-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________
S4R - A Managed Services Company
Security - Systems - Storage - Solutions
http://www.s4r.com
info@s4r.com
________________________________________

Title: Stock portfolio sent via clear text in Datek Streamer® application
Date: November 9, 2001

1. Description

Although the user's primary Datek account page is protected using a secured SSL tunnel, upon launching the "Portfolio" portion of Streamer®, the user's entire portfolio composition is transmitted from Datek to the application in clear text. This allows anyone able to access the data stream between the client and Datek's server to view client portfolios and determine their current portfolio values.

2. Description of vulnerable systems

http://www.datek.com/education/streamer.html

Streamer® gives Datek investors the ability to graphically monitor and manage their online stock portfolios. This issue was first discovered on October 16, 2001 and is still present as of November 9, 2001. It is unknown how long prior to this the issue existed.

3. Flawed/Vulnerable process

When you connect to the Datek web site (http://www.datek.com) and click on login, you are given the choice to either go to the "investment site" or to the Streamer® application. In either case, you connect to an SSL site, https://investments.datek.com. Upon choosing Streamer®, either from the initial login screen or from the resource pull-down on the investment site, another SSL-protected browser window is opened for the Streamer Java applet. Yet the applet itself is downloaded via HTTP.

Once Streamer® is downloaded and the client launches the "Portfolio" monitoring application, an HTTP GET request containing the user's login ID, as well as some additional information, is sent to STREAMERAPP.DATEK.COM. STREAMERAPP.DATEK.COM then responds in clear text with the user's login ID, the entire portfolio composition, and subsequent information.
Specifically, the stock symbol and the number of shares of each owned. Using this information and current stock prices, it is extremely easy to determine the client's portfolio valuation.

4. Example

Below is a sample payload of a packet from STREAMERAPP.DATEK.COM to the client:

S.......BARNES82145...3...........CSCO....142600....Cisco Sys Inc Com........Q....22700...
Qwest Communications Intl In Com........CHK....16412....Chesapeake Energy Corp Com..S.G.....EXTR.A*.\.A+.=.A+.=......Jah....\....[.A733.A#...A-....q.
A$Q..A+.=..S.%.....^INX.D.<.......D.R=.D..=.D./\..x..S.<.....CHK.=u...
A.ff.@..H........H.........).@..H.@.(..@.....n..S.:.....Q.At...A.p..A.
.H......Z.............A....A.33.A.\)..n..S./.....^INDU.F.........>....
.&..F..=.F.=..F..q..x..S.G.....CSCO.A..{.A.ff.A.ff........H...........
A..\.A.33.A.....q.A..{.A.ff..S.'.....^COMPX.D......"..D....D....D.....
x.....

This discloses that the username is BARNES82145 and that they currently hold 142,600 shares of Cisco, 22,700 shares of Qwest and 16,412 shares of Chesapeake Energy Corp.

CSCO @ $19.2  * 142,600 shares = $2,737,920
Q    @ $11.85 *  22,700 shares =   $268,995
CHK  @ $6.83  *  16,412 shares =   $112,093

Total stock portfolio value of $3,119,008

Since it is common for the username to be the client's last name followed by numbers, it also becomes possible to determine who this specific user is. And since humans are creatures of habit, they are likely to use the same password elsewhere.

5. Concerns

Users of the Datek Streamer application are led to believe that their personal account information is secured throughout the use of this application, which is not the case. Our belief is that this loss of privacy presents a serious breach of confidentiality of account information.
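The exposure described in sections 3 through 5 can be checked for from the defending side, by an operator of the proxy, logging or intrusion detection systems that see this traffic. The following is an added example written for this advisory; it is neither S4R's nor Datek's code. It assumes a hypothetical proxy log format (timestamp, method, URL, status), a hypothetical /portfolio path with a "user" query parameter and a hypothetical Streamer.jar path, none of which appear in the advisory, and its response body is a constructed, simplified imitation of the packet dump above that keeps only the recoverable symbol, share count and company name fields. It flags cleartext requests to the account hosts and the applet fetched over HTTP, extracts the holdings a cleartext body discloses, and values them with the prices quoted in section 4 so that an alert can carry a severity figure.

```python
"""Detect cleartext portfolio disclosure in captured HTTP traffic.

Added example for this advisory, not S4R's or Datek's code.  The log
format, the /portfolio path, the 'user' parameter and the Streamer.jar
path are hypothetical; the response body is a constructed sample.
"""
import re
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Hosts the advisory identifies as carrying account data.
SENSITIVE_HOSTS = {"streamerapp.datek.com", "investments.datek.com"}

# Constructed proxy log lines: "<time> <method> <url> <status>" (hypothetical format).
PROXY_LOG = """\
2001-11-09T09:31:02 GET https://investments.datek.com/login 200
2001-11-09T09:31:40 GET http://www.datek.com/streamer/Streamer.jar 200
2001-11-09T09:32:05 GET http://streamerapp.datek.com/portfolio?user=BARNES82145 200
2001-11-09T09:32:06 GET http://www.example.com/index.html 200
"""

# Constructed cleartext body imitating the recoverable structure of the
# advisory's dump: SYMBOL, filler dots, SHARES, filler dots, COMPANY NAME.
RESPONSE_BODY = ("S.......BARNES82145...3..........."
                 "CSCO....142600....Cisco Sys Inc Com........"
                 "Q....22700....Qwest Communications Intl In Com........"
                 "CHK....16412....Chesapeake Energy Corp Com..")

# Prices quoted in section 4 of the advisory (used only to rate severity).
PRICES = {"CSCO": Decimal("19.2"), "Q": Decimal("11.85"), "CHK": Decimal("6.83")}

# symbol, filler, integer share count, filler, company name, filler.
HOLDING_RE = re.compile(r"([A-Z]{1,5})\.+(\d{1,9})\.+([A-Za-z][A-Za-z ]*?)\.{2,}")


def cleartext_requests(log_text):
    """Return (url, reasons) for each plain-HTTP request that exposes account
    data or fetches the applet outside TLS.  HTTPS requests are ignored."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; nothing to judge
        url = parts[2]
        u = urlsplit(url)
        if u.scheme != "http":
            continue
        reasons = []
        if u.hostname in SENSITIVE_HOSTS:
            reasons.append("cleartext request to account host")
        if "user" in parse_qs(u.query):
            reasons.append("login ID in cleartext URL")
        if u.path.endswith((".jar", ".class")):
            reasons.append("applet downloaded over HTTP")
        if reasons:
            findings.append((url, reasons))
    return findings


def extract_holdings(body):
    """Return (symbol, shares, company) for every holding a cleartext body discloses."""
    return [(sym, int(shares), name.strip())
            for sym, shares, name in HOLDING_RE.findall(body)]


def portfolio_value(holdings, prices):
    """Whole-dollar value of the disclosed holdings, each line truncated to
    whole dollars as the advisory's own arithmetic does."""
    return sum(int(prices[sym] * shares) for sym, shares, _ in holdings)


if __name__ == "__main__":
    for url, reasons in cleartext_requests(PROXY_LOG):
        print("ALERT", url, "->", "; ".join(reasons))
    holdings = extract_holdings(RESPONSE_BODY)
    print("disclosed:", holdings)
    print("exposed value: $%d" % portfolio_value(holdings, PRICES))
```

Run against the constructed log, the check raises two alerts (the applet fetch over HTTP and the portfolio request to the account host carrying the login ID), recovers the three holdings from the cleartext body, and reports the $3,119,008 figure given in section 4. The same holdings regex applied to a proxy cache or IDS capture is what makes the point in section 5 concrete: once the body has been written to disk in clear, the disclosure outlives the fix.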
In addition, HTTP traffic is often stored for extended periods of time by proxy servers, third-party logging/reporting software, or intrusion detection systems; therefore, even after this issue is addressed, the private information that was exposed may still be available. We believe this is a serious problem.

6. Vendor response

Datek has acknowledged that the above-described problem exists and that it affects its Streamer® application. Datek has not provided us a timeline regarding when this issue will be resolved.

7. History

Discovered by Chris Grout on October 14, 2001.
Additional forensics by Scott C. Kennedy and Todd Suiter on October 15, 2001.
Initial contact with Datek on October 16, 2001.
Informed Datek of our intention to announce on November 1, 2001.

________________________________________________
S4R offers a comprehensive suite of services that include complete infrastructure design and implementation, 24/7 customer data center management and support, network security, firewall management, enterprise storage management as well as data backup and disaster recovery services. S4R also provides value-added services that enable co-location and data center facility providers to develop new sources of revenue from existing assets by leveraging S4R's storage and managed services solutions. The company's team of in-house engineers has extensive experience in all areas of IT infrastructure management, security, system modeling and implementation. Company executives and top management have broad technology industry expertise, with prior experience at industry-leading companies such as IBM Research, Qualcomm, AT&T, DreamWorks and MTI Corp. Additional information about S4R can be found at www.s4r.com.

-----BEGIN PGP SIGNATURE-----

iQA/AwUBO+yOLC4fK7wDLJKlEQLFvwCaAz8Rj55DCqvMa5xlyL/oyqh7/xoAn1Vw
iVAHl9gN+gLCqapy9BeNyrt6
=nFLi
-----END PGP SIGNATURE-----