Reveal Poor Web Security... Have RSA Threaten You With Trademark Infringement
from the not-cool dept
Scott Jarkoff recently discovered a problem with the Navy Federal Credit Union website: it allows users to log in from an unsecured web page. That's the type of thing we thought pretty much all banks had figured out ages ago. What's fascinating, however, is what happened next. Scott received an angry email from RSA, the well-known security company that apparently built the NFCU website, claiming trademark infringement and demanding that he take down the post. RSA was upset with the implication that the site was insecure, but rather than either fixing the problem or explaining why the site is actually safe (as they insist it is), they threatened Scott with a trademark claim because his post includes a small screenshot of the NFCU website. Doesn't that make you feel secure? Since when is RSA in the business of sweeping security concerns under the rug by threatening those who point out problems with a trademark infringement claim?
Filed Under: security, trademark
Companies: navy federal credit union, rsa
Reader Comments
Yay for security
Secondly, security has never been about being secure. I know, I'll take a moment while you read that again....got it? Ok, now here's what I mean: security firms in a plethora of specialties (airport security, malware security, bank security, etc.) aren't there PRIMARILY to keep things secure, they're primarily there to create the ILLUSION of security.
Part of that means doing some real security work: scanning bags, releasing zero-day patches, carrying guns in the bank. However, you'll notice that none of that stops the determined criminal. Drug traffickers, weapons, and terrorists still make it on the plane. Malware is still relatively effective in infecting computers. Banks still get robbed with a frequency that would probably surprise the hell out of most people.
But we fly. We visit websites. We put our money in banks.
So no worries, little sheeple. Trust the establishment: you're safe.
Re: Yay for security
Obviously this has nothing to do with trademark. This Jarkoff (hahahaahha) is messing with RSA's created illusion of security....
Re: Re: Yay for security
In regard to your point, while I agree that much of security is based on *feeling secure* instead of actually *being secure* (I'm looking at you, Every-Airport-In-America!), I think that another side of it is that "security" is a constant, ongoing battle. Also, there needs to be a balance of usability and convenience when regarding security. Your house would be pretty damn secure if it had no doors or windows, but it wouldn't be a very useful house.
With that in mind, I wouldn't freak out about a flaw discovered in my bank's online site as long as it was quickly patched instead of hushed up. If I were NavyFCU, I'd look for someone else to build my website, pronto.
Re: Yay for security
Banks don't care about getting robbed. A few thousand dollars stolen won't shut a bank down, but customers scared to make bank deposits will.
Most malware is only found through extensive use of computers and after a large number of infections (just like a biological disease), and malware security is most effective when a problem has already been discovered. If everyone was afraid of getting infected, the chances of discovering issues would be less and less.
And on a more pessimistic note, the more people that fly on airplanes, the safer you personally will be. Granted, if very few people used airplanes, then security would be more effective...but since that extreme isn't possible, the other extreme ends up being almost as good.
Re: Yay for security
security systems. Seems as though "identity theft" is rampant or at minimum not very risky for hacker crooks!
So..
Or.. is that not what trademarks are for these days?
Re: So..
Re: So..
Trademark might have been used to help consumers in like the 60's or something, but today copyright and trademark are about stifling free speech.
You use trademark and copyright to force people to remove content that you don't like.
Seriously.
This just furthers my already existing hatred for stupid people.
Navy Fed Customer
So yes, I would be really mad if this got out and was not fixed.
Re: Navy Fed Customer
Re: Lonzo5
Printscreen
:)
-J
A technical point
It's not. It cannot be.
The page html being sent from the nfcu server to the user's machine is sent in the clear, and subject to man-in-the-middle injection attacks.
The request upon login, going from the user's machine to nfcu server is encrypted, but that's shutting the barn door after the horses have run off.
I do this stuff for a living, and I can assert that this is a very well known, obvious, exploitable, and basic insecurity. It flouts common best practices, and is stunning in its obviousness. It's a no-brainer for anyone involved in web security.
Re: A technical point
Right. I agree. But in the correspondence RSA seemed to insist it was... so I wanted to leave that open to them as an out. But, yeah, it sure looks like this is a really really old and basic mistake.
Re: Re: A technical point
Re: Re: A technical point
That being said, if it reverts to HTTP, the page being displayed afterwards gets cached, which can lead to insecurity. Perhaps this is what they meant when they said it was secure anyway.
Either way, having the log-in page as HTTPS is still a good idea. It provides a reassurance that the web engineer didn't forget something as simple as making the log-in go over a secure connection.
Re: Re: Re: A technical point
Kevin, totally NOT saying you're wrong or anything, just asking for an opinion on what you said: doesn't that sound like EXACTLY what I was saying about creating the illusion or appearance of safety being a chief priority?
[patting self on back]
Re: Re: Re: Re: A technical point
From the other side though, as a bit of an I.T. security specialist (mostly a hobby), there needs to be some substance behind that perceived security. You can create the illusion of security, but if you try to monetize that illusion it might be successful for a very short period, but will have no long-term profitability. If you have high security and the illusion of insecurity, you'll have to fight against people's concepts that you are a poor security solution. (See many open source security solutions: the best thing out there, but because you can see the source code, managers who have little understanding of the programs themselves think that they are inherently more insecure.)
Re: Re: Re: A technical point
The problem with an initial page has nothing to do with where it is supposed to post its contents to. The problem is that because it is sent unsecured, the contents could be altered in-flight, and the posting destination could be changed. If done well, the customer doesn't even know his account details have been compromised.
Shameful way to deal with this from RSA.
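The two technical comments above ("A technical point" and the reply about the posting destination being altered in-flight) describe one check a site owner can run themselves. The following is an added defender-side example, not code from the post, its commenters, RSA or NFCU: it flags a password form that is delivered over plain HTTP, or whose action posts over http:// or to another host. The HTML and hostnames are constructed samples.

```python
# Added example (not from the post or its commenters): flag a login form that
# is delivered over plain HTTP, or posts credentials to an http:// or off-site
# action. The sample HTML and hostnames below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect (action, has_password) for every <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (empty means nothing flagged). A page fetched
    over HTTP can be rewritten by anyone on the path, so that alone is a
    finding even when the form's action is https."""
    page = urlsplit(page_url)
    findings = []
    if page.scheme != "https":
        findings.append("login page delivered over %s, not https" % page.scheme)
    finder = _LoginFormFinder()
    finder.feed(html)
    for action, has_password in finder.forms:
        if not has_password:
            continue
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append("password form posts over %s" % target.scheme)
        if target.hostname != page.hostname:
            findings.append("password form posts off-site to %s" % target.netloc)
    return findings


# Constructed sample: http:// page whose form posts to https:// on the same host.
SAMPLE_HTML = ('<form action="https://www.example.test/auth" method="post">'
               '<input name="user"><input type="password" name="pw"></form>')
```

Running `audit_login_page("http://www.example.test/login", SAMPLE_HTML)` reports the delivery-over-HTTP finding even though the form posts to https, which is exactly the situation the comments describe.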
Re: A technical point
Is it being used for commercial purposes? nope
Is it being used to trick people into thinking the RSA endorses the "exposer?" nope
Those who can't innovate, litigate
Thanks for letting me know, I work for a Fortune 100, and feel obligated to pass on the information - because security for the network I work on is greater than caressing RSA's ego.
Should have quietly fixed it RSA.
Old School and High Priced...
Public site/public author makes credible criticism about a relatively high-profile site your company was contracted to make....
What are your options:
Option A. Threaten individual author with bogus trademark case. After all, someone that has already gone public won't release our threat letter in a public forum and make the issue worse or anything - nah, definitely not that. Of course, lawyers are cheap as well so this will be a slam dunk - low cost, easy fix - hear no security flaws, see no security flaws - the lawyers can make it all go away! Hmmm.. I wonder if the guy might be right, never mind, legal will take care of it for us!
Option B. Take two minutes (or more likely with overhead - 4 weeks), fix the initial page so that it is SSL based and take this as an opportunity to show how you handle mistakes in a professional manner.
Option C. Just ignore it...
With the economy like it is, I sure hope that the person at RSA that made this decision has some backup options as I wouldn't want to be part of the soon-to-be upcoming meeting on this issue!
Freedom
NFCU ignores us
NFCU is now sooooo big, they contract out most of their services just like any other multinational. The layers of management make it almost impossible to get quick resolution to any problems an individual member may have.
In fact, they have the best "form answer" letters in the business that make it seem they care, when they really just want you to go away. Complain, and they will bluntly tell you something like "moving forward, you need to use the proper" whatever....
This week, you can hardly get around their web site to do your on-line banking without locking up. I began just today the lengthy process of severing my relation with them. And guess what? They will not even care.