McAfee's HackerSafe: When all else fails, rebrand it!

McAfee's HackerSafe: When all else fails, rebrand it!

Summary: Not to beat a dead horse, that's already been beaten to death time and time again, but...Update 05/12/08: Russ McRee has actually just posted a story about "Why PCI DSS is Doomed".

SHARE:
TOPICS: Servers
13

Scanless PCINot to beat a dead horse, that's already been beaten to death time and time again, but...

Update 05/12/08: Russ McRee has actually just posted a story about "Why PCI DSS is Doomed".

Came across this page on McAfee's site about their "McAfee Secure", "McAfee Secure Search", and "McAfee PCI Compliance Service".  My favorite quote from this promotional page is the following:

"With the integration of Hacker Safe and other ScanAlert products and the partnership with Yahoo!, McAfee positions itself as a leader in the Secure Internet arena."

Which seems to really contradict what we've actually seen, which is tons of sites left open to Cross-Site Scripting, etc. and proudly displaying the Hacker Safe logo, as covered here.

I also find it interesting that they term the tools "McAfee Secure"... I mean, even after you rebrand it, it still stinks of a tool that knows only how to look for SQL Injection and XSS, oh and by the way, it doesn't even strip certification from someone vulnerable to cross-site scripting.

Going back to my previous article, which covered a great article by Dan Goodin, there was a really interesting section where I gave my thoughts on some of the irresponsible comments made by McAfee spokespeople:

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. “Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification,” she said. “When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”

Seriously?  XSS doesn’t cause a site to fail the HackerSafe certification?  It damn well should… if it’s vulnerable to XSS it is definitely NOT hacker safe.  The article continues:

These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com, documented 62 websites subscribing to the service that were vulnerable to XSS vulnerabilities. A Hacker Safe spokesman told InformationWeek at the time the bugs couldn’t be used to hack a server.

Really?  Can’t be used to hack a server?  Ok, I’ll buy that, but they can one hundred percent be used to compromise a victim’s personal information, authorized account, operating system, and possibly even local area network. So, to date, I've seen nothing change in McAfee's stance on XSS as a serious issue.  Also, what's probably even scarier, is that these tools are very much like the other web application scanning tools and web application firewalls in that the are only capable of preventing certain issues.  I covered this in my comments on the PCI standard and how openly flawed it is on what it forces companies to protect both here and here.

I thought you all might like to see a few more examples of these problems though. I've been in touch with two sharp characters, Russ McRee (of holisticinfosec.blogspot.com) and Rafal Los (of preachsecurity.blogspot.com), who have covered the blunders of PCI and Certification companies even more extensively than I have. The following host of blog postings are absolutely excellent, and you should bookmark these guys sites:

From Russ: http://holisticinfosec.blogspot.com/2008/04/still-not-hacker-safe-roll-video.html http://holisticinfosec.blogspot.com/2008/01/open-letter-to-ken-leonard-ceo.html http://holisticinfosec.blogspot.com/2008/01/xss-and-pci-not-compliant-or-hacker.html http://holisticinfosec.blogspot.com/2008/01/hacker-safe-not-so-much.html

From Rafal: [HackerProof saga]

http://preachsecurity.blogspot.com/2008/05/mcafee-security-web.html http://preachsecurity.blogspot.com/2008/03/this-time-its-hackerproof-oh-boy.html http://preachsecurity.blogspot.com/2008/03/hacker-proof-update-1.html http://preachsecurity.blogspot.com/2008/03/hacker-proof-update-2.html

[HackerSafe] http://preachsecurity.blogspot.com/2008/01/ive-had-many-conversations-with-some.html

XSSed.com has hit this pretty hard too: http://xssed.com/news/67/Hacker_Safe_or_not_Read_on_watch_the_video_and_vote_now/ http://xssed.com/news/59/Open_letter_to_ScanAlerts_CEO_about_Hacker_Safe_label/ http://xssed.com/news/55/ScanAlerts_Hacker_Safe_badge_not_so_safe_and_PCI_compliant/

Don't buy the hype, a rebrand is just a rebrand.  The only Shakespere line I remember from high school says, "What's in a name?  That which we call a rose by any other name would smell as sweet."  Of course, in this case, it isn't a rose and it doesn't smell very good at all.

Wouldn't it be hilarious if tomorrow they decided to call PCI something like SSC (Super Secure Certification), or Web Application Firewalls (WAFs) something like SMBPTSAYP (Super Magic Blue Pill That Solves All Your Problems)?

-Nate

Topic: Servers

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • It doesn't surprise me.

    McAfee and all the security companies are failing miserably at times to keep up with the cracker community.

    Simply put, they don't have 1 thousandth the required resources to mitigate the cracker community, and that is assuming they actually know all the threat vectors. On the desktop, which no single suite protects better than 88% (many many reviews), leading to recommendations of at least 2 to get the overlap and hope for the best, on the server, where it is not just a client, but both sides of the transaction, I would be amazed if they didn't do more harm than good giving a false sense of security.

    I am not picking on McAfee, I have seen many instances where an up to date Norton has allowed malware and viruses that were only detected after installing AVG. What's the solution, root jails, apparmor or equivalent, isolated VMs and rock solid, truly knowledgeable IT. Until that happens, we really won't see a more secure internet anywhwere.

    TripleII
    TripleII-21189418044173169409978279405827
  • RE: McAfee's HackerSafe: When all else fails, rebrand it!

    Thanks for the links Nate - but I have to say... as a consumer I'm offended. I'm absolutely outraged. (Flashback to OJ trial!)... As consumers we should all band together to fight this sort of stupidity for the greater good of online shoppers. It's an absolute mockers of our profession.

    ./Rafal (http://preachsecurity.blogspot.com)
    Rafal.Los (RX8volution)
    • I agree

      PCI, WAFs, and these kinds of certification scans are never going to kill the problem of web application security. The only thing that can do that is a good assessment process with consultants who know what they are doing, continuing education for developers, and a strong secure SDLC.

      I can't understand why everyone falls into the trap of believing in the silver bullet, it doesn't exist.

      -Nate
      nmcfeters
  • RE: McAfee's HackerSafe: When all else fails, rebrand it!

    Appreciated, Nate...thanks for drawing further attention to a practice that I contend borders on fraudulent. I'd like to see some serious scrutiny of these offerings by entities that could demand change and improvement on behalf of consumers left at risk and overconfident thanks to a worthless logo. Cheers!
    rmcree
    • I'd like to see...

      an XSS or SQL Injection on their site. That would clinch it. Of course, they've put the nail in the coffin for themselves by claiming XSS is not an issue... that's just moronic. It's like claiming global warming or cancer isn't an issue.

      -Nate
      nmcfeters
  • Shakespere

    How about this: "To be secure, or not to be secure? That is the question?"

    Or this: "But soft! What hacker through yonder firewall breaks?"

    Or even this: "Is this a router I see before me?"

    I'm sure there are other good, relevant quotes from The Bard, but I can't think of any off the top of my head. Anybody?
    doodlius
    • Hahaha

      nice!
      nmcfeters
    • How About...?

      "Out, out damned malware!"
      MichP
  • RE: McAfee's HackerSafe: When all else fails, rebrand it!

    But it they fixed the problem, would they not be cutting off future sales of their products, which are made to combat these vunerabilities?
    As in any other business ecosystem, this is the way it works if you want to profit.
    spywarebiz@...
  • McAfee's "Hacker Safe"...

    Seeing [b]McAfee and Secure[/b] as used in that article. My reaction:

    [b]ROFLMAO[/b]

    [b]PIMP[/b] (for those who are not aware = P--ing In My Pants)

    [b]WTF[/b]

    [b]Ya Gotta Be F---ing Kidding[/b]

    Those are two words that should [b]never[/b] appear in the same sentence; and even more so in the same context (McAfee = Secure) [b]NOT!!!![/b]
    fatman65535
  • Re: McAfee's HackerSafe: When all else fails, rebrand it!

    Nate,

    As I proposed in your previous article on the subject (re: HackerSafe), I suggest that each time any of us who comes across a HackerSafe, and now the new PCI logo on a site, we direct the owners of the site to these blogs and articles and let them decide if they still want McAffee protection or not. Simply cut and paste the URL of the article into the email. It's up to them to take action after that.

    As you can see in the previous article's discussions, I notified two site with that logo. Both sent me an automatic response and that's that. Any action they take or don't take is their affair, as it is their business they are protecting (or not, as the case may be). Both my emails were polite and factual.

    If I should come across a new site with either of the logos, I will even make a copy of the warning email, and post it here, minus the company particulars to "protect the innocent".

    And, BTW, thanks for telling us about this strategy of McAffee's. Methinks maybe my emails may have had some small effect.

    bart
    bart001fr
    • Well done

      Yes, certainly customers should be aware they are buying snake oil.

      -Nate
      nmcfeters
  • RE: McAfee's HackerSafe: When all else fails, rebrand it!

    That what marketing and C-level people when they have nothing new but need to "produce" new sales.
    Feces is still feces if you call it brown organic material, shit, schit, excrement, manure, cocka, dookie and insert your languages word for this type a material but is still the same material.
    It is a pity that these companies don't really develop new products or update their products so address these issues, however, it cost too much and re-marketing is much cheaper.
    phatkat