Belgian bank & SSL slashdot effect

Quick wrap up of the slashdot effect 10 days ago.

A peak of 12k views on Monday 16/02, with a small buildup on Sunday (15/02).

slashdot

The top pages were Part 3, Part 1, Part 4 and Part 2 respectively.

De Redactie is the highest referrer, surpassing De Morgen (first to publish in printed media, front page) & Datanews (first to publish online):

referrer

Second highest, after Twitter (t.co), was Tweakers (Dutch website, oddly enough).

OS wise, about 60% is Windows, 12% of OSX and 10% of iOS; 79% desktop, 15% phones, 6% tablets. Way more mobile than I expected to be honest.

This was easily handled on a Debian virtual machine: running a dual core Xeon vCPU (3.2Ghz) with 2Gb of RAM. Nginx as webserver. No slowdown was noticed. Google Analytics reported peaks of ~100 concurrent users (but not sure what timeframe they consider “concurrent”).

network

There was, what looks like, a DoS on Monday around 12h00 for about 30 minutes causing a 100% load (2.00 linux load, on 2 vCPUs), however there was no out of the ordinary traffic data peak — but I didn’t have time to look into it, and by the time I had notice it was already long over.

load

cpu

Interesting networks:

  • Usually Telenet & Belgacom consumer networks are high above anything else (they were still #1 and #2 respectively, this time), but closely following up where a lot of corporate networks, as as these:
  • Bank van Breda (177 pageviews)
  • ING (167)
  • Fortis (125)
  • KBC (114)
  • AXA (104)
  • And others (< 50 pageviews) Ogone, HP, Crelan, Argenta, Infrabel, Deutsche Bank, Microsoft, Vlaamse Overheid, AGFA, Getronics, De Post, etc.

Interesting referrers:

  • a bunch of intranets (fedict, kbc, ing),
  • a bunch of bank website & mailings: updated list on part 4.

Interesting reads:

  • Frank,
  • And a few comments on part 3 and part 4.

Ripple effect:

Belgian banks & SSL — part 4

Because of the mediastorm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

  • 16/02/2015:
    • Keytrade: B to A
    • Hello Bank!: C to A
    • ING: F to A-
    • Record Bank: F to A-
  • 17/02/2015:
    • ABK: F to B
    • Bank Van Breda: C to B
  • 18/02/2015:
    • MeDirect: F to A
    • Added 6 new (small) banks
  • 27/02/2015
    • Ogone: C to A-
  • 02/03/2015
    • Fortuneo: C to B
  • 03/03/2015
    • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate they requested SSL Labs to not scan them. I have also added a couple new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as bank tool).

I would like to apologise for every IT’er that had a crappy Monday morning, and thank you for fixing SSL so fast. 🙂

The entire list updated (last partial update 18/02/2015 around 20h00):

I’ve updated the sites to now correctly test the login page and not the main homepage. If that’s not the case somewhere, please tell me.

Grade A

Grade B

  • Argenta: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • ABK: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • Bank Van Breda: weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation. [update]
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • BKCP: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy. [newsletter]
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • DHB Bank: weak signature (SHA1), RC4 (insecure).
  • Fortuneo: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • NIBC Direct: weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy

Grade C

  • PSA Bank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • Optima Bank: vulnerable to POODLE attack in SSL3 and TLS format, weak signature (SHA1), RC4, no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Respect to those that send a mailing list to their customers with more detailed information. Communication++

Respect to Rabobank to be the only bank that directly contacted me (officially, not hiding behind a Gmail or Hotmail address) and thanked me for the work I did, asking for more details, etc.

And thank you for an anonymous person, working for one of the big banks, to give me more details about why they are slow at patching this, how legacy works, etc. I wish he could take this discussion public, but alas.

Belgian banks & SSL — part 3

EDIT: ING is now A- (not reflected in this blog post).
EDIT 2: Keytrade & Hello Bank also went to A. I’ll post a new blog post later tonight.
EDIT 3: Updated post here.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. 😉

Part one and two are available here. Not related but useful nonetheless NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s the time to check everything again.

TL;DR: Only Argenta’s status changed for the better.

Those that did not change:

  • Rabobank: A+
  • Triodos: A+
  • Belfius: A-
  • BNP Paribas Fortis: A-
  • bpost bank: A-
  • AXA: B
  • beobank: B
  • CPH: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
    • BvB no longer supports secure renegotiation (which, afaik, it did before). However, it’s still rated as C, as this isn’t a real issue.
  • ING: F
  • Record Bank (internet banking): F

Those that did change:

  • Argenta (internet banking): F to B
    • No longer vulnerable to POODLE,
    • Support for protocol downgrade attacks prevention,
    • Still using SSL3 (obsolete and insecure),
    • Weak signature (SHA1),
    • RC4 cipher is supported (insecure),
    • No Forward Secrecy.

Still a little way to go for Argenta, but it’s on the right path.

Those that I hadn’t tested before:


The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis: (A-) weak signature (SHA1), no Forward Secrecy.
  • bpost bank: (A-) weak signature (SHA1), no Forward Secrecy.

Grade B

  • Argenta: no SSL on main page.
    • internet banking: SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • VDK: SSL3 (insecure),no TLS 1.2, weak signature (SHA1), RC4 (insecure), no Forward Secrecy
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Bredano SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy, no support for secure renegotiation.
  • Ogone: payment facilitator
    • weak signature (SHA1), RC4, vulnerable to POODLE, no Forward Secrecy

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ABK: SSL2 (insecure), vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure), no Forward Secrecy, no TLS 1.2.
  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • MeDirect Bank: vulnerable to POODLE attack, OpenSSL CCS vulnerability (quite bad),
  • Record Bankno SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.

Also, shame on you ING. More than any other bank.

Belgian banks & SSL — part 2

I previously wrote about Belgian banks & SSL. Updated version (15/02/2015) here.

Going through my Google Analytics I noticed some noteworthy network domains, which Google discribes as “The fully qualified domain names of your visitors’ Internet service providers (ISPs)”.

Screen Shot 2015-02-01 at 01.35.01Screen Shot 2015-02-01 at 01.35.23Screen Shot 2015-02-01 at 01.35.34Screen Shot 2015-02-01 at 01.36.59Screen Shot 2015-02-01 at 01.37.32

There are a few more (Belgian) government institutions and universities, and the top in the list are “(not set)” and “unknown”.

Clearly some people at the banks read the post during their work time. So it’s only fair to recheck the websites… Here goes:

Those that I hadn’t tested before:

  • CPH: B
  • Record Bank (internet banking): F

Those that did not change:

  • Rabobank: A+
  • Belfius: A-
  • AXA: B
  • beobank: B
  • KBC: B
  • Keytrade Bank: B
  • Crelan (internet banking): B
  • Hello bank!: C
  • Bank Van Breda (internet banking): C
  • ING: F
  • Argenta (internet banking): F

Those that did change:

  • TriodosA to A+
    • downgrade prevention correctly applied.
  • BNP Paribas FortisF to A-
    • No longer vulnerable to POODLE,
    • Disabled SSL3 (insecure),
    • Disabled RC4 (insecure),
    • Still using a weak signature (SHA1),
    • No Forward Secrecy.
  • bpost bankF to A-
    • No longer vulnerable to POODLE,
    • Disabled SSL3 (insecure),
    • Disabled RC4 (insecure),
    • Still using a weak signature (SHA1),
    • No Forward Secrecy.

Huge thumbs up for these last three banks! Well done, especially BNP & bpost! 🙂

Keep on shaming the others.


The entire list updated:

Grade A

  • Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Triodos (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
  • Belfius (A-): weak signature (SHA1), no Forward Secrecy.
  • BNP Paribas Fortis: (A-) weak signature (SHA1), no Forward Secrecy.
  • bpost bank: (A-) weak signature (SHA1), no Forward Secrecy.

Grade B

  • AXA: weak signature (SHA1), SSL3 (insecure), RC4 (insecure), no Forward Secrecy.
  • beobank: weak signature (SHA1), no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • CPH: no TLS 1.2, RC4 (insecure), no Forward Secrecy.
  • KBC: weak signature (SHA1), no TLS 1.2, no Forward Secrecy.
  • Keytrade Bank: weak signature (SHA1), RC4 (insecure).
  • Crelan: no SSL on main page.
    • internet banking: weak signature (SHA1), SSL3 (insecure), no TLS 1.2, RC4, no Forward Secrecy.

Grade C

  • Hello bank!: vulnerable to POODLE attack, weak signature (SHA1), RC4 (insecure).
  • Bank Van Bredano SSL on main page.
    • internet banking: vulnerable to POODLE attack, weak signature (SHA1), no TLS 1.2, no Forward Secrecy.

Grade D

  • n/a

Grade E

  • n/a

Grade F

  • ING: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Argentano SSL on main page.
    • internet banking: vulnerable to POODLE attack, SSL3 (insecure), weak signature (SHA1), RC4 (insecure), no Forward Secrecy.
  • Record Bankno SSL on main page.
    • internet banking: vulnerable to POODLE attack, RC4 (insecure), no Forward Secrecy.

Information about SSL Labs grading can be found here. Grade A (+) being the best possible ranking, and F the worst.