Sea dragon picture

March 10, 2008 by michaelxin

http://oregonmag.com/LeafySeaDragon.jpg

What an amazing creature if you ever saw a real one!

Blowfish encryption

March 5, 2008 by michaelxin

A Java implementation of Blowfish encryption:

 http://www.koders.com/java/fid3CAADD04E226273E16CA252D9A0AFDA46D55DB45.aspx?s=blowfish

Blowfish is a symmetric block cipher that can be used as a drop-in replacement for DES or IDEA. It takes a variable-length key, from 32 bits to 448 bits, making it ideal for both domestic and exportable use. Blowfish was designed in 1993 by Bruce Schneier as a fast, free alternative to existing encryption algorithms. Since then it has been analyzed considerably, and it is slowly gaining acceptance as a strong encryption algorithm. Blowfish is unpatented and license-free, and is available free for all uses. …

Blowfish source code:

Cold Boot Attack

March 3, 2008 by michaelxin

The abstract of the paper: “Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.”

So what does that mean to us?

  • We might have a new way down the road to do forensics and extract memory images of corrupted systems more reliably than to have to trust the infected system to create the image.
  • Encryption keys in memory might not be safe or be possible to be protected by the OS from access. While some keys might not absolutely be needed in RAM for a long term, e.g. keys to decrypt hard disk images are non-trivial to only keep for a very short time in memory.
  • Other secrets kept in memory are likely to have the same problems, think about ssh-agent keeping a copy of your private ssh key ready to let you log in on a remote system, think about pgp keeping the private key ready to not bother you with the passphrase for every email you send or read.

http://isc.sans.org/diary.html?storyid=4006
More information:

Identity thieves hit customers at TD Ameritrade, E-Trade in 2006

March 2, 2008 by michaelxin

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9004416

October 24, 2006 (Computerworld) Overseas hackers broke into customer accounts at two popular online stock brokerages, TD Ameritrade Holding Corp. and E-Trade Financial Corp., in a “pump and dump” stock-trading scheme that led to at least $22 million in losses.

The attacks, which took place during the last three months, were launched by identity thieves in Eastern Europe and Asia who primarily used keylogging software delivered via Trojan horses or other malware to steal users’ confidential information as they logged onto public computers or their own infected machines, TD Ameritrade CIO Jerry Bartlett said in an interview today.

The hackers then logged into existing customer accounts — or created dummy accounts — to buy shares in little-traded stocks, driving prices up so they could sell their own previously purchased shares for a profit.

TD Ameritrade said in its investor conference call today that it had spent $4 million to compensate customers who suffered losses after their accounts were broken into.

E-Trade confirmed in an investor conference call on Oct. 18 that it had spent $18 million to compensate customers. CEO Mitchell Caplan told investors that E-Trade has cut its losses to “almost zero” in the past three weeks after beefing up its security. The FBI, U.S. Securities and Exchange Commission and the National Association of Securities Dealers are working together to uncover the fraud.

“This is an industrywide issue,” said TD Ameritrade Chief Operating Officer Randy MacDonald.

Charles Schwab Corp., the largest online broker in terms of assets, told Bloomberg News it did not suffer significant losses, while Fidelity Investments declined to comment.

E-Trade ranked 17th out of 23 financial institutions for its efforts to protect consumers from identity theft, according to a study released earlier this month by Javelin Strategy & Research of Pleasanton, Calif. The study, which mostly ranked banks, did not rank TD Ameritrade.

Identity theft in all of its forms last year caused an estimated $56.6 billion in losses, according to Javelin, with one in 25 people affected by it.

“Fighting identity theft is a cat and mouse game — there’s always room for improvement,” said James Van Dyke, president of Javelin.

While the Federal Deposit Insurance Corp. covers bank accounts with up to $100,000 against fraud or bank bankruptcy, brokerages get no such protection. E-Trade and TD Ameritrade both guarantee customers against losses caused by fraud.

E-Trade said it is unsure whether its losses will be covered by insurance. TD Ameritrade’s CFO, Bill Gerber, said he is confident the company could “get a nice healthy chunk of the $4 million back if we can prove the fraud was from the same source.”

Bartlett said that while account fraud using customers’ personal details is an “ongoing” problem, he emphasized that no data had been stolen from TD Ameritrade’s own databases, nor had its servers been breached, during this incident.

But he acknowledged that the company’s antifraud efforts, which include a dedicated security team using special software to monitor for anomalous activity such as users logging in from unusual IP addresses and large withdrawals of money, had failed to detect the stock scams quickly enough. “We could identify it, but certainly not to the sophistication of what we can do now,” he said.

Bartlett declined to say what technology TD Ameritrade uses to protect against identity fraud. E-Trade uses antifraud software from Cyota, now a part of RSA Security Inc., that helps it monitor accounts for unusual behavior. Since February 2005, E-Trade has also offered optional RSA tokens that generate six-digit codes that change every 60 seconds and that users must enter with their usernames and passwords when logging in, according to Tina Martineau, an E-Trade spokeswoman.

But Ryan Sherstobitoff, CTO at security vendor Panda Software, said that software such as Cyota, which relies in part on checking whether purported users are logging in from their usual IP address, can be tricked by skillful hackers. Meanwhile, tokens are ineffective against identity thieves who use names and Social Security numbers to create new bank or stock trading accounts, he said.

“I think it’s half-and-half. We can protect against certain scenarios now, but there are certain ones we can’t protect well against at all,” Sherstobitoff said. Even so, Bartlett said a new generation of anti-fraud tools on the horizon could help bolster companies’ defenses. “It’s been a lot of back and forth between vendors and the bad guys,” he said. “But I’ve recently seen a lot of products in beta that should leapfrog and keep vendors ahead in the arms race.”
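The monitoring Bartlett describes (logins from unusual IP addresses, large withdrawals of money) can be sketched as a small rule set. The following Python is an added example, not code from the article or from either brokerage: it keeps a per-user baseline of the /24 networks seen at login, flags a login from outside that baseline once the user has some history, flags withdrawals above a threshold, and correlates a withdrawal with an unusual-IP login in the preceding hour. The log format, the sample events, the thresholds and the correlation window are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data): "timestamp user event ip amount"
SAMPLE_LOG = """\
2006-09-01T08:30:00 bob login 192.0.2.5 0
2006-09-01T09:12:03 alice login 203.0.113.10 0
2006-09-02T08:31:10 bob withdraw 192.0.2.5 500
2006-09-02T10:05:44 alice login 203.0.113.10 0
2006-09-03T11:00:01 alice login 203.0.113.11 0
2006-09-04T02:41:17 alice login 198.51.100.77 0
2006-09-04T02:43:09 alice withdraw 198.51.100.77 45000
"""

LARGE_WITHDRAWAL = 10_000            # assumed threshold, in dollars
MIN_LOGINS_FOR_BASELINE = 2          # assumed: a user with no history is not judged
CORRELATION_WINDOW = timedelta(hours=1)


def parse(log_text):
    """Parse the whitespace-separated sample format into dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, amount = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "ip": ip, "amount": int(amount)})
    return sorted(events, key=lambda e: e["ts"])


def network_of(ip):
    """Baseline on the /24 so an address change inside one ISP block is not an alert."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def detect(events):
    """Return (user, reasons, ip) alerts: logins from outside the user's usual
    networks, large withdrawals, and withdrawals shortly after such a login."""
    logins = defaultdict(int)      # user -> number of logins seen so far
    usual = defaultdict(set)       # user -> /24 networks seen at login
    last_unusual = {}              # user -> time of the last unusual-IP login
    alerts = []
    for e in events:
        user, net = e["user"], network_of(e["ip"])
        if e["event"] == "login":
            if logins[user] >= MIN_LOGINS_FOR_BASELINE and net not in usual[user]:
                alerts.append((user, ("unusual_ip",), e["ip"]))
                last_unusual[user] = e["ts"]
            logins[user] += 1
            usual[user].add(net)
        elif e["event"] == "withdraw":
            reasons = []
            if e["amount"] >= LARGE_WITHDRAWAL:
                reasons.append("large_withdrawal")
            if user in last_unusual and e["ts"] - last_unusual[user] <= CORRELATION_WINDOW:
                reasons.append("withdraw_after_unusual_login")
            if reasons:
                alerts.append((user, tuple(reasons), e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Run on the sample, only alice's night-time login from a new network and the withdrawal two minutes later produce alerts; bob's withdrawal from his usual address is below the threshold and his single login is too little history to judge. The correlated second alert is the one worth paging on: either condition alone is common, the pair is not.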

Ameritrade lost several tapes with customer information in 2005

March 2, 2008 by michaelxin

TD Ameritrade data definitely compromised

In April 2005, Ameritrade reported that several tapes with customer information were lost.

From an article on the incident:

The company discovered the loss in February when it received a
damaged package containing a number of backup tapes shipped
from its secure facilities in the U.S. Katrina Becker, an Ameritrade
spokeswoman, said the shipping company caused the damage
to the package.

Ameritrade immediately launched an investigation and learned
four tapes were missing, three of which were subsequently
recovered at the shipper’s facility. The fourth, containing personal
information on customers who used the company’s service between
2000 and 2003, hasn’t been recovered, she said.

“Those tapes were all found within the shipper’s facility, which
was also secure, so it is highly likely that the remaining tape
was lost or destroyed within that facility, but we are still
monitoring it,” she said. “We do not believe foul play was involved.”

A Google search will reveal many other articles stating how the lost tape was likely lost or destroyed.

After the tape incident, Ameritrade notified me of the possible breach and I was given a year of an identity watch service. I was reassured by the comment that the tape was in “secure” areas, and my calculated odds that I wouldn’t be one of the accounts on the missing tape. Well, I can now report that my data was compromised and found its way into the hands of stock tip spammers. I think the Ameritrade tape wasn’t destroyed or lost. Here’s my evidence.

I’ve been getting spam stock tips for a while, but I recently noticed that similar spam was being sent to two very infrequently used accounts. The first compromised e-mail address was only used for my Datek trading account. (Datek went through mergers and eventually became part of TD Ameritrade.) The second spammed account was a personal address that only close friends & associates and secure financial institutions possessed. I don’t recall getting spam in either account. Now, I get similar stock tip spam in both accounts. The spam consists of an image with stock spam text followed by nonsensical text.

Spam in my Datek-only account is pretty much a smoking gun, but it’s not the only evidence. When I get spam in one of my aliased accounts, I simply remove that alias and update the associated web site account. If the new e-mail gets spammed again, I stop doing business with the company. So I went to my TD Ameritrade account to change the datek-associated address and noticed that my secondary e-mail in their database was the second, personal e-mail address that was getting spammed. Pretty clear sign that the breach was at Ameritrade’s end. None of my other accounts have the same combination of primary and secondary e-mail addresses. Considering the increased security at Ameritrade after the tape loss, I think the breach is most likely the missing tape.

Update: Jason’s comment (below) indicates that the data is currently being compromised. TD Ameritrade recently responded to my e-mail and said “several spam methods do not depend on using purchased or intercepted lists of existing or valid e-mail accounts. Spammers also use known ‘brute forcing’ or dictionary techniques.” I don’t know of spam techniques or dictionary attacks that work across unknown domains… that # of possible variations is too large and wouldn’t target only Ameritrade customers.

Other people have been getting spam. One victim filed a complaint with the BBB. Here’s the response from Ameritrade:

We received correspondence from the Better Business Bureau
about your Ameritrade account.

I wanted to follow up with you about the Spam e-mails you received.
I apologize for the delayed response and understand any frustration
you may have experienced in this matter. Although we have been
unable to determine the exact cause of the Spam, I wanted to inform
you of what we do know.

We thoroughly reviewed our systems and data sent
to third parties with access to e-mail addresses and found no
misuse or compromises of any of our systems or storage
mediums for e-mail addresses.
Additionally, after further
review of our systems, there is no indication that your account
information held with Ameritrade has been compromised.
Please be assured that we regularly contract leading edge security
firms to conduct network and application penetration tests to test
the security of our network and web presence. We also employ a
staff of full time employees solely dedicated to Information Security.

At this time, we continue to work with the U.S. Securities and Exchange
Commission to investigate this matter and the source of the Spam
e-mails. Should further information become available, we will notify
you of our findings. You may review our Privacy Statement at
http://www.ameritrade.com/privacy.html and our Security Statement at http://www.ameritrade.com/tell_me_more/index.html…

We would appreciate your continued support in this matter. Should you
receive further Spam to the above referenced e-mail address we ask that
you please print and forward the information as soon as possible to:

Ameritrade Compliance
Attn: Jeffrey Plummer
P.O. Box 2148
Omaha, NE 68103-2148

I personally thank you for the opportunity to be of service in this matter.

Sincerely,

Jeffrey K. Plummer
Client and Regulatory Relations Analyst
Corporate Compliance
Ameritrade, Division of Ameritrade, Inc. Member NASD/ SIPC

Sorry Jeffrey. But our data really was compromised. If all the security measures above are being done by Ameritrade, I think the most likely source of the data compromise is the missing tape. That tape found its way into bad hands. Now I have to escalate my safeguards against identity theft.

Update 8/13/06

My new ameritrade e-mail account, switched from the old compromised account on Jul 31, hasn’t been spammed yet. My secondary e-mail account is starting to get increasing numbers of stock spam with an image of text at the beginning followed by actual text (nonsense words). I’ve been contacted by several people who have only their ameritrade alias compromised out of large numbers of aliases. I’m not sure where the leak originated, but there’s definitely been a leak. It’s unlikely that they are tapping Ameritrade’s e-mails, because my secondary e-mail address with Ameritrade isn’t used for any official communications, yet it’s been spammed heavily.

Update 5/31/07

Uh oh, just got slashdotted :) One visitor left a possible lead to the leak. Feel free to comment over there.

Link: http://www.billkatz.com/node/77

Hacker Gained Access To Data On Millions Of TD Ameritrade Customers in 2007

March 2, 2008 by michaelxin

The online brokerage is blaming the database breach on “unauthorized code” that was found in the network. E-mail addresses, names and phone numbers were stolen.

Online brokerage TD Ameritrade Holding Corp. announced today that a hacker broke into one of its databases and stole personally identifying information for some of its 6.3 million customers. An online advisory and letters to account holders disclosed that names, e-mail addresses, phone numbers and home addresses were taken in the data breach. Client assets, along with user IDs, personal identification numbers and passwords, were not stored in the compromised database.

However, the advisory noted that it’s unclear if account numbers, dates of birth and Social Security numbers were stolen. The company said there is no evidence that any customers were the victim of identity theft because of this security breach.

TD Ameritrade did not say when the hackers got into the database or how long they remained there.

“While the financial assets our clients hold with us were never touched, and there is no evidence that our clients’ Social Security numbers were taken, we understand that this issue has increased unwanted spam, which is annoying and inconvenient for them,” said Joe Moglia, chief executive officer of TD Ameritrade, in a statement. “We sincerely apologize for that and any added concern this may have caused.”

TD Ameritrade tracked down the break-in while doing an internal investigation into stock-related spam. The company called in forensic investigators and they discovered “unauthorized code” in their system that provided access for the hacker or hackers. According to the advisory, the code has been eliminated from the system.

Moglia, speaking in an online video-taped message to customers, said he is “confident” that they have figured out how the information was taken.

“This is an issue of the global e-commerce that will be with us the rest of our lives,” he said in the video message. “You have my promise that we will remain totally committed to protecting the trust you’ve placed in us.”

According to the Privacy Rights Clearinghouse’s list of data breaches, TD Ameritrade lost a backup tape in 2005 that contained 200,000 records. And in December of 2006, a missing laptop contained unencrypted information, including names, addresses, birthdates and Social Security numbers. That incident affected about 300 current and former employees.

Today, the company is telling customers that they don’t have to do anything with their accounts. They can change their passwords, but it’s not necessary, according to an advisory.

http://www.informationweek.com/showArticle.jhtml?articleID=201806604

Scottrade eCHECK 3rd party HACKED in 2005

March 2, 2008 by michaelxin

November 11, 2005

Re: Alert for users of the eCheck Secure™ Service

Dear Customer:

We are contacting you to inform you that Scottrade has experienced a data security issue with the eCheck Secure™ service. Our records indicate that you have used eCheck Secure™ for the purpose of electronically moving funds from your bank to Scottrade. We will detail what we know about the situation and also what steps you should consider taking to safeguard your information.

On October 25, 2005, Troy Group Inc., the provider of the eCheck Secure™ service and other services to the financial services industry, reported to us that a computer hacker had compromised its eCheck Secure™ servers. As a result, some of your personal information, including your name, driver’s license or state ID number, date of birth, phone number, bank name, bank code, bank number, bank routing number, bank account number and Scottrade account number may have been compromised. If you used your Social Security number as your driver’s license or state ID number, your Social Security number may have been compromised as well.  We do not know whether the hacker has actually accessed and/or used any of your personal information. However, Troy has notified us that it has blocked further unauthorized access to the information. The eCheck Secure™ service cannot be used to withdraw funds from your Scottrade account. Troy has filed a report with the FBI and is investigating in conjunction with a forensic analysis firm that it has retained. Scottrade has also contacted the FBI on this matter, and has a dedicated team to work on this issue and assist our customers who may have been affected.

We suggest taking the following steps for all your accounts that have eCheck Secure™ activated.

Contact your local Scottrade branch office for additional information or to change your Scottrade account number. If it is not possible or convenient for you to contact your local Scottrade branch office, then you can reach our Service Center at 866-476-6500. Our Service Center is open Monday – Friday, 7 a.m. to 11 p.m. EST. Although this is not a situation where Scottrade’s network was breached, you may, nevertheless, want to consider changing your Scottrade account number for additional protection.

Remember to review your Scottrade account activity regularly and statement promptly. Report any suspicious activity to us.

Although this was not an Internet security issue, you may want to change your Scottrade account access password periodically (a secure password that is easy for you to remember, but difficult for others to guess) by using our online change password process.

Since your bank information could have been accessed, contact your bank immediately so it is aware of the situation and can monitor for unusual activity in your bank account.

Review your bank activity and statements promptly to detect and prevent fraud. Look for transactions with strange payees or amounts you do not recognize. The more frequently you review your activity and statements, the easier it will be to detect suspicious transactions.

If you use your Social Security number for your driver’s license or state ID card, we strongly urge you to change your account number and place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. For more information on placing a fraud alert on your credit file, please see www.scottrade.com/security, a website that we have dedicated to this issue.

We are extremely sorry about this matter and will strive to rectify the situation to the best of our abilities. If you have any questions or concerns, please contact us, so we may be of assistance.

Sincerely,

Ellis Hough
Manager
Risk Management

Scottsave.com Trade History Exploit in 2005

March 2, 2008 by michaelxin

Scottsave.com Trade History Exploit

From: Ben Efros <befros_at_gmail.com>
Date: Tue, 15 Feb 2005 14:21:11 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*****************************************************************************
SCOTTSAVE.COM TRADE HISTORY EXPLOIT
*****************************************************************************
RISK TO CUSTOMER
Extremely High
***********
BACKGROUND
Scottrade, Inc. is a discount online brokerage firm with over 1.4 million
customers. Scottrade began online trading in 1996 and has received high
satisfaction ratings since the release of their online trading application
called Scottrader.
********
SUMMARY
A serious vulnerability exists in the Trade History feature of the
Scottsave.com website allowing an anonymous third party to gain
confidential information about customers and their trading habits.
The information available could be used to perform identify theft,
fraud, and other possibly criminal actions through social engineering.
**************
PREREQUISITES
None
******************
TECHNICAL DETAILS
Scottrade provides web-based access to customer trade history
through the Scottsave.com website which requires a valid username
and password to access.
All trades recorded by Scottrade are assigned an auto-incrementing
identifier in their database. Normally a customer browses their
entire trade history summary and then clicks a FORM submit button
that brings up details on individual trades.
The page that provides trade details is:
https://www1.scottsave.com/Scripts/Confirms.dll?DisplayPage
On this page, the following information is displayed:
- Scottrade Account Number
- Account Holder Name
- Account Holder Address (at the time of execution)
- Trading Symbol
- Security Description (Name of the company being traded)
- Trade Number
- Account Type (Broker Dealer, Cash, Margin, Short, etc)
- Market of Execution (Over-the-Counter, NYSE, Nasdaq, etc)
- Capacity in which Scottrade acted
- Account Instructions (Hold Funds in Account, Mail Security, etc)
- Trade Date
- Settlement Date
- Office Code
- Action (Buy or Sell)
- Quantity (# of shares traded)
- CUSIP Number
- Coupon Maturity
- Price
- Principal
- Commission Paid
- State Tax / Interest
- SEC Fee
- Trans Fee
- Misc Fees
- Interest
- Net Amount
- Additional Information (Text field used to specify any additional info)
This information can be retrieved by performing an HTTP POST to:
https://www1.scottsave.com/Scripts/Confirms.dll?Summary?OPTIMIZED=
The only field required during this post is named "ID1234567" and the
value is the string "Details" where 1234567 is an ID number used to
identify your trade.
Because the ID number appears to be an auto-incrementing value, one can
easily guess an entire range of valid trade numbers. One can systematically
retrieve records from all trades made, collecting the above information
about each customer.
Someone with malicious intent could possibly use the obtained info to:
- Gain detailed trading habit analysis of individual customers
- Gain private personal information about Scottrade customers
- Impersonate Scottrade customers and possibly be able to socially engineer
the wiring of money from the account into a private bank account of
another
- Enumerate valid Account Numbers for use in the Scottrader Applet exploit
- And many other possible things…
****************
EXAMPLE EXPLOIT
The exploit is extremely simple to execute for even an inexperienced user.
To use this exploit, simply create an html file containing the following.
<html><head></head>
<base
href="https://www1.scottsave.com/Scripts/Confirms.dll?Summary?OPTIMIZED=">
<body>
<form action="Confirms.dll?DisplayPage" method="post"
name="frmHeader">
<input type="submit" value="Details" name="ID1234567">
</form></body></html>
*******
STATUS
Scottrade was contacted January 3rd, 2005. Scottrade was provided
vulnerability details the evening of January 24th, 2005.
A coordinated disclosure would have been ideal, but Scottrade has
ignored all communications from me since January 24th. I believe
enough time has elapsed that the security holes reported have now
been corrected.
For more information, contact Scottrade at (800) 619-7283.
**************
PERSONAL RANT
As a previously happy customer of Scottrade, I am also a victim
to the issues discussed. I am not satisfied with Scottrade’s
response (actually, a lack thereof) when attempting to report
the issue and hope that making it public will ensure that
it is properly addressed and the timely notifications are sent
to customers affected.
******************
LEGAL INFORMATION
The information provided is subject to change at any time without
notification. This information is believed to be correct.
The reporter of this issue shall not be held liable for any
downtime, lost profits, or damages due to this report
or the issues contained within it.
*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCBb77LQa1lBNB5R0RAkCNAJ99GRc+OQbeoz2Kh6SqR+ALyQ1JDQCfbcN0
wgQRt42yBq+6qXq15XnpsQw=
=jKkS
-----END PGP SIGNATURE-----
Received on Feb 15 2005

http://seclists.org/bugtraq/2005/Feb/0254.html
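The advisory above describes an insecure direct object reference: the detail page is fetched by a sequential trade number, and nothing checks that the record belongs to the account that is logged in. The following Python is an added example, not the advisory's or Scottrade's code: a toy trade store with the vulnerable lookup beside a hardened one that enforces ownership and returns the same not-found result for absent and foreign IDs, a per-account history listing to navigate from, and opaque identifiers in place of an auto-increment. The trade records, account numbers and function names are constructed for the example.

```python
import secrets

# Constructed sample trade records; account numbers, holder names and IDs are invented.
TRADES = {
    1000001: {"account": "12345678", "holder": "A. Customer", "symbol": "XYZ", "qty": 100},
    1000002: {"account": "87654321", "holder": "B. Customer", "symbol": "ABC", "qty": 50},
    1000003: {"account": "12345678", "holder": "A. Customer", "symbol": "QRS", "qty": 10},
}


class NotFound(Exception):
    """Raised for any trade the caller may not see, absent or foreign alike."""


def details_vulnerable(session_account, trade_id):
    """The pattern in the advisory: the record is fetched by ID alone, so the
    logged-in account is never compared with the record's owner."""
    return TRADES.get(trade_id)


def details_hardened(session_account, trade_id):
    """Ownership check: the record must belong to the session's account.
    Absent and foreign IDs get the same NotFound, so the response is not an
    oracle for which IDs exist."""
    rec = TRADES.get(trade_id)
    if rec is None or rec["account"] != session_account:
        raise NotFound(trade_id)
    return rec


def trade_history(session_account):
    """The listing a customer should navigate from: scoped to their own account."""
    return {tid: rec for tid, rec in TRADES.items() if rec["account"] == session_account}


def walk_id_range(lookup, session_account, start, stop):
    """Simulate one session stepping through an ID range, as the advisory
    describes; returns how many records that session could read."""
    readable = 0
    for tid in range(start, stop):
        try:
            if lookup(session_account, tid) is not None:
                readable += 1
        except NotFound:
            pass
    return readable


def new_trade_id():
    """Opaque, non-sequential identifier: removes the 'guess the next number'
    property, as defence in depth behind the ownership check."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable:", walk_id_range(details_vulnerable, "87654321", 1000000, 1000010))
    print("hardened:  ", walk_id_range(details_hardened, "87654321", 1000000, 1000010))
    print("opaque id: ", new_trade_id())
```

Walking the same ten-ID window, the vulnerable lookup hands account 87654321 all three records while the hardened one yields only its own. The ownership check is the fix; the opaque ID is an extra layer, not a substitute, because a leaked or bookmarked identifier must still fail for the wrong account.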

Scottrader Application Exploit in 2005

March 1, 2008 by michaelxin

Scottrader Application Exploit

From: Ben Efros <befros_at_gmail.com>
Date: Tue, 15 Feb 2005 14:21:02 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
*****************************************************************************
SCOTTRADER APPLICATION EXPLOIT
*****************************************************************************
RISK TO CUSTOMER
Extremely High
***********
BACKGROUND
Scottrade, Inc. is a discount online brokerage firm with over 1.4 million
customers. Scottrade began online trading in 1996 and has received high
satisfaction ratings since the release of their online trading application
called Scottrader.

********
SUMMARY
The Scottrader java applet provides real-time access to market quotes,
news services, online ordering, and execution confirmation.
Due to an unchecked password field on the server-side, an anonymous
user could obtain elevated access to a customer’s private account.
**************
PREREQUISITES
A valid Scottrade account number
******************
TECHNICAL DETAILS
The Scottrader java applet provides an interface to a custom server-side
application at Scottrade that provides real-time quote information,
account balances, portfolio access, watch lists, orders, order
confirmation, news service feeds, and a lot more.
The custom server-side application fails to properly validate new
connections, thus allowing an anonymous third party to establish a
valid Scottrader connection without the verification of any secret
data, password, or other authentication mechanism.
The Scottrader Java applet takes a parameter specified in the HTML
page that initiates the applet loading. This parameter is an encoded
representation of various account details, including the username and
password of the account holder.
The encoding format is easily deciphered by converting the hex string
into a byte array and then XOR’ing the bytes with the value 5.
An attacker, armed with the knowledge of a valid account number, can
easily start the java applet with the password field NULL or invalid
and access any customer account.
I am not aware of any pattern to the way account numbers are assigned,
but there are a few ways to identify a customer account number:
- Dumpster Dive (Yuck, who wants to dig through trash)
- Exploitation of the SCOTTSAVE.COM TRADE HISTORY EXPLOIT
- Random guessing of account numbers (described below)
Guessing account numbers might at first sound near impossible, until
you realize that Scottrade identifies all customers with an 8 digit
number. Scottrade boasts 1.4 million accounts on their website.
Do the math: 1400000 / (99999999 - 10000000) = 0.01555
The numbers show that you are at least likely to guess right 1.55% of
the time.

****************
EXAMPLE EXPLOIT
No example exploit demonstration was provided to Scottrade at the
time of notification.
*******
STATUS
Scottrade was contacted January 3rd, 2005. Scottrade was provided
vulnerability details the evening of January 24th, 2005.
A coordinated disclosure would have been ideal, but Scottrade has
ignored all communications from me since January 24th. I believe
enough time has elapsed that the security holes reported have now
been corrected.
For more information, contact Scottrade at (800) 619-7283.
**************
PERSONAL RANT
As a previously happy customer of Scottrade, I am also a victim
to the issues discussed. I am not satisfied with Scottrade’s
response (actually, a lack thereof) when attempting to report
the issue and hope that making it public will ensure that
it is properly addressed and the timely notifications are sent
to customers affected.
********************
FURTHER INFORMATION
On November 10, 2004 Wanda Fish commented "Scottrade's 'security'
amuses me” when she unknowingly was discussing a matter related to
the issue above.
Her post has a Message-ID of 4192b565$1_at_nntp0.pdx.net and is available
on groups.google.com
******************
LEGAL INFORMATION
The information provided is subject to change at any time without
notification. This information is believed to be correct.
The reporter of this issue shall not be held liable for any
downtime, lost profits, or damages due to this report
or the issues contained within it.
*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCBb7zLQa1lBNB5R0RAhJCAKDREOvwKnRPM4Gg/udYtYeJV/ynOgCePhrQ
VpNBm1uuPpVtoOXsyzmDvqs=
=63zK
-----END PGP SIGNATURE-----
Received on Feb 15 2005

Link:

http://seclists.org/bugtraq/2005/Feb/0252.html
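The root cause above is server-side: the connection handler never verifies the password, and the client-side XOR encoding is obfuscation rather than a secret. The following Python is an added example, not the advisory's or Scottrade's code: it shows the XOR-with-a-constant encoding being its own inverse, a vulnerable session-open that accepts any existing account number, and a hardened one that checks the password against a salted PBKDF2 hash with a constant-time compare, rejects empty passwords, spends the same hashing work on unknown accounts so timing does not reveal which numbers exist, and locks an account after repeated failures so that guessed account numbers (the 1.55% the advisory computes) cannot be turned into sessions. Account numbers, passwords and the lockout threshold are constructed for the example.

```python
import hashlib
import hmac
import os


def obfuscate(data: bytes, key: int = 5) -> bytes:
    """The applet-side encoding the advisory describes (XOR with a constant).
    It is its own inverse, so it hides nothing from anyone with the page source."""
    return bytes(b ^ key for b in data)


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store (invented numbers and passwords); only hashes are kept.
_DEMO_PASSWORDS = {"12345678": "correct horse", "87654321": "battery staple"}
ACCOUNTS = {}
for _acct, _pw in _DEMO_PASSWORDS.items():
    _salt = os.urandom(16)
    ACCOUNTS[_acct] = {"salt": _salt, "pw_hash": _pw_hash(_pw, _salt)}

# Dummy record so an unknown account costs the same as a wrong password (no timing oracle).
_DUMMY = {"salt": os.urandom(16), "pw_hash": _pw_hash(os.urandom(16).hex(), os.urandom(16))}

MAX_FAILURES = 5          # assumed lockout threshold
_failures = {}            # account -> consecutive failed attempts


def open_session_vulnerable(account: str, password) -> bool:
    """The server-side flaw described above: a connection is accepted for any
    existing account number; the password field is never examined."""
    return account in ACCOUNTS


def open_session_hardened(account: str, password) -> bool:
    """Verify the credential on the server, reject NULL/empty passwords, and
    lock the account after repeated failures so number-guessing cannot be
    followed by password-guessing."""
    if not password:
        return False
    if _failures.get(account, 0) >= MAX_FAILURES:
        return False
    rec = ACCOUNTS.get(account, _DUMMY)
    ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"])
    if ok and account in ACCOUNTS:
        _failures[account] = 0
        return True
    _failures[account] = _failures.get(account, 0) + 1
    return False


if __name__ == "__main__":
    print("encoded:", obfuscate(b"hunter2").hex(), "decoded:", obfuscate(obfuscate(b"hunter2")))
    print("vulnerable, no password:", open_session_vulnerable("12345678", None))
    print("hardened, no password:  ", open_session_hardened("12345678", None))
    print("hardened, right password:", open_session_hardened("12345678", "correct horse"))
```

The lockout is per account, which is what blunts the advisory's arithmetic: even a correctly guessed number buys at most five password attempts. In a real deployment the counter would live in shared storage and be paired with a per-source rate limit, since per-account lockout alone lets an attacker lock customers out on purpose.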

How to defeat automatic form submission attacks

February 29, 2008 by michaelxin

CAPTCHA images seem like a good solution, as long as the images cannot be recognized by automated software.

http://www.codeproject.com/KB/aspnet/CaptchaImage.aspx
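A CAPTCHA only holds up if the server side is also done right: the expected answer must never reach the client, each challenge must expire and be usable once, and the comparison should tolerate case but not replay. The following Python is an added example, not code from the CodeProject article: it issues a challenge token that binds the answer into an HMAC without carrying it, and a verifier that enforces lifetime, single use and a bounded number of wrong guesses. Rendering the answer as a distorted image is out of scope here; the server key, lifetime, alphabet and attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed: a per-server key, rotated in practice
TTL_SECONDS = 300                       # assumed challenge lifetime
MAX_ATTEMPTS = 3                        # assumed wrong-answer budget per challenge
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I ambiguity for the human
_redeemed = set()                       # nonces already used or burned (single-use)
_attempts = {}                          # nonce -> wrong answers so far


def _mac(nonce: str, expiry: int, answer: str) -> str:
    msg = f"{nonce}.{expiry}.{answer.strip().upper()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(now=None):
    """Return (answer, token). The answer goes only to the image renderer (not
    shown); the token travels in the form as a hidden field, nonce.expiry.mac,
    with the answer bound into the MAC but not carried in the token."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce = secrets.token_hex(8)
    expiry = int(now) + TTL_SECONDS
    return answer, f"{nonce}.{expiry}.{_mac(nonce, expiry, answer)}"


def verify(token: str, user_answer: str, now=None) -> bool:
    """Accept once, within the lifetime, only if the MAC recomputed from the
    user's answer matches. A right answer consumes the challenge; too many
    wrong ones burn it, so a single image cannot be guessed at indefinitely."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False                     # malformed token
    if now > expiry or nonce in _redeemed:
        return False                     # expired, replayed or burned
    if not hmac.compare_digest(_mac(nonce, expiry, user_answer), mac):
        _attempts[nonce] = _attempts.get(nonce, 0) + 1
        if _attempts[nonce] >= MAX_ATTEMPTS:
            _redeemed.add(nonce)
        return False
    _redeemed.add(nonce)
    return True


if __name__ == "__main__":
    answer, token = new_challenge()
    print("answer (render as image):", answer)
    print("first submit: ", verify(token, answer.lower()))
    print("replayed:     ", verify(token, answer))
```

Because the answer is only reachable through the MAC, the token can be stored client-side without leaking the solution; the only server state is the redeemed-nonce set, which can live in a cache keyed with the same TTL so it does not grow without bound.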