one
problem that they’re fixing — there are many different problems that Web
applications can have so if it has this problem, I would say there is a good
chance that it has other problems.”
James Mancini, Chief Strategy Officer for Netreo Inc., agreed Tuesday with
Pond’s assessment. He said a standard formula for password cracking shows
that E*TRADE’s six-character password limit and character set do not pass
muster for the amount of security needed.
“If you took that same password and just made it eight characters long it
would take an average of 50 years to crack the password and a maximum of 101
years to crack the password just by adding 2 extra characters because you
increase the potential entropy of the system by that much more,” Mancini
said. “So by limiting it to six characters and limiting the character set,
they’re creating an environment where it’s practically very possible to
brute force the passwords.”
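The “standard formula” Mancini refers to is simply the size of the search space (alphabet size raised to the password length) divided by the attacker’s guess rate. The following is an added worked example, not code from the article or from any of the companies named in it; the guess rate and the alphabet sizes are constructed assumptions chosen to illustrate the comparison, not the figures behind Mancini’s 50- and 101-year estimates.

```python
import math

# Constructed assumption: how many guesses per second an attacker can try.
# The real rate depends on hashing cost and rate limiting; 1e6/s is for illustration only.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes used for comparison (assumed, not E*TRADE's actual character set).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from an alphabet of `charset_size`."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)


def crack_time_years(charset_size: int, length: int, guesses_per_second: float) -> tuple:
    """Return (average, maximum) years to brute-force the space.

    Maximum is exhausting the whole space; average assumes the correct
    password is found halfway through, which is how Mancini's "average"
    and "maximum" figures relate to each other.
    """
    maximum_seconds = keyspace(charset_size, length) / guesses_per_second
    return (maximum_seconds / 2 / SECONDS_PER_YEAR,
            maximum_seconds / SECONDS_PER_YEAR)


def brute_force_is_practical(charset_size: int, max_length: int,
                             guesses_per_second: float, threshold_years: float = 1.0) -> bool:
    """Policy check: True when the *longest* allowed password can be exhausted
    in under `threshold_years`, i.e. the length cap itself makes attacks practical."""
    _, maximum = crack_time_years(charset_size, max_length, guesses_per_second)
    return maximum < threshold_years


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                     lengths: tuple = (6, 8)) -> list:
    """Tabulate entropy and crack times for each alphabet at each length."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            avg, mx = crack_time_years(size, n, guesses_per_second)
            rows.append((name, n, round(entropy_bits(size, n), 1), avg, mx))
    return rows


if __name__ == "__main__":
    print(f"{'alphabet':22} {'len':>3} {'bits':>6} {'avg yrs':>12} {'max yrs':>12}")
    for name, n, bits, avg, mx in compare_policies():
        print(f"{name:22} {n:>3} {bits:>6} {avg:>12.4f} {mx:>12.4f}")
    # Going from 6 to 8 characters multiplies the search space by charset_size**2,
    # which is the "potential entropy" increase Mancini describes.
    print("6->8 char multiplier (62-char alphabet):", keyspace(62, 8) // keyspace(62, 6))
```

The point of the table is the policy check at the end: with a six-character cap the entire space is searchable in hours at the assumed rate, while two extra characters multiply the work by the square of the alphabet size. A defender should therefore treat a hard upper bound on password length, not just a weak lower bound, as a finding.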
E*TRADE did not return calls Tuesday afternoon.
This latest loophole appears to have been caused by the way in which E*TRADE
encrypts and stores passwords on users’ PCs using a cookie mechanism. By
using a “cross-site scripting attack,” an attacker could create a Web link
allowing access to the cookie and the passwords it contains if an E*TRADE
customer were to click on that link.
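The two design choices that made this flaw dangerous were storing a recoverable credential in the cookie and letting injected script read that cookie. The following is an added example of the defensive pattern, written for this page and not taken from E*TRADE’s system: the browser receives only an opaque random session token flagged HttpOnly and Secure, the mapping from token to account lives on the server, and any user-controlled text is HTML-escaped before being rendered. All names (`SESSIONS`, `issue_session_cookie`, and so on) are hypothetical, and the in-memory table stands in for a real session store.

```python
import html
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side session table: opaque token -> account name.
# A production service would use a store with expiry; a dict keeps the example self-contained.
SESSIONS: dict = {}


def issue_session_cookie(username: str) -> str:
    """Mint a random session token for `username` and return the Set-Cookie header.

    The password never goes to the browser, so even a script that could read
    document.cookie would find nothing reusable. HttpOnly additionally keeps the
    token out of reach of page script, and Secure restricts it to HTTPS.
    """
    token = secrets.token_urlsafe(32)          # 256 bits of randomness, URL-safe alphabet
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def resolve_session(cookie_header: str):
    """Look up the account for the token in an incoming Cookie header, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


def revoke_session(cookie_header: str) -> bool:
    """Server-side logout: forget the token so a leaked copy stops working."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    if morsel is None:
        return False
    return SESSIONS.pop(morsel.value, None) is not None


def render_greeting(display_name: str) -> str:
    """Render user-supplied text into HTML with all markup characters escaped,
    which is the output-encoding step that stops a reflected script injection."""
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    # Constructed walk-through of a login, a request carrying the cookie, and a logout.
    set_cookie = issue_session_cookie("alice")
    print(set_cookie)
    token = set_cookie.split("session=")[1].split(";")[0]
    print("resolved:", resolve_session("session=" + token))
    print(render_greeting('<b>alice</b>'))
    print("revoked:", revoke_session("session=" + token))
    print("after revoke:", resolve_session("session=" + token))
```

Two things to check when reviewing a site of this kind: that the cookie value is an unguessable identifier rather than an encoding of the credential, and that the `Set-Cookie` line actually carries `HttpOnly` and `Secure` (the `http.cookies` module emits them only when the flags are set, so a missing attribute is visible in the header).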
“If someone wanted to take advantage of the security hole, they would be
able to trade securities or transfer money away from E*TRADE accounts or
purchase securities in someone else’s name,” Baker told InternetNews Radio this week. “I
understand this is insured against, but it certainly is a serious problem if
your only business is trading securities.”
Baker had notified E*TRADE of the hole in mid-August, but the firm did not
close it until a couple of days after news of the flaw was made public on
BugTraq.
E*TRADE was besieged by a series of attacks by hackers earlier this year,
although no customer accounts were compromised.