Computer Security Weekly, Oct. 1, 2000

Another entry for the "full disclosure" debate file. Last week we told you about the problems with E*Trade, and the ability of remote sites to obtain your username and password. The simple comment that JavaScript was the problem should have been enough to tell you what the exploit was: JavaScript can read cookie information, and E*Trade was storing your username and password in a cookie. The information was encrypted, after a fashion, but with an extremely simple substitution code, so the scheme was vulnerable to a known-plaintext attack: anyone who knows one username and password, and sees the cookie it produces, can recover the substitution table and read everyone else's cookies with it.

The major point is that E*Trade was told about the exploit over a month ago, and did nothing. It was only after an announcement was made that the exploit existed, and several people, with minimal information, were able to duplicate it, that E*Trade acted. Within a day of one of the researchers publishing an exploit script, E*Trade had changed their operation to eliminate the bug. Quite a coincidence, eh? (This is not to say that E*Trade is now secure, per se. In fact, E*Trade still does not allow you to choose anything like a secure password for its site.)

Obviously, some companies simply will not respond unless their hands are forced. Obviously, even partial disclosure can generate attacks. But equally obviously, some level of disclosure does work in making companies clean up errors. Jeffrey Baker is to be commended for his care and handling of a touchy situation.

And, again from last week, the new Palm virus. McAfee.com is trumpeting this as the world's first "wireless" virus. It isn't, of course: nothing in the virus is tied to any particular form of transmission. If this is a "wireless" virus, then almost all viruses have been wireless, in that nearly all of them have spread at some point without using a wired transmission (on a floppy disk, for instance).

mailto:rslade@sprint.ca mailto:robertslade@usa.net mailto:p1@canada.com
Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm Linked to bookstore at http://www97.pair.com/robslade/
The copyright of the article Computer Security Weekly, Oct. 1, 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, Oct. 1, 2000 in print or online must be granted by the author in writing.