Friday, September 14, 2007

Ameritrade

More information about the TD Ameritrade breach is slowly dribbling out. Even though TD Ameritrade had been receiving complaints about spam since 2006 (users would create special email addresses unknown to anyone but Ameritrade), it wasn't until a lawsuit was filed by lawyer Scott A. Kamber that the company was forced to investigate. According to the lawsuit, Ameritrade's servers were vulnerable as far back as October (and reportedly fixed July 18th).
The plaintiffs in the lawsuit had wanted the court to order Ameritrade to tell its customers about the data problem, but Ameritrade issued its release before a hearing could be held. The plaintiffs are also seeking damages and are trying to qualify as a class-action lawsuit. "They preferred putting out a press release with their own language in it rather than have the court order them to put out a release with our language," Kamber said.
I am totally stunned that a public company would display so many ethical traits that I despise.


TD Ameritrade Hacked.

I just received this email from TD Ameritrade (below) and I'm fuming mad. Let me parse and summarize the email I received: Someone breached TD Ameritrade's security, left behind some "unauthorized code," and made off with social security numbers, email addresses, ACH account numbers, and more.

Interestingly enough, I found postings from 2006 which suggest that this has been going on for more than a year (here too), before they caught on and disclosed the problem. They have denied the problem or blamed it as an "industry wide problem".
 
Dear Joe Turner,

Let me tell you why I am sending you this email. While investigating client reports about the industry-wide issue of investment-related SPAM, we recently discovered and eliminated unauthorized code from our systems. This code allowed certain client information stored in one of our databases, including email addresses, to be retrieved by an external source.

Please be assured that UserIDs and passwords are not included in this database, and we can confirm that your assets remain secure at TD AMERITRADE.

What we want you to know:
  • Once we discovered the unauthorized code, we took immediate action to eliminate it. We are confident that we have identified the means by which the information was accessed and have taken appropriate steps to prevent this from reoccurring.
  • You continue to be covered by our Asset Protection Guarantee, which protects you and your assets from any unauthorized activity that may occur in your account through no fault of your own. If you lose cash or securities as a result of such activity, we will reimburse you for the cash or shares of securities you lost.
While Social Security Numbers are stored in this particular database, we have no evidence to establish that they were retrieved or used to commit identity theft. To further protect you, we have hired ID Analytics, which specializes in identity risk, to investigate and monitor potential identity theft. ID Analytics provides identity risk services to many of the country's largest banks and telecommunication companies, as well as government agencies. Following its initial evaluation, ID Analytics found no evidence of identity theft as a result of this data breach. We will retain its services on an ongoing basis to support your TD AMERITRADE accounts and to monitor for evidence of identity theft. We will alert and advise you if any is found. As always, we encourage you to remain alert in guarding your personal information, regularly review your account statements and monitor your credit activity from the major reporting agencies.

For more information on protecting yourself against the possibility of security threats, please visit our online Security Center.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your assets and information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and we will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Questions (FAQs) and an additional message from me, please go to www.amtd.com or contact Client Services. Please note that we are anticipating increased call volume during this period, which may lead to long wait times. We encourage you to review the FAQs and, if you have a question, to log on to your account and send us a secure email. Once again, please be assured that your assets are secure at TD AMERITRADE.

Sincerely,
Joe Moglia
CEO
TD AMERITRADE


Friday, August 24, 2007

Roll Your Own Firewall, Part II

The 12U rack arrived this week and I assembled it in about 15 minutes. Due to its small size, the rack will fit under most desks. I hesitated on pulling the trigger on the purchase of the 1GHz VIA 1U bare bones system. I wanted to look for a cheaper/"better" solution. I even looked at FPGA development kits, but quickly concluded that anything I chose would only be cost effective in large quantities. After some serious research, it appears that the quiet, passively cooled VIA processor is exactly what I want. The 1GHz VIA combo is powered by a passively cooled x86 processor that uses just 7W at clock speeds up to 1GHz. The chips also feature hardware-based AES encryption and dual Random Number Generators (RNGs). With a powered disk drive, the entire unit can pull less than 50 W -- that is less than most light bulbs. Additionally, I believe I will have enough CPU left over to make the server an Asterisk/VoIP server as well. So, the evil plan is now:
  • Purchase the 1U/1GHz VIA server
  • Install Linux from scratch
  • Install/set up SmoothWall
  • Install/set up Asterisk


Tuesday, August 21, 2007

Roll Your Own Firewall, Part I

Now that my rack is ordered and on the way, I pondered the value of rolling my own dedicated 1U firewall/VPN appliance. Given how fragile the Linksys and Netgear firewall/VPN routers I have used have been, I decided I wanted my own dedicated perimeter firewall, with the following requirements:
  • Cost. The entire solution must be under $500. My expense policy is that anything under $500 can be expensed, rather than depreciating it on a schedule.
  • Heat. Currently my computers are clustered together in my home office, which lacks a separate air conditioner. Adding a stack of 350 watt servers is not an option I would look forward to. If at all possible, I would like it to be a nice, quiet embedded server.
  • Linux. As a Microsoft Partner, I would love to have used ISA server – and written a step by step guide to doing it. However, it wasn't included in my stack of DVDs, and the thought of installing Windows 2003 headless was a little daunting. As a result, I chose to go with Linux. ISA server can be used here as well.

Firewall Hardware Requirements

The only reasonable article I could find about right-sizing the hardware gives the minimum tested requirements for implementing Microsoft ISA server. Given my experience, the Linux requirements should be about the same, if not more lenient. My own network is currently connected to the Internet via a 6 Mbps interface (DSL or cable). Given a throughput in the range of 3 Mbps to 44 Mbps, the minimum requirements are (drum roll please) -- one computer, Pentium III, 550 MHz processor. This should satisfy a T3 connection to the Internet. You do remember the Pentium III computers, right? Well, translated into layman's terms, almost anything will do. Since I want a low-power, quiet embedded computer, that leaves quite a few choices. After much searching I have narrowed the field down to the Halcom 1U Rackmount VIA 1Ghz Nehemiah Padlock 3-LAN Firewall/VPN/VoIP Platform. It is a 1U case which contains a VIA C3 running at 1GHz. In addition, there are 3 LAN ports onboard. So far it is at the top of my list, while I continue to search for a cheaper solution.
