https://www.ssllabs.com/ssltest/analyze.html?d=nbg.gr
their twitter account is: https://twitter.com/ibanknbg
EDIT: The most effective outreach will be friendly and respectful, if anyone chooses to do this. Also, all the other major Greek banks score poorly:
Piraeus Bank Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=www.piraeusba... twitter: https://twitter.com/skepsouprasina
Alpha Bank: B https://www.ssllabs.com/ssltest/analyze.html?d=www.alpha.gr&... twitter: https://twitter.com/alpha_bank
Eurobank: Score: F! https://www.ssllabs.com/ssltest/analyze.html?d=eurobank.gr twitter: https://twitter.com/Eurobank_Group
Yes, having RC4 enabled is now an instant PCI compliance fail as it has a die-die-die RFC and as a result NIST changed it, on request, to a CVE grade above a 4.0 - https://tools.ietf.org/html/rfc7465 - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-25... - web browsers have already started turning it off.
I worked for a small credit union, and we were beholden to our state auditors, FFIEC guidance, and the like -- but PCI simply wasn't a thing we worried about.
I work in security/privacy/premium snake oil trade. Bank security (and software in general) is _usually_ a joke. The main reason for not fucking with a bank is the same as why you wouldn't fuck with casinos, or the mob.
Decided to see if I could still log in to any of them about a year ago. Still could on half of them. I left that gig a decade ago.
Oh, and a few of them have no trade limits or risk management.
Boggle.
Why wouldn't I, from the other side of the world, from the wifi connection of a coffee shop on the other side of town, bounced through a couple VPNs? It's one thing if I have to walk inside the casino, but the internet isn't like that.
By listing the nice bank's twitter first, you're going to cause a backlash against the one that actually responded nicely.
edit: whoops, looks like I can't edit it any more. Bummer.
This one is interesting, as it shows IIS 5.0 (Win2000 SChannel) affected by POODLE TLS.
Threatening to fire him for a tweet from a personal account? What Kafkaesque bullshit is this? Frankly, I'd be taking them to a tribunal - and I'm an employer. The idea of pulling that kind of shit on anyone fills me with disgust.
It's not like the employer said "you wrote an unfriendly tweet now you are fired!" The bank was threatening the employer with legal action unless action was taken.
Nobody has.
Marketing opportunity for other banks to jump on the bandwagon and share their public keys on social media.
Hmm... with the large number of security firms popping up every day, has anyone actually done some studies and statistical analysis so that it can be said "If you save $200,000 this year by not hiring a competent security professional, there is a 30% chance your bank will lose more than $10 million in either direct intrusion or public scandal"? That is the sort of thing a banker needs to hear before he can determine whether it is actually WORTH being safe. And even then... hiring competent security people is really hard. How is a normal HR person supposed to be able to judge whether an applicant is competent?
It's a Greek bank. They couldn't care less about 'bad publicity' nowadays.
The response he got was that the banks started fixing their problems. He had one group of banks that he classified as ones you should stay away from. All those banks fixed things, so they are no longer in that category.
Their internet banking front page domain name has a different environment which gets a B, but most people go to it via the front page that is still vulnerable to POODLE and what not.
128 bits for symmetric key ciphers is actually fine. Especially with AES.
TLS1.0 and SHA1 certificates? I'd expect better.
> The second bank has also a cross site javascript script and that’s for sure not a best practice. Again that’s not a security hole. They just pull a javascript from their official web page (although a different url/domain from their web banking).
Yay, watering hole attack vectors.
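The mitigation for a script pulled from another domain is Subresource Integrity: publish the script tag with an `integrity` hash of the exact file, so a body altered on the serving host is refused by the browser. The following is an added example, not code from the blog post or from either bank; the script body and the `https://static.example/` URL are constructed, and `verify_integrity` models the browser's decision rule (strongest listed algorithm wins) rather than being any browser's code.

```python
import base64
import hashlib

# Constructed sample script body, standing in for a script a site pulls from
# another domain it controls (not any bank's real script).
SCRIPT_BODY = b"window.bankWidget = function () { return 'hello'; };\n"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for `body`, e.g. 'sha384-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI accepts only sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """The <script> element to publish: a cross-origin script also needs
    crossorigin so the browser can enforce the integrity check on it."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Model the browser's decision: parse the space-separated hash list, keep
    only the entries using the strongest listed algorithm, and accept the body
    if its digest matches any of them. A list with no usable entries counts as
    no integrity metadata, so the resource would load unchecked."""
    entries = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in STRENGTH:
            entries.append((algo, rest.split("?", 1)[0]))  # drop any '?options'
    if not entries:
        return True
    best = max(STRENGTH[a] for a, _ in entries)
    best_algo = next(a for a, _ in entries if STRENGTH[a] == best)
    expected = {d for a, d in entries if STRENGTH[a] == best}
    actual = sri_hash(body, best_algo).split("-", 1)[1]
    return actual in expected


if __name__ == "__main__":
    # Hypothetical URL for illustration only.
    print(script_tag("https://static.example/widget.js", SCRIPT_BODY))
    tampered = SCRIPT_BODY + b"// altered on the serving host\n"
    print("original accepted:", verify_integrity(SCRIPT_BODY, sri_hash(SCRIPT_BODY)))
    print("tampered accepted:", verify_integrity(tampered, sri_hash(SCRIPT_BODY)))
```

The hash must be regenerated and the tag republished whenever the script changes, which is the point: the page embedding the script, not the host serving it, decides what code is allowed to run.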
There is a possible argument that a 128-bit AES key and a 2048-bit RSA key are mismatched, but a 1024-bit RSA key is clearly known to be dangerous now, while the same is not at all true for a 128-bit AES key.
Some of these sites have large user bases too, and it's making it hard to disable RC4 in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1138101
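The checks raised across the thread (RC4 per RFC 7465, SSLv3 and POODLE, TLS 1.0, SHA-1 certificate signatures, and the 1024-bit RSA versus 128-bit AES point) can be written down as a small assessment routine, paired with a server-side context that simply refuses the weak options. This is an added example, not SSL Labs' grading logic and not code from any of the banks; the two scan summaries are constructed, and the hardened context uses Python's standard `ssl` module.

```python
import ssl
from dataclasses import dataclass

# Constructed scan summaries (not output from SSL Labs or from any bank above).
WEAK_SCAN = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "cert_signature": "sha1WithRSAEncryption",
    "key_type": "RSA",
    "key_bits": 1024,
}
GOOD_SCAN = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "cert_signature": "sha256WithRSAEncryption",
    "key_type": "RSA",
    "key_bits": 2048,
}


@dataclass
class Finding:
    severity: str  # "FAIL" or "WARN"
    detail: str


SEVERITY_RANK = {"OK": 0, "WARN": 1, "FAIL": 2}


def assess(scan):
    """Apply the checks discussed in the thread to one scan summary."""
    findings = []
    if "SSLv3" in scan["protocols"]:
        findings.append(Finding("FAIL", "SSLv3 enabled: exposed to POODLE"))
    if "TLSv1.0" in scan["protocols"]:
        findings.append(Finding("WARN", "TLSv1.0 enabled: legacy protocol, no AEAD cipher suites"))
    for suite in scan["ciphers"]:
        if "RC4" in suite:
            findings.append(Finding("FAIL", f"{suite}: RC4 is prohibited by RFC 7465"))
    if scan["cert_signature"].lower().startswith("sha1"):
        findings.append(Finding("WARN", "certificate signed with SHA-1"))
    # The asymmetric key is what matters here: a 1024-bit RSA key is too short,
    # whereas the AES-128 suite above is deliberately not flagged at all.
    if scan["key_type"] == "RSA" and scan["key_bits"] < 2048:
        findings.append(Finding("FAIL", f"{scan['key_bits']}-bit RSA key: use at least 2048 bits"))
    return findings


def worst(findings):
    """Worst severity among the findings, 'OK' when there are none."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="OK")


def hardened_context():
    """Server-side SSLContext that refuses SSLv3, TLS 1.0/1.1 and RC4 outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def context_cipher_names(ctx):
    """Names of the suites the context will actually negotiate."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for name, scan in (("weak", WEAK_SCAN), ("good", GOOD_SCAN)):
        findings = assess(scan)
        print(f"{name}: {worst(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.detail}")
    print("hardened context offers:", ", ".join(context_cipher_names(hardened_context())))
```

`get_ciphers()` reports what the linked OpenSSL will really offer after the cipher string is applied, which is the check worth running on a server after any configuration change rather than trusting the string alone.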
Is there a browser plugin that could report on SSL health in real-time, when visiting a site?
http://webcache.googleusercontent.com/search?q=cache:BJedQ1n...
EDIT: Yeah, it's back up.
It has a built-in 'tweet to this entity' link, similar to what this guy did by himself.
Perhaps someone can open a Greek sub-section on the site, with links to these banks.
The second bank was the one that showed this appalling behaviour and isn't mentioned in his blog post, probably out of fear.
> The first bank contacted almost immediately with me and I respect National Bank of Greece for that.
The second bank took another approach.
I recommend creating an anonymous Twitter account to remove negative pressure that can affect employment.
I don't agree. In US terms, "Freedom of Speech" appears to be framed only in terms of the rights of someone relative to the government.
But in the UK, we don't have a first amendment, or even a written constitution. I would find it absolutely normal for someone to discuss freedom of speech issues about wider things than simply government overreach. In fact, the opposite is just as likely to be true: freedom of speech can be curtailed by things like private injunctions or the lack of space where it's safe to speak, which may be occurring due to lack of government action or regulation.
Freedom of Speech is a phrase that I've always thought has a wider application than it appears limited to in the US, where it seems mixed up with a lot of politics that don't appear anywhere else.
Anyway, just my opinion from the UK. I think this is very much something that can be discussed in terms of freedom of speech in the wider (non-US) sense, due to the power disparity of the actors being used (if true) to quash speech that would otherwise be freely available - and, given Greece is in Europe, I believe the author is right to frame it in those terms.
About that, when somebody threatens to sue a person and that is a credible threat, it's because the government is involved.
The minimum guarantee of a democratic legal system is that for an innocent that phrase isn't a threat. If there is no guarantee, it's not a democratic system.
Your "minimum guarantee of a democratic legal system" is an impossibility, unless tort law is altogether abolished, and good luck seeking democratic approval for that...