It's dangerously close to a passive-aggressive pitchfork mob, but I propose that many people start tweeting to Greek banks regarding their SSL configurations. The National Greek Bank, for example, scores an F on the SSL Labs Test because they are using TLS 1.0 and are vulnerable to POODLE:
Let's be crystal-clear: All of these fail PCI compliance, because they have RC4 enabled. These sites have no business processing anything, let alone personal or financial info.
You're all talking about the bank's response - but I actually think his employer's reaction was worse.
"Some guy who is wrong is threatening to beat me up unless I hit you or you change your tweet"
I would sooner expect a bank to accidentally share their private key on social media. Banks aren't bad at security by accident. They don't have good, solid security people working for them being held back by management (as some industries do). Banks take the long view on most things and are ill-prepared for dealing with something like security, where the situation changes moment by moment. They are also extremely loath (more than most industries I would say) to spend a penny on anything which they cannot predict a tangible return on investment.
Interestingly, Nordea, which gets an A- in Sweden, still gets an F for their front page in Finland. So it looks like even if the same bank operates under the same brand name, the security level may be quite different.
> Firefox suggests some security concerns in the Firefox console on both sites, especially about how weak the SHA1 algorithm is. Both sites have a 2048-bit public cert; one uses TLS 1.2 but the other TLS 1.0, and one of them has a 128-bit private key size. You all understand that from a security point of view, these things aren't best practices. Especially if you are a bank!
It's a "128 bits private key", which means it's asymmetric. I fully expect it to be an RSA key, but even for ECC that's at least half the size of something that could be considered secure.
Tad ironic seeing as one of the last sentences in the blog post is: "Hope this blog post stays up for some time." I hope the site is not down because his domain/hosting got "convinced" by the legal department of the bank.
I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue. Freedom of speech refers to government restrictions on limiting the right to voice your opinion. The government wasn't involved and he didn't legally have to remove the tweet (but I would have removed the tweet as well if it threatened my job). I totally support the author, but this is not a freedom of speech problem. Sometimes we limit what we say because there can be negative consequences that have nothing to do with the government.
> I support the author and what the bank did is just absolutely wrong and outrageous, but I just want to clarify that this is not a freedom of speech issue.
The idea that "freedom of speech" only applies to government actions is common, but nonsensical. Constitutional protection of that freedom only applies to the government, but that doesn't mean another entity taking the same actions isn't also abridging your freedom of speech, even in the US — it's just that the Bill of Rights was focused on limiting the government's power, not any other entity's, so it only prevents the government from abridging your freedom of speech.
It's worth noting, particularly given where the story occurred, that this is a US-centric take on what "Freedom of Speech" means, and really doesn't generalize well.
He simply played chicken with an opponent that has a way bigger political/legal car.
spectre256|11 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr
their twitter account is: https://twitter.com/ibanknbg
EDIT: The most effective outreach will be friendly and respectful, if anyone chooses to do this. Also, all the other major Greek banks score poorly:
Piraeus Bank Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusba... twitter: https://twitter.com/skepsouprasina
Alpha Bank: B https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&... twitter: https://twitter.com/alpha_bank
Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter: https://twitter.com/Eurobank_Group
AlyssaRowan|11 years ago
Yes, having RC4 enabled is now an instant PCI compliance fail as it has a die-die-die RFC and as a result NIST changed it, on request, to a CVE grade above a 4.0 - https://tools.ietf.org/html/rfc7465 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-25... - web browsers have already started turning it off.
simi_|11 years ago
I work in the security/privacy/premium snake oil trade. Bank security (and software in general) is _usually_ a joke. The main reason for not fucking with a bank is the same as why you wouldn't fuck with casinos, or the mob.
ChrisClark|11 years ago
By listing the nice bank's twitter first, you're going to cause a backlash against the one that actually responded nicely.
yuhong|11 years ago
This one is interesting, as it shows IIS 5.0 (Win2000 SChannel) affected by POODLE TLS.
yuhong|11 years ago
madaxe_again|11 years ago
Threatening to fire him for a tweet from a personal account? What Kafkaesque bullshit is this? Frankly, I'd be taking them to a tribunal - and I'm an employer. The idea of pulling that kind of shit on anyone fills me with disgust.
wodenokoto|11 years ago
It's not like the employer said "you wrote an unfriendly tweet now you are fired!" The bank was threatening the employer with legal action unless action was taken.
simonmales|11 years ago
Marketing opportunity for other banks to jump on the bandwagon and share their public keys on social media.
otakucode|11 years ago
Hmm.. with the large number of security firms popping up every day, has anyone actually done some studies and statistical analysis so that it can be said "If you save $200,000 this year by not hiring a competent security professional, there is a 30% chance your bank will lose more than $10 million in either direct intrusion or public scandal"? That is the sort of thing a banker needs to hear before he can determine whether it is actually WORTH being safe. And even then... hiring competent security people is really hard. How is a normal HR person supposed to be able to judge whether an applicant is competent?
ExpiredLink|11 years ago
It's a Greek bank. They couldn't care less about 'bad publicity' nowadays.
agumonkey|11 years ago
cordite|11 years ago
WizKid|11 years ago
The response he got was the banks starting to fix their problems. He had one group of banks that he classified as ones you should stay away from. All those banks fixed things, so they are no longer in that category.
ptaipale|11 years ago
Their internet banking front page domain name has a different environment which gets a B, but most people go to it via the front page that is still vulnerable to POODLE and what not.
some_furry|11 years ago
128 bits for symmetric key ciphers is actually fine. Especially with AES.
TLS1.0 and SHA1 certificates? I'd expect better.
> The second bank also has a cross-site JavaScript script, and that's for sure not a best practice. Again, that's not a security hole. They just pull a JavaScript from their official web page (although a different url/domain from their web banking).
Yay, watering hole attack vectors.
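The points raised in this subthread and in the RC4/PCI comment above (RC4 prohibited by RFC 7465, SSLv3 meaning POODLE exposure, TLS 1.0 still offered, SHA-1 certificate signatures, an undersized public key, and scripts pulled from another origin) can be turned into a small policy check. This is an added example, not code from the thread or from SSL Labs; the input record and the hostnames are constructed, and the letter grade is a crude stand-in for SSL Labs' real algorithm.

```python
# Policy rules distilled from the discussion: RC4 (RFC 7465 / PCI fail), SSLv3
# (POODLE), TLS 1.0, SHA-1 or MD5 certificate signatures, undersized keys, and
# scripts loaded from other origins (watering-hole exposure). Added example.
from urllib.parse import urlsplit
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}  # assumed floors, not SSL Labs' thresholds

def check_tls_config(site):
    """Evaluate one scan record (a dict); returns a list of (severity, finding)."""
    findings = []
    protocols = set(site.get("protocols", []))
    if "SSLv3" in protocols:
        findings.append(("fail", "SSLv3 offered: exposed to POODLE"))
    if "TLSv1.0" in protocols:
        findings.append(("warn", "TLS 1.0 still offered"))
    rc4 = [c for c in site.get("ciphers", []) if "RC4" in c.upper()]
    if rc4:
        findings.append(("fail", "RC4 enabled (%s): prohibited by RFC 7465, PCI fail" % ", ".join(rc4)))
    sig = site.get("cert_signature", "").upper()
    if "SHA1" in sig or "MD5" in sig:
        findings.append(("warn", "certificate signed with " + sig))
    key_type = site.get("key_type", "RSA").upper()
    key_bits = int(site.get("key_bits", 0))
    if key_bits < MIN_KEY_BITS.get(key_type, 2048):
        findings.append(("fail", "%s public key is only %d bits" % (key_type, key_bits)))
    own_host = site["host"].lower()
    for url in site.get("script_urls", []):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("fail", "script loaded over plain HTTP: " + url))
        elif (parts.hostname or "").lower() != own_host:
            # A compromise of that other origin compromises the banking page itself.
            findings.append(("warn", "cross-origin script (watering-hole exposure): " + url))
    return findings

def grade(findings):
    """Crude letter grade (not SSL Labs' algorithm): any fail is F, only warnings B, clean A."""
    severities = {sev for sev, _ in findings}
    if "fail" in severities:
        return "F"
    return "B" if "warn" in severities else "A"

# Constructed sample record standing in for scanner output; not real bank data.
SAMPLE_SITE = {"host": "ebanking.example", "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
               "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "RC4-MD5"],
               "cert_signature": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 2048,
               "script_urls": ["https://www.example/widgets/menu.js"]}

if __name__ == "__main__":
    print(SAMPLE_SITE["host"], grade(check_tls_config(SAMPLE_SITE)))
    for sev, text in check_tls_config(SAMPLE_SITE):
        print("  [%s] %s" % (sev.upper(), text))
```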
marcosdumay|11 years ago
yuhong|11 years ago
jvehent|11 years ago
Some of these sites have large user bases too, and it's making it hard to disable RC4 in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1138101
walterbell|11 years ago
Is there a browser plugin that could report on SSL health in real-time, when visiting a site?
andrewrice|11 years ago
mod|11 years ago
http://webcache.googleusercontent.com/search?q=cache:BJedQ1n...
zo1|11 years ago
sandstrom|11 years ago
It has a built-in 'tweet to this entity' link, similar to what this guy did by himself.
Perhaps someone can open a Greek sub-section on the site, with links to these banks.
https://httpswatch.com/global
woah|11 years ago
StavrosK|11 years ago
cgtyoder|11 years ago
BillyBob1|11 years ago
[deleted]
VieElm|11 years ago
I recommend creating an anonymous Twitter account to remove negative pressure that can affect employment.
summerdown2|11 years ago
I don't agree. In US terms, "Freedom of Speech" appears to be framed only in terms of the rights of someone relative to the government.
But in the UK, we don't have a first amendment, or even a written constitution. I would find it absolutely normal for someone to discuss freedom of speech issues about wider things than simply government overreach. In fact, the opposite is just as likely to be true: freedom of speech can be curtailed by things like private injunctions or the lack of space where it's safe to speak, which may be occurring due to lack of government action or regulation.
Freedom of Speech is a phrase that I've always thought has a wider application than it appears limited to in the US, where it seems mixed up with a lot of politics that don't appear anywhere else.
Anyway, just my opinion from the UK. I think this is very much something that can be discussed in terms of freedom of speech in the wider (non-US) sense, due to the power disparity of the actors being used (if true) to quash speech that would otherwise be freely available - and, given Greece is in Europe, I believe the author is right to frame it in those terms.
marcosdumay|11 years ago
About that, when somebody threatens to sue a person and that is a credible threat, it's because the government is involved.
The minimum guarantee of a democratic legal system is that for an innocent that phrase isn't a threat. If there is no guarantee, it's not a democratic system.
chc|11 years ago
ska|11 years ago
unknown|11 years ago
[deleted]
unknown|11 years ago
[deleted]
lotsofmangos|11 years ago
And how is that not to do with money? Banks don't have political and legal clout from factors like posh parentage or celebrity, they have it from being very rich.