OSEC

 
From: Doug Nakatomi (dougnakLYCOS.COM)
Date: Tue Mar 20 2001 - 08:44:32 CST


    Company: REDIProducts, a division of Spear, Leeds and Kellogg

    Program: REDI.exe

    Background: REDI is real-time stock trading software used by active
    traders to execute stock orders very rapidly. From their web site
    (www.redi.com), bullet points of REDI include: "Optimal execution,
    immediate access to maximum liquidity, and a full view of the marketplace
    at all times.", "Consolidated, consistent display of all the necessary
    decision-making information and order entry capability.", "One screen
    has it all: news, charts, order entry, position tracking, and real-time
    P&L." Many companies that provide the software have minimum account
    balances considerably higher than an average online broker; many are $25,000+.

    Seriousness: Very. Access to personal accounts and large amounts
    of money is trivial once read file system access is achieved.

    Problem: User name and password are stored in a clear text file
    on the user's computer every time the user logs in. The file, defaulting
    to E:\Program Files\SLK\REDI\Logon\StartLog.txt, contains information
    about the program's startup useful for troubleshooting.

    Temporary Workaround: I would recommend users of Windows 2000 use
    EFS to limit access to the file (right click, properties, advanced,
    check encrypt contents to secure data, ok,
    ok, ok). This will still allow you, and any process you own or that
    runs as you, access to the file so it's not a perfect fix.

    Suggested fix: Vendor should remove password and user name from logging.

    Vendor contacted: 3/7/01 via email.
    Vendor response: Vendor responded promptly, and released a fixed
    version of the software, available from http://www.redi.com/rpdownload.html,
    although no public notification of the problem has been seen, and the
    problem still exists in versions resold by other companies.

    Thank you for your time,

    Doug Nakatomi
    Information Systems Security Consultant
    dougnaklycos.com
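As an added illustration, not code from the advisory or from the vendor: a Python sketch of the defect the post describes (a client writing logon credentials into a startup troubleshooting log) beside a redacting filter that implements the suggested fix, plus a check a user could run over a log such as StartLog.txt for known secret values. The field names, server and sample credentials are assumptions.

```python
import io
import logging
import re

# Credential-like keys whose values must never reach a troubleshooting log.
# Assumed field names: the advisory only states that user name and password were written.
SENSITIVE_KEYS = ("username", "user", "password", "pass", "pwd")


class CredentialRedactor(logging.Filter):
    """Blank out the values of credential-like key=value pairs before a record is emitted."""

    _pattern = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\s*=\s*([^\s,;]+)")

    def filter(self, record):
        rendered = record.getMessage()  # apply %-args first so the redaction sees the final text
        record.msg = self._pattern.sub(lambda m: f"{m.group(1)}=<redacted>", rendered)
        record.args = ()
        return True


def write_startup_log(login_params, redact):
    """Return the text a client would write to its startup log at logon.

    redact=False reproduces the reported behaviour (credentials in the clear);
    redact=True is the fixed behaviour: the same diagnostics with secrets removed.
    """
    buf = io.StringIO()
    logger = logging.getLogger(f"startlog.{'redacted' if redact else 'raw'}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(CredentialRedactor())
    logger.debug("Logon request: server=%s port=%d", login_params["server"], login_params["port"])
    logger.debug("Logon params: user=%s password=%s", login_params["user"], login_params["password"])
    logger.debug("Logon result: connected")
    return buf.getvalue()


def leaked_credentials(log_text, known_secrets):
    """Return which of the given secret values appear verbatim in a log file's text."""
    return [secret for secret in known_secrets if secret and secret in log_text]
```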
