Bank of the West security contact?
Anyone have security contact at Bank of the West?
--
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristian.hermansen
Re: Bank of the West security contact?
RFC 2142 offers a number of well known mailboxes that should be
monitored. Try secure@, security@, and support@.

WHOIS offers technical and administrative contacts.

$ whois bankofthewest.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: BANKOFTHEWEST.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: A1.VERISIGNDNS.COM
Name Server: A2.VERISIGNDNS.COM
Name Server: A3.VERISIGNDNS.COM
Name Server: DNS1.BANKOFTHEWEST.COM
Name Server: DNS2.BANKOFTHEWEST.COM
Name Server: DNS3.BANKOFTHEWEST.COM
Name Server: DNS4.BANKOFTHEWEST.COM
Status: clientTransferProhibited
Updated Date: 13-jul-2013
Creation Date: 23-jan-1996
Expiration Date: 24-jan-2020

>>> Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to ...

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Domain Name: BANKOFTHEWEST.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://www.networksolutions.com/en_US/
Updated Date: 2011-01-04T00:00:00Z
Creation Date: 1996-01-23T00:00:00Z
Registrar Registration Expiration Date: 2020-01-25T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: 800-333-7680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: the West, Bank of
Registrant Organization: Bank of the West / William Scanlin
Registrant Street: 2527 Camino Ramon
Registrant City: San Ramon
Registrant State/Province: CA
Registrant Postal Code: 94583
Registrant Country: US
Registrant Phone: (925) 843-2358
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: registrar@bankofthewest.com
Registry Admin ID:
Admin Name: the West, Bank of
Admin Organization: Bank of the West / William Scanlin
Admin Street: 2527 Camino Ramon
Admin City: San Ramon
Admin State/Province: CA
Admin Postal Code: 94583
Admin Country: US
Admin Phone: (925) 843-2358
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: registrar@bankofthewest.com
Registry Tech ID:
Tech Name: the West, Bank of
Tech Organization: Bank of the West / William Scanlin
Tech Street: 2527 Camino Ramon
Tech City: San Ramon
Tech State/Province: CA
Tech Postal Code: 94583
Tech Country: US
Tech Phone: (925) 843-2358
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: registrar@bankofthewest.com
Name Server: DNS1.BANKOFTHEWEST.COM
Name Server: DNS2.BANKOFTHEWEST.COM
Name Server: DNS3.BANKOFTHEWEST.COM
Name Server: DNS4.BANKOFTHEWEST.COM
Name Server: A1.VERISIGNDNS.COM
Name Server: A2.VERISIGNDNS.COM
Name Server: A3.VERISIGNDNS.COM
DNSSEC: not signed
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of whois database: Sat, 08 Feb 2014 09:19:03 UTC <<<

The data in Networksolutions.com's WHOIS database ...

On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
<kristian.hermansen@gmail.com> wrote:
> Anyone have security contact at Bank of the West?
> --
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> https://profiles.google.com/kristian.hermansen
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
<kristian.hermansen@gmail.com> wrote:
> Anyone have security contact at Bank of the West?

You might also try reaching out to Justin Ferguson. The impression I
got is he is masterful at infosec; and he can probably put you in
touch with someone in about 3 degrees - perhaps even 1 (that beats the
snot out of six degrees for other famous people).

Jeff

Re: Bank of the West security contact?
well, not to be outdone by the RFC parroting and amazing whois. If you
google "@bankofthewest.com" or "(at)bankofthewest(dot)com" you'll pull
a bazillion email addresses that you can spam. Alternatively
cfo@bankofthewest.com cio@bankofthewest.com or
Kirsten.Garen@bankofthewest.com or Duke.Dayal@bankofthewest.com as
firstname.lastname@bankofthwest.com is the apparent format.

That said, unlike turbo here, I recognize you're looking for confirmed
contacts, and I don't have any there. He thought you possibly didn't
know how to whois, I suggested to him that he could also look up their
CSR number in the phone book, because perhaps you didn't know how to
do that either; of course, American banks don't actually get that +1
is a country code.. so, yeah.

Best of Luck.

On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
> <kristian.hermansen@gmail.com> wrote:
>> Anyone have security contact at Bank of the West?
>
> You might also try reaching out to Justin Ferguson. The impression I
> got is he is masterful at infosec; and he can probably put you in
> touch with someone in about 3 degrees - perhaps even 1 (that beats the
> snot out of six degrees for other famous people).
>
> Jeff
>



--
--

"Am I not destroying my enemies when I make friends of them?"
-- Abraham Lincoln

Re: Bank of the West security contact?
On Sat, Feb 08, 2014 at 04:21:52AM -0500, Jeffrey Walton wrote:
> RFC 2142 offers a number of well known mailboxes that should be
> monitored. Try secure@, security@, and support@.

Doesn't look as if any of those addresses would work:

RCPT TO:<security@bankofthewest.com>
550 Mailbox unavailable or access denied - <security@bankofthewest.com>
RCPT TO:<secure@bankofthewest.com>
550 Mailbox unavailable or access denied - <secure@bankofthewest.com>
RCPT TO:<support@bankofthewest.com>
550 Mailbox unavailable or access denied - <support@bankofthewest.com>

Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson <jf@ownco.net> wrote:
> well, not to be outdone by the RFC parroting and amazing whois. If you
> google "@bankofthewest.com" or "(at)bankofthewest(dot)com" you'll pull
> a bazillion email addresses that you can spam. Alternatively
> cfo@bankofthewest.com cio@bankofthewest.com or
> Kirsten.Garen@bankofthewest.com or Duke.Dayal@bankofthewest.com as
> firstname.lastname@bankofthwest.com is the apparent format.
>
> That said, unlike turbo here, I recognize you're looking for confirmed
> contacts, and I don't have any there. He thought you possibly didn't
> know how to whois, I suggested to him that he could also look up their
> CSR number in the phone book, because perhaps you didn't know how to
> do that either; of course, American banks don't actually get that +1
> is a country code.. so, yeah.
You should also provide some of that crack legal advice, too.

Jeff

> On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton <noloader@gmail.com> wrote:
>> On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
>> <kristian.hermansen@gmail.com> wrote:
>>> Anyone have security contact at Bank of the West?
>>
>> You might also try reaching out to Justin Ferguson. The impression I
>> got is he is masterful at infosec; and he can probably put you in
>> touch with someone in about 3 degrees - perhaps even 1 (that beats the
>> snot out of six degrees for other famous people).
>>

Re: Bank of the West security contact?
i think we need valdis' expert opinion here.

On Sat, Feb 8, 2014 at 6:33 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson <jf@ownco.net> wrote:
>> well, not to be outdone by the RFC parroting and amazing whois. If you
>> google "@bankofthewest.com" or "(at)bankofthewest(dot)com" you'll pull
>> a bazillion email addresses that you can spam. Alternatively
>> cfo@bankofthewest.com cio@bankofthewest.com or
>> Kirsten.Garen@bankofthewest.com or Duke.Dayal@bankofthewest.com as
>> firstname.lastname@bankofthwest.com is the apparent format.
>>
>> That said, unlike turbo here, I recognize you're looking for confirmed
>> contacts, and I don't have any there. He thought you possibly didn't
>> know how to whois, I suggested to him that he could also look up their
>> CSR number in the phone book, because perhaps you didn't know how to
>> do that either; of course, American banks don't actually get that +1
>> is a country code.. so, yeah.
> You should also provide some of that crack legal advice, too.
>
> Jeff
>
>> On Sat, Feb 8, 2014 at 5:45 AM, Jeffrey Walton <noloader@gmail.com> wrote:
>>> On Sat, Feb 8, 2014 at 12:27 AM, Kristian Erik Hermansen
>>> <kristian.hermansen@gmail.com> wrote:
>>>> Anyone have security contact at Bank of the West?
>>>
>>> You might also try reaching out to Justin Ferguson. The impression I
>>> got is he is masterful at infosec; and he can probably put you in
>>> touch with someone in about 3 degrees - perhaps even 1 (that beats the
>>> snot out of six degrees for other famous people).
>>>



--
--

"Am I not destroying my enemies when I make friends of them?"
-- Abraham Lincoln

Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson <jf@ownco.net> wrote:
> well, not to be outdone by the RFC parroting and amazing whois. If you
> google "@bankofthewest.com" ...
Google does not allow you to search for the '@' symbol.
https://productforums.google.com/forum/#!topic/websearch/Dj-lKNCKK8o.

That's why there are email harvesters out there.

Perhaps you were using the amphora symbol, or you meant "bankofthewest.com".

Jeff

Re: Bank of the West security contact?
> Google does not allow you to search for the '@' symbol.

funny, there is a marked difference between when you search for
"domain.com" and "@domain.com", one of which is that it includes a lot
of email addresses. Google is even so kind as to link in common email
address distortions.

Try before you speak please, turbo.

On Sat, Feb 8, 2014 at 6:57 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Sat, Feb 8, 2014 at 6:05 AM, Justin Ferguson <jf@ownco.net> wrote:
>> well, not to be outdone by the RFC parroting and amazing whois. If you
>> google "@bankofthewest.com" ...
> Google does not allow you to search for the '@' symbol.
> https://productforums.google.com/forum/#!topic/websearch/Dj-lKNCKK8o.
>
> That's why there are email harvesters out there.
>
> Perhaps you were using the amphora symbol, or you meant "bankofthewest.com".
>
> Jeff



--
--

"Am I not destroying my enemies when I make friends of them?"
-- Abraham Lincoln

Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson <jf@ownco.net> wrote:
>> Google does not allow you to search for the '@' symbol.
>
> funny, there is a marked difference between when you search for
> "domain.com" and "@domain.com", one of which is that it includes a lot
> of email addresses. Google is even so kind as to link in common email
> address distortions.
>
> Try before you speak please, turbo.
Oh, got it. Google's policies and rules don't apply to you. Silly me.

You'll have to forgive me. I'm a slow learner at times.

Jeff

Re: Bank of the West security contact?
> Oh, got it. Google's policies and rules don't apply to you. Silly me.

feel free to try it yourself, probably takes less time than you know,
reading policies they quite obviously bend. I mean, seriously, this is
on the first page of hits:
http://webcache.googleusercontent.com/search?q=cache:_iETEKI6kCkJ:www.sharkonline.org/index.php/take-action/contact-corporate-sponsors/1332-get-bank-of-the-west-out-of-rodeo+&cd=12&hl=en&ct=clnk&gl=us

This is on the second:
http://webcache.googleusercontent.com/search?q=cache:h1khHCwhgBQJ:leasingnews.org/PDF/Email_Capitalwerks.pdf+&cd=19&hl=en&ct=clnk&gl=us

et cetera, but hey, cool story bro.

> You'll have to forgive me. I'm a slow learner at times.

probably because, per you, you dont read webpages due to evil ToS' ..

On Sat, Feb 8, 2014 at 7:07 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson <jf@ownco.net> wrote:
>>> Google does not allow you to search for the '@' symbol.
>>
>> funny, there is a marked difference between when you search for
>> "domain.com" and "@domain.com", one of which is that it includes a lot
>> of email addresses. Google is even so kind as to link in common email
>> address distortions.
>>
>> Try before you speak please, turbo.
> Oh, got it. Google's policies and rules don't apply to you. Silly me.
>
> You'll have to forgive me. I'm a slow learner at times.
>
> Jeff



--
--

"Am I not destroying my enemies when I make friends of them?"
-- Abraham Lincoln

Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson <jf@ownco.net> wrote:
>> ...
>> You'll have to forgive me. I'm a slow learner at times.
>
> probably because, per you, you dont read webpages due to evil ToS' ..
That's not what I said when you were trolling offline. You could cite
it if you'd like.

Jeff

Re: Bank of the West security contact?
p.s.

add an additional word, any word, for instance +"the", magic happens.

try also CSO
http://vscso.org/pipermail/staff_vscso.org/2011-October/000054.html
http://nebraskafbla.org/contact-us/advisory-council/
https://www.bankofthewest.com/static_files/botw2/home/about-us/our-company/annual-reports/annual-report-current.pdf
http://www.sba.gov/sites/default/files/SBA%20Lender%20List%20for%20San%20Diego%20and%20Imperial%20Counties_1.pdf
http://www.oldtownchinatown.org/pdf/newsletter-2005-winter.pdf
http://sdsbdcnetwork.org/sponsors/

etc

some rules can be bent, others broken.

On Sat, Feb 8, 2014 at 7:07 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Sat, Feb 8, 2014 at 7:05 AM, Justin Ferguson <jf@ownco.net> wrote:
>>> Google does not allow you to search for the '@' symbol.
>>
>> funny, there is a marked difference between when you search for
>> "domain.com" and "@domain.com", one of which is that it includes a lot
>> of email addresses. Google is even so kind as to link in common email
>> address distortions.
>>
>> Try before you speak please, turbo.
> Oh, got it. Google's policies and rules don't apply to you. Silly me.
>
> You'll have to forgive me. I'm a slow learner at times.
>
> Jeff



--
--

"Am I not destroying my enemies when I make friends of them?"
-- Abraham Lincoln

Re: Bank of the West security contact?
> That's not what I said when you were trolling offline. You could cite
> it if you'd like.

its cool, i actually didnt click reply-all for a reason. you elected
to go for group consensus, old one.

On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson <jf@ownco.net> wrote:
>>> ...
>>> You'll have to forgive me. I'm a slow learner at times.
>>
>> probably because, per you, you dont read webpages due to evil ToS' ..
> That's not what I said when you were trolling offline. You could cite
> it if you'd like.
>
> Jeff



--
--

"Am I not destroying my enemies when I make friends of them?"
-- Abraham Lincoln

Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 7:17 AM, Justin Ferguson <jf@ownco.net> wrote:
>> That's not what I said when you were trolling offline. You could cite
>> it if you'd like.
>
> its cool, i actually didnt click reply-all for a reason. you elected
> to go for group consensus, old one.
I thought it was selfish keeping your cornucopia of knowledge to
myself. Hence the reason I suggested Kristian engage you.

Jeff

> On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton <noloader@gmail.com> wrote:
>> On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson <jf@ownco.net> wrote:
>>>> ...
>>>> You'll have to forgive me. I'm a slow learner at times.
>>>
>>> probably because, per you, you dont read webpages due to evil ToS' ..
>> That's not what I said when you were trolling offline. You could cite
>> it if you'd like.

Re: Bank of the West security contact?
Keep this list professional guys. I hate seeing it turn into an IRC chat room.

Justin, you should really stop this type of behavior, you're not doing yourself any favors. I let it go when you decided you wanted to repeatedly bash me privately over one of my CVE's posted here, however I can see it's starting to look like a pattern for you.

Daniel

On Feb 8, 2014, at 6:17 AM, Justin Ferguson <jf@ownco.net> wrote:

>> That's not what I said when you were trolling offline. You could cite
>> it if you'd like.
>
> its cool, i actually didnt click reply-all for a reason. you elected
> to go for group consensus, old one.
>
>> On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton <noloader@gmail.com> wrote:
>> On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson <jf@ownco.net> wrote:
>>>> ...
>>>> You'll have to forgive me. I'm a slow learner at times.
>>>
>>> probably because, per you, you dont read webpages due to evil ToS' ..
>> That's not what I said when you were trolling offline. You could cite
>> it if you'd like.
>>
>> Jeff
>
>
>
> --
> --
>
> "Am I not destroying my enemies when I make friends of them?"
> -- Abraham Lincoln
>

Re: Bank of the West security contact?
...

Oh noes. Owasp guy wants to admonish me.

And yes, I called your "local data at rest is not encrypted despite there
being no way to secure a key unless you think the subway app deserves its
own password" bullshit because well it was bullshit. I was at least
respectful enough to tell you that it was bullshit clogging my inbox
privately instead of pulling some imaginary weight on the n3td3v all stars
mailing list.

There is nothing professional about F-D. But yes, from time to time when I
happen to read particularly absurd piles of crap sent to me, I do respond
by saying "this is a giant pile of crap". In all earnest if you Google a
bit, this is pretty tame, I've not once seen fit to include a picture of my
bare backside.

At any rate, I appreciate your maternal behavior, what the world needs is
more CISSP-esque discussion on professional behavior on the internet. I'm
fairly positive that at this point, anyone whose opinion I care about is
well aware that I am at times outspoken, and the rest (*@owasp.com) are
irrelevant.

You have to be polite to random people who don't deserve it, such is life
with subway app bug finders.

Sincerely,

Justin N. Ferguson I
On Feb 8, 2014 11:32 AM, "Daniel Wood" <daniel.wood@owasp.org> wrote:

> Keep this list professional guys. I hate seeing it turn into an IRC chat
> room.
>
> Justin, you should really stop this type of behavior, you're not doing
> yourself any favors. I let it go when you decided you wanted to repeatedly
> bash me privately over one of my CVE's posted here, however I can see it's
> starting to look like a pattern for you.
>
> Daniel
>
> On Feb 8, 2014, at 6:17 AM, Justin Ferguson <jf@ownco.net> wrote:
>
> >> That's not what I said when you were trolling offline. You could cite
> >> it if you'd like.
> >
> > its cool, i actually didnt click reply-all for a reason. you elected
> > to go for group consensus, old one.
> >
> >> On Sat, Feb 8, 2014 at 7:14 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> >> On Sat, Feb 8, 2014 at 7:11 AM, Justin Ferguson <jf@ownco.net> wrote:
> >>>> ...
> >>>> You'll have to forgive me. I'm a slow learner at times.
> >>>
> >>> probably because, per you, you dont read webpages due to evil ToS' ..
> >> That's not what I said when you were trolling offline. You could cite
> >> it if you'd like.
> >>
> >> Jeff
> >
> >
> >
> > --
> > --
> >
> > "Am I not destroying my enemies when I make friends of them?"
> > -- Abraham Lincoln
> >
>
Re: Bank of the West security contact?
On Sat, Feb 8, 2014 at 11:32 AM, Daniel Wood <daniel.wood@owasp.org> wrote:
> Keep this list professional guys. I hate seeing it turn into an IRC chat room.
>
> Justin, you should really stop this type of behavior, you're not doing yourself any favors. I let it go when you decided you wanted to repeatedly bash me privately over one of my CVE's posted here, however I can see it's starting to look like a pattern for you.
>
http://www.collegehumor.com/video/5817726/internet-bridge-troll

Jeff

Re: Bank of the West security contact?
Just wanted to post a follow-up to this and provide some context to
make it known:

* Bank of the West was contacted in 2011 to report a security issue

* No response for 2 years

* In late 2013, I receive a breach notification saying my own
sensitive personal information was compromised via the EXACT SAME
ISSUES I REPORTED. I also am led to believe employee information was
compromised, which may include Social Security Number (SSN) details.

Conclusions?

* Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for
outside researchers and NO BUG BOUNTY PROGRAM

* Bank of the West does not seem to take security and privacy
seriously enough, as far as I can tell

You should know this if you are an existing or potential customer /
employee of Bank of the West...

On Fri, Feb 7, 2014 at 9:27 PM, Kristian Erik Hermansen
<kristian.hermansen@gmail.com> wrote:
> Anyone have security contact at Bank of the West?
> --
> Kristian Erik Hermansen
> https://www.linkedin.com/in/kristianhermansen
> https://profiles.google.com/kristian.hermansen



--
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen

Re: Bank of the West security contact?
On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
<kristian.hermansen@gmail.com> wrote:
> Just wanted to post a follow-up to this and provide some context to
> make it known:
>
> * Bank of the West was contacted in 2011 to report a security issue
>
> * No response for 2 years
>
> * In late 2013, I receive a breach notification saying my own
> sensitive personal information was compromised via the EXACT SAME
> ISSUES I REPORTED. I also am led to believe employee information was
> compromised, which may include Social Security Number (SSN) details.
>
> Conclusions?
>
> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for
> outside researchers and NO BUG BOUNTY PROGRAM
>
> * Bank of the West does not seem to take security and privacy
> seriously enough, as far as I can tell
>
> You should know this if you are an existing or potential customer /
> employee of Bank of the West...
The risk equations favor "do nothing". It's cost effective to simply
pursue profits and not spend money on data security.

If (when) they are breached, it only costs them the cost of a
notification. In the US, that's the cost of bulk mail [0]. 46 states,
DC, and Territories have Data Breach laws, and nearly none (none?)
have any useful provisions for damages. [1]

You can't recover for your time lost or services like credit
monitoring. Every class action gets tossed out [2]. I've never seen one
go to court, and I've been watching them for years.

In the US, the risk equations must be unbalanced (or swayed in favor
of the consumer, who is the ultimate victim). That will take a policy
change. However, that likely won't happen as long as corporate america
and special interest purchase and trade politicians like sports
trading cards.

(I've been watching data breaches and responses for years because I
got burned somehow and it cost me over 10K to fix in the 1990s. I
never got a notification. I found out after I got sued for unpaid
bills and the collection agencies contacted me).

Jeff

[0] http://pe.usps.com/businessmail101/rates/welcome.htm
[1] State Security Breach Notification Laws,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[2] Once Again, Clapper Defeats Data Breach Class Action,
http://www.mondaq.com/unitedstates/x/294324/Data+Protection+Privacy/Once+Again+Clapper+Defeats+Data+Breach+Class+Action

Re: Bank of the West security contact?
* Kristian Erik Hermansen:

> Anyone have security contact at Bank of the West?

Is this an issue with their online banking? Then here's a hint:

/**********************************************************
 *                                                        *
 * Copyright ©2005 Corillian Corporation                  *
 *                                                        *
 * All rights reserved.                                   *
 *                                                        *
 * Highly Confidential.                                   *
 *                                                        *
 * No portion of this code may be reproduced,             *
 * transmitted or distributed without the express         *
 * written permission of Corillian Corporation.           *
 *                                                        *
 **********************************************************/

Corillian is now Fiserv, and here's another hint:

<http://investors.fiserv.com/releasedetail.cfm?releaseid=667216>

If you suspect a software vulnerability in their online banking
application, you should contact Fiserv.

Re: Bank of the West security contact?
On Mon, Mar 17, 2014 at 12:37 PM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Mon, Mar 17, 2014 at 12:15 PM, Kristian Erik Hermansen
> <kristian.hermansen@gmail.com> wrote:
>> Just wanted to post a follow-up to this and provide some context to
>> make it known:
>>
>> * Bank of the West was contacted in 2011 to report a security issue
>>
>> * No response for 2 years
>>
>> * In late 2013, I receive a breach notification saying my own
>> sensitive personal information was compromised via the EXACT SAME
>> ISSUES I REPORTED. I also am led to believe employee information was
>> compromised, which may include Social Security Number (SSN) details.
>>
>> Conclusions?
>>
>> * Bank of the West has NO WORKING SECURITY REPORTING MECHANISM for
>> outside researchers and NO BUG BOUNTY PROGRAM
>>
>> * Bank of the West does not seem to take security and privacy
>> seriously enough, as far as I can tell
>>
>> You should know this if you are an existing or potential customer /
>> employee of Bank of the West...
> The risk equations favor "do nothing". It's cost effective to simply
> pursue profits and not spend money on data security.
>
> If (when) they are breached, it only costs them the cost of a
> notification. In the US, that's the cost of bulk mail [0]. 46 states,
> DC, and Territories have Data Breach laws, and nearly none (none?)
> have any useful provisions for damages. [1]
>
> You can't recover for your time lost or services like credit
> monitoring. Every class action gets tossed out [2]. I've never seen one
> go to court, and I've been watching them for years.
I might just stand corrected here (if it withstands appeal):

http://www.slyck.com/story2351_Data_Breach_Settlement_Class_Action_Lawsuit_Wins_Appeal_in_Court:

With so many recent data breaches and lacking security measures in
place, we know that there are likely to be many more lawsuits
forthcoming. However, in what’s believed to be a first win for a class
action lawsuit as a result of a data breach where none of the
plaintiffs suffered identity theft or direct losses, AvMed, a
Florida-based health insurer, lost its case in court to the tune of a
$3 million settlement agreement. On February 21, 2014, a federal judge
in the Southern District of Florida approved an Order granting motion
for final approval of a Class Action Settlement Agreement, and filed a
motion for attorneys' fees and expenses, as well as for incentive
awards.
