More bad news for McAfee, HackerSafe certification


TOPICS: Security

Dan Goodin posted a great article that was picked up by The Register a couple of days ago about continued challenges for McAfee's newly purchased HackerSafe division.  I find the article interesting because HackerSafe relies on a scanning tool that probes for web application security flaws... and of course, such tools are limited in that they can only check for easy-to-automate issues like SQL injection.  Like Web Application Firewalls, they provide a measure of security, but they are not, by any means, a complete solution.

Goodin's article states:

More than three months after security bugs were documented in more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a security researcher has unveiled a fresh batch of vulnerable websites.

Russ McRee, a security consultant for HolisticInfoSec.org, documented cross-site scripting (XSS) errors in five sites that prominently carry a logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites.

All five of the sites subscribe to McAfee's HackerSafe certification service, which audits the security of websites on a daily basis to give visitors confidence they'll be safe when doing business there. Yet McRee was able to find the bugs by using advanced Google searches to pinpoint vulnerable web applications, and in at least one case, the XSS vulnerability has been on the customer's site since January.

"There's a responsibility to the consumer that really seems to be missing in that service," McRee told us. "The average consumer assumes that because I see that label I must be safe."

The five vulnerable sites include Alsto.com, Delaware Express, BlueFly, Improvements Catalog and Delightful Deliveries.

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. "Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," she said. "When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities."

Seriously?  XSS doesn't cause a site to fail the HackerSafe certification?  It damn well should... if it's vulnerable to XSS it is definitely NOT hacker safe.  The article continues:

These are only the latest Hacker Safe sites to be outed. In January, researchers from XSSed.com documented 62 websites subscribing to the service that were vulnerable to XSS. A Hacker Safe spokesman told InformationWeek at the time the bugs couldn't be used to hack a server.

Really?  Can't be used to hack a server?  Ok, I'll buy that, but they can one hundred percent be used to compromise a victim's personal information, authorized account, operating system, and possibly even the victim's local area network.

In fact, cross-site scripting allows a lot more.  Combined with my protocol handler abuse research or some of the ActiveX attacks, it may allow compromise of visiting client machines.  Combined with anti-DNS pinning attacks, it may allow attacks on resources internal to the victim's network.  Since cross-site scripting can be persistent (i.e. the attack is stored in a database and is then served to every user who visits that page), it can become viral in nature when combined with the protocol handler/browser compromise exploits.
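To make the persistence point concrete, here is an added example (my own illustration, not code from the post, from McAfee or from any of the sites named): a minimal guestbook in which a comment is stored once and then rendered for every later visitor. The vulnerable renderer concatenates stored text straight into HTML, so markup in one stored comment reaches everyone; the hardened renderer HTML-encodes at output time, so the same stored text is displayed rather than executed. The `contains_live_script` helper is a deliberately simplistic pattern check of the kind an automated scanner performs; it only spots a literal `<script` tag, which illustrates why such checks are useful but incomplete. The comment strings, the `Guestbook` class and the CSP header value are all constructed for this example.

```python
# Added example (not from the original post): stored ("persistent") XSS, shown
# vulnerable and hardened, with a simple scanner-style check. All data constructed.
import html
import re

# Constructed sample input: one harmless comment and one carrying script markup.
# The second string is a classic harmless test probe, not a real attack payload.
SAMPLE_COMMENTS = [
    "Great store, fast shipping!",
    "<script>alert('xss')</script>",
]

# Scanner-style signature: an un-encoded <script tag anywhere in the rendered page.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


class Guestbook:
    """Stands in for a web app whose comments table is rendered on a public page."""

    def __init__(self):
        self.comments = []  # plays the role of the database table

    def post(self, text):
        # Stored once; from here on every render of the page includes it.
        self.comments.append(text)

    def render_vulnerable(self):
        # The defect: untrusted stored text is interpolated directly into HTML.
        body = "".join(f"<li>{c}</li>" for c in self.comments)
        return f"<ul>{body}</ul>"

    def render_hardened(self):
        # The fix: encode at output time, so '<', '>', quotes and '&' become entities
        # and the browser shows the text instead of running it.
        body = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in self.comments)
        return f"<ul>{body}</ul>"


def contains_live_script(page):
    """Return True if the rendered page contains an un-encoded <script tag.

    This is the kind of cheap signature an automated scanner applies. It would
    miss script injected through event-handler attributes or other contexts,
    which is exactly why a pattern match is not a full security review.
    """
    return bool(SCRIPT_TAG.search(page))


def simulate_visits(render, visitors=3):
    """Render the page once per visitor; count how many copies carry live script."""
    return sum(1 for _ in range(visitors) if contains_live_script(render()))


def demo():
    """Post both comments once, then serve the page to several visitors both ways."""
    gb = Guestbook()
    for c in SAMPLE_COMMENTS:
        gb.post(c)
    return {
        "vulnerable_hits": simulate_visits(gb.render_vulnerable),  # every visitor
        "hardened_hits": simulate_visits(gb.render_hardened),      # none
        "hardened_page": gb.render_hardened(),
    }


# Defence in depth (assumed header value for this example): a policy that forbids
# inline script limits what any XSS the encoding step missed can actually do.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    result = demo()
    print("visitors served live script (vulnerable):", result["vulnerable_hits"])
    print("visitors served live script (hardened):  ", result["hardened_hits"])
    print(result["hardened_page"])
```

The point to take from running it is the "stored once, served to all" behaviour: with the vulnerable renderer every visitor after the post receives the script, which is what makes persistent XSS a site-wide problem rather than a one-victim problem. The hardened renderer changes nothing about what is stored; it only changes how stored text is emitted, which is the standard fix.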

So what McAfee is officially saying here is that all they care about is the security of the people who are paying for the HackerSafe logo, because they obviously don't care about the security of the users of these sites, or else they'd take a more hard-line approach to XSS.  Given the prevalence of XSS on the web, I suspect they'd have no business at all if they removed the logo over XSS vulnerabilities, since companies pay them to use that logo, so in the end, all they really care about is the almighty $.

Goodin continues:

The vulnerabilities also raise the question of so-called payment card industry (PCI) requirements for businesses that process credit card payments. Websites that contain XSS vulnerabilities almost certainly don't comply, McRee says, and yet most of the sites continue to accept credit cards. But we'll leave deficiencies in that set of requirements for another day.

McAfee has had three months to fix the deficiencies of this program, but so far we see no evidence it's done so. We're all for services that help websites stay on top of rapidly moving security threats. But there's a term for programs that declare their customers Hacker Safe while failing to catch easily spotted XSS flaws. It's called a rubber stamping, and it's time it stopped.

You're 100% spot on, Dan.  Can't wait till people realize that WAFs and scanning tools are simply not enough.  Can't wait till people realize they need real security, not a silver bullet that's really snake oil.

-Nate


Talkback

16 comments
  • Speaking of Payment Card Industry...

    Do you know that the PCI security standard endangers wireless LANs (http://blogs.zdnet.com/security/?p=941)? :)
    Grayson Peddie
  • This is similar to problems...

    with financial auditors being paid by the company they are auditing. The auditors don't like issuing qualified opinions on financial statements prepared by the company signing the auditors' check. This conflict of interest leads to many unqualified opinions that should be qualified.

    I'm sure McAfee doesn't want to forgo issuing certification when they are being paid by the company whose site they are examining.
    bjbrock
  • The almighty $

    > ... so in the end, all they really care about is the almighty $.

    It's become the nature of the modern corporate beast. Do just enough to get by, and nothing more (as *gasp* that might affect their almighty profit margin).
    klumper
  • So I notified one site which uses HackerSafe...

    When I came across the title, I decided to read the article. After reading that I asked myself if the users of the service even knew about this vulnerability, because I thought it was a sure bet McAfee wouldn't tell them (not good for the corporate image and all that, you know...)

    So I took it upon myself to advise one site I know of which "prominently displays the HackerSafe logo". Now they know about this, too.

    My advice to everyone who reads these comments is to advise at least one such site and preferably every one you know of which uses this service (HackerSafe).

    After all, as the writer stated, your computer could be at risk, too! And that's the last thing any one of us wants or needs.

    Just email those you want to warn and send them the url of the article in the address bar (copy/paste) in the notification email. (Some people still don't know how to do this, would you believe, which is why I gave directions.)

    Nate: Do you think we should keep track of which sites have thus been notified? (I'm turning on notification of activity on this thread, so I'll know if you answered.)
    bart001fr
    • I like it

      Be responsible though, let's not post full blown attack vectors here, but if you notify the sites that were found to be vulnerable, we can bring this back to McAfee and demand action.

      -Nate
      nmcfeters
    • Second business site notified

      I just notified a second business site of this article. I believe that it is our responsibility to do so as I doubt that McAfee will.

      I'm not saying who I notified because they're just as much a victim as you or me in this case, even more so because they're paying for security they don't get.
      bart001fr
  • RE: More bad news for McAfee, HackerSafe certification

    Well then. Apparently, it seems, we're not safe to do business on-line. You're good at pointing out these flaws. So why not give a solution?
    DABaker1956
    • I have

      Yeah, it's not so difficult and I think I have. I think the thing to do is be doing at a minimum a blackbox security review on the applications that face the Internet, combine that with a deep source code review for those Internet facing apps that are critical in terms of data stored.

      Using a Web Application Firewall or a simple scanning tool alone is not acceptable.

      -Nate
      nmcfeters
      • So what protection do I need?

        Nate,

        I have Avast!, ZoneAlarm, Spybot S&D, plus ZoneAlarm ForceField

        http://download.zonealarm.com/bin/forcefield_x/index.html

        (a browser add-on which acts as a shield), so do I need anything else?

        If this keeps up, we'll all end up having more protection than regular apps unless we start having a computer dedicated for firewall duties!

        Right now I still trust my router (SMC Barricade 7004ABR) to do the job.
        bart001fr
  • RE: More bad news for McAfee, HackerSafe certification

    To dismiss XSS as just something that "can't be used to hack a server" represents a lack of understanding of what "hackers" do to steal customer data. I would expect that a company that sells a service called "hacker safe" would take any vulnerability on the OWASP Top Ten as a serious issue and not dismiss it because it does not allow entry into a server. In my opinion, if a vulnerability on my website causes one customer to lose the confidentiality of their personal information, then I failed to do my job to protect my customer.

    Note to McAfee/Hacker Safe Group, the OWASP Top Ten is there for a purpose.
    jdv330459
  • RE: More bad news for McAfee, HackerSafe certification

    Companies continue to ask us if they should use services like hackersafe. The service aside, we have never been a fan of putting a "badge" or label on your site saying you are secure. It can serve to entice hackers, and potentially create a sense of false security (see article above). We continue to tell our customers that they can use applications like hackersafe, or whatever it's called now, as long as they understand both the positives and negatives. With that said, it would be nice for once for a company to clearly explain what its service does... and does not do. Until then the world will continue to rely on news sites, bloggers, etc to uncover the issues that companies should be more up-front with.

    MBridge, LLC
    www.mbridge.com
    MBridge llc
  • RE: More bad news for McAfee, HackerSafe certification

    I think SafeInput certificate is more useful than HS. At least SafeInput can protect critical information on client-side.
    gooloomoo
  • RE: More bad news for McAfee, HackerSafe certification

    How about we (software authors) all go back to the basics where we spend the same amount of effort/time/money testing the systems we generate as we do designing and writing them. Maybe then, with properly tested systems, these problems of hacker intrusion and any other future situations would be minimized. But then (call me cynical) I wonder how many software authors have been trained in the rigorous science of software testing (maybe I should have typed the word "rigorous" in capitals, as I really don't think most know what it entails.)
    koala1515
    • Software Testing - a lost discipline?

      How about we (software authors) all go back to the basics where we spend the same amount of effort/time/money testing the systems we generate as we do designing and writing them. Maybe then, with properly tested systems, these problems of hacker intrusion and any other future situations would be minimized. But then (call me cynical) I wonder how many software authors have been trained in the rigorous science of software testing (maybe I should have typed the word "rigorous" in capitals, as I really don't think most know what it entails.)
      koala1515
  • RE: More bad news for McAfee, HackerSafe certification

    Thank you for telling it like it is. Not only is this an informative article about the truth of the problem, it is a red light to surfers. To me it is interesting that in tests done on various internet security suites, McAfee consistently is rated very low to start with. I believe there should be some way to force both McAfee and the vulnerable sites to take a learning course concerning such breaches, and then be forced to fix the problem immediately. That will not happen of course but it should.
    bill_stanley@...
  • RE: More bad news for McAfee, HackerSafe certification

    I agree with what you said about McAfee being weak with their testing. I have read about a new and up-and-coming company called Online Trusted. They say they do a better job and have a lot better technology, and also run more tests. What do you think about them? (onlinetrusted.com)
    jimlestrange@...