Barclays, Halifax and Tesco still being gnawed by POODLE Major banks are still open to POODLE attacks months after being called out as vulnerable. The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw surfaced October and affects the Secure Sockets Layer (SSL) 3.0 algorithm and versions of TLS (Transport Layer Security). Ivan Ristic's SSL Labs site revealed at …
This post has been deleted by its author
This post has been deleted by its author
I wonder if there's any correlation between response time to this and in-house/outsourced IT?
If you have an in-house IT department you can tell them to drop the current work, routine upgrades etc., and get patching. If the fault is in a 3rd-party switch or router and the manufacturer isn't responsive you can swap it out. Some network admin will have to spend a day with the user manual figuring out how to configure it, but overall cost and inconvenience are likely to be low-ish in bank terms.
If it's all outsourced, you can file a P1 trouble ticket but, assuming you're not the only people impacted, what happens after that is going to depend on where you are in the "big client" pecking order. Also, if the outsourcer has based their business model on using kit from one supplier, and that's what all their support techs are trained in, they'll have little interest in swapping it for a different brand and so making your company the special case that only one re-trained support tech can deal with. They'll just keep stalling until their suppliers come up with a fix. There's almost certainly nothing in your SLA that guarantees a fix to all security issues within, say, 48 hours.
IT in big business has long been the department that gets a beating every time there's any kind of financial strife. Profits dipped? Sack some IT. Regulations increased? Sack some IT. CEO has a headache? Sack some IT.
IT is seen purely as a cost centre by many bean-counters, rather than a driver of the business. It doesn't have any sales people, therefore it can't be making any money.
So, IT ends up outsourced to the cheapest bidder or the teams face reorganisation so that the knowledgeable people are made redundant (as they cost too much) and young, inexperienced, people.
If you can count on one kind of website giving you a red shield on Calomel it's a bank website. Given the profits they make year after year you'd think they'd pony up the costs for a decent SSL certificate and the small amount of time it takes to configure the webserver properly.
And they do the minimum to make it work with browsers, you'd have to be mad to trust a banking app.
Yes, and? This is a discussion board with no private-messaging facility. Everything you post on here is public, except for the ranty/legally troublesome stuff that me and the other mods remove. What good would implementing SSL achieve?
I've said it before, I'll say it again. If you're reusing your El Reg login creds elsewhere, you're doing it ALL wrong.
"I've said it before, I'll say it again. If you're reusing your El Reg login creds elsewhere, you're doing it ALL wrong."
You have to be honest though. What AC stated is true and really it does not call for a presumptuous, hypothetical and seemingly defensive retort.
In my world, requiring users to enter personal information such as first name, last name, email address, password, job role etc when registering without tls/pfs is about as bad as bad can be.
Still, I suppose if you are entering real-world details here, you're doing it all wrong ;)
I still see no excuse for ignoring good/best practice here on El Reg.
I still see no excuse for ignoring good/best practice here on El Reg.
They're using cheapie shared hosting for the site; adding SSL would require a change in the arangement with the hosting provider (rackspace).
I often wonder whether it would be cheaper to do that than to carry on typing messages to try to defend the indefensiblecurrent situation...
Vic.
I still see no excuse for ignoring good/best practice here on El Reg.
Cargo-cult security.
There are no "best practices" in a vacuum. Security measures are only meaningful in the context of a threat model. What threats are you trying to protect against? How probable are they versus the rest of the attack tree? What are the incremental costs to attackers and the Reg?
Of course, we can't expect most Reg readers to pay attention to such niceties. It's much easier to simply whinge about a lack of TLS for signing into the forums.
"Cargo-cult security. There are no "best practices" in a vacuum. (blah, blah...)"
Seems to me that you are being a bit fast and loose with the word vacuum. To me, a vacuum is devoid of anything. If it has just an ickle something in it, then it ain't no vacuum. Maybe you define it otherwise.
But yeah, you are surely right. I am in a cult where daily life involves words and phrases such as tls, pfs, encryption, hashing, key stretching, timing attacks etc. Nasty little cult it is. Really pernicious stuff going on in this cult. The bastards just don't let up about security, privacy and respect for other peoples' data. The m***er fcukers. But hallelujah brother. We shall be saved by the Vacuum! All hail the Vacuum!
*Sigh* Oh, how I long to belong to the cult of the 90's again. Flat files, plaintext passwords, no security and no respect for others personal data (no matter how small)*.
* Oh, hang on... I'm talking shit again. Anyway, enjoy the 90s... They are like so last century ;)
That's insane!
I cannot reasonably be expected to remember more than one username/password across all the websites I use!
It's not like I can carry my whiteboard around with me. (Although thinking about it, I could take a photo of it and save it somewhere safe, like facebook or google+)
Security is critical, you and I both know that. If it were within our power we'd have fixed these vulnerabilities within days of the fix being released.
Sadly (and I'm not defending it) it's not always IT who call the shots. Marketing and Customer Relations also have a say, and you cannot "upset the customers". Requiring a "modern browser" is not always as easy as it sounds, and having seen the browser usage statistics there are still substantial proportions of users who cannot use websites that we might consider as sufficiently secure.
Bring in a Regulator who measures service above security and suddenly your business decisions point to a less secure platform that supports a wider range of customers without introducing complex end user technical requirements.
Not saying I like it, but that is the reality of limited budgets and resources.
and I've been remediating some POODLE vulnerabilities, but it's a bt of a nightmare. Customer facing websites are easy though, you just need a modern browser, so I can't see why those wouldn't have been done, other than it would prevent employees connecting from their machines running old internet explorer versions :)
The big issue I've had are with webservices that are consumed by applications that don't support verions of TLS over 1.0. Upgrading these isn't always straightforward, epecially in a risk averse bank. So you end up having to route serrvice calls all over, through other systems that do support it.
I've just joined The National Bank of Aus...That's Yorkshire Bank ybonline.co.uk and or clydesdalebank.co.uk AND I brought this up to them on the phone. "Errrm! You're a bank" No contact back of course..
(150 quid + 2% on a current acc if anybody is interested).
Here's the thing though. Their internet banking won't load at all in either FF or Palemoon and I'm forced to use OLD browsers. Either Opera 12 or IE...Just for them mind.. HSBC, Lloyds, HBOS all happy to load..
So when you say 'use a modern browser' I just don't get it. Aren't FF and Palemoon actually saying 'this site is so insecure I'm not even prepared to load it' (Poodle and a SHA1 Intermed cert).
They both throw me this
"Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)"
So what gives with the old vs modern browser thing. Any of you clever pepol (sic) able to shed light on my puzzlement?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
