It's dangerously close to a passive-agressive pitchfork mob, but I propose that many people start tweeting to greek banks regarding their SSL configurations. The National Greek Bank, for example, scores an F on the SSL Labs Test because they are using TLS 1.0 and are vulnerable to POODLE:
Let's be crystal-clear: All of these fail PCI compliance, because they have RC4 enabled. These sites have no business processing anything, let alone personal or financial info.
Yeah. Worse, if RC4 being enabled was the only problem, it would be bad, but somewhat reasonable, as RC4 only recently became known to be weak. But POODLE? FREAK? TSL1.0? All the other crap? Absolutely incredible.
As an aside, bank websites don't necessarily fall in-scope for PCI.
I worked for a small credit union, and we were beholden to our state auditors, FFIEC guidance, and the like -- but PCI simply wasn't a thing we worried about.
Interesting. I know far, far less about the regulatory side than the practical side. I gather it's focused mainly on merchants, but the card providers themselves founded it?
I'm not sure what I can say except not every bank seems to share that view (although as said in other comments, quite a few banks do indeed have paleolithic systems in unexpected places, and that tends to extend to their security practices - I am not able to name any names, but I can wave in the vague general direction of things which involve VAXen, COBOL and DES-and-I-don't-mean-3DES, all of which thankfully predate me). But I'm not exactly familiar with US banking practices (thankfully): did the credit union just not issue any Visa/Mastercard/etc cards? Huh.
True, but this is because a large number of credit unions don't issue Visa / Mastercard credit cards directly; typically they do it through their banking partners (who are registered as banks as opposed to credit unions who for almost all cases are not banks), if they do it at all.
I usually complain when some site uses RC4 and I can't access it, but unlike the OP I don't do that via twitter
(one reason is that I don't even have an account there).
I've sent 2 emails regarding the use of ONLY RC4 on payment sites in my country, and although such emails aren't always acknowledged they did get fixed after I CC-ed their PCI auditors [1] :)
It was, part of it. RC4 had a CVE score below 4 (which many interpreted as an issue they could argue around, i.e. "we need to support Windows XP!"), but BEAST had a score above 4 (auto-fail). And what was the (horrible!) recommendation people got when asking how to mitigate BEAST but still let Windows XP connect? That's right: RC4.
That excuse has gone, on two counts. RC4's now thoroughly toast, and Windows XP's unsupported - and now finds itself without any secure ciphers at all.
Not long now. I think that will mostly depend on whether they give the issues a name and a logo! <g> (Seriously though, that does seems to get people off their arses!)
You might want to get ready to change passwords for sites that have used RC4 in the past. Or, despite as much warning as anyone can give, are inexplicably still using it.
I work in security/privacy/premium snake oil trade. Bank security (and software in general) is _usually_ a joke. The main reason for not fucking with a bank is the same why you wouldn't fuck with casinos, or the mob.
20+ years I had some security discussions with a major exchange in the USA. In the same building were offices of Goldman Sachs and another bank (Morgan or Merril, don't remember). Anyway there was a single thinnet (10base2 ethernet) that connected them to the exchange. Yep, a quick sniff showed that everyone could see everyone else's traffic.
My contacts were genuinely surprised that this was even possible. But also I was told there would be no contract if I mentioned this to upper management in my report.
Why wouldn't I, from the other side of the world, from the wifi connection of a coffee shop on the other side of town, bounced through a couple VPNs? It's one thing if I have to walk inside the casino, but the internet isn't like that.
No, that that bank on the other side of the world is likely insured by a company in the US. The global financial system is intricately linked, and the bankers and insurance companies effectively run the global economy. Given that, do you think it's really a huge stretch to think that three letter agencies from the US - the ones with documented capabilities to de-anonymize your VPNs if your OpSec is even a little sloppy - might get involved? Jurisdiction wouldn't be an issue if the bank asked them for help.
There are many ways to ensure security: one is technical, and another is investigative. The amount of resources a bank can bring to bear on you if you steal money from them is immense - IMO it's just best not to mess with that shit. It may have been true at one time that you could outsmart the banks and get away with it, but there are just too many smart people watching anymore.
My other personal analysis, from looking at banks in a third world county, is that you can't easily get away with enough to make it worthwhile. Sure, it'd probably be trivial to get money moved around inside the bank's own system. But getting it out from there seems to involve actual competent actors that aren't third world. Getting it out directly from the bank also seemed unlikely, because they manually check things for such low amounts.
The problem is cashing out. Any method of transferring the money to somewhere you can spend it (including Bitcoin) is going to require an identity. Not impossible, but certainly not as easy as Tor.
You're all talking about the bank's response - but I actually think his employer's reaction was worse.
Threatening to fire him for a tweet from a personal account? What Kafkaesque bullshit is this? Frankly, I'd be taking them to a tribunal - and I'm an employer. The idea of pulling that kind of shit on anyone fills me with disgust.
"Some guy who is wrong is threatening to beat me up unless I hit you or you change your tweet"
It's not like the employer said "you wrote an unfriendly tweet now you are fired!" The bank was threatening the employer with legal action unless action was taken.
Yeah, and any employee with a shred of self respect would tell the bank to go hang. I've had clients complain about what staff say on social media (not about clients or work!), I just tell them it's none of their or my business, and if they really care, get your lawyers in touch.
But what kind of case could the bank possibly have against his employer of all people? I would think that any sane judge would dismiss that case as completely ridiculous pretty quickly. His employer is just as much at fault for being spineless and not sticking up for their employee who did nothing wrong as the bank is for harassing him.
I would sooner expect a bank to accidentally share their private key on social media. Banks aren't bad at security by accident. They don't have good, solid security people working for them being held back by management (as some industries do). Banks take the long view on most things and are ill-prepared for dealing with something like security, where the situation changes moment by moment. They are also extremely loathe (more than most industries I would say) to spend a penny on anything which they can not predict a tangible return on investment.
Hmm.. with the large number of security firms popping up every day, has anyone actually done some studies and statistical analysis so that it can be said "If you save $200,000 this year by not hiring a competent security professional, there is a 30% chance your bank will lose more than $10 million in either direct intrusion or public scandal"? That is the sort of thing a banker needs to hear before he can determine whether it is actually WORTH being safe. And even then... hiring competent security people is really hard. How is a normal HR person supposed to be able to judge whether an applicant is competent?
The response he got was the banks starting fixed their problems. He had one group of banks that he classified as you should stay away from. All those banks fixed things so they are not longer in that category
Interestingly, Nordea, which gets an A- in Sweden, still gives an F for their front page in Finland. So it looks that even if the same bank operates with the same brandname, the security level may be quite different.
Their internet banking front page domain name has a different environment which gets a B, but most people go to it via the front page that is still vulnerable to POODLE and what not.
> Firefox suggests some security concerns in the firefox console on both sites. Especially about how weak is sha1 algorithm. Both sites have a 2048 public cert, the one use TLS1.2 but the other TLS1.0 and one of them have a 128bit private key size. You all understand that from a security point of view, these things arent best practices. Especially if you are a bank !
128 bits for symmetric key ciphers is actually fine. Especially with AES.
TLS1.0 and SHA1 certificates? I'd expect better.
> The second bank has also a cross site javascript script and that’s for sure not a best practice. Again that’s not a security hole. They just pull a javascript from their official web page (although a different url/domain from their web banking).
It's a "128 bits private key", what means it's assymetric. I fully expect it to be an RSA key, but even for ECC that's at least half the size of something that could be considered secure.
TLS uses several algorithms, almost always both asymmetric and symmetric algorithms, in every session. For example, my current connection to HN is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. And that does mean that our underlying session key is 128 bits, independent of the size of HN's public key (which turns out to be 2048 bits).
There is a possible argument that a 128-bit AES key and a 2048-bit RSA key are mismatched, but a 1024-bit RSA key is clearly known to be dangerous now, while the same is not at all true for a 128-bit AES key.
Symmetric encryption does not have the concept of a "private key". A 128 bits private key in TLS can only vary from almost useless (if it's some ECC algorithm) to completely useless (in case it's RSA).
Too bad (but understandable) that the article does not give any detail. About a decade ago, 128 bits RSA keys were widely used (but not recommended anymore), I wouldn't be surprised to discover a bank didn't change their security procedures since then.
> Symmetric encryption does not have the concept of a "private key".
In the early days of public key cryptography, the NSA referred to it as "non-private key cryptography".
Even today, people often refer to symmetric vs asymmetric and private vs public interchangeably. (Yes, it can cause confusion and you will probably never see professional cryptographers like Bernstein, Green, Lange, Schwabe, Schneier, or Wilcox-O'hearn refer to it that way.)
Tad ironic seeing as one of the last sentences in the blog post is: "Hope this blog post stays up for some time." I hope the site is not down because his domain/hosting got "convinced" by the legal department of the bank.
It's more than ironic. I'm actually concerned about this guy. It appears he might be in the cross-hairs of some individuals who are willing to leverage whatever they have at their disposal to shut him up and maybe make an example out of him.
This is an excellent example of why censorship resistant name resolution and hosting are so necessary. With projects like Namecoin and Freenet, this wouldn't be a problem.
As a Greek, I find that rather unlikely, not only is this sort of censorship rare, but the government is too inefficient to get something done this quickly (or at all) even if they wanted to. I'm fairly sure this is just heavy load.
No, he writes that there were SSL related problems with two banks.
The first one was the National Bank of Greece. They contacted him directly and were nice about it.
The second bank was the one that showed this appalling behaviour and isn't mentioned in his blog post, probably out of fear.
I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue. Freedom of speech refers to government restrictions on limiting the right to voice your opinion. The government wasn't involved and he didn't legally have to remove the tweet (but I would have removed the tweet as well if it threatened my job). I totally support the author, but this is not a freedom of speech problem. Sometimes we limit what we say because there can be negative consequences that have nothing to do with the government.
I recommend creating an anonymous Twitter account to remove negative pressure that can affect employment.
> I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue.
I don't agree. In US terms, "Freedom of Speech" appears to be framed only in terms of the rights of someone relative to the government.
But in the UK, we don't have a first amendment, or even a written constitution. I would find it absolutely normal for someone to discuss freedom of speech issues about wider things than simply government overreach. In fact, the opposite is just as likely to be true: freedom of speech can be curtailed by things like private injunctions or the lack of space where it's safe to speak, which may be occuring due to lack of government action or regulation.
Freedom of Speech is a phrase that I've always thought has a wider application than it appears limited to in the US, where it seems mixed up with a lot of politics that don't appear anywhere else.
Anyway, just my opinion from the UK. I think this is very much something that can be discussed in terms of freedom of speech in the wider (non-US) sense, due to the power disparity of the actors being used (if true) to quash speech that would otherwise be freely available - and, given Greece is in Europe, I believe the author is right to frame it in those terms.
About that, when somebody threatens to sue a person and that is a credible threat, it's because the government is involved.
The minimum guarantee of a democratic legal system is that for an innocent that phrase isn't a threat. If there is no guarantee, it's not a democratic system.
Necessary conditions to ensure an innocent person need not feel threatened by the prospect of litigation include a time, money and irritation-free trial process and omniscient judges.
Your "minimum guarantee of a democratic legal system" is an impossibility, unless tort law is altogether abolished, and good luck seeking democratic approval for that...
There are several ways to make it happen in practice (where things are not boolean).
Imposing penalties to the suing party on stupid cases is one such way. One can also make the legal system cheaper, make it less irritating (as most of the irritation is accidental), level the playing field for people against giant corporations (and, while we are at that, also level for small corporations against big corporations)... There are probably hundreds of other actions that'll help, if none are taken, it's a huge sign that a legal system is already brought.
The idea that "freedom of speech" only applies to government actions is common, but nonsensical. Constitutional protection of that freedom only applies to the government, but that doesn't mean another entity taking the same actions isn't also abridging your freedom of speech, even in the US — it's just that the Bill of Rights was focused on limiting the government's power, not any other entity's, so it only prevents the government from abridging your freedom of speech.
It's worth noting, particularly given where the story occurred, that this is a US-centric take on what "Freedom of Speech" means, and really doesn't generalize well.
https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr
their twitter account is: https://twitter.com/ibanknbg
EDIT: The most effective outreach will be friendly and respectful, if anyone chooses to do this. Also, all the other major greek banks score poorly:
Piraeus Bank Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusba... twitter:https://twitter.com/skepsouprasina
Alpha Bank: B https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&... twitter: https://twitter.com/alpha_bank
Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter:https://twitter.com/Eurobank_Group