After researching material for a monthly column, Russ McRee, a consultant for HolisticInfoSec.org, found that McAfee’s “Hacker Safe” logos offer a false sense of security, to the point that he made a video demonstrating that five sites, each verified this month as “Hacker Safe,” are vulnerable to XSS (Cross-Site Scripting) attacks.
McAfee has more issues with Hacker Safe program. (IMG: J.Anderson)
A little history: in January, the news that Hacker Safe sites were vulnerable to XSS garnered lots of attention online. The news and attention centered on a claim by McAfee’s ScanAlert: “HACKER SAFE certification is achieved by passing rigorous daily network security audits… The web site is then "deep crawled," including flash embedded links and password protected pages, to find forms and other potentially dangerous interactive elements.”
The objective is to ensure that sites which display the logo are secure and thus Hacker Safe. Many sites use this logo to tell customers that they are secure and protected. Some companies also use the Hacker Safe logo to claim PCI compliance. ScanAlert (McAfee acquired the company a while back) countered the news, minimizing the XSS vulnerabilities by saying that they “can't be used to hack a server.”
In an interview with Dark Reading, Joseph Pierini, director of enterprise services for ScanAlert, said, “Cross-site scripting is a problem in the Web browser and the site, but all code is executed on the client side. It requires some social engineering...to entice users to follow a link or click on a link sent via an email.”
“Cross-site scripting can't be used to hack a server,” he added. “You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly.”
All of this was just under four months ago. Now, Russ McRee has more evidence that McAfee has done little or nothing about the issue. In a video (link below) and a new blog post, McRee says, “Unknowing consumers deserve far more than false claims of security and empty assurances designed to grow McAfee/ScanAlert revenues.”
McRee isn’t the only security expert to take issue with the Hacker Safe logo. Rafal Los posted a note on his blog showing a website that sells “popover” technology branding itself as Hacker Safe. “I've pointed out over the past that the Hacker Safe shield is nothing but a sham - but check this out folks. Just like ScanAlert is all about conversions and marketing, this says it all,” Los said. (hxxp://popover.generatorsoftware.com/)
McRee points out in his criticisms that the Hacker Safe logo is being falsely used to imply that a company is PCI-DSS compliant.
“Sites that are vulnerable to XSS are not PCI compliant. All of the sites in this video take [Credit Card] payments and store customer information. The sites in this video have been vulnerable for months. Additionally, some have been advised multiple times [that they are vulnerable to XSS attack] and have simply ignored my notices. Their McAfee Hacker Safe branding is active and has not been removed at any time. The McAfee Hacker Safe service claims XSS as part of its vulnerability checks; sites that are vulnerable to it should not be showing the McAfee Hacker Safe label in perpetuity.”
The charge that consumers are at risk is true, as anyone with malicious intent can attack these sites. Currently there is no proof that anyone has suffered because of the breakdown in security on these websites. The PCI compliance claim is legitimate: the current rules governing compliance (http://tinyurl.com/5mlk48) list “6.5.4 Cross-site scripting (XSS) attacks.”
McAfee told The Register that, “Currently, the presence of an XSS vulnerability does not cause a web site to fail Hacker Safe certification. When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities.”
It is unknown if this education mirrors the comments made in January by Joseph Pierini.
Aside from the canned response given to The Register, there is no other comment from McAfee.
There is one interesting bit of information: if you read the legal text from Hacker Safe, it appears that even they know there are problems.
“This information is intended as a relative indication of the security efforts of this web site and its operators. While this, or any other, vulnerability testing cannot and does not guarantee security, it does show that [company name removed] meets all [PCI] guidelines for remote web server vulnerability testing to help protect your personal information from hackers.”
Adding, “HACKER SAFE does not mean hacker proof…While ScanAlert makes reasonable efforts to assure its certification service is functioning properly, ScanAlert makes no warranty or claim of any kind, whatsoever, about the accuracy or usefulness of any information provided herein. By using this information you agree that ScanAlert shall be held harmless in any event.”
XSSed.com list of Hacker Safe sites (2008/01/21): http://xssed.com/news/55/
McRee’s posting: http://holisticinfosec.blogspot.com/2008/04/still-not-hacker-safe-roll-video.html
Video of XSS attacks: http://holisticinfosec.org/video/HS_ISSA/ISSA_Regional_HackerSafe.html
Sites demonstrated in the video: Alsto.com, BlueFly, Delaware Express, Delightful Deliveries, and Improvements Catalog.