Bank harasses user because he tweeted screenshot of their SSL certificate
ebalaskas.gr
It's dangerously close to a passive-aggressive pitchfork mob, but I propose that many people start tweeting to greek banks regarding their SSL configurations. The National Greek Bank, for example, scores an F on the SSL Labs Test because they are using TLS 1.0 and are vulnerable to POODLE:
https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr
their twitter account is: https://twitter.com/ibanknbg
EDIT: The most effective outreach will be friendly and respectful, if anyone chooses to do this. Also, all the other major greek banks score poorly:
Piraeus Bank Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusba... twitter: https://twitter.com/skepsouprasina
Alpha Bank: B https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&... twitter: https://twitter.com/alpha_bank
Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter: https://twitter.com/Eurobank_Group
Let's be crystal-clear: All of these fail PCI compliance, because they have RC4 enabled. These sites have no business processing anything, let alone personal or financial info.
Yes, having RC4 enabled is now an instant PCI compliance fail as it has a die-die-die RFC and as a result NIST changed it, on request, to a CVE grade above a 4.0 - https://tools.ietf.org/html/rfc7465 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-25... - web browsers have already started turning it off.
Yeah. Worse, if RC4 being enabled was the only problem, it would be bad, but somewhat reasonable, as RC4 only recently became known to be weak. But POODLE? FREAK? TLS 1.0? All the other crap? Absolutely incredible.
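As an added example (my code, not part of the thread and not SSL Labs' grading algorithm), here is the kind of check the comments above are making, written over a constructed summary of what a server advertises: its protocol versions and cipher suite names. It flags SSLv3 (POODLE), TLS 1.0, RC4 (RFC 7465), export-grade suites (FREAK) and DES, and separately calls out a server that offers RC4 and nothing else. The input shape and the "fail"/"warn" labels are this example's own conventions.

```python
"""Flag the TLS configuration weaknesses discussed in the thread.

Added example, not code from the original page. The input is a constructed
summary of what a server advertises (protocol versions and cipher suite
names, as a scanner like SSL Labs or `openssl s_client` would report);
the severity labels "fail"/"warn" are this example's own convention.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "fail" or "warn"
    item: str      # protocol version or cipher suite that triggered it
    reason: str


def audit_tls(protocols, ciphers):
    """Return a list of Findings for the advertised protocols and ciphers."""
    findings = []
    offered = set(protocols)

    # Protocol versions: SSLv3 is the POODLE padding-oracle target; TLS 1.0 is
    # what the SSL Labs results above get marked down for.
    if "SSL 2.0" in offered:
        findings.append(Finding("fail", "SSL 2.0", "obsolete, prohibited by RFC 6176"))
    if "SSL 3.0" in offered:
        findings.append(Finding("fail", "SSL 3.0", "CBC padding oracle (POODLE); prohibited by RFC 7568"))
    if "TLS 1.0" in offered:
        findings.append(Finding("warn", "TLS 1.0", "deprecated; PCI DSS 3.1 requires a migration plan away from it"))
    if not offered & {"TLS 1.2", "TLS 1.3"}:
        findings.append(Finding("fail", "protocols", "no TLS 1.2 or later offered"))

    # Cipher suites: RC4 anywhere is a fail; RC4-only locks out clients that drop it.
    rc4 = [c for c in ciphers if "RC4" in c]
    for c in rc4:
        findings.append(Finding("fail", c, "RC4 is prohibited by RFC 7465; browsers are disabling it"))
    if rc4 and len(rc4) == len(ciphers):
        findings.append(Finding("fail", "cipher list",
                                "RC4 is the ONLY cipher offered; clients without RC4 cannot connect at all"))
    for c in ciphers:
        if "EXPORT" in c:
            findings.append(Finding("fail", c, "export-grade key sizes; enables the FREAK downgrade"))
        if "_NULL_" in c:
            findings.append(Finding("fail", c, "no encryption"))
        if "_DES_" in c:  # single DES; the substring does not match "_3DES_"
            findings.append(Finding("fail", c, "56-bit DES key"))
        elif "3DES" in c:
            findings.append(Finding("warn", c, "64-bit block cipher; retire in favour of AES"))
    if ciphers and not any(c.startswith(("TLS_ECDHE_", "TLS_DHE_")) for c in ciphers):
        findings.append(Finding("warn", "cipher list", "no forward-secret (ECDHE/DHE) suite offered"))
    return findings


def verdict(findings):
    """Collapse findings to "fail", "warn" or "pass" (worst severity wins)."""
    severities = {f.severity for f in findings}
    if "fail" in severities:
        return "fail"
    if "warn" in severities:
        return "warn"
    return "pass"


if __name__ == "__main__":
    # Constructed sample resembling a legacy configuration; not a real scan result.
    legacy = audit_tls(
        ["SSL 3.0", "TLS 1.0"],
        ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"],
    )
    for f in legacy:
        print(f"{f.severity.upper():4} {f.item}: {f.reason}")
    print("verdict:", verdict(legacy))
```

A server offering only TLS 1.2 with an ECDHE AES-GCM suite produces no findings; the constructed legacy sample fails on SSLv3, both RC4 suites and the export suite, and additionally gets warnings for TLS 1.0 and the absence of forward secrecy.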
As an aside, bank websites don't necessarily fall in-scope for PCI.
I worked for a small credit union, and we were beholden to our state auditors, FFIEC guidance, and the like -- but PCI simply wasn't a thing we worried about.
Interesting. I know far, far less about the regulatory side than the practical side. I gather it's focused mainly on merchants, but the card providers themselves founded it?
I'm not sure what I can say except not every bank seems to share that view (although as said in other comments, quite a few banks do indeed have paleolithic systems in unexpected places, and that tends to extend to their security practices - I am not able to name any names, but I can wave in the vague general direction of things which involve VAXen, COBOL and DES-and-I-don't-mean-3DES, all of which thankfully predate me). But I'm not exactly familiar with US banking practices (thankfully): did the credit union just not issue any Visa/Mastercard/etc cards? Huh.
True, but this is because a large number of credit unions don't issue Visa / Mastercard credit cards directly; typically they do it through their banking partners (who are registered as banks as opposed to credit unions who for almost all cases are not banks), if they do it at all.
Yea, I hope PCI DSS clarifies this matter soon.
For a long time I thought PCI DSS/NVD was the culprit for all RC4 on payment sites, but luckily this was solved, I see they updated the score on 03/12/2015: https://code.google.com/p/chromium/issues/detail?id=375342#c... https://code.google.com/p/chromium/issues/detail?id=375342#c...
I usually complain when some site uses RC4 and I can't access it, but unlike the OP I don't do that via twitter (one reason is that I don't even have an account there).
I've sent 2 emails regarding the use of ONLY RC4 on payment sites in my country, and although such emails aren't always acknowledged they did get fixed after I CC-ed their PCI auditors [1] :)
[1] which you can find publicly on Visa's site at 'PCI DSS validated Member Agent Weblisting' http://www.visaeurope.com/receiving-payments/security/downlo...
It was, part of it. RC4 had a CVE score below 4 (which many interpreted as an issue they could argue around, i.e. "we need to support Windows XP!"), but BEAST had a score above 4 (auto-fail). And what was the (horrible!) recommendation people got when asking how to mitigate BEAST but still let Windows XP connect? That's right: RC4.
That excuse has gone, on two counts. RC4's now thoroughly toast, and Windows XP's unsupported - and now finds itself without any secure ciphers at all.
It's zmap time…
Lets hope that the new RC4 attacks that will hit the news in a few weeks will help also.
Not long now. I think that will mostly depend on whether they give the issues a name and a logo! <g> (Seriously though, that does seems to get people off their arses!)
You might want to get ready to change passwords for sites that have used RC4 in the past. Or, despite as much warning as anyone can give, are inexplicably still using it.
https://twitter.com/ansimionescu/status/576425676036780032
I work in security/privacy/premium snake oil trade. Bank security (and software in general) is _usually_ a joke. The main reason for not fucking with a bank is the same why you wouldn't fuck with casinos, or the mob.
I used to write trading software - had test FIX accounts on live cbot, cme, xetra, Liffe, lme, etc.
Decided to see if I could still log in to any of them about a year ago. Still could on half of them. I left that gig a decade ago.
Oh, and a few of them have no trade limits or risk management.
Boggle.
20+ years ago I had some security discussions with a major exchange in the USA. In the same building were offices of Goldman Sachs and another bank (Morgan or Merrill, don't remember). Anyway there was a single thinnet (10base2 ethernet) that connected them to the exchange. Yep, a quick sniff showed that everyone could see everyone else's traffic.
My contacts were genuinely surprised that this was even possible. But also I was told there would be no contract if I mentioned this to upper management in my report.
There was no contract.
> you wouldn't fuck with casinos, or the mob.
Why wouldn't I, from the other side of the world, from the wifi connection of a coffee shop on the other side of town, bounced through a couple VPNs? It's one thing if I have to walk inside the casino, but the internet isn't like that.
No, that bank on the other side of the world is likely insured by a company in the US. The global financial system is intricately linked, and the bankers and insurance companies effectively run the global economy. Given that, do you think it's really a huge stretch to think that three letter agencies from the US - the ones with documented capabilities to de-anonymize your VPNs if your OpSec is even a little sloppy - might get involved? Jurisdiction wouldn't be an issue if the bank asked them for help.
There are many ways to ensure security: one is technical, and another is investigative. The amount of resources a bank can bring to bear on you if you steal money from them is immense - IMO it's just best not to mess with that shit. It may have been true at one time that you could outsmart the banks and get away with it, but there are just too many smart people watching anymore.
My other personal analysis, from looking at banks in a third world country, is that you can't easily get away with enough to make it worthwhile. Sure, it'd probably be trivial to get money moved around inside the bank's own system. But getting it out from there seems to involve actual competent actors that aren't third world. Getting it out directly from the bank also seemed unlikely, because they manually check things for such low amounts.
The problem is cashing out. Any method of transferring the money to somewhere you can spend it (including Bitcoin) is going to require an identity. Not impossible, but certainly not as easy as Tor.
The article states the the National Bank of Greece was the nice bank, NOT the one harassing him. It was the SECOND one that harassed him.
By listing the nice bank's twitter first, you're going to cause a backlash against the one that actually responded nicely.
You're right, I noticed that in the article. I'll reorder them. They still desperately need to fix their security though.
edit: whoops, looks like I can't edit it any more. Bummer.
> Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter: https://twitter.com/Eurobank_Group
This one is interesting, as it shows IIS 5.0 (Win2000 SChannel) affected by POODLE TLS.
That being said, www.eurobank.gr is just a redirect to http. The actual banking uses https://www.ssllabs.com/ssltest/analyze.html?d=https://ebank...
You're all talking about the bank's response - but I actually think his employer's reaction was worse.
Threatening to fire him for a tweet from a personal account? What Kafkaesque bullshit is this? Frankly, I'd be taking them to a tribunal - and I'm an employer. The idea of pulling that kind of shit on anyone fills me with disgust.
"Some guy who is wrong is threatening to beat me up unless I hit you or you change your tweet"
It's not like the employer said "you wrote an unfriendly tweet now you are fired!" The bank was threatening the employer with legal action unless action was taken.
Yeah, and any employee with a shred of self respect would tell the bank to go hang. I've had clients complain about what staff say on social media (not about clients or work!), I just tell them it's none of their or my business, and if they really care, get your lawyers in touch.
Nobody has.
But what kind of case could the bank possibly have against his employer of all people? I would think that any sane judge would dismiss that case as completely ridiculous pretty quickly. His employer is just as much at fault for being spineless and not sticking up for their employee who did nothing wrong as the bank is for harassing him.
I really hope the bank gets a lot of bad publicity out of this.
Marketing opportunity for other banks to jump on the bandwagon and share their public keys on social media.
I would sooner expect a bank to accidentally share their private key on social media. Banks aren't bad at security by accident. They don't have good, solid security people working for them being held back by management (as some industries do). Banks take the long view on most things and are ill-prepared for dealing with something like security, where the situation changes moment by moment. They are also extremely loath (more than most industries I would say) to spend a penny on anything which they can not predict a tangible return on investment.
Hmm.. with the large number of security firms popping up every day, has anyone actually done some studies and statistical analysis so that it can be said "If you save $200,000 this year by not hiring a competent security professional, there is a 30% chance your bank will lose more than $10 million in either direct intrusion or public scandal"? That is the sort of thing a banker needs to hear before he can determine whether it is actually WORTH being safe. And even then... hiring competent security people is really hard. How is a normal HR person supposed to be able to judge whether an applicant is competent?
> I really hope the bank gets a lot of bad publicity out of this.
It's a Greek bank. They couldn't care less about 'bad publicity' nowadays.
I wonder if they received help offers too. Shedding light on security holes is useful, but fixing them is even better.
Did the second (bad behaving) bank get named?
A friend went through the Swedish banks and ranked them (post in Swedish https://friendlybit.com/security/hur-sakra-ar-svenska-banker... and Google translate https://translate.google.com/translate?sl=auto&tl=en&js=y&pr... )
The response he got was the banks starting to fix their problems. He had one group of banks that he classified as ones you should stay away from. All those banks fixed things, so they are no longer in that category.
Interestingly, Nordea, which gets an A- in Sweden, still gives an F for their front page in Finland. So it looks that even if the same bank operates with the same brandname, the security level may be quite different.
Their internet banking front page domain name has a different environment which gets a B, but most people go to it via the front page that is still vulnerable to POODLE and what not.
Ditto for Denmark: https://www.ssllabs.com/ssltest/analyze.html?d=www.netbank.n...
> Firefox suggests some security concerns in the Firefox console on both sites, especially about how weak the SHA1 algorithm is. Both sites have a 2048 public cert; one uses TLS1.2 but the other TLS1.0, and one of them has a 128bit private key size. You all understand that from a security point of view, these things aren't best practices. Especially if you are a bank!
128 bits for symmetric key ciphers is actually fine. Especially with AES.
TLS1.0 and SHA1 certificates? I'd expect better.
> The second bank also has a cross-site javascript script, and that's for sure not a best practice. Again, that's not a security hole. They just pull a javascript from their official web page (although a different url/domain from their web banking).
Yay, watering hole attack vectors.
It's a "128 bits private key", which means it's asymmetric. I fully expect it to be an RSA key, but even for ECC that's at most half the size of something that could be considered secure.
TLS uses several algorithms, almost always both asymmetric and symmetric algorithms, in every session. For example, my current connection to HN is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. And that does mean that our underlying session key is 128 bits, independent of the size of HN's public key (which turns out to be 2048 bits).
There is a possible argument that a 128-bit AES key and a 2048-bit RSA key are mismatched, but a 1024-bit RSA key is clearly known to be dangerous now, while the same is not at all true for a 128-bit AES key.
Symmetric encryption does not have the concept of a "private key". A 128-bit private key in TLS can only vary from almost useless (if it's some ECC algorithm) to completely useless (in case it's RSA).
Too bad (but understandable) that the article does not give any detail. About a decade ago, 128-bit RSA keys were widely used (but not recommended anymore); I wouldn't be surprised to discover a bank didn't change their security procedures since then.
> Symmetric encryption does not have the concept of a "private key".
In the early days of public key cryptography, the NSA referred to it as "non-private key cryptography".
Even today, people often refer to symmetric vs asymmetric and private vs public interchangeably. (Yes, it can cause confusion and you will probably never see professional cryptographers like Bernstein, Green, Lange, Schwabe, Schneier, or Wilcox-O'Hearn refer to it that way.)
https://en.wikipedia.org/wiki/Symmetric-key_algorithm#cite_n...
The author had multiple errors; it isn't beyond the limits of intellectual generosity to assume they meant symmetric key instead of private key.
> A 128 bits private key in TLS can only vary from almost useless (if it's some ECC algorithm) to completely useless (in case it's RSA).
128 bit EdDSA would have about the same security as a 64 bit block cipher, which we would consider broken. So I'm in full agreement there.
128 bit RSA? Totally useless.
128 bit AES? Not a concern. Usually you look at the padding, block mode, and authentication instead.
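The comments above reason about three different keys in one TLS session (key exchange, the server's certificate key, and the bulk cipher) and about how a 128-bit figure means something completely different for each. As an added example, not from the thread, here is that reasoning as Python: it splits a classic TLS 1.2 suite name into its parts and rates each key in NIST SP 800-57's "bits of security" scale (RSA 1024/2048/3072 rate 80/112/128, elliptic curves about half their size, a symmetric cipher its key length), then takes the weakest link. The suite-name grammar and the default P-256 ephemeral curve are assumptions of this example.

```python
"""Effective strength of a TLS session as the weakest of its three keys.

Added example, not from the thread. Strengths follow NIST SP 800-57 Part 1
(Table 2): RSA / finite-field DH 1024->80, 2048->112, 3072->128 bits;
elliptic curves give about half the key size; a symmetric cipher gives its
key size. The suite grammar below covers the classic TLS 1.2 naming form;
the default ECDHE curve size of 256 bits (P-256) is an assumption.
"""
import re

# TLS_<kx>[_<auth>][_EXPORT]_WITH_<cipher>_<mac>, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?(?P<export>_EXPORT)?"
    r"_WITH_(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)

# (minimum key size, bits of security) for factoring / finite-field discrete log
_FACTORING_TABLE = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]


def asymmetric_strength(key_type, bits):
    """Bits of security for a public key; RSA below 1024 bits is rated as none."""
    if key_type in ("RSA", "DH", "DSS"):
        strength = 0
        for size, s in _FACTORING_TABLE:
            if bits >= size:
                strength = s
        return strength
    if key_type in ("ECDSA", "ECDH"):
        return bits // 2  # generic discrete-log attacks cost about 2^(n/2)
    raise ValueError(f"unknown key type: {key_type}")


def cipher_strength(cipher):
    """Bits of security for the bulk-cipher part of a suite name."""
    if cipher.startswith("NULL"):
        return 0
    if "RC4" in cipher:
        return 0  # prohibited by RFC 7465; its biases make the nominal key length meaningless
    if cipher.startswith("3DES"):
        return 112  # NIST rating for three-key triple DES
    if cipher.startswith("DES_"):
        return 56
    if cipher.startswith("CHACHA20"):
        return 256
    m = re.search(r"_(\d+)_", cipher + "_")  # AES_128_GCM -> 128
    return int(m.group(1)) if m else 0


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and MAC."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx = m["kx"]
    return {
        "kx": kx,
        # With static RSA/DH key exchange the certificate key is also the authentication key.
        "auth": m["auth"] or kx,
        "export": bool(m["export"]),
        "cipher": m["cipher"],
        "mac": m["mac"],
    }


def session_strength(suite, server_key_type, server_key_bits, ephemeral_bits=None):
    """Weakest link across key exchange, server authentication and bulk cipher."""
    s = parse_suite(suite)
    auth = asymmetric_strength(server_key_type, server_key_bits)
    if s["kx"] in ("ECDHE", "ECDH"):
        kx = asymmetric_strength("ECDH", ephemeral_bits or 256)
    elif s["kx"] in ("DHE", "DH"):
        kx = asymmetric_strength("DH", ephemeral_bits or 2048)
    else:  # RSA key transport: the certificate key itself protects the session key
        kx = auth
    if s["export"]:
        kx = min(kx, asymmetric_strength("RSA", 512))  # export suites cap RSA at 512 bits
    bulk = cipher_strength(s["cipher"])
    return {"key_exchange": kx, "authentication": auth, "bulk_cipher": bulk,
            "strength": min(kx, auth, bulk)}


if __name__ == "__main__":
    # The HN connection quoted above: ECDHE (P-256) + RSA-2048 + AES-128-GCM.
    print(session_strength("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "RSA", 2048))
    # The article's "128-bit private key", read as RSA and as ECDSA respectively.
    print(session_strength("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "RSA", 128))
    print(session_strength("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDSA", 128))
```

For the HN suite with an RSA-2048 certificate the weakest link is the 112-bit authentication key, not the 128-bit AES key, which is the "mismatch" mentioned above; swapping in RSA-1024 drops the session to 80 bits, a 128-bit RSA key to zero, and a 128-bit ECDSA key to about 64 bits, in line with the comparisons made in the comments. Any RC4 suite rates zero regardless of the certificate.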
Yea, more important is the RC4 at the top of the list with nbg.gr.
Along the same line, there are currently around 4,000 sites in Alexa's top 1 million that only support RC4. Nothing else.
Some of these sites have large user bases too, and it's making it hard to disable RC4 in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1138101
That list includes Priceline, Orbitz and American Airlines. Hard to believe.
Is there a browser plugin that could report on SSL health in real-time, when visiting a site?
Site seems to be down.
That's what google cache is for:
http://webcache.googleusercontent.com/search?q=cache:BJedQ1n...
Tad ironic seeing as one of the last sentences in the blog post is: "Hope this blog post stays up for some time." I hope the site is not down because his domain/hosting got "convinced" by the legal department of the bank.
It's more than ironic. I'm actually concerned about this guy. It appears he might be in the cross-hairs of some individuals who are willing to leverage whatever they have at their disposal to shut him up and maybe make an example out of him.
This is an excellent example of why censorship resistant name resolution and hosting are so necessary. With projects like Namecoin and Freenet, this wouldn't be a problem.
As a Greek, I find that rather unlikely, not only is this sort of censorship rare, but the government is too inefficient to get something done this quickly (or at all) even if they wanted to. I'm fairly sure this is just heavy load.
EDIT: Yeah, it's back up.
Someone created a site called https-watch, to list banks, government sites etc. that aren't using HTTPS properly but should be.
It has a built-in 'tweet to this entity' link, similar to what this guy did by himself.
Perhaps someone can open a Greek sub-section on the site, with links to these banks.
Which bank was it?
It doesn't look like anyone knows, but the author has mentioned it's NOT the National Bank of Greece.
National Bank of Greece (https://www.nbg.gr/en, @ibanknbg)
No, he writes that there were SSL related problems with two banks. The first one was the National Bank of Greece. They contacted him directly and were nice about it.
The second bank was the one that showed this appalling behaviour and isn't mentioned in his blog post, probably out of fear.
That's incorrect:
> The first bank contacted almost immediately with me and I respect National Bank of Greece for that.
What's incorrect?
If you read the article, the National Bank of Greece is not the one that harassed the author/their employer, the unnamed "second bank" did.
Interesting - looks like you are correct. Could have sworn it was different when I first read it!
Actually, to quote the article:
The first bank contacted almost immediately with me and I respect National Bank of Greece for that.
The second bank took another approach.
I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue. Freedom of speech refers to government restrictions on limiting the right to voice your opinion. The government wasn't involved and he didn't legally have to remove the tweet (but I would have removed the tweet as well if it threatened my job). I totally support the author, but this is not a freedom of speech problem. Sometimes we limit what we say because there can be negative consequences that have nothing to do with the government.
I recommend creating an anonymous Twitter account to remove negative pressure that can affect employment.
> I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue.
I don't agree. In US terms, "Freedom of Speech" appears to be framed only in terms of the rights of someone relative to the government.
But in the UK, we don't have a first amendment, or even a written constitution. I would find it absolutely normal for someone to discuss freedom of speech issues about wider things than simply government overreach. In fact, the opposite is just as likely to be true: freedom of speech can be curtailed by things like private injunctions or the lack of space where it's safe to speak, which may be occurring due to lack of government action or regulation.
Freedom of Speech is a phrase that I've always thought has a wider application than it appears limited to in the US, where it seems mixed up with a lot of politics that don't appear anywhere else.
Anyway, just my opinion from the UK. I think this is very much something that can be discussed in terms of freedom of speech in the wider (non-US) sense, due to the power disparity of the actors being used (if true) to quash speech that would otherwise be freely available - and, given Greece is in Europe, I believe the author is right to frame it in those terms.
> The government wasn't involved
About that, when somebody threatens to sue a person and that is a credible threat, it's because the government is involved.
The minimum guarantee of a democratic legal system is that for an innocent that phrase isn't a threat. If there is no guarantee, it's not a democratic system.
Necessary conditions to ensure an innocent person need not feel threatened by the prospect of litigation include a time, money and irritation-free trial process and omniscient judges.
Your "minimum guarantee of a democratic legal system" is an impossibility, unless tort law is altogether abolished, and good luck seeking democratic approval for that...
There are several ways to make it happen in practice (where things are not boolean).
Imposing penalties to the suing party on stupid cases is one such way. One can also make the legal system cheaper, make it less irritating (as most of the irritation is accidental), level the playing field for people against giant corporations (and, while we are at that, also level for small corporations against big corporations)... There are probably hundreds of other actions that'll help, if none are taken, it's a huge sign that a legal system is already brought.
The idea that "freedom of speech" only applies to government actions is common, but nonsensical. Constitutional protection of that freedom only applies to the government, but that doesn't mean another entity taking the same actions isn't also abridging your freedom of speech, even in the US — it's just that the Bill of Rights was focused on limiting the government's power, not any other entity's, so it only prevents the government from abridging your freedom of speech.
It's worth noting, particularly given where the story occurred, that this is a US-centric take on what "Freedom of Speech" means, and really doesn't generalize well.