[16902] in bugtraq


Re: User Alert: E*TRADE Usernames and Passwords Remotely

daemon@ATHENA.MIT.EDU (James Mancini)
Mon Sep 25 19:06:38 2000

Message-Id:  <PNEMKPACPCPFPDEMDHEKMEIECAAA.jmancini@netreo.net>
Date:         Mon, 25 Sep 2000 13:29:30 -0700
Reply-To: James Mancini <jmancini@NETREO.NET>
From: James Mancini <jmancini@NETREO.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSF.4.20.0009242335020.22726-100000@alive.znep.com>


If you couple the cookie vulnerability (and trivial obfuscation of
Username/password combinations) with the fact that E-Trade doesn't permit
strong passwords[1], it becomes clear that they don't have a real security
focus. When I pointed out the weak passwords to them, their response was
"no one else complained."


---
[1] Since E-Trade only recognizes letters, numbers, "$", "_", and space in
passwords, and has a maximum password length of 6 characters, a
brute-force attack on the password (assuming a rate of 100,000
attempts/sec) would take a maximum of 8 days 17 hours 29 mins 49 secs.
This attack is impractical simply because the cookie vulnerability already
discussed allows for real-time access without all the tedium of
brute-force attacking.

____________________________________________________
James Mancini, CCIE #2006		      Netreo
Chief Strategy Officer               V: 714.560.8935
<jmancini@netreo.net>                F: 714.560.8937
____________________________________________________
    Rock-Solid Foundations for Internet Business
                http://www.Netreo.net
____________________________________________________

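The arithmetic behind footnote [1], worked as an added example (this is not code from the original post or from E*TRADE). The post does not state its alphabet size; the example assumes 65 symbols (52 case-sensitive letters, 10 digits, plus "$", "_" and space), which reproduces the stated 8 days 17 hours 29 mins 49 secs at 100,000 attempts/sec exactly. It also goes a step beyond the footnote: it sums the search space over every permitted length rather than only the maximum, and lets a policy reviewer compare the stated policy against a larger alphabet and longer minimum length. The policy names and rate are assumptions for illustration.

```python
"""Worst-case brute-force search time implied by a password policy.

Added example for the footnote above; not part of the original post.
Assumption: the alphabet is 52 letters + 10 digits + "$", "_" and space
(65 symbols), inferred from the policy the post describes.
"""
import string

# Assumed alphabet reconstructed from the post's description of the policy.
ETRADE_ALPHABET = string.ascii_letters + string.digits + "$_ "
ETRADE_MAX_LEN = 6
ASSUMED_RATE = 100_000  # guesses per second, as stated in the post


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Distinct passwords of any length from min_len through max_len.

    The footnote only counts 6-character passwords; an attacker who does
    not know the length would try every permitted length, so this is the
    honest upper bound for the policy as a whole.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def worst_case_seconds(space: int, rate: float) -> float:
    """Time to exhaust a search space of `space` guesses at `rate` per second."""
    return space / rate


def seconds_to_dhms(seconds: float) -> tuple[int, int, int, int]:
    """Split a duration into (days, hours, minutes, seconds), rounded to 1 s."""
    whole = round(seconds)
    days, rem = divmod(whole, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    return days, hours, minutes, secs


def footnote_figure(rate: float = ASSUMED_RATE) -> tuple[int, int, int, int]:
    """Reproduce the footnote: fixed 6-character passwords over the assumed alphabet."""
    space = keyspace(len(ETRADE_ALPHABET), ETRADE_MAX_LEN)
    return seconds_to_dhms(worst_case_seconds(space, rate))


def policy_report(alphabet_size: int, min_len: int, max_len: int,
                  rate: float = ASSUMED_RATE) -> dict:
    """Summarize the search space and exhaustion time for a candidate policy.

    Useful when reviewing a proposed policy: the ratio between two reports
    shows how much a larger alphabet or a longer minimum buys the defender.
    """
    space = keyspace_up_to(alphabet_size, max_len, min_len)
    seconds = worst_case_seconds(space, rate)
    return {
        "alphabet_size": alphabet_size,
        "min_len": min_len,
        "max_len": max_len,
        "keyspace": space,
        "worst_case_seconds": seconds,
        "worst_case_dhms": seconds_to_dhms(seconds),
    }


if __name__ == "__main__":
    print("Footnote figure (65^6 at 100k/s):", footnote_figure())
    stated = policy_report(len(ETRADE_ALPHABET), 1, ETRADE_MAX_LEN)
    # Hypothetical comparison policy: all 95 printable ASCII symbols, 12-16 chars.
    stronger = policy_report(95, 12, 16)
    print("Stated policy, all lengths 1-6:", stated["worst_case_dhms"])
    print("Comparison policy keyspace ratio: %.3g" %
          (stronger["keyspace"] / stated["keyspace"]))
```

The `__main__` block prints the footnote's figure, the slightly larger figure for all lengths 1 through 6, and how many times larger a 95-symbol, 12-to-16-character policy's search space is; the point for a policy reviewer is that length and alphabet size multiply, so the six-character ceiling is the dominant weakness.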
