Monday, July 19, 2010

ISSA LA gets some press

Our very own Stan Stahl has been quoted in the LA Business Journal:

It seems starting Internet security companies has become something of a gold rush, according to Stan Stahl, chief executive of L.A. cybersecurity firm Citadel Information Group and president of the Information Systems Security Association.

“In the last year, all of a sudden this industry has taken off,” Stahl said. “Legally, anyone can hang up a shingle and say they are a computer security expert.”

This is in an announcement for a new independent information security firm headed by Hemu Nigam called SSP Blue.

A new infosec boutique isn't in itself so newsworthy - but the mention of ISSA along with some positive business prognostications about infosec in general make the article worth a read.

Friday, July 09, 2010

News from 2009 - SSL Cert Atrocities from WAMU/CHASE

For historical reasons I'd rather not detail, I had an account with WAMU (now Chase). During the middle of the Chase acquisition, I noticed the SSL cert error displayed in this post. This was during the process of setting up an online savings account, which the bank was heavily touting at the time. I wish I had saved a screenshot, but at a slightly later time in the acquisition process, the cert error changed from an expired cert to a cert not matching the URL.

I called customer support at WAMU/Chase and got absolutely nowhere. I went as far as to send a complaint to the OCC. Their response was that they can't do anything, as they do not regulate Internet banking.

Now think about this a bit. This is a bank. You trust them to hold your money - lots of it. This particular bank is heavily pushing their Internet-only services. They then commit the most atrocious SSL cert error possible - a cert that does not match the URL for their heavily-promoted online savings enrollment. This is an error that every modern browser screams loudly about - for good reason. This type of cert error is the one encountered with a man-in-the-middle attack. I've just entered all the information required for major identity theft, and then I have my browser telling me the site I've encountered is likely fake. When the error is reported, the response is - crickets chirping. Not just from the bank itself, but from the regulators.

You may accuse me of being a luddite, but I still do a minimal amount of electronic banking. Most of my bills are paid with old fashioned checks sent via the US Postal Service. If banks want to gain the trust of customers like me, they need to start getting the very basics of security right - regardless of whether or not they are undergoing a merger.
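The two errors described above (an expired cert, then a cert whose name does not match the URL) are exactly the checks a browser performs before trusting a site. As an added example not from the original post, here is a small stdlib-only checker that runs those two checks over a certificate in the dictionary shape Python's `ssl` module returns from `getpeercert()`; the certificate contents and hostnames below are constructed for illustration.

```python
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert():
# issued for the old bank's hostnames, and long past its notAfter date.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.wamu.example"),),),
    "subjectAltName": (("DNS", "www.wamu.example"), ("DNS", "*.wamu.example")),
    "notBefore": "Jul 15 00:00:00 2008 GMT",
    "notAfter": "Jul 15 00:00:00 2009 GMT",
}


def cert_dns_names(cert):
    """DNS names the cert is valid for: SANs first, commonName only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def host_matches(pattern, host):
    """Match one cert name against the URL host; '*' is only valid as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def check_cert(cert, host, now=None):
    """Return the list of browser-style failures for this cert at time `now` (epoch seconds)."""
    now = time.time() if now is None else now
    errors = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        errors.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        errors.append("expired")
    if not any(host_matches(name, host) for name in cert_dns_names(cert)):
        errors.append("hostname mismatch")
    return errors


if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Jan 15 00:00:00 2010 GMT")
    # The post's second-stage error: the URL moved to the acquirer's domain.
    print(check_cert(SAMPLE_CERT, "savings.chase.example", now=when))
```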

Monday, July 05, 2010

Where does Windows 7 hide GnuPG keys?

Look under C:\Users\yourName\Application Data\gnupg