McAfee SiteAdvisor blocks SANS


Showing you just how much they understand about security, McAfee blocked the SANS website, sans.org, as well as giac.org and sans.edu, with their SiteAdvisor application, listing it as a "bad" site.

Interestingly enough, SANS sites are some of the best places to go for security-related news.  Many people rely on SANS for training on a wide range of security topics, and SANS also hosts one of my favorite websites, the Internet Storm Center Handler's Diary.  This site catalogs the daily events seen by the Incident Handlers and provides insightful commentary on new attacks and how to deal with them.

Of course, I was not surprised when I browsed to their site today and saw that it was flagged by SiteAdvisor... it's not the first time they've shown us just how useful their tools are.

From the Handler's Diary, the comments on being blocked by McAfee:

When we look at the site reports, giac.org and sans.edu are bad simply because they have links to the sans.org web site.  The sans.org web site is now considered bad because of two links in CVA newsletters that point to exploit samples on 3rd party web sites.

We have submitted a comment via the SiteAdvisor web site and are simply waiting to hear back if they change the site status in their database.

[See related stories on McAfee's blunders]

  1. More bad news for McAfee, HackerSafe certification
  2. McAfee’s HackerSafe: When all else fails, rebrand it!
  3. McAfee isn’t “McAfee Secure” or “Hacker Safe”
  4. McAfee’s HackerSafe: “Um… we go in like a super hacker”
  5. McAfee partner isn’t McAfee secure
  6. McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

Just in case you were starting to forget McAfee's blunders, they step up to the plate and remind us why Joseph Pierini, director of enterprise services for the "Hacker Safe" program is the obvious front-runner for the Pwnie Award for lamest vendor response and make us question why they are not also up for the Most Epic FAIL pwnie award, where they'd likely give Lifelock CEO Todd Davis a run for his money. -Nate

Topics: Software Development, Browser, Security


Talkback

28 comments
  • Block us too

    HP Application Security Center tools sites are also blocked for distributing "hacking tools"... R O F L.

    IDIOTS
    Rafal.Los (RX8volution)
  • McAfee 'understands' security ...

    Is SiteAdvisor politically correct or just plain stupid?
    Either way it doesn't reflect well on McAfee.
    infoaccess
    • Agreed (NT)

      -Nate
      nmcfeters
  • RE: McAfee SiteAdvisor blocks SANS

    I have the McAfee SiteAdvisor add-on running in Firefox and as of 31st July 2008 at 13:00 BST all the sites you mentioned are showing as green.

    I'm not a member of the McAfee fan club, but if you make an allegation, please include a screenshot as anecdotal evidence. A picture paints a thousand words after all.

    Otherwise keep up the good work, and oooh this is my first posting :)
    johnsmithbitter
    • If you bothered to read the entire article

      You would've seen that SANS requested that McAfee remove the sites from the bad list, which they must have done. I don't run SiteAdvisor, as I consider it a worthless piece of software, so there's no way for me to personally validate the SANS claim; however, I think we can reasonably believe SANS would have no good reason for lying about this.

      -Nate
      nmcfeters
      • Name that logical fallacy ..

        correlation vs causation - The reported 'fact' that SANS requesting a change, doesn't make it so.

        straw man - the SANS rep could have been mistaken, who said anything about lying.

        argument from authority - you imply expertise, yet have no experience of the product.

        Anyway the SANS rep was probably correct that McAfee screwed up, and you're just sharing the love.

        I also agree that SiteAdvisor (and its ilk) aren't brilliant (and this from actual first-hand experience), but considering it worthless is demonstrably a bit harsh; or perhaps it's another logical fallacy, 'poisoning the well'.

        poisoning the well - if I use a worthless piece of software, then presumably by extension my ideas and opinions are also worthless. Naa ... you didn't mean that. ;)

        Anyway Nate you might not always be right, but you're never dull!

        Cheers mate.;)
        johnsmithbitter
        • I do seek to entertain

          So I'm glad you think I'm never dull, but we'll have to work on
          your thoughts that I might not always be right.

          -Nate
          nmcfeters
  • RE: McAfee SiteAdvisor blocks SANS

    And you work for E&Y? Sorry, but I have to ask: doesn't your organisation provide consulting and other professional services similar to McAfee/Foundstone?

    So explain this to me: if that's the case, why don't you remove your status with E&Y from your introduction and play on a level field?

    My thought is that this is just a very very cheap marketing ploy based on an end-user product to try and gain E&Y traction.

    Love to see you respond to this!

    P.S E&Y never make any mistakes do they?
    daniel.thomas
    • Level Field?

      I disclose the fact that I work for EY so we ARE playing on a level field. Do we compete with McAfee/Foundstone for professional services work, sure. Have I ever commented bad about McAfee/Foundstone's professional services? No.

      If I were to remove my "status with E&Y", I'm assuming that you mean remove that from my signature on the stories. What point would that serve? I'm proud of the fact that I work for E&Y and I won't hide it, and if that shades your opinion of one of my stories, so be it. At least I'm not hiding the fact I work for E&Y from you.

      With regards to your comment about "a very very cheap marketing ploy"... I'm not a salesman, I'm simply a consultant. I do the work that's given to me, which is entirely attack & penetration work. I have no interest in marketing.

      Glad that you will love to see me respond to this. Enjoy.

      When E&Y makes a mistake that is in the security realm, that I feel is worth talking about, I will comment on the story. My job here at ZDNet is independent of my job at EY.

      -Nate
      nmcfeters
  • RE: McAfee SiteAdvisor blocks SANS

    Seems to me that the advisor site is working. When SANS hosted links to sploitz on their web site, site advisor should have and did detect it...
    "The sans.org web site is now considered bad because of two links in CVA newsletters that point to exploit samples on 3rd party web sites."
    And we all know SANS has placed more than two links to malicious code on their site in the past. Placement of malicious links on the diary was a bit of a debate for the handlers for a while. Some did, some didn't place them. Some added dashes or somewhat obfuscated the links.

    Nate, don't you think that you're blowing this complaint up out of proportion here? The guys at McAfee are quality talent, and this criticism "Showing you just how much they understand about security" is a bit unfounded. It's not like they have blacklisted your blog. Yet. :)

    If a McAfee SiteAdvisor customer visits the SANS site and clicks on exploit links hosted there and gets 0wned, which have been hosted on the diary, my guess is that you would criticize their oh-so blatant security ignorance in that case as well.
    Come on, come clean, what's your beef with McAfee? An earlier post criticizing your status as an Ernst and Young employee probably needs to be responded to, and what portion of the contractual web site work you guys (pen-testing, etc) do should be transparently discussed.
    One arguably correct link rating in the SiteAdvisor haystack doesn't amount to much here.
    TF_kj
    • My response back

      You said:
      "Seems to me that the advisor site is working. When SANS hosted links to sploitz on their web site, site advisor should have and did detect it..."

      I challenge that if you block a site simply because it hosts a link to exploit code, that's ridiculous. Just because they host a link to exploit code doesn't mean the site is malicious. If we are working off that basis, why don't they block SecurityFocus?

      You said:
      "Nate, don't you think that you're blowing this complaint up out of proportion here? The guys at McAfee are quality talent, and this criticism "Showing you just how much they understand about security" is a bit unfounded. It's not like they have blacklisted your blog. Yet."

      Nope, I don't think I'm blowing it out of proportion at all. I think McAfee is involved in far too many products that are NOT providing customers with security (see HackerSafe). I can agree with you that McAfee does have some quality people in the security space. I think they do have teams with exceptional talent, see the Foundstone guys. I stand by my criticism. There are clearly teams at McAfee with less talent and with far less understanding of security concerns, see the pwnie awards this year for lamest vendor response.

      You said:
      "If a McAfee SiteAdvisor customer visits the SANS site and clicks on exploit links hosted there and gets 0wned, which have been hosted on the diary, my guess is that you would criticize their oh-so blatant security ignorance in that case as well."

      What regular person is going to go to the SANS diary and click on an exploit link? If you are into security and interested in these types of things, you might go to the SANS site, but you should know enough to be cautious about clicking exploit code links. You should at least understand the exploit and know if it is a browser-based attack, or if it is simply a link to source code which isn't going to hurt you at all. How many hits do you think SANS gets a day from people who wouldn't understand this? Also, I'm not sure I've ever seen SANS link to code that would CAUSE the exploit. They might link to source code or binaries, but this isn't going to hurt you unless you run it against yourself.

      You said:
      "Come on, come clean, what's your beef with McAfee? An earlier post criticizing your status as an Ernst and Young employee probably needs to be responded to, and what portion of the contractual web site work you guys (pen-testing, etc) do should be transparently discussed."

      My 'beef' with McAfee stems primarily from them selling the snake oil product HackerSafe and other products which I believe provide no security to customers. Anyone who wishes can criticize my status as an Ernst & Young employee, but the fact of the matter is, we don't sell HackerSafe or SiteAdvisor, so there's no competition there. We may compete in some cases with Foundstone, but I have a huge amount of respect for their team, and you will see I have never commented poorly on McAfee's professional services offerings, which is the only place where we compete with them.

      My group does all of the Attack & Penetration type work for Ernst & Young, that is the extent of the work I do. Primarily I'm doing deep source code reviews of web applications, or black box reviews of web applications, we also do other services like wireless and infrastructure assessments, social engineering, etc.

      My position with E&Y does not impact any of the statements I make on this blog. In fact, I've had to make comments about our clients before. I treat this site as completely independent of my work with Ernst & Young.

      Challenge it all you like, you'll find no leg to stand on.

      -Nate
      nmcfeters
      • Re: My Response Back

        Hey Nate-

        Thanks for your thoughtful response.

        You wrote:
        "I challenge that if you block a site simply because it hosts a link to exploit code, that's ridiculous. Just because they host a link to exploit code doesn't mean the site is malicious. If we are working off that basis, why don't they block SecurityFocus?"

        Sure. But take a couple minutes and google up previously posted malicious links on the SANS site. They used to post them more often (not just to exploit source or 'educational/dev' pages):
        http://isc.sans.org/diary.html?date=2005-03-11
        and here:
        http://isc.sans.org/diary.html?storyid=496
        Don't have the time to chase them all down, but the site has maintained malicious links (not just development links that you are writing about).
        And I agree with you, a link to mw0rm isn't going to hurt a user and shouldn't be tagged as malicious.

        Nate wrote:
        "What regular person is going to go to the SANS diary and click on an exploit link? If you are into security and interested in these types of things, you might go to the SANS site, but you should know enough to be cautious about clicking exploit code links. You should at least understand the exploit and know if it is a browser-based attack, or if it is simply a link to source code which isn't going to hurt you at all. How many hits do you think SANS gets a day from people who wouldn't understand this? Also, I'm not sure I've ever seen SANS link to code that would CAUSE the exploit. They might link to source code or binaries, but this isn't going to hurt you unless you run it against yourself."

        Diary handler John Bambanek's post from today has a headline in it:
        "Users will click anything".
        http://isc.sans.org/diary.html?storyid=4808
        You can explain away the fact that users click on anything even though they "should" not, but the fact remains that they do. Your response contains way too many "shoulds" about users' behavior on any site, including the SANS site.
        I've seen sales people click on malicious stuff because they "just wanted to see what it would do". We can tell them what they "should" do, but it doesn't really help security concerns in all cases.


        Nate wrote:
        ""My 'beef' with McAfee stems primarily from them selling the snake oil product HackerSafe and other products which I believe provide no security to customers. "

        Sounds like a reasonable opinion to me.
        To me, that opinion just isn't strongly supported by one arguably correct link in the SiteAdvisor haystack.

        Thanks for keeping the EY status transparent. I'm sure you guys are doing some great work. Heh, and I haven't seen you slam the PWC guys anywhere.

        Along that line, how doesn't this piece compete with the cheaper approach of "HackSafe"?:
        "Primarily I'm doing deep source code reviews of web applications, or black box reviews of web applications"

        Anyways, your blog is great. And thanks again for your thoughts.
        TF_kj
        • No problem, more thoughts

          Thanks for your response to my response. It's good to clear the air on the subjects.

          You wrote:
          "Sure. But take a couple minutes and google up previously posted malicious links on the SANS site. They used to post them more often (not just to exploit source or 'educational/dev' pages):
          http://isc.sans.org/diary.html?date=2005-03-11
          and here:
          http://isc.sans.org/diary.html?storyid=496
          Don't have the time to chase them all down, but the site has maintained malicious links (not just development links that you are writing about).
          And I agree with you, a link to mw0rm isn't going to hurt a user and shouldn't be tagged as malicious."

          Sure, those are browser-based attacks, and that MIGHT make sense, except for the fact that the SANS diary is for incident handlers; these are completely legitimate things for an incident handler to be looking into. I don't think that it is necessary for McAfee to block a SANS site for this, as I don't think my Mom and Dad will go view it.

          You said:
          "Diary handler John Bambanek's post from today has a headline in it:
          "Users will click anything".
          http://isc.sans.org/diary.html?storyid=4808
          You can explain away the facts that user's click on anything even though they "should" not, but the fact remains that they do. Your response contains way too many "should's" about user's behavior on any site, including the SANS site."

          Yep, but that makes my point for me. Regular Internet users are NOT going to view the SANS Diary. People who NEED to see this level of information are. That's why I say it is completely reasonable for SANS to have those links. If a security person clicks on one of them without thinking, then I definitely say they should've known better.

          You wrote that my response to my 'beef' with McAfee:
          "Sounds like a reasonable opinion to me.
          To me, that opinion just isn't strongly supported by one arguably correct link in the SiteAdvisor haystack."

          You're correct. This one link doesn't amount to much in the grand scheme. It's just another example, and you can see from the links I added in pointing to previous works I've written on McAfee, it is not this singular point alone.

          You wrote:
          "Thanks for keeping the EY status transparent. I'm sure you guys are doing some great work. Heh, and I haven't seen you slam the PWC guys anywhere.

          Along that line, how doesn't this piece compete with the cheaper approach of "HackSafe"?:
          "Primarily I'm doing deep source code reviews of web applications, or black box reviews of web applications""

          To be fair, if I had something positive or negative to blog about with PWC, I wouldn't hesitate. You ask how the source code reviews or black box reviews of web applications that I perform stack up to HackerSafe, and they don't. It is a hamburger to Kobe Steak comparison. They're both from the same animal, but one is just far higher quality. I don't believe that HackerSafe provides the client with any reasonable level of security.

          Thanks for reading the blog and for getting involved in a good discussion.

          -Nate
          nmcfeters
          • Motivation & Context

            [i]Sure, those are browser based attacks, and that MIGHT make sense, except for the fact that the SANS diary is for incident handlers, these are completely legitimate things for an incident handler to be looking into.[/i]

            That brings up a good point. According to siteadvisor.com, the software contains [i]"a system of automated testers which continually patrol the Web"[/i] (although it looks like there is also some human review involved). This type of solution may well be capable of finding content that it would term malicious but to have any real value, it would also have to determine the context the content has been found in.

            What's the best way to handle this? A 'trusted sites' style solution? Human review? What might work here is something based on a PageRank-like technology where the site containing malicious content is "PageRanked" based on what trusted sites (again, based on PageRanking) link to it. i.e., if CERT and ISC link to the tested site it may be flagged as "containing exploit code" rather than a straight "malicious site".

            Can't say I know of anything that works this way offhand tho.
            AndyMcK
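To make the difference between the two rating policies discussed in this thread concrete, here is an added example (written for this page, not McAfee's or SiteAdvisor's code, and not AndyMcK's). It builds a small constructed link graph modelled on the situation in the post (sans.org links to exploit samples on a third-party host; giac.org and sans.edu merely link to sans.org), then rates every host two ways: the naive transitive rule the Handler's Diary describes ("bad if you link to something bad"), and a context-aware rule in the spirit of the PageRank suggestion above, where trust flows from a seed set of trusted referrers and "links to exploit code" is kept distinct from "malicious". Every hostname ending in `.example`, the seed set, the damping factor and the trust threshold are assumptions chosen for the demonstration.

```python
"""Naive vs. context-aware site rating over a constructed link graph.

Hostnames ending in .example, the content labels, the seed set and the
thresholds are all constructed for this example, not observed data.
"""
from collections import defaultdict

# Constructed link graph: host -> hosts it links to.
LINKS = {
    "sans.org": ["exploit-samples.example", "isc.sans.org"],
    "isc.sans.org": ["sans.org"],
    "giac.org": ["sans.org"],
    "sans.edu": ["sans.org"],
    "pocarchive.example": ["exploit-samples.example"],  # nobody trusted links here
    "cert.example": ["isc.sans.org", "sans.org"],        # assumed trusted seed
    "exploit-samples.example": [],
    "driveby.example": [],
}

# Constructed crawler verdicts on what each host itself serves.
CONTENT = {
    "exploit-samples.example": "exploit-source",  # proof-of-concept source files
    "driveby.example": "browser-attack",          # page that attacks the visitor's browser
}


def naive_rating(links, content):
    """Rule implied by the post: a host is 'bad' if it serves exploit material
    or links, transitively, to a 'bad' host. Computed as a fixpoint."""
    bad = {h for h, c in content.items() if c in ("exploit-source", "browser-attack")}
    changed = True
    while changed:
        changed = False
        for host, targets in links.items():
            if host not in bad and any(t in bad for t in targets):
                bad.add(host)
                changed = True
    return {h: ("bad" if h in bad else "ok") for h in links}


def trust_scores(links, seeds, damping=0.85, iterations=50):
    """PageRank-style trust propagation from a seed set: each host passes a
    damped share of its trust to every host it links to, split evenly."""
    score = {h: (1.0 if h in seeds else 0.0) for h in links}
    for _ in range(iterations):
        incoming = defaultdict(float)
        for src, targets in links.items():
            if targets:
                share = score[src] / len(targets)
                for t in targets:
                    incoming[t] += share
        score = {h: (1.0 if h in seeds else 0.0) + damping * incoming[h] for h in links}
    return score


def context_rating(links, content, seeds, trust_threshold=0.3):
    """Rate by what a host serves and by who vouches for it; a link to a rated
    host is not by itself a finding, so giac.org and sans.edu stay 'ok'."""
    trust = trust_scores(links, seeds)
    rating = {}
    for host, targets in links.items():
        own = content.get(host)
        links_to_exploit = any(content.get(t) in ("exploit-source", "browser-attack")
                               for t in targets)
        if own == "browser-attack":
            rating[host] = "malicious"
        elif own == "exploit-source":
            rating[host] = "hosts exploit code"
        elif links_to_exploit:
            # A host that trusted referrers vouch for gets the informational
            # label; one nobody vouches for is flagged for human review.
            rating[host] = ("links to exploit code" if trust[host] >= trust_threshold
                            else "suspicious")
        else:
            rating[host] = "ok"
    return rating


if __name__ == "__main__":
    print("naive:  ", naive_rating(LINKS, CONTENT))
    print("context:", context_rating(LINKS, CONTENT, seeds={"cert.example"}))
```

Under the naive rule every host in the graph ends up "bad", including the trusted seed, because the badness leaks back through each link. Under the context-aware rule only `driveby.example` is "malicious", sans.org is labelled "links to exploit code" because a trusted referrer vouches for it, and giac.org and sans.edu are left alone. The trust threshold is the knob that decides how much vouching is needed before a link to exploit material is treated as informational rather than suspicious.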
          • How about...

            don't buy this software??

            Just a thought. I don't feel like you need it.

            -Nate
            nmcfeters
          • Not for me

            I'm doing alright on my own, I wouldn't be buying it :)

            My point being, if people are going to shell out for this type of software then place their trust in it then it can/should be improved to the point where that trust is justified. Telling your users that a site is malicious, when it isn't, really doesn't cut it.

            Hate it or love it, I can't see this type of solution disappearing any time soon.
            AndyMcK
  • Also

    See the above thread from Rafal Los, where SiteAdvisor blocks his company's sites because they sell a web application assessment tool, which McAfee has classified as a "hacking tool".

    Blocking things like this is ridiculous, and shows little understanding of security. What risk does Rafal's application assessment tool pose to me as a user? NONE.

    Perhaps McAfee should be the one you are calling out about marketing. Maybe they seek to block Rafal's site in anticipation of putting out their own web application assessment tools.

    -Nate
    nmcfeters
  • RE: McAfee SiteAdvisor blocks SANS

    Organizations need to do more than take steps to show their websites are secure; the real challenge is taking steps to actually be secure.

    Automated Web application security scans (http://www.boonbox.net/devfense.htm?Znet) are one way to go, but they have to be followed up with expertise to actually plug the vulnerability holes. Both steps must be followed.

    Otherwise, you've just got a big fat report on your desk when the auditor comes around proving that you knew about the problem... and didn't do anything about it.
    jnarvey
  • RE: McAfee SiteAdvisor blocks SANS

    SiteAdvisor is an automated process using a number of rules that determines, in its own eyes, if a site poses a risk to the average user. The folks who manage SiteAdvisor at McAfee cannot possibly be expected to analyze every single supposedly "bad" site by hand to determine the validity of their rating, much as any antivirus vendor cannot be expected to get a 100% accurate detection rate considering the millions of possibilities and combinations and permutations of malware in the wild.

    Given the above, while it is unfortunate and ironic, and perhaps mildly amusing, that SiteAdvisor labeled SANS' site as it did, to blanket the entire McAfee organization with incompetency in the field of security is a bit harsh to say the least.

    Also, unless you're talking about the "pro" version of SiteAdvisor, it does not "block" anything. Your headline is misleading in this regard.
    watgm7d02
    • Details

      You obviously read the article really really well. I did not blast ALL of McAfee for not understanding security. I've been generous in my praise of some of their teams like the Foundstone guys. Further, it is NOT this one isolated instance of incompetence.

      Finally, the original SANS article said that their site was blocked.

      -Nate
      nmcfeters