More bad news for McAfee, HackerSafe certification

Dan Godin posted a great article that was picked up by The Register a couple days ago about continued challenges for McAfee's newly purchased HackerSafe division.  I find the article interesting as HackerSafe uses a scanning tool that probes for web application security flaws... of course, tools are limited in that they can only check for easy to automate issues like SQL Injection.  Similar to Web Application Firewalls, they provide a measure of security, but are not, by any means, a complete solution.

Godin's article states:

More than three months after security bugs were documented in more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a security researcher has unveiled a fresh batch of vulnerable websites.

Russ McRee, a security consultant for HolisticInfoSec.org, documented cross-site scripting (XSS) errors in five sites that prominently carry a logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites.

All five of the sites subscribe to McAfee's HackerSafe certification service, which audits the security of websites on a daily basis to give visitors confidence they'll be safe when doing business there. Yet McRee was able to find the bugs by using advanced Google searches to pinpoint vulnerable web applications, and in at least one case, the XSS vulnerability has been on the customer's site since January.

"There's a responsibility to the consumer that really seems to be missing in that service," McRee told us. "The average consumer assumes that because I see that label I must be safe."

The five vulnerable sites include Alsto.com, Delaware Express, BlueFly, Improvements Catalog and Delightful Deliveries.

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. "Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," she said. "When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities."

Seriously?  XSS doesn't cause a site to fail the HackerSafe certification?  It damn well should... if it's vulnerable to XSS it is definitely NOT hacker safe.  The article continues:

These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com, documented 62 websites subscribing to the service that were vulnerable to XSS vulnerabilities. A Hacker Safe spokesman told InformationWeek at the time the bugs couldn't be used to hack a server.

Really?  Can't be used to hack a server?  Ok, I'll buy that, but they can one hundred percent be used to compromise a victim's personal information, authorized account, operating system, and possibly even local area network. 

Actually, in fact, cross-site scripting allows a lot more.  When you combine it with my protocol handler abuse research or some of the ActiveX attacks, it may allow compromise of visiting client machines.  Combine it with anti-DNS pinning attacks, it might allow you to attack resources internal to the victim's network. Since cross-site scripting attacks can be persistent in nature (i.e. the attack is stored into a database and can then be used to hit every user who visits that page), they can become viral in nature when combined with the protocol handler/browser compromise exploits.

So what McAfee is officially saying here is that all they care about is the security of the people who are paying for the HackerSafe logo, as they obviously don't care about the security of the users of these sites, or else they'd have a more hard-lined approach to XSS.  Given the prevelance of XSS on the web, I'd suspect this is more the case that they'd have no business at all if they removed the logo due to XSS vulnerabilities, as companies pay them to use that logo, so in the end, all they really care about is the almighty $.

Goodin continues:

The vulnerabilities also raise the question of so-called payment card industry (PCI) requirements for businesses that process credit card payments. Websites that contain XSS vulnerabilities almost certainly don't comply, McRee says, and yet most of the sites continue to accept credit cards. But we'll leave deficiencies in that set of requirements for another day.

McAfee has had three months to fix the deficiencies of this program, but so far we see no evidence it's done so. We're all for services that help websites stay on top of rapidly moving security threats. But there's a term for programs that declare their customers Hacker Safe while failing to catch easily spotted XSS flaws. It's called a rubber stamping, and it's time it stopped.

You're 100% spot on Dan.  Can't wait till people realize that WAF and scanning tools are simply not enough.  Can't wait till people realize they need real security, not a silver bullet that's really snake oil.

-Nate