Friday, 26 June 2015

How secure is your bank?


The more traditional banks do all offer internet banking (when they can keep their IT working - yes, I'm looking at you, RBS Group) and all offer "helpful" tips about how you can be secure online… from installing software like Trusteer Rapport or Trust Defender, to keeping your system and security software up-to-date.


However, your connection with your bank's online banking service can only be as secure as they make it. The question is… with more and more of us using online banking, is your bank doing everything it can to make those transactions secure?

To test this, I have been using a tool provided by SSL Labs, called the SSL Server Test. It inspects the configuration of any public SSL web server (such as those used by banks for their online banking services) and grades them from A+ to F.

From the results below you will see that security implementation is hit and miss, with only one bank scoring higher than B (mainly because the rest maintain backward compatibility).

Most UK banks do not seem to support TLS 1.1 or 1.2 despite those standards being ratified in 2006 and 2008 respectively and being supported in all modern browsers.  Some banks still support the very antiquated and insecure SSL3.0 protocol.

The problem is that everyone stuck on Windows XP and still using IE6 (i.e. Mum & Dad) does not have support for TLS1.0+. It is the desire to support these antiquated OSs and browsers which has resulted in most banks also supporting RC4, which SSL Labs have described as a "lesser evil" for those antiquated browsers which only support SSL3.0 or TLS1.0.

My view is that they should just be left without support… after all, they could install Firefox… or upgrade their machine… But as there are no publicly-known feasible attacks against RC4, I suppose it is not unreasonable to keep that cipher alive for a little longer, although Mozilla and Microsoft recommend disabling it and TLS1.3 will ban it from use in the standard.

There will shortly be a new "challenger" bank called Atom which will not have any physical branches or ATMs; customers' interaction with their bank will be entirely through a mobile phone app.


If there are any banks which I have missed, let me know and I’ll add them in (All scores correct as of 26 June)

The Winner!

Virgin Money - A
https://www.ssllabs.com/ssltest/analyze.html?d=uk.virginmoney.com
Everyone else seemingly needs to copy what Virgin Money have done here, and the world of internet banking would be a much better and safer place. The only bank to score an A rating.

The Rest

Barclays - B
https://www.ssllabs.com/ssltest/analyze.html?d=bank.barclays.co.uk&s=157.83.96.200
This is going to be a common theme… Barclays use the RC4 cipher, which SSL Labs do not like one bit; they are advising that sites drop RC4 or see their score capped at B.
https://community.qualys.com/blogs/securitylabs/2015/04/23/ssl-labs-rc4-deprecation-plan

Barclays have dropped support for the insecure SSL3 protocol and support both TLS 1.2 & 1.0. They don't currently support forward secrecy (more about that is available here: https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy); simply dropping RC4 would see them achieve an A-.

Nationwide - B
https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk
Again, the grade is capped to a B for RC4 support.

Smile - B
https://www.ssllabs.com/ssltest/analyze.html?d=banking.smile.co.uk
A current internet-only bank (although part of the Co-op). It has the same RC4 support as Barclays & Nationwide though, and for the same reasons is only a B.

Co-operative Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.co-operativebank.co.uk
Much the same as Smile - not surprising as they are part of the same organisation.

Metro Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.metrobankonline.co.uk
Metro Bank also supports RC4, but only at the bottom of a long list of other cipher suites.

Natwest - C
https://www.ssllabs.com/ssltest/analyze.html?d=nwolb.com
Lacking support for TLS1.1 & 1.2, but does not support RC4! Proof that you can drop RC4 support and your customers can still access your service.

HSBC - C
https://www.ssllabs.com/ssltest/analyze.html?d=hsbc.co.uk&s=193.108.75.106&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Royal Bank of Scotland - C
https://www.ssllabs.com/ssltest/analyze.html?d=rbsdigital.com
Lacking support for TLS1.1 & 1.2, but does not support RC4.

Halifax - C (I personally think that Halifax should have been rated lower than C.)
https://www.ssllabs.com/ssltest/analyze.html?d=halifax-online.co.uk
Vulnerable to the SSL3 POODLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.


Lloyds Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk
Another which is vulnerable to the SSL3 POODLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

First Direct - C
https://www.ssllabs....firstdirect.com
Lacking support for TLS1.1 & 1.2 and supporting RC4.

Clydesdale Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=home2.cbonline.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Marks & Spencer Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=www7.marksandspencer.com
Lacking support for TLS1.1 & 1.2 and supporting RC4.

TSB - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Handelsbanken - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting RC4.

Santander - C
https://www.ssllabs.com/ssltest/analyze.html?d=retail.santander.co.uk
Supports RC4 but also orders the cipher suites badly, resulting in RC4 being used in modern browsers instead of a more secure alternative; this downgrades Santander from B to C (NOTE: from September onwards this may result in a downgrade to an F).

Sainsburys Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.sainsburysbank.co.uk&s=195.171.195.119&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Failures

Tesco Bank - F
https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com
Oh dear, oh dear, that pesky POODLE. This is an SSL/TLS problem which came to light in October 2014 (and December 2014 for TLS) and had all decent sysadmins patching their servers as soon as humanly possible. The patching is simple and doesn't require protracted downtime… there is no excuse not to apply it, and because of the severity of the consequences (particularly the TLS version), SSL Labs cap any site with this problem at a FAIL.

If Tesco Bank fixed that, they would still be capped at C as, for reasons known only to them, they only support TLS 1.0.

John Lewis: Partnership Card - F
https://www.ssllabs.com/ssltest/analyze.html?d=secure.partnershipcard.co.uk
Another big red F - this time for insecure client-side renegotiation, but again there is only support for TLS1.0 and SSL3.

The Post Office - F
https://www.ssllabs.com/ssltest/analyze.html?d=pofssavecredit.co.uk
Vulnerable to both POODLE attacks, this site also only supports SSL3 and TLS1.0, and it supports RC4 too: an abjectly bad implementation.
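As an added example (my own code, not part of the post or of SSL Labs), here is a small model of the grade caps the post describes, applied to constructed server profiles that mirror the entries above. It is not SSL Labs' real scoring algorithm; the A/A- split on forward secrecy is an assumption based on the Barclays remark, and the "SSL3 POODLE caps at C" rule is inferred from the Halifax and Lloyds results.

```python
# Added example: a model of the SSL Labs grade caps described in the post.
# Assumptions (not from SSL Labs): base grade A with forward secrecy, else A-;
# SSL3 POODLE caps at C (inferred from the Halifax/Lloyds results).
from dataclasses import dataclass, field

GRADES = ["A", "A-", "B", "C", "F"]  # best to worst


@dataclass
class TlsProfile:
    name: str
    protocols: set = field(default_factory=set)  # e.g. {"SSL3", "TLS1.0", "TLS1.2"}
    offers_rc4: bool = False
    prefers_rc4_for_modern_clients: bool = False  # the Santander cipher-ordering case
    forward_secrecy: bool = False
    poodle_ssl3: bool = False
    poodle_tls: bool = False
    insecure_renegotiation: bool = False


def worst(grade_a, grade_b):
    """Return the lower of two grades (caps never raise a grade)."""
    return GRADES[max(GRADES.index(grade_a), GRADES.index(grade_b))]


def grade(p):
    """Apply the caps from the post in turn; return (grade, reasons)."""
    if p.poodle_tls or p.insecure_renegotiation:
        return "F", ["POODLE TLS or insecure renegotiation: capped at F"]
    result, reasons = ("A" if p.forward_secrecy else "A-"), []
    if p.offers_rc4:
        result = worst(result, "B")
        reasons.append("RC4 offered: capped at B")
    if p.prefers_rc4_for_modern_clients:
        result = worst(result, "C")
        reasons.append("RC4 chosen ahead of stronger suites for modern browsers: capped at C")
    if not ({"TLS1.1", "TLS1.2"} & p.protocols):
        result = worst(result, "C")
        reasons.append("no TLS 1.1/1.2: capped at C")
    if p.poodle_ssl3:
        result = worst(result, "C")
        reasons.append("SSL3 POODLE: capped at C")
    return result, reasons


# Constructed profiles modelled on the post's entries, not live scan results.
SAMPLES = [
    TlsProfile("virgin-like", {"TLS1.0", "TLS1.1", "TLS1.2"}, forward_secrecy=True),
    TlsProfile("barclays-like", {"TLS1.0", "TLS1.2"}, offers_rc4=True),
    TlsProfile("natwest-like", {"TLS1.0"}),
    TlsProfile("santander-like", {"TLS1.0", "TLS1.2"}, offers_rc4=True,
               prefers_rc4_for_modern_clients=True),
    TlsProfile("tesco-like", {"TLS1.0"}, poodle_tls=True),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.name, *grade(sample))
```

Dropping `offers_rc4` on the barclays-like profile lifts it to A-, which is exactly the change the Barclays entry above predicts.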

Thursday, 23 April 2015

Thoughts on Oil price for 2015 and beyond

1. The Saudis are pumping from strategic oil wells.
2. Greater income equality and the rise of a middle class in the developing world create much bigger demand; it's where China's growth numbers keep coming from even as the West is declining.
3. Fracking will not be economically viable in a few more years, when all the easy stuff is gone and the first environmental problems pop up.
4. Inflation in general.
Deflation is only a local problem in certain communities that were lousy a decade ago. There are more places where inflation is a bitch.
Oil will be at 70 plus at year end, 90 by the end of next year, and it will keep rising.
All this CEO is doing is talking the markets down so Exxon can do a few takeovers.
And there's an even bigger story that's been under-reported all over, and that's the Saudis buying up huge oil fields all over the world right now.
They're running low on oil and they're pumping what they've got to lower prices to secure future income.
And why is nobody wondering why oil storage is rising in the US while it still needs to import oil?

Monday, 13 April 2015

Investing in Gold

1. Daily gold gains are capped at 1 percent (limit up) or 2 percent (expanded limit up).
2. Gold isn't allowed to have any follow-through rallies.
3. Gold is attacked at specific times -- 3 a.m. ET, pre-Comex and Comex open, NYSE open, London close, Comex close, 6 p.m. access trade open, and any opportune, thinly traded access markets.
4. Gold is attacked on all significant government data releases, especially the monthly nonfarm payrolls Friday report.
5. Gold is attacked on any ordinarily bullish news -- war, turmoil, economic crises, and Wall Street jitters.
6. Gold is attacked on all significant Comex option expiration and first-notice days, assuring that the maximum number of calls expire worthless, mitigating deliveries.
7. An attack on gold is frequently signaled by attacking either silver, HUI stocks, or both.
8. Flash crashes with no corresponding explanation always keep speculative longs stopped out or in losing positions.
9. New York and London are the centers of gold price suppression, so the London PM fix will be lower or no higher than $5 from the AM fix.
10. Comex margin changes, both higher and lower, are always to the detriment of gold longs.
11. Gold is never allowed to anticipate any bullish developments, nor is it allowed to be a barometer for currency largesse.

Saturday, 11 April 2015

Finding the right spot for opening positions

The solution for such a common problem as finding the right spot for opening a position is fairly simple – a confirmation candle. The first candle always triggers the strategy or indicator's signal that tells you how you should open a position according to the strategy rules. You have to wait for this candle to end in order to know what you are dealing with.

This is where most inexperienced traders make a mistake. They see the signal activated and open a position, just to watch the candlestick go in the opposite direction. So, the first step is to wait for the candle to close. This is the so-called alert candle, which alerts you that the strategy conditions are fulfilled. Then it's necessary to wait for the confirmation candle to confirm everything's fine. This is when you open the position.

Use candlesticks in all your strategies and always wait for the second one to confirm the signal you are receiving. If the signal is fake, don't open a position. You should always wait for the second confirmation candle regardless of whether you use support and resistance lines, channels, pivot points or the rules of any other strategy.

When I say confirmation, what I mean is waiting for the second day, following the signal day, to prove the move.

In other words, if a sell signal is given, traders who wait for confirmation would take the trade on the third day after the signal was created (day one), and only if on the day following the signal (day two) the instrument in question closed below the signal day's low.

There are 'Four Corners of Confirmation' that must be addressed at this point.

1. Waiting for confirmation takes patience…and can sometimes lead to missing a trade.

2. Missed money is always better than lost money. Even if waiting for confirmation means letting an opportunity slip by, it’s a whole lot better than jumping the gun into a losing trade.

3. Confirmation does not mean a trade is a sure thing. Pre-determined stops are vital to profitable trading and effective money management.

4. Even with confirmation, more work is required. Traders must take the time to research underlying fundamentals and news with every signal generated. Trading blindly on technicals is just plain stupid.

Here's what it all really comes down to: waiting for confirmation can save you money and potentially increase your profitability. Why?

When a signal is 'confirmed', the market is saying Wall Street believes in the signal and a trend is likely to ensue. And that's what it all really comes down to… knowing that a signal is more than volatility, something that happens all too often in today's market.

I want to now take a moment to show you a chart where the 'signal' lied, and traders who jumped the gun are probably losing.

The signal is called a Hammer. The signal is widely accepted as alluding to a pending reversal (the opposite of a Hammer bottom would be a Hangman top).

Confirmation traders, however, would have never taken a position at all, and would most likely be very happy that they didn't, as of now. At the end of the day, waiting for confirmation is just good housekeeping, at least when trading from candlestick chart-derived signals.

Thursday, 9 April 2015

Moving the blog onward....

I am going to move this blog along. Rather than tech, which is my main interest, I am very interested in the financial markets.

I am going to attempt to make some YouTube videos about trading.

If you are interested, this is the first attempt. It tries to explain how to read candlestick charts, using alert candles and confirmation candles to spot an ongoing trend, and how to find an entry point for a trade.

https://www.youtube.com/watch?v=CHPK12_Qk0M
Thursday, 12 February 2015

Two Quick Nmap Commands

This is a reminder for me more than anything else.

nmap -v -sV -iR 10000 -sU -p 23 | grep '^23.*open' -B3 | grep '^Nmap scan' | cut -d\( -f2 | cut -d\) -f1 > output.txt

nmap -v -sV -iR 10000 -sU -p 23|awk  '/(open)/{print $2}' RS="Nmap" FS="[)(]"

Try to work out what they are doing...

Tuesday, 27 January 2015

Some Quick Cisco Stuff - Graylog2

So I plan on updating this with A LOT of Cisco stuff... eventually. If this helps ANYONE out there I will be a happy man.

For now this is a quick update.

I am configuring Graylog2. Here are the Cisco config commands to set it up to send to Graylog2 using syslog. Obviously I don't need to tell you to change the server IP of your Graylog server and the logging level.

https://www.graylog2.org/resources/documentation/sending/syslog

conf t
service timestamps log datetime msec localtime
no logging message-counter syslog
logging origin-id hostname
logging facility syslog
logging <<<SERVER IP>>>
no service sequence-numbers
logging trap <emergencies|alerts|critical|errors|warnings|notifications|informational|debugging>

Logging trap levels:

Level  Keyword        Description                        Syslog definition
0      emergencies    System unstable                    LOG_EMERG
1      alerts         Immediate action needed            LOG_ALERT
2      critical       Critical conditions                LOG_CRIT
3      errors         Error conditions                   LOG_ERR
4      warnings       Warning conditions                 LOG_WARNING
5      notifications  Normal but significant condition   LOG_NOTICE
6      informational  Informational messages only        LOG_INFO
7      debugging      Debugging messages                 LOG_DEBUG
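As an added example (my own code, not from the post, Cisco or Graylog), here is a parser for the syslog lines a device configured as above emits, mapping the severity digit in %FACILITY-SEVERITY-MNEMONIC onto the level table and cross-checking it against the syslog PRI. The sample lines are constructed to approximate IOS output with "service timestamps log datetime msec localtime" and "logging origin-id hostname"; exact spacing varies between IOS versions, so the regex is kept tolerant.

```python
# Added example: parse Cisco IOS syslog lines and filter by the trap level table.
# "logging facility syslog" gives PRI facility 5, so PRI = 5*8 + severity.
import re

LEVELS = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
          4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                       # syslog PRI = facility*8 + severity
    r"(?:(?P<host>[\w.-]+): )?"                  # hostname from "logging origin-id hostname"
    r"(?P<ts>[*.]?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?): "  # datetime msec timestamp
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): "   # %FACILITY-SEVERITY-MNEMONIC
    r"(?P<msg>.*)$")


def parse_cisco_syslog(line):
    """Return a dict of fields, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, sev = int(m["pri"]), int(m["sev"])
    rec = {"host": m["host"], "timestamp": m["ts"], "facility": m["fac"],
           "severity": sev, "level": LEVELS[sev], "mnemonic": m["mnem"],
           "message": m["msg"], "pri_facility": pri // 8, "pri_severity": pri % 8}
    # The PRI severity and the %...-N-... severity should agree; flag a mismatch.
    rec["consistent"] = rec["pri_severity"] == sev
    return rec


def at_or_above(lines, level):
    """Records whose severity number is <= level, i.e. at least that severe."""
    recs = (parse_cisco_syslog(line) for line in lines)
    return [r for r in recs if r and r["severity"] <= level]


# Constructed sample lines (hostnames, times and addresses are made up).
SAMPLE_LINES = [
    "<45>router1: *Jun 26 14:02:11.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<43>router1: *Jun 26 14:03:02.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<46>router1: *Jun 26 14:03:05.001: %SEC_LOGIN-6-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for r in at_or_above(SAMPLE_LINES, 3):  # errors and worse, as "logging trap errors" would send
        print(r["host"], r["level"], r["mnemonic"], r["message"])
```

The same `at_or_above` threshold is what "logging trap <level>" applies on the device; running it on the collector side as well catches devices whose trap level was set too chatty or too quiet.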