Commonwealth Bank HACKED - don't sign in!
Post Reply
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
30-03-2017, 09:52 PM
RE: Commonwealth Bank HACKED - don't sign in!
CommBank's own security guidelines:

Quote:NetBank website identity verification

When the address bar in your web browser turns green, it means the website you are visiting has an Extended Validation certificate.

NetBank has attained the highest level Extended Validation certificate through an extensive independent audit by VeriSign – the leading internet identity verification organisation based in the United States. The green address bar displaying ‘Commonwealth Bank of Australia (AU)’ is a clear visual sign you have reached the genuine NetBank website and your session is protected with encryption.

Like I said you can't make this shit up! What the hell are they thinking? If they have competent IT professionals they would have arranged for an alternate EV cert weeks ago when Google said they were going to revoke the EV status of ALL Symantec Certs immediately!

My Blog
Visit this user's website Find all posts by this user
Like Post Quote this message in a reply
31-03-2017, 01:36 AM
RE: Commonwealth Bank HACKED - don't sign in!
(30-03-2017 07:42 PM)Aractus Wrote:  Symantec has wrongly issued 30,000 certificates. Not just one or two. And to make matters even worse, they were EV certificates! There is no coming back from that, boot their root certs and distrust them entirely - the game's up as far as I'm concerned. For comparison, DigiNotar only wrongly issued 500 certs and the company was swiftly seized by the Dutch government and dissolved.

That's google that claims that it's 30 000 wrongly issued. Symantec claims differently - a number in the low hundreds IIRC. There's no arbitration, yet google wield their power to "punish" Symantec arbitrarily. Fuck them, I say.

It's not like Symantec can get off this scott free either, but I really object when google throw their weight around like this.

Agree with you over the bank, they were caught napping.

We'll love you just the way you are
If you're perfect -- Alanis Morissette
(06-02-2014 03:47 PM)Momsurroundedbyboys Wrote:  And I'm giving myself a conclusion again from all the facepalming.
Find all posts by this user
Like Post Quote this message in a reply
31-03-2017, 03:07 AM
RE: Commonwealth Bank HACKED - don't sign in!
(31-03-2017 01:36 AM)morondog Wrote:  That's google that claims that it's 30 000 wrongly issued. Symantec claims differently - a number in the low hundreds IIRC. There's no arbitration, yet google wield their power to "punish" Symantec arbitrarily. Fuck them, I say.

I'm no fan of Google you know.

Let's be clear, Google alleges that at least 30,000 certs were wrongly issued in their blog post, and this included EV certs. Symantec denies this but there are several monumental fuck ups they cannot deny:

1. They issued a 24-hour EV cert for google.com for "internal testing purposes". Then when this was discovered they fired the employees making them the scapegoats to take the fall. Why didn't anyone in management take responsibility?

2. A severe security flaw was discovered in 2015 by Chris Byrne . The security flaw was that Symantec would send links in emails to their customers that would allow them to retrieve a certificate, revoke it, or renew it. As there was no customer validation performed on the server, users could simply modify the link and retrieve/revoke/renew certificates that other customers own.

Symantec claimed they would need TWO YEARS to fix the security flaw! Now it doesn't sound that bad, but what Chris had discovered was you could also retrieve private keys if they had been generated by a Symantec reseller for their customers. It is true of course that you shouldn't generate a private key for a customer - and there's no reason to because it can be just as easily generated in-browser, and that's much more secure since it doesn't involve sending the private key to the CA, if one needs to be generated at the time of certificate generation. In fact that's exactly how it works here if you let it generate a private key a CSR - it does it in your browser and only sends the CSR to the server.

Symantec has now denied that private keys could be accessed saying it's "not possible" when we know that it is possible and they're lying through their teeth. Here is a description of the problem direct from the guy that found it:

Quote:If you purchased a Symantec certificate (or a cert from any of their associated subsidiaries and partners) through a third party, from at least as far back as early 2013 until recently; their third party certificate generation, management, and retrieval API allowed those certificates... including in some cases private keys generated by third parties... to be retrieved without proper authentication, or in some cases any authentication at all.

Unless the third party added proper security around it, all you had to do was click a link sent in email, and you could retrieve a cert, revoke a cert, and re-issue a cert... and for some third party vendors, depending on the type of certificate, and how the certificate was issued, you could also retrieve private keys.
...
The third party that we tried to work with (before testing with other third party resellers to confirm it wasnt just the one) was entirely incompetent, to the point where they actually said they had no-one who could speak with us about the issue, and directed us to speak with Symantec, which we did.

Symantec told us at the time, that it was a third party security issue, and that it was up to the third parties to provide security around their certificate management... that the URI and UID were not supposed to be exposed to users. That if the third party were doing so, it was against their policies etc...
...
They terminated some third parties participation in their reseller program, and revoked and reissued many thousands of certs, but nowhere near all of those that may have been impacted... Unless they had some way of proving those certs were not compromised, that we are not aware of.

Take note of the parts I bolded. Symantec allowed completely incompetent resellers to generate private keys for their customers! A practise they never did themselves - why didn't they enforce better standards? I'm assuming here that some resellers (most maybe) are hosts, so of course hosts need to generate private keys - the issue is that it should only be generated in the server and never anywhere that's accessible to the web (other than cPanel, obviously).

3. Given what we know above, we know that Symantec failed to deliver their promise. They did not revoke and re-issue all certificates that could have been compromised. People were able to get customer's certificates reissued without providing any validation up until late 2016. I assume it was based on the previous CSR, so there's not a security risk there per-se, but it still represents a monumental failure for them to very domain ownership! Symantec could have fixed the immediate security problem by terminating third parties that had generated and stored the private keys for their customers. And finally, what needed to happen was to inform ALL customers that had their private keys generated by resellers that they need to stop using it, and generate a new one - THIS WAS NEVER DONE.

Sorry Dog, Symantec have absolutely no defence here. They clearly did not put the security of their customers first. People could be using private keys that have been compromised for years, or even decades now without ever knowing.

My Blog
Visit this user's website Find all posts by this user
Like Post Quote this message in a reply
[+] 1 user Likes Aractus's post
31-03-2017, 03:10 AM
RE: Commonwealth Bank HACKED - don't sign in!
(31-03-2017 01:36 AM)morondog Wrote:  ...
Agree with you over the bank, they were caught napping.

I confess, this is slightly embarrassing... I was their main trainer for IT Best Practices 10 years ago.

But also for Westpac and ANZ so it can't be down to me alone.

Blush

Find all posts by this user
Like Post Quote this message in a reply
31-03-2017, 08:00 PM
RE: Commonwealth Bank HACKED - don't sign in!
Well, I was wrong about this. It wasn't due to Google revoking the EV status yet. It was due to this unrelated bug:

https://bugs.chromium.org/p/chromium/iss...?id=705285

My Blog
Visit this user's website Find all posts by this user
Like Post Quote this message in a reply
01-04-2017, 06:00 AM
RE: Commonwealth Bank HACKED - don't sign in!
(31-03-2017 03:10 AM)DLJ Wrote:  
(31-03-2017 01:36 AM)morondog Wrote:  ...
Agree with you over the bank, they were caught napping.

I confess, this is slightly embarrassing... I was their main trainer for IT Best Practices 10 years ago.

But also for Westpac and ANZ so it can't be down to me alone.

Blush

Confirmed 100% DLJ's fault.
Find all posts by this user
Like Post Quote this message in a reply
[+] 2 users Like earmuffs's post
01-04-2017, 06:10 AM
RE: Commonwealth Bank HACKED - don't sign in!
This is why I never use personal info on line. If a bank can get hacked, remember, they have far more money to try to stop it than an individual at home layperson. I don't use my cell phone either. If I want something I go to the bank, or buy over the phone or go to the store directly. At least this way if they get hacked it is easier for me to prove if my ID gets stolen, that I don't use the web at all.

Poetry by Brian37(poems by an atheist) Also on Facebook as BrianJames Rational Poet and Twitter Brianrrs37
Visit this user's website Find all posts by this user
Like Post Quote this message in a reply
01-04-2017, 10:35 PM
RE: Commonwealth Bank HACKED - don't sign in!
The bank wasn't hacked, I used a click-bait title for the thread.

My Blog
Visit this user's website Find all posts by this user
Like Post Quote this message in a reply
02-04-2017, 08:01 AM
RE: Commonwealth Bank HACKED - don't sign in!
(01-04-2017 10:35 PM)Aractus Wrote:  The bank wasn't hacked, I used a click-bait title for the thread.

Confirmed 100% bank was hacked.
Find all posts by this user
Like Post Quote this message in a reply
Post Reply
Forum Jump: