McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

Summary: Stay with me here readers, I'm stringing two stories about McAfee together here, a little out of the ordinary, so I hope it makes sense.  If you aren't interested in the tech details (of which there are very few), please do read for a good laugh.

Network World reported that McAfee conducted an experiment into what would happen if computer users really did respond to all those spam emails and click all those free virus scan popups.  The experiment, called S.P.A.M. (Spam Persistently All Month), took 50 volunteers, both male and female, from numerous countries and tried to determine what would really happen.  Of course, the end result will be exactly what you'd expect, but hey, I'm game for an experiment, and the volunteers get free computers, so let's read on!

The article states:

By the time it was all over, after every bank-account phishing scam, Nigerian bank scheme, and offer for medication, adult content and just plain free stuff had been pursued. "I was horrified," says Mooney, a realtor by profession. "It's all snake oil. I'm amazed at what true junk is out there when you're clicking through on e-mail."

Holy crap... so, what this article is telling me is that McAfee is actually pointing out snake oil to end users?  Whoa, this goes against all their marketing campaigns for HackerSafe certifications and their PCI solutions, but hey, that's cool I guess.  Oh wait, sorry, they're not pointing out their OWN snake oil.

[Author's Note: Sorry guys and gals, this was like a slow-pitch Softball... I couldn't help myself]

The article goes on:

McAfee is releasing the results Tuesday of its free-wheeling month-long S.P.A.M. experiment, done largely to illustrate — if you didn't know already — how spam is connected to malware and criminal activity, not to mention some of the slimiest marketing ever devised.

Holy haberdashery, Batman!  Can you believe it?  Spam, popups, phishing, etc. actually lead to malware and criminal activity?  Not to mention some of the slimiest marketing ever devised?

Yeah, so about that slimy marketing... HackerSafe is popping up on my news radar again, as once again fearless friends of the people Russ McRee and Rafal Los have posted some very interesting comments on HackerSafe issues.  From McRee's newest blog entry, entitled "XSS Comedy at McAfee Secure's Expense":

In celebration of the deadline for PCI Requirement 6.6 compliance as of June 30, 2008, I thought I'd share a little web app sec comedy at McAfee Secure's expense.  As well you should know by now, the existence of XSS vulnerabilities in a site that is required to meet PCI DSS standards means that the site IS NOT PCI COMPLIANT. Very simple, right?

Let's consider the McAfee Secure/Hacker Safe-branded site for Organize-It. A seemingly handy site, perfect for your HGTV types, likely with healthy credit card limits. Uh-oh, here it comes. Oh yes, Organize-It handles credit cards and is thus beholden to PCI DSS. Organize-It is also proudly displaying a current McAfee Secure badge, indicating that it's tested daily. Given the focus of many a recent discussion it shouldn't shock you that Organize-It is vulnerable to XSS.

By the way, Russ as always has included video evidence, but yeah, it would seem that the McAfee Secure badge has failed us again.  It sort of reminds me of when children play peek-a-boo and hide behind their hands and actually believe that you can't see them... except that, yeah, they're children, so you can't blame them.  Oh and about that slimy marketing that they do?  Yeah, just check out that blog posting by Russ.

I will continue to say, you're better off with the cheaper "Nate McFeters Secure" certification, and I mean, come on, who doesn't want this picture proudly displayed on their site:

Nate McFeters Certified

-Nate

Topics: Storage, Hardware, Security

Talkback

11 comments
  • I get slammed for pronouncing the name wrong, but McAfee is the best

    McAfee is the only true voice on security. I have never once seen a computer with their AV software installed that has been overrun with viruses. If this is true it is natural to believe that any website with their certification is just as safe. It makes the website much like Superman. If people are finding all these XSS vulnerabilities they must be mistaken.

    In truth I believe that your logo would be better. The site might not be safe but at least some people might find their way to your blog, which I usually find funny and many times very disturbing. Keep up the good work.
    Gardul
    • Yea but they still suck

      Not only are their AV/Internet "security" products resource hogs and in-your-face annoying...their AV sucks (just like Norton). I have had my computer infected (many MANY years ago I'll admit); ever since I stepped up to AVG Free (pure AV only) I haven't had a problem. So I'll save my $40-80 per year and continue down this path as I suspect many others will do the same.

      This is bad that the company is basically sanctioning XSS vulnerabilities...therefore making their expensive seal worthless. When will the customers ACTUALLY understand this and dump them? Hm, maybe McAfee feels that their "brand" is powerful enough so they can do what they want?
      JT82
      • If the shoe fits

        So far their brand has been powerful enough to let them do what they want. The average computer user doesn't understand that AV gives you crap for protection. Certainly the average company has not realized the same about HackerSafe.

        -Nate
        nmcfeters
    • Thanks

      Thanks for the kind words Gardul, but I do not agree that McAfee is the "one true voice" in security. There are so many voices in security with a much better message than McAfee. You should check out some other blogs too... for example, Matasano's, Billy Rios's, John Heasman's, Rob Carter's, the Liquid Matrix guys, etc. These are the true voices in security.

      McAfee is a company, and they have a great marketing department, that makes great pitches.

      By the way, there will always be viruses that slip past any AV. See the DEFCON competition this year, I'm sure it will result in some. The problem with AV is it's reactive, not proactive, so there's no way they can keep up with the hackers.

      Oh, and by the way, we've shown a ton of proof on this site about how their certification is doing next to nothing to protect your site. It ignores XSS, and I somewhat doubt it's even good at catching all of the SQL Injection, which are really the main two things an automated tool is looking for.

      -Nate
      nmcfeters
  • I agree

    I keep forgetting that dry sarcasm does not translate into words very well. I have been tracking all the information you have been posting on this. I typically have avoided comments since by the time I see the blog its comments have moved to pointless arguments about Microsoft, Apple, and Linux.

    I personally think McAfee has to be opening themselves to lawsuits from either clients or a class action suit from people who actually trust that the seal means the site is protected from hackers.
    Gardul
    • Possibly

      I'd assume they have a legal cannon to handle that kind of thing... I'd never want to provide that service myself... but of course, I wouldn't want to provide PCI either... unlimited liability? No thanks.

      -Nate
      nmcfeters
  • RE: McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

    Nate - speaking of hiding behind your hands. I saw an awesome Robot Chicken episode where the kid was under a blanket and one monster says to the other "I guess we can't get him, he's hiding under his blankie"... then the other one whips out a bat and they both beat the snot out of the kid, still under the blanket.

    There is a lesson there... people are hiding under the blanket (McAfee, other crap) and saying to themselves "Hackers can't get me, I've got a HackerSafe seal!"... when in reality hackers are coming by and beating the snot out of 'em all day long and they're just too stupid to notice.

    Cheers.
    --Rafal
    http://preachsecurity.blogspot.com
    Rafal.Los (RX8volution)
    • Haha

      Hey Rafal, funny you mention it, I thought of the same episode when I posted this.

      -Nate
      nmcfeters
  • RE: McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

    Maybe YOU found it silly and obvious results, but ... the targets of a lot of that slime are not people like you ... the targets are newbies. And newbies need to be educated. It's newbies, and there are more every day added to the lists, that really NEED this kind of information.
    Instead of complaining and ridiculing, you should be out finding ways to get that information to the inexperienced and the people that need it.
    Education is the cornerstone of fighting off the spammers; try spreading the word, cloak it as beneath you or whatever you want to do, but do not push it away. I plan to put the article on my web site; education for newbies. But look at the number of people you could cause to be reached. IF you were so inclined.

    Twayne
    twaynesdomain-22354355019875063839220739305988
    • Nope. I disagree.

      First off, I'm all for education of users. BUT this report does NOTHING to educate those users. What does it say that is new information? Even my dad knows that clicking spyware, spam, adware, crimeware, malware, name-your-ware is dangerous.

      The problem is: HE DOESN'T KNOW THE DIFFERENCE

      Users' problems don't have to do with them not realizing they could be attacked; they've heard of phishing, they've heard of spam. They don't know how to prevent themselves from being attacked, and they can't legitimize the difference between bad site vs. good site.

      No my friend, the responsibility is on Information Security professionals and companies to come up with a better solution for these people. We don't have the right to expect people to protect themselves.

      -Nate
      nmcfeters
  • RE: McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

    Their experiment is on par with their product.
    Tmanisback