RSA tries to silence blogger who exposed security flaw

Security vendor RSA has demanded that a blogger take down a post exposing a vulnerability in the Web site of one of its customers, Navy Federal Credit Union, accusing him of trademark infringement.

Last month Scott Jarkoff posted a blog entry on TechMiso warning that the Navy Federal Credit Union site lets customers enter their online banking passwords directly into an unsecured home page, rather than sending them to a secure log-in page.

"This is a huge security risk because it is ripe for phishing. By allowing users to login to an online bank from an unsecure, unverified site, those same customers could be tricked into entering their credentials from just about any domain," he says.

Days after posting his blog, Jarkoff received an e-mail from RSA's Anti Fraud Command Center, which is contracted by the credit union to help monitor and prevent fraudulent activity on the site.

The e-mail - which Jarkoff has posted - claims the blog's domain name "violates Navy Federal Credit Union's copyright, trademarks and other intellectual property rights".

In addition, RSA claims the blog - warning about a vulnerability to phishing - "may become a host to a phishing attack, or other fraudulent scams against the bank and the bank's clients".

"Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website," says the e-mail.

Jarkoff replied, refusing to take down the blog post, and then received a second message from RSA.

This e-mail makes no mention of intellectual property rights, instead asserting: "The problem with the material on the blog is that it suggests that Navy Federal's website is not secure."

The e-mail also says the credit union has asked RSA to get the blog taken down. Yet someone purporting to work in public relations for Navy Federal has commented on Jarkoff's post, thanking him for pointing out the vulnerability and revealing plans to address the security issue raised.

Despite this, Jarkoff has now received an e-mail from his hosting company notifying him that RSA has sent it a complaint and asked for the post to be taken down, claiming trademark infringement.

Jarkoff says the claim probably relates to a screenshot of the bank's site on the post.

He has again refused to remove the blog, saying: "I am very interested in pursuing this and seeing how far the rabbit hole leads and where we end up."

An RSA spokesman told Finextra the firm is unable to comment on the issue at present.

Comments: (1)

A Finextra member, 14 August, 2009, 16:45

Surely exposing this poor security is educational and fair use would come into play?

Aren't RSA the security arm of EMC and aren't they the storage company which provides services for that stock exchange where it was found all sorts of information was unsecured for ages?

Didn't they come up with some encryption thing in the early days of computing? Is it obsolete now? What do they actually do now, apart from police copyright infringement?

Seems a little foolish to attack the blogger; perhaps actually providing some security for the client would be more productive than trying to chase a blogger for alleged copyright infringement, which is the last bastion of the censor and snake oil salesman.

If RSA were worried about their logo appearing on the blogger's screen capture of their client's insecure site, they should have made sure it was at least superficially secure before they sold themselves.

Embarrassed about putting your name on an insecure site? Too late for that.