Reveal Poor Web Security... Have RSA Threaten You With Trademark Infringement

from the not-cool dept

Scott Jarkoff recently discovered a problem with the Navy Federal Credit Union website: it lets users log in from an unsecured web page. That's the sort of thing we thought pretty much all banks had figured out ages ago. What's fascinating, however, is what happened next. Scott received an angry email from RSA, the well-known security company, which apparently built the NFCU website, claiming trademark infringement and demanding that he take down the post. RSA was upset with the implication that the site was insecure, but rather than either fixing the problem or explaining why the site is actually safe (which they insist it is), they threatened Scott with a trademark claim because his post includes a small screenshot of the NFCU website. Doesn't that make you feel secure? Since when is RSA in the business of sweeping security concerns under the rug by threatening those who point out problems with a trademark infringement claim?


Reader Comments

  1.  
    Dark Helmet (profile), Aug 13th, 2009 @ 9:48am

    Yay for security

    Ok, first of all let me get this out of the way: if my last name was Jarkoff, I would have such an incredible amount of fun with it, it would be astounding. "Hey, Jarkoff, stop Jarking off..."

    Secondly, security has never been about being secure. I know, I'll take a moment while you read that again....got it? Ok, now here's what I mean: security firms in a plethora of specialties (airport security, malware security, bank security, etc.) aren't there PRIMARILY to keep things secure, they're primarily there to create the ILLUSION of security.

    Part of that means doing some real security work: scanning bags, releasing zero-day patches, carrying guns in the bank. However, you'll notice that none of that stops the determined criminal. Drug traffickers, weapons, and terrorists still make it on the plane. Malware is still relatively effective in infecting computers. Banks still get robbed with a frequency that would probably surprise the hell out of most people.

    But we fly. We visit websites. We put our money in banks.

    So no worries, little sheeple. Trust the establishment: you're safe.


  2.  
    The Infamous Joe (profile), Aug 13th, 2009 @ 9:54am

    So..

    So The RSA is alleging that Scott is trying to start a Credit Union called Navy Federal Credit Union and it might mislead some customers?

    Or.. is that not what trademarks are for these days?


  3.  
    Lonzo5 (profile), Aug 13th, 2009 @ 9:55am

    The thing that gets me is: RSA will actually pay lawyers to defend this if it goes to court. Disquieting. Do they even care how this makes them look?


  4.  
    This is getting f***king rediculous, Aug 13th, 2009 @ 9:57am

    Seriously.

    Screenshots should NOT be trademark infringement. It's so stupid I can't even begin to rant about it.

    This just furthers my already existing hatred for stupid people.


  5.  
    Dark Helmet (profile), Aug 13th, 2009 @ 10:00am

    Re: Yay for security

    I just noticed that I forgot to round out the entire point with my final statement in relation to the article:

    Obviously this has nothing to do with trademark. This Jarkoff (hahahaahha) is messing with RSA's created illusion of security....


  6.  
    Paul Brinker, Aug 13th, 2009 @ 10:05am

    Navy Fed Customer

    As a customer I am not happy at all about this event. I worry a lot because most of Navy Fed's services can be done via its web portal with no face time (its main customers are military).

    So yes, I would be really mad if this got out and was not fixed.


  7.  
    barrenwaste (profile), Aug 13th, 2009 @ 10:05am

    Re: Lonzo5

    The truly stupid thing is, it's all image related, Lonzo. The only legal way they could get him for trademark infringement is if they claim his use of their name endorsed or improved marketing of his product. In other words, they don't want to be associated with or potentially endorsing their own screw up. To top it all off, legally there is no way they can win the case on these grounds, and I am certain they know that.


  8.  
    Anonymous Coward, Aug 13th, 2009 @ 10:08am

    Re: Yay for security

    On the other hand, the illusion of security is far more effective at creating safety than actual security.

    Banks don't care about getting robbed. A few thousand dollars stolen won't shut a bank down, but customers scared to make bank deposits will.

    Most malware is only found through extensive use of computers and after a large number of infections (just like a biological disease), and malware security is most effective when a problem has already been discovered. If everyone was afraid of getting infected, the chances of discovering issues would be less and less.

    And on a more pessimistic note, the more people that fly on airplanes, the safer you personally will be. Granted, if very few people used airplanes, then security would be more effective...but since that extreme isn't possible, the other extreme ends up being almost as good.


  9.  
    The Infamous Joe (profile), Aug 13th, 2009 @ 10:11am

    Re: Re: Yay for security

    Rants can do that, I'm told.

    In regard to your point, while I agree that much of security is based on *feeling secure* instead of actually *being secure* (I'm looking at you, Every-Airport-In-America!), I think that another side of it is that "Security" is a constant, ongoing battle. Also, there needs to be a balance of usability and convenience when regarding security. Your house would be pretty damn secure if it had no doors or windows, but it wouldn't be a very useful house.

    With that in mind, I wouldn't freak out about a flaw discovered in my bank's online site as long as it was quickly patched instead of hushed up. If I were NavyFCU, I'd look for someone else to build my website, pronto.


  10.  
    Jess, Aug 13th, 2009 @ 10:14am

    Printscreen

    I say Microsoft should be sued for allowing the print screen key to allow for the possibility of trademark infringement

    :)

    -J


  11.  
    Sean T Henry (profile), Aug 13th, 2009 @ 10:36am

    Re: So..

    Also, I would assume that RSA was contracted to create the site. So if it was created under contract, the completed work would be the property of the Navy Federal Credit Union, and it would be NFCU who could claim infringement. RSA does not own said website; it just created it.


  12.  
    Greg, Aug 13th, 2009 @ 10:37am

    Well, I guess this is the first time I've ever actually been glad I moved all my accounts out of NFCU.


  13.  
    Trails, Aug 13th, 2009 @ 10:40am

    A technical point

    "explaining why the site is actually safe (which they insist)"

    It's not. It cannot be.

    The page HTML being sent from the NFCU server to the user's machine is sent in the clear, and subject to man-in-the-middle injection attacks.

    The request upon login, going from the user's machine to the NFCU server, is encrypted, but that's shutting the barn door after the horses have run off.

    I do this stuff for a living, and I can assert that this is a very well known, obvious, exploitable, and basic insecurity. It flouts common best practices, and is stunning in its obviousness. It's a no-brainer for anyone involved in web security.


  14.  
    Mike Masnick (profile), Aug 13th, 2009 @ 10:45am

    Re: A technical point

    It's not. It cannot be.

    Right. I agree. But in the correspondence RSA seemed to insist it was... so I wanted to leave that open to them as an out. But, yeah, it sure looks like this is a really really old and basic mistake.


  15.  
    PRMan, Aug 13th, 2009 @ 10:56am

    Those who can't innovate, litigate

    I guess RSA is done innovating...


  16.  
    Fushta, Aug 13th, 2009 @ 11:01am

    Re: A technical point

    Indeed. I think we all agree that the webmaster made a mistake. Mike is pointing out the improper reaction from RSA in going after the guy for trademark infringement.

    Is it being used for commercial purposes? Nope.

    Is it being used to trick people into thinking the RSA endorses the "exposer"? Nope.


  17.  
    David Johnson (profile), Aug 13th, 2009 @ 11:05am

    Re: Navy Fed Customer

    I've noticed this as well for quite a while (it's been this way for at least a year). That's why I always put https://navyfcu.org in the address bar instead.


  18.  
    Overcast (profile), Aug 13th, 2009 @ 11:11am

    Streisand Alert:

    Thanks for letting me know. I work for a Fortune 100 company, and feel obligated to pass on the information, because security for the network I work on is greater than caressing RSA's ego.

    Should have quietly fixed it RSA.


  19.  
    Trails, Aug 13th, 2009 @ 11:56am

    Re: Re: A technical point

    I'm not trying to point out a perceived flaw in your article, just adding a technical point.


  20.  
    Keven Sutton, Aug 13th, 2009 @ 12:29pm

    Re: Re: A technical point

    It's possible to have the log-in page on an HTTP site, fill out the fields and have all of the field data sent over HTTPS. That would make the log-in safe.
    That being said, if it reverts to HTTP, the page being displayed afterwards gets cached, which can lead to insecurity. Perhaps this is what they meant when they said it was secure anyway.

    Either way, having the log-in page as HTTPS is still a good idea. It provides a reassurance that the web engineer didn't forget something as simple as making the log-in go over a secure connection.


  21.  
    chris (profile), Aug 13th, 2009 @ 12:39pm

    Re: So..

    Or.. is that not what trademarks are for these days?

    Trademark might have been used to help consumers in, like, the '60s or something, but today copyright and trademark are about stifling free speech.

    You use trademark and copyright to force people to remove content that you don't like.


  22.  
    Dark Helmet (profile), Aug 13th, 2009 @ 12:47pm

    Re: Re: Re: A technical point

    "Either way, having the log-in page as HTTPS is still a good idea. It provides a reassurance that the web engineer didn't forget something as simple as making the log-in go over a secure connection."

    Kevin, totally NOT saying you're wrong or anything, just asking for an opinion on what you said: doesn't that sound like EXACTLY what I was saying about creating the illusion or appearance of safety being a chief priority?

    [patting self on back]


  23.  
    NotFromToronto (profile), Aug 13th, 2009 @ 12:49pm

    Re: Re: Re: A technical point

    I work for a large financial services company. I can assure you that having the login page under SSL is more than just a good idea... it's an absolute requirement.

    The problem with an initial page has nothing to do with where it is supposed to post its contents to. The problem is that because it is sent unsecured, the contents could be altered in flight, and the posting destination could be changed. If done well, the customer doesn't even know his account details have been compromised.

    Shameful way to deal with this from RSA.

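The three technical comments above (Trails on the page being delivered in the clear, Keven Sutton on the form posting to HTTPS, NotFromToronto on the form being altered in flight) describe one check a defender can automate: is the login page itself delivered over HTTPS, and does its form post to HTTPS? The following audit script is an added example written for this page; it is not code from Techdirt, RSA or NFCU. It parses a fetched HTML document with Python's standard library, finds every form containing a password field, and reports a verdict that treats a plain-HTTP page as insecure even when the form's action is HTTPS, which is exactly the point NotFromToronto makes. The page URL, hostnames and HTML are constructed for illustration.

```python
"""Audit an HTML page for login forms and report whether both the page and
each form's submit target are delivered over HTTPS.

Added example (not from the Techdirt thread or from RSA/NFCU code). The
sample page URL and HTML below are constructed and use .invalid hostnames.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []       # finished login forms: {"action": str}
        self._current = None  # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            # An <input> with no type attribute defaults to a text field.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append({"action": self._current["action"]})
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per login form found in `html`.

    A form is only as trustworthy as the document that delivered it: if the
    page arrived over plain HTTP, an on-path attacker can rewrite the form's
    action (or inject script) before the user types anything, so the verdict
    is 'insecure' regardless of where the form posts to.
    """
    finder = _LoginFormFinder()
    finder.feed(html)
    finder.close()
    page_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for form in finder.forms:
        # urljoin resolves relative actions; an empty action posts back to the page URL.
        action_url = urljoin(page_url, form["action"])
        action_https = urlsplit(action_url).scheme.lower() == "https"
        if not page_https:
            verdict = "insecure: login page delivered over HTTP (form can be altered in flight)"
        elif not action_https:
            verdict = "insecure: credentials posted over HTTP"
        else:
            verdict = "ok: page and submit target both use HTTPS"
        findings.append({
            "action": action_url,
            "page_https": page_https,
            "action_https": action_https,
            "verdict": verdict,
        })
    return findings


# Constructed sample: a plain-HTTP homepage whose login form posts to HTTPS,
# the pattern debated in the thread. The second form has no password field
# and is ignored.
SAMPLE_PAGE_URL = "http://www.example.invalid/"
SAMPLE_HTML = """
<html><body>
  <form action="https://secure.example.invalid/login" method="post">
    <input name="user" type="text">
    <input name="pass" type="password">
    <input type="submit" value="Sign in">
  </form>
  <form action="/search"><input name="q" type="text"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding["verdict"], "->", finding["action"])
```

Run against the constructed sample, the script reports the first form as insecure because the page scheme is HTTP, even though the action is HTTPS; change the page URL to https:// and the same form is reported as ok, and an http:// action on an https:// page is reported as posting credentials in the clear. To use it on a real site, fetch the page over whichever scheme the site serves by default and pass the final URL (after redirects) together with the body.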

  24.  
    Freedom, Aug 13th, 2009 @ 1:24pm

    Old School and High Priced...

    This logic just amazes me:

    Public site/public author makes creditable criticism about a relatively high-profile site your company was contracted to make....

    What are your options:

    Option A. Threaten individual author with bogus trademark case. After all, someone that has already gone public won't release our threat letter in a public forum and make the issue worse or anything - nah, definitely not that. Of course, lawyers are cheap as well so this will be a slam dunk - low cost, easy fix - hear no security flaws, see no security flaws - the lawyers can make it all go away! Hmmm.. I wonder if the guy might be right, never mind, legal will take care of it for us!

    Option B. Take two minutes (or more likely with overhead - 4 weeks), fix the initial page so that it is SSL based and take this as an opportunity to show how you handle mistakes in a professional manner.

    Option C. Just ignore it...

    With the economy like it is, I sure hope that the person at RSA that made this decision has some backup options as I wouldn't want to be part of the soon-to-be upcoming meeting on this issue!

    Freedom


  25.  
    Keven Sutton, Aug 13th, 2009 @ 4:46pm

    Re: Re: Re: Re: A technical point

    As far as a User perspective of security, yes; the appearance of security is very important.

    From the other side though, as a bit of an I.T. security specialist (mostly a hobby), there needs to be some substance behind that perceived security. You can create the illusion of security, but if you try to monetize that illusion it might be successful for a very short period, but will have no long term profitability. If you have high security and the illusion of insecurity, you'll have to fight against people's concepts that you are a poor security solution. (See many open source security solutions: the best thing out there, but because you can see the source code, managers who have little understanding of the programs themselves think that they are inherently more insecure.)


  26.  
    Bobby Boulders (profile), Aug 14th, 2009 @ 9:00pm

    WTF everyone? Why does it have to be this way? I have been with Navy Fed for over 12 years. Never ONCE have I had a problem, an issue, or a security concern. Please DON'T make NFCU the bad guy here... If the RSA is gonna be on "A-Hole Mode" then blame RSA. Besides, if NFCU has a security concern, they will take care of it. So STFU you haters and don't worry about MY credit union. They are awesome.


  27.  
    magreet, Aug 17th, 2009 @ 3:54am

    This information is worthy, as I had no idea of posting a comment on the blog. So this one is the blog which I like most. I would like to thank that master brain who made all this for readers like me. Keep up the good work.


  28.  
    Dave, Sep 2nd, 2009 @ 9:18am

    NFCU ignores us

    I got my first NFCU account almost 40 years ago. I still do most of my banking there. BUT be aware, their only, repeat only, claim to fame is being the largest credit union. They are nowhere near the best. Indeed, they are simply a marginal organization that has let the world pass them by when it comes to on-line services and a willingness to quickly react to problems and clearly respond to complaints.

    NFCU is now sooooo big, they contract out most of their services just like any other multinational. The layers of management make it almost impossible to get quick resolution to any problems an individual member may have.

    In fact, they have the best "form answer" letters in the business that make it seem they care, when they really just want you to go away. Complain, and they will bluntly tell you something like "moving forward, you need to use the proper" whatever....

    This week, you can hardly get around their web site to do your on-line banking without locking up. I began just today the lengthy process of severing my relation with them. And guess what? They will not even care.


  29.  
    johnboy, Jan 25th, 2011 @ 11:22am

    Re: Yay for security

    I would like to see stats on how "secure" the web really is, or, as I feel, "is not". Can someone tell me who is legally liable for "web security"? How safe are bank and credit card security systems? Seems as though "identity theft" is rampant, or at minimum not very risky for hacker crooks!

