More than three months after security bugs were documented in more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a security researcher has unveiled a fresh batch of vulnerable websites. Russ McRee, a security consultant for HolisticInfoSec.org, documented cross-site scripting (XSS) errors in five sites that …
Does anybody actually believe those little tags?
Christ, the last time I checked one it just linked to a .gif on the 'security company' web site: They updated the .gif once a day so it listed the current date. You could stick 'em all over the place even if you WERE the hacker.
Macafee's website verification system is buggy... Like a lot of their other software.
I work for an ISP that includes the Macafee securty suite, the number of times it doesnt install correctly from the CD meaning that customers dont get updates after 14 days is crazy.
Almost as crazy as the number of times I've tried to get them to install it from their website, only to be told by its download manager "There are no programs to install".
Any program that makes you run a downloaded tool as a part of its recommended uninstall proceedure (and doesnt bother to tell you about it unless you look specificaly at the how to uninstall page on their website) shouldnt be anyones first choice.
Hacker Safe indeed..
A Hacker could feel right at home there..
re: Does anybody actually believe those little tags
"Does anybody actually believe those little tags?"
Among The Reg readers, probably not. Among the general populace, most certainly. Don't forget, there are many people who believe everything they read on the Internet, whether they've read it on a "respected" site like the NY Times or the Washington Post, or they've read it on MySpace. These types of people will blindly accept anything someone who is supposedly more knowledgeable tells them (say, for example, completely made up "information" used to justify starting a war with a foreign nation). Most people want to trust other people and want to think that other people aren't going to injure them (physically, mentally, or financially). There are also way too many people in the "it won't happen to me" camp.
Also don't forget, a lot of people assume privacy and security where technically-minded people know there is certainly no expectation of privacy or security. For example, many people think nothing of sending private (or even confidential) information in unencrypted email.
*sigh* what do you expect...
From a program that when you click on the link hot it works: http://www.scanalert.com/site/en/certification/howitworks/ consists of a document advising the best place to place the hacker safe image on your site for marketing benefits, rather than a synopsis of how it ensure your site is safe.....
The wrong thing to say!
Hmmm, I need to bolster confidence in our Hacker Safe certificate... I know!
"Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification."
There we go! Wait...
I mean, how stupid a statement is that? Currently, dangerous XSS exploits can't be detected by our crap system, so we simply say they don't count, and as a result give our customers a false sense of security.
This doesn't surprise me at all; nor, would I imagine, will it come as a shock to anyone who has had any professional dealings with a "Hacker Safe" site.
At my previous workplace, a collegue (who I'm sure is reading this - Hi, Dave!) was responsible for security audits on potential business partners' websites. One had passed the "hacker safe" tests and proudly displayed the logo on their site, yet he discovered the site itself and the processes in place behind it were laughable.
When you logged out of the site, it displayed a message reminding you of what your password was for the next time you visisted. Their policy regarding changing passwords was that the customer could email them with details of what they wanted their new password to be. All this was sent and stored in plain text. This was right up, in your face - you couldn't fail to notice this, yet someone at McAfee decided to still issue the "Hacker Safe" certificate.
And this was before we even got to the application errors, XSS, DoS opportunities, configuration files and information being left out in the open - and on a site storing VERY personal data as well. It just goes to show that whatever tests go on to certify a site as being "Hacker Safe", they're a joke at best; and incredibly damaging at worst.
Paris, because her "box" has probably been rooted less than many Hacker Safe sites.
I've got a highly visible sticker on my bike that says 'Coded Cycle'. Is the bike coded or not? Who's to tell.
"Hacker Safe" -- is that a guarantee or an invite?
Mine's the one with 'security protected' on the back
Not entirely accurate
I have a customer that subscribes to the HackerSafe service for his own peace of mind, it did find one (albeit blatant) XSS vulnerability I had missed in a piece of OSS we were using on his site. The problem isn't that HackerSafe doesn't test for XSS at all, it just can't test for all the possible variations (and thus only finds XSS exploits fitting a specific pattern).
HackerSafe is not a substitute for proper security precautions, I think it's safe to assume that no software is.
Re: Does anybody actually believe those little tags?
A quick Google for
<script src=http://www.nihaorr1.com hackersafe
shows three sites that were victims of SQL injection yet subscribe to Hacker Safe.
Currently the Hacker Safe logo shows as a blank space. But the link is still there on the page. Is this really adequate for the customer – the hackersafe logo or a blank? If a site fails to respond surely the image should become “Warning unsafe site”.
I wonder what sort of warning McAfee provided. Certainly these sites failed to modify their code and suffered the consequences.
McAfee may not be wrong
The point of the "Hacker Safe" certification is to announce that the server cannot be accessed by unauthorized "hackers", therefore submitting your credit card and personal details in the transaction is safe, as it will be stored in a purportedly secure environment. XSS vulnerabilities do not change this fact, and this is why McAfee did not give them so much emphasis and still insist they're not grounds for failing certification.
However, they did not considered that there are two parts to a secure e-commerce transaction: security in the transit and storage of the data, and security in dealing with the client. If your e-commerce site caused my computer to be infected with viruses, worms, and other malicious programs, then it doesn't matter if my credit card details are safe within your server, as they are now not safe in mine as a result of your lack of protection against XSS vulnerabilities.
So, technically, the physical server may be "Hacker Safe", yet the full e-commerce experience may not be.
I am willing to give the benefit of the doubt to McAfee and assume that this omission was due to just a lack of foresight, and was not intended: their certification program came amidst a time when servers of bank and other large organizations were being intruded upon to extract credit card and other valuable consumer data. I'm sure they will work on refining their process now that this has come to light.
This reminds me of a blog posting regarding a new PCI complience test that is reportedly 100% as effective as other leading PCI complience tests out there, but totally free of charge. The blog is here: http://jeremiahgrossman.blogspot.com/2008/04/my-blog-is-pci-certified-by-scanless.html and the offering is from the guys at: http://www.scanlesspci.com/ ScanlessPCI.
(As reported on Mike Rothmans blog on.....April the 2nd (A day late because of his hate of April 1st)....http://securityincite.com/blog)
(Paris, because McAfee makes your computer as open as....)
An entirely false premise
So you're an IT expert and actually sat in front of the machine and know everything about it. Can you certify the machine as 'hacker safe'? Certainly not. Now how the hell is an automated script, that is run by a third party who knows little or nothing about your site, supposed to do any better, or even match your own evaluation of the system's security.
The 'Hacker Safe' premise appeals to retards. I suppose that since nowadays retards go shopping online that is all that matters, but nothing a script can do can properly validate the security of a web site. Does the script check the company's garbage for credit card slips and other compromising data? I think not. Does it probe the system for previously unknown vulnerabilities? Doubtful.
In any case, the very name "Hacker Safe" is moronic. Security is always relative and never absolute as the name implies. Just as there isn't a lock in the world that can't at least theoretically be picked, IT security is always a measure of how difficult it is to break into a system, not a question whether it is possible at all.
There is no such thing as perfect security.....
I'm amazed that McAfee are naive enough to think they could get away with such a ridiculous assertion even if their services were capable of detecting 100% of vulnerabilities (which they patently arent).
Its not just sticking your neck out, its sticking your neck out and having a target painted on your forehead....
The alt text says alt="HACKER SAFE certified sites prevent over 99.9% of hacker crime." even if the image is not displayed (eg http://www.haworthpressinc.com/default.asp).
Does this mean that blind users will be told that the site has passed the test when it hasn't?
Re: McAfee may not be wrong
"The point of the "Hacker Safe" certification is to announce that the server cannot be accessed by unauthorized "hackers", therefore submitting your credit card and personal details in the transaction is safe, as it will be stored in a purportedly secure environment."
Nope, sorry, this is still totally wrong. A successful XSS attack can be used to gain access to a server and elevate privileges. It's not "just" a defacement vector.
Also, as I mentioned before, I've seen the results from a security audit on a "hacker safe" site, and it was a joke. There is no way I would ever let that site process my credit card details, or store any kind of personal information.
McAfee / HackerSafe = Morons
WTF were these nitwits in 05/06, when XSS "grew up"?
For all you gullible customers of HackerSafe processing credit cards (all of them?), the PCI DSS *cares* about XSS, so you'd best get to work closing those holes...and by the way, you're NOT HackerSafe and you're wasting your money.
@ Alistair Wall, Re: screen readers
It does indeed. Just checked with two popular Windows screen readers. Works in elinks (textmode on *nix) too. :-(
Of course, that's only a problem if you believe this ridiculous claim. Which I don't. Although I couldn't help digging into it, just in case I, er, missed anything.
I struggle to imagine a simple way of implementing this banner without using an image and static alt/title unless script were used, or a CGI, or something equally likely to cause grief to the performance-desiring webmaster. Web counters are often images, so we often don't get to read those, either.
I think there’s a cross-purpose (pun!) going on.
XSS can not attack a site, but rather can be leveraged to attack the user of a site. So really “Hacker Safe” is a company saying “We’re ok, but user beware”.
Of course the user does not know this.
Caveat Emptor, as true for the Romans as for us today.
Wow! You ain't kidding with 'what do you expect...'
The text on that web page you referenced - http://www.scanalert.com/site/en/certification/howitworks/ - is apparently as sloppy as the HackerSafe vetting:
Read 'er and weep:
"Income. The lower the average sale price to less the conversion increase, with expensive items sold to more affluent customers showed a pronounced in increase in willingness to transact."
Web App Sec 101
1. Go to the OWASP site, have a bit of a read.
2. Check out the most recent (stable) version of the OWASP top 10 web app sec flaws:
3. Oh look, XSS is number 1. Ahead of SQL inection.
- Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
- 14 antivirus apps found to have security problems
- Feature Scotland's BIG question: Will independence cost me my broadband?
- FTC to mobile carriers: If you could stop text scammers being jerks that'd be just great
- Apple winks at parents: C'mon, get your kid a tweaked Macbook Pro