It always amazes me that unknown (to me anyway) 'security firms' go around 'checking' on companies security, in all probability without asking for permission first, and yet they're portrayed as the hero when there are laws to prevent 3rd parties just poking around. Why are they exempt from the law when people like me would be banged up?
Fifty per cent of UK high street financial institutions utilise weak SSL certificates on their secure authentication portals, according to a new study by Xiphos Research. An assessment of 84 UK- and foreign-owned banking institutions in November by the international information security firm, and published on Monday, found …
Tuesday 5th January 2016 10:07 GMT Chris Harden
Tuesday 5th January 2016 10:33 GMT Joe Harrison
Intent doesn't always mean very much. I was shocked several years ago when a bloke got found guilty purely for editing a URL in his browser address bar because he suspected there was a security problem and then reporting it to the site owner.
And surely by definition anyone capable of taking part in an SSL or security-related thread on El Reg is almost certainly qualified by experience? Not having a CISSP badge doesn't mean not qualified.
Tuesday 5th January 2016 15:04 GMT Anonymous Coward
"I was shocked several years ago when a bloke got found guilty purely for editing a URL in his browser address bar because he suspected there was a security problem and then reporting it to the site owner."
I Googled his name. It was the Tsunami website that was a bit piss poor, run by British Telecom. He tried a directory traversal on it (e.g. http://theregister.co.uk/../. or some such), which BT logged as an attack. He'd just donated money, so it was trivial to track him down; they just pulled his address and credit card number.
UK law defines hacking as 'unauthorized use of a computer' but the definition of how that URL is turned into a web page is a defined web standard. He followed the web standard (directory traversals are allowed) and that forms the definition of 'authorized'. But the judge was technically incompetent sadly. Easily confused by the term 'directory traversal'.
Can you imagine trying to write a search engine in the UK? You'd be in jail for the web crawl, City of London police would seize your domain for indexing copyrighted content. Linking to infringing content would be defined as "conspiracy to defraud" by Judge Evans after secretly hearing evidence without the defence present (Anton Vickerman).
Tuesday 5th January 2016 10:50 GMT Doctor_Wibble
... and do they tell everyone afterwards?
> in all probability without asking for permission first
My question is whether they actually tell everyone they have 'probed' after they have done it, or just the ones with known vulnerabilities, or just the subset of those with vulnerabilities that they think will engage their consultancy services for apparently-urgent expensive work in the time between discovery and publication for all the script-kiddies to download.
Hi, I'm a security researcher and I have discovered a lucrative vulnerability in your corporate structure which I am prepared to help you close for a modest fee...
[ icon choice obvious given it's all about probing... ]
Wednesday 6th January 2016 00:34 GMT Captain DaFt
"It always amazes me that unknown (to me anyway) 'security firms' go around 'checking' on companies security, in all probability without asking for permission first"
And this is why it's hard to have nice things.
If they looked and found something, there's sure to be many, many more who've looked, said, "PAYDAY!" and got down to serious crime.
They don't get in trouble until/if they're eventually caught.
So naturally, people like you want the ones who look, find, and warn about problems arrested because then there'd be no problems, right?
Tuesday 5th January 2016 11:56 GMT Sproggit
And The Banks Don't Care
My bank is one of those UK financial institutions that use vulnerable cryptography. I have now contacted them across three separate occasions, going back almost a year, to warn them about the vulnerabilities. I have written emails and I have telephoned their customer services line and asked to be put through to technical support. All to no avail.
The best response I had came from a senior support supervisor, who took up my call after it was escalated from a first line specialist. After listening to me repeat my concern, their response was [and I'm paraphrasing since this was a while ago], "Look, Sir, we're very grateful that you've called and of course I'll pass the message along, but we employ top security professionals here. I know you're the customer and the customer is always supposed to be right, but what could you possibly know about cryptography - it's a very complex subject..."
To which my response was something along the lines of,
"Well, other than working in the field of IT Security for 20 years, other than being employed to set security policy for my employer and apart from holding a US Patent in cryptography, clearly I don't know enough to be able to call you and alert you to what I believe to be legitimate concerns in such a way that allows me to be taken seriously..."
They still weren't interested. If there was any practical way that I could function in our society without a bank account, I wouldn't have one...
Tuesday 5th January 2016 12:17 GMT Norm DePlume
Wednesday 6th January 2016 14:22 GMT Anonymous Coward
Re: And The Banks Don't Care
How many layers of organisation and different divisions do you think the call centre people are away from IT security in a large retail bank? There's no way the message is going to get through like that.
Unless you have a back-channel to someone who works in IT security at your bank via personal contacts, your options are:
- assume IT security for your bank know what they are doing, are working on it, but have not been able to get it fixed yet for whatever reason. Probably process, change control or politics.
- assume they don't know what they are doing, in which case your call..
Tuesday 5th January 2016 14:20 GMT Stevie
Tuesday 5th January 2016 22:54 GMT John Brown (no body)
"Kudos for the picture.
Dad's Army screenshot.
Walmington on Sea 333."
That sounds almost like it might have been a halfway amusing picture to head the article instead of the replacement, which appears to be a single key standing proud from a sea of keys. It's almost as bad as the BBC always showing an image of an RJ45 plug for every story about computers, networking or hacking.
Tuesday 5th January 2016 16:34 GMT Bawsnia2
Guys, I think we should all calm down a minute here. If you look at the report, they have cut and pasted a Qualys SSL Labs score. You don't need to poke around anyone's web infrastructure. Just put the URL into SSL Labs and they do it for you. By the way, you should do it with any https sites you host.
Anyway, cryptography relies on being open to be tested to death, so vulnerabilities are outed quickly. The fact that some banks are running with 3 year old vulnerabilities should be criminal.
It is not even difficult to protect against POODLE and CRIME. 3 seconds on Google will tell you all you need to know.
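As an added illustration (not from the thread, the report or any named bank), here is what the findings above look like in an nginx TLS block, with the weak settings beside a corrected version. Host name, file paths and the nginx/OpenSSL versions (1.13+/1.1.1+ for TLS 1.3) are assumptions.

```nginx
# Added example, not a real bank's configuration. Paths and host name are placeholders.

# --- weak: "vulnerable to POODLE, nothing newer than TLS 1.0, chain problems" ---
server {
    listen 443 ssl;
    server_name bank.example;                       # placeholder host name
    ssl_certificate     /etc/ssl/leaf-only.pem;     # leaf cert without intermediates: chain errors
    ssl_certificate_key /etc/ssl/leaf.key;
    ssl_protocols       SSLv3 TLSv1;                # SSLv3 enables POODLE; TLSv1 caps the site at 1.0
    ssl_ciphers         RC4-SHA:DES-CBC3-SHA:AES128-SHA;   # RC4 and 3DES, no forward secrecy
}

# --- corrected ---
server {
    listen 443 ssl;
    server_name bank.example;
    ssl_certificate     /etc/ssl/fullchain.pem;     # leaf plus intermediates, leaf first
    ssl_certificate_key /etc/ssl/leaf.key;
    ssl_protocols       TLSv1.2 TLSv1.3;            # SSLv3, TLS 1.0 and 1.1 are refused outright
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;                  # all listed suites are AEAD with ECDHE
    ssl_session_tickets off;                        # avoid long-lived ticket keys undermining PFS
    ssl_stapling on;                                # OCSP stapling avoids revocation-check failures
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/chain.pem;     # intermediates plus root, used to verify the staple
    add_header Strict-Transport-Security "max-age=63072000" always;
    # TLS-level compression (CRIME) has no nginx directive; OpenSSL 1.1.0 and later
    # build with it disabled by default, so keep the TLS library current.
}
```

Re-running the SSL Labs test after the change is the check that the reload actually took effect on every listener, not just the one you edited.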
Tuesday 5th January 2016 23:44 GMT Mr Flibble
It's not just the financial institutions.
3: badly broken. Vulnerable to POODLE, problems with the certificate chain, doesn't do anything newer than TLS 1.0, reported as failing to talk to some common browser/OS combinations…
O2: much better; only minor problems here.
(Links are to one well-known SSL testing service.)
Wednesday 6th January 2016 04:18 GMT DannyJr
It goes to show that banks have piss-poor security and hide behind draconian laws to hide their flaws. White hatters would be reluctant to report flaws knowing that British laws are crap. It reminds me of this one bloke who found a gun lying around. He picked it up and brought it to the police as a good citizen. He was charged for gun possession, was prosecuted, and convicted by a braindead jury of his peers. All because of badly written laws.
You can bet I won't be reporting online security flaws from UK firms. They got the laws they lobbied for, and they shall get the requisite response.
Wednesday 6th January 2016 11:46 GMT Sirius Lee
It's fashionable to be a bank basher...
Imagine you are an executive in a major bank, responsible for many billions of pounds. Sure you have one eye on your pocket but also an eye on your reputation. This is not a black and white issue. If a bank used stronger/better certificates, does that mean there will be no more hacking? Of course not.
So it's a numbers game and banks are good with numbers. A bank will now have a good idea of the type and volume of hacks to which they are exposed given their current set of technology. When a new exploit becomes available, they will be able to see the impact on claims against their systems. This information will be handed to their actuaries who will provide statistics about and forecasts of likely losses. These can then be factored into the business plan.
Change the technology too soon and the statistics on which to base actuarial forecasts are not available. That's risky for the bank and for us. We don't want to have our accounts hacked but nor do we want the bank to fail because the technology was too new to provide reliable hacking statistics.
Wednesday 6th January 2016 13:20 GMT Smooth Newt
Re: It's fashionable to be a bank basher...
Perhaps you should ask Dido Harding about the unwisdom of trusting to "we haven't been hacked badly enough yet to bother about it".
And this isn't New Technology - for instance the report says that more than 10% of institutions were using SSL 3, which has been obsolete for over 15 years.
Wednesday 6th January 2016 22:15 GMT Anonymous Coward
You might be interested to read http://www.bank-grade-security.uk/
> This page compares the SSL security of online banking websites of British banks. SSL (or more correctly TLS) is the encryption between your web browser and the bank’s web server. It protects against others reading or changing the page (a man-in-the-middle attack).