Reveal Poor Web Security… Have RSA Threaten You With Trademark Infringement
from the not-cool dept
Scott Jarkoff recently discovered a problem with the Navy Federal Credit Union website: it allows users to log in from an unsecured web page. That’s the type of thing we thought pretty much all banks had figured out ages ago. However, what’s fascinating is what happened after that. Scott received an angry email from RSA, the well-known security company, which apparently built the NFCU website, claiming trademark infringement and demanding that he take down the post. RSA was upset with the implication that the site was insecure, but rather than either fixing the problem or explaining why the site is actually safe (which they insist it is), they threatened Scott with a trademark claim because his post includes a small screenshot of the NFCU website. Doesn’t that make you feel secure? Since when is RSA in the business of sweeping security concerns under the rug by threatening those who point out problems with a trademark infringement claim?
Filed Under: security, trademark
Companies: navy federal credit union, rsa
Comments on “Reveal Poor Web Security… Have RSA Threaten You With Trademark Infringement”
Yay for security
Ok, first of all let me get this out of the way: if my last name was Jarkoff, I would have such an incredible amount of fun with it, it would be astounding. “Hey, Jarkoff, stop Jarking off…”
Secondly, security has never been about being secure. I know, I’ll take a moment while you read that again….got it? Ok, now here’s what I mean: security firms in a plethora of specialties (airport security, malware security, bank security, etc.) aren’t there PRIMARILY to keep things secure, they’re primarily there to create the ILLUSION of security.
Part of that means doing some real security work: scanning bags, releasing zero-day patches, carrying guns in the bank. However, you’ll notice that none of that stops the determined criminal. Drug traffickers, weapons, and terrorists still make it on the plane. Malware is still relatively effective in infecting computers. Banks still get robbed with a frequency that would probably surprise the hell out of most people.
But we fly. We visit websites. We put our money in banks.
So no worries, little sheeple. Trust the establishment: you’re safe.
Re: Yay for security
I just noticed that I forgot to round out the entire point with my final statement in relation to the article:
Obviously this has nothing to do with trademark. This Jarkoff (hahahaahha) is messing with RSA’s created illusion of security….
Re: Re: Yay for security
Rants can do that, I’m told.
In regard to your point, while I agree that much of security is based on *feeling secure* instead of actually *being secure* (I’m looking at you, Every-Airport-In-America!), I think that another side of it is that “Security” is a constant, on-going battle. Also, there needs to be a balance of usability and convenience when regarding security. Your house would be pretty damn secure if it had no doors or windows, but it wouldn’t be a very useful house.
With that in mind, I wouldn’t freak out about a flaw discovered in my bank’s online site as long as it was quickly patched instead of hushed up. If I were NavyFCU, I’d look for someone else to build my website, pronto.
Re: Yay for security
On the other hand, the illusion of security is far more effective at creating safety than actual security.
Banks don’t care about getting robbed. A few thousand dollars stolen won’t shut a bank down, but customers scared to make bank deposits will.
Most malware is only found through extensive use of computers and after a large number of infections (just like a biological disease), and malware security is most effective when a problem has already been discovered. If everyone was afraid of getting infected, the chances of discovering issues would be less and less.
And on a more pessimistic note, the more people that fly on airplanes, the safer you personally will be. Granted, if very few people used airplanes, then security would be more effective…but since that extreme isn’t possible, the other extreme ends up being almost as good.
So..
So The RSA is alleging that Scott is trying to start a Credit Union called Navy Federal Credit Union and it might mislead some customers?
Or.. is that not what trademarks are for these days?
Re: So..
Also, I would assume that RSA was contracted to create the site. So if it was created under contract the completed work would be the property of the Navy Federal Credit Union, and it would be NFCC who could claim infringement. RSA does not own said website just created it.
Re: So..
Or.. is that not what trademarks are for these days?
Trademark might have been used to help consumers in like the 60’s or something, but today copyright and trademark are about stifling free speech.
You use trademark and copyright to force people to remove content that you don’t like.
The thing that gets me is: RSA will actually pay lawyers to defend this if it goes to court. Disquieting. Do they even care how this makes them look?
Seriously.
Screenshots should NOT be trademark infringement. It’s so stupid I can’t even begin to rant about it.
This just furthers my already existing hatred for stupid people.
Navy Fed Customer
As a Customer I am not happy at all at this event, I worry a lot because most of Navy Fed’s services can be done via its web portal with no face time (its main customers are military)
So yes, I would be really mad if this got out and was not fixed.
Re: Navy Fed Customer
I’ve noticed this as well for quite a while (it’s been this way for at least a year). That’s why I always put https://navyfcu.org in the address bar instead.
Lonzo5
The truly stupid thing is, it’s all image related, Lonzo. The only legal way they could get him for trademark infringement is if they claim his use of their name endorsed or improved marketing of his product. In other words, they don’t want to be associated with or potentially endorsing their own screw up. To top it all off, legally there is no way they can win the case on these grounds, and I am certain they know that.
Printscreen
I say Microsoft should be sued for allowing the print screen key to allow for the possibility of trademark infringement
🙂
-J
Well, I guess this is the first time I’ve ever actually been glad I moved all my accounts out of NFCU.
A technical point
“explaining why the site is actually safe (which they insist)”
It’s not. It cannot be.
The page HTML being sent from the nfcu server to the user’s machine is sent in the clear, and subject to man-in-the-middle injection attacks.
The request upon login, going from the user’s machine to nfcu server is encrypted, but that’s shutting the barn door after the horses have run off.
I do this stuff for a living, and I can assert that this is a very well known, obvious, exploitable, and basic insecurity. It flouts common best practices, and is stunning in its obviousness. It’s a no-brainer for anyone involved in web security.
Re: A technical point
It’s not. It cannot be.
Right. I agree. But in the correspondence RSA seemed to insist it was… so I wanted to leave that open to them as an out. But, yeah, it sure looks like this is a really really old and basic mistake.
Re: Re: A technical point
I’m not trying to point out a perceived flaw in your article, just adding a technical point.
Re: Re: A technical point
It’s possible to have the log-in page on an HTTP site, fill out the field and have all of the field data sent over HTTPS. That would make the log in safe.
That being said, if it reverts to HTTP, the page being displayed afterwards gets cached, which can lead to insecurity. Perhaps this is what they meant when they said it was secure anyway.
Either way, having the log-in page as HTTPS is still a good idea. It provides a reassurance that the web engineer didn’t forget something as simple as making the log-in go over a secure connection.
Re: Re: Re: A technical point
“Either way, having the log-in page as HTTPS is still a good idea. It provides a reassurance that the web engineer didn’t forget something as simple as making the log-in go over a secure connection.”
Kevin, totally NOT saying you’re wrong or anything, just asking for an opinion on what you said: doesn’t that sound like EXACTLY what I was saying about creating the illusion or appearance of safety being a chief priority?
[patting self on back]
Re: Re: Re:2 A technical point
As far as a user perspective of security, yes; the appearance of security is very important.
From the other side though, as a bit of an I.T. security specialist (mostly a hobby), there needs to be some substance behind that perceived security. You can create the illusion of security, but if you try to monetize that illusion it might be successful for a very short period, but will have no long term profitability. If you have high security and the illusion of insecurity, you’ll have to fight against people’s concepts that you are a poor security solution. (See many open source security solutions, the best thing out there, but because you can see the source code, managers who have little understanding of the programs themselves think that they are inherently more insecure.)
Re: Re: Re: A technical point
I work for a large financial services company. I can assure you that having the login page under SSL is more than just a good idea… it’s an absolute requirement.
The problem with an initial page has nothing to do with where it is supposed to post its contents to. The problem is that because it is sent unsecured, the contents could be altered in-flight, and the posting destination could be changed. If done well, the customer doesn’t even know his account details have been compromised.
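The condition this comment and the earlier “A technical point” comment describe (a password form delivered over plain HTTP, whatever scheme it posts to) is something a site owner can check for mechanically. The following is an added example, not code from the article, from any commenter, or from RSA or NFCU. It parses a page’s HTML with the standard library, finds every form that contains a password field, and reports two findings: the page carrying the form was not served over HTTPS, and the form’s resolved action would not post over HTTPS. The sample pages and the `example.test` hostnames are constructed for the example; nothing is fetched from the network.

```python
"""Audit whether a login form is both delivered and submitted over HTTPS.

Added example, not code from the article or from any commenter, and not
NFCU's or RSA's code. It checks the two properties the thread argues over:
the scheme of the page that carries the password field (HTML delivered in
the clear can be rewritten in flight, form action included) and the scheme
the form actually posts to. The sample pages below are constructed for the
example; nothing is fetched from the network.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_NOT_HTTPS = "page-not-https"          # password field served on a non-HTTPS page
ACTION_NOT_HTTPS = "form-action-not-https"  # credentials would be posted without TLS


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A bare <input> defaults to type=text, so treat a missing type as text.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return the list of findings for a page; an empty list means no issue found.

    Only forms containing a password input count as login forms. A form with
    no action attribute posts back to the page URL itself, and a relative
    action is resolved against the page URL, so an HTTP page with a relative
    action is flagged for both the page and the post.
    """
    findings = []
    parser = _FormCollector()
    parser.feed(html)
    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        return findings
    if urlsplit(page_url).scheme.lower() != "https":
        findings.append(PAGE_NOT_HTTPS)
    for form in login_forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if urlsplit(target).scheme.lower() != "https":
            findings.append(ACTION_NOT_HTTPS)
    return findings


# Constructed sample pages (hostnames are placeholders, not real sites).
LOGIN_FORM_HTML = """
<html><body>
  <form method="post" action="https://login.example.test/auth">
    <input name="user" type="text">
    <input name="pass" type="password">
    <input type="submit" value="Sign in">
  </form>
</body></html>
"""

RELATIVE_ACTION_HTML = """
<html><body>
  <form method="post" action="/auth">
    <input name="user">
    <input name="pass" type="password">
  </form>
</body></html>
"""

if __name__ == "__main__":
    cases = [
        ("http://www.example.test/", LOGIN_FORM_HTML),   # the pattern the thread discusses
        ("https://www.example.test/", LOGIN_FORM_HTML),  # page and post both over TLS
        ("http://www.example.test/", RELATIVE_ACTION_HTML),
    ]
    for url, html in cases:
        print(url, audit_login_page(url, html) or "OK")
```

The first case is the arrangement defended in the thread: the form posts to an HTTPS endpoint, yet the check still reports `page-not-https`, because the page that tells the browser where to post was itself delivered without integrity protection. Serving the login page over HTTPS clears that finding, which is the fix the comment above calls an absolute requirement.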
Shameful way to deal with this from RSA.
Re: A technical point
Indeed. I think we all agree that the webmaster made a mistake. Mike is pointing out the improper reaction from RSA in going after the guy for trademark infringement.
Is it being used for commercial purposes? nope
Is it being used to trick people into thinking the RSA endorses the “exposer?” nope
Those who can't innovate, litigate
I guess RSA is done innovating…
Streisand Alert:
Thanks for letting me know, I work for a Fortune 100, and feel obligated to pass on the information – because security for the network I work on is greater than caressing RSA’s ego.
Should have quietly fixed it RSA.
Old School and High Priced...
This logic just amazes me:
Public site/public author makes creditable criticism about a relatively high-profile site your company was contracted to make….
What are your options:
Option A. Threaten individual author with bogus trademark case. After all, someone that has already gone public won’t release our threat letter in a public forum and make the issue worse or anything – nah, definitely not that. Of course, lawyers are cheap as well so this will be a slam dunk – low cost, easy fix – hear no security flaws, see no security flaws – the lawyers can make it all go away! Hmmm.. I wonder if the guy might be right, never mind, legal will take care of it for us!
Option B. Take two minutes (or more likely with overhead – 4 weeks), fix the initial page so that it is SSL based and take this as an opportunity to show how you handle mistakes in a professional manner.
Option C. Just ignore it…
With the economy like it is, I sure hope that the person at RSA that made this decision has some backup options as I wouldn’t want to be part of the soon-to-be upcoming meeting on this issue!
Freedom
WTF everyone? Why does it have to be this way? I have been with Navy Fed for over 12 years. Never ONCE have I had a problem, an issue, or a security concern. Please DON’T make NFCU the bad guy here… If the RSA is gonna be on “A-Hole Mode” then blame RSA. Besides, if NFCU has a security concern, they will take care of it. So STFU you haters and don’t worry about MY credit union. They are awesome.
NFCU ignores us
I got my first NFCU account almost 40 years ago. I still do most of my banking there. BUT be aware, their only, repeat only claim to fame is to being the largest credit union. They are nowhere near the best. Indeed, they are simply a marginal organization that has let the world pass them by when it comes to on-line services and a willingness to quickly react to problems and clearly respond to complaint.
NFCU is now sooooo big, they contract out most of their services just like any other multinational. The layers of management make it almost impossible to get quick resolution to any problems an individual member may have.
In fact, they have the best “form answer” letters in the business that make it seem they care, when they really just want you to go away. Complain, and they will bluntly tell you something like “moving forward, you need to use the proper” whatever….
This week, you can hardly get around their web site to do your on-line banking without locking up. I began just today the lengthy process of severing my relation with them. And guess what? They will not even care.
Yay for security
Would like to see stats on how “secure” the web really is or, as I feel, “is not.” Can someone tell me who is legally liable for “web security”? How safe are bank and credit card security systems? Seems as though “identity theft” is rampant or at minimum not very risky for hacker crooks!