Friday, January 25, 2008

An Open Letter to Ken Leonard, CEO, ScanAlert

Dear Mr. Leonard,

As well you are aware; the Hacker Safe brand has long been viewed by those in the information security field with varying levels of skepticism, if not vehement disdain. As there are a plethora of blogs, articles, and exposed vulnerabilities available for you to review, I will not waste your time with excerpts validating our position. Suffice it say, the community at large shares certain doubt about the service offering ScanAlert arrogantly calls Hacker Safe.
It is our view that this is a marketing position only. Nothing, I repeat, nothing, is truly "hacker safe". You claim that websites are free of vulnerabilities when they are clearly not. This is disingenuous and is at the root of what angers information security professionals. If a site is vulnerable while under the auspicious care of ScanAlert's Hacker Safe program should it not lose its Hacker Safe credential until such a time as the vulnerability is remediated? If I take this down to a fundamentally simple premise, saying a site is Hacker Safe while vulnerable to SQL injection, XSS, CSRF, etc. is, in essence, a misrepresentation. If a consumer commits a transaction on a site that is vulnerable, are they not at risk due to vulnerabilities your service claims to scan for? While we understand that you are in the business of growing revenue by indicating websites as “hacker safe”, we believe you are also beholden to the consumers using those sites.
We ask of you this: if a site is found to be vulnerable during your scans, or as reported by third parties, then enforce the findings and suspend their certification. Strive to improve your scan engine where possible. It is your responsibility to NOT label a site “Hacker Safe” when it is not. Then, at least, you are telling the truth, and a consumer can make an informed choice as to how confident they feel about the site's security practices.
There are, at the time of this writing, sites still vulnerable to XSS, yet branded Hacker Safe, that were identified as vulnerable MORE THAN A YEAR AGO. These sites should not be reported as Hacker Safe, period.
Please don't insult us with more of Joseph Pierini’s pearls of wisdom like “XSS vulnerabilities aren't material to a site's certification”. Adopting a view like this is ridiculous and blatantly ignorant given the risks to consumers. You scan for XSS and clearly denote it in your How We Scan section. Therefore, if a site is vulnerable to XSS it is not “Hacker Safe”.
This is far from the first round, credit sla.ckers.org with driving this point home in 2006, only to be shrugged off by Pierini then too. I think there may be a job opening for him over at Zango. Perhaps he could change his mantra from “XSS is not our problem” to “We don’t make spyware.”
What about the PCI argument? If a site is vulnerable to XSS, it’s simply not compliant. See this post for details. It all adds up to consumers at risk. ScanAlert should remember, above all, that safety for the consumer is paramount. Why not live up to your marketing hype and offer a service that truly, honestly, and with integrity, lives up to even a fraction of its namesake.
"What gets us into trouble is not what we don't know. It's what we know for sure that just ain't so. - Mark Twain"

Sincerely,

Russ McRee

Those information security professionals wishing to lend your name to this plea, please add your name as a comment.

del.icio.us | digg

12 comments:

Unknown said...

I'll put my name to it, though I'm not a tried and true security professional yet. Just a lowly Associate of (ISC)² trying to work up the work experience to make it a full CISSP.
I am curious though, I was reading an article about this on Darkreading http://www.darkreading.com/document.asp?doc_id=110363
and they claim ScanAlert has such customers as Nike, Northrop Grumman, and Sony, but when I visited those sites, briefly, I didn't see the Hackersafe logo. Did those companies pull the logo themselves due to this?

Aaron Wignall, Associate of (ISC)²

Russ McRee said...

Good question, Aaron but I have only a speculative answer for you. ScanAlert claims that their "auditing technology allows the HACKER SAFE mark to appear only when a web site's current security status meets the highest published government standards. A maximum of 72 hours is allowed to patch vulnerabilities before the certification mark is replaced by a single-dot "clear" gif image. The certification mark will reappear as soon as a new audit is passed."
So, we can conclude two possibilities. One, those sites are still out of compliance and ScanAlert has followed through with their claim, or two, that the company simply dropped the Hacker Safe service. I tend to favor the latter as to this day their are numerous sites still Hacker Safe branded that are vulnerable and thus not adhering to ScanAlert's "standards" and not PCI compliant.

Unknown said...

I would like to add my support to the cause. I am merley a student in the ISS field working toward a degree and one day a CISSP cert. but I'm truly upset by the fact that a company would claim that a web site is "Hacker Free" when it clearly isn't. In my opinion that is blatent false advertising. When an individual who dosen't fully understand information security views the Hackersafe logo, they will fully believe it. They will submit their private information believing it to be 100% secure. If this is not true then you are lying to them and taking advantage of their ignorance. If your going to ask a client or end user to trust your ability to keep their information secure then you should be respectfull of the trust they give you. Simply informing your clientel of the true level of threat to their information will go a long way gaining that trust. Of coarse this may just be the ranting of the Joe Everyman who is tired of being lied to by corprate america.

Anonymous said...

Hello

I am an ex employee of ScanAlert

I can concur with comments here.

I have first hand knowledge of the systems and also their network

Ken Leonard has been able to con his way through to various countries and use groups with access to banks etc to build his business

He is a smart man in some circles

However, if you know ScanAlert you know how to also Hack it.

Anonymous said...

Dimitris Pagkalos and Kevin Fernandez, XSSed.com

Anonymous said...

Russ you're making complete sense, and they aren't. They should come clean or be exposed for the fraud they apparently are.

Anonymous said...

Uber0n

http://xssed.com/archive/author=Uber0n/

Anonymous said...

I'll sign it as well. And I've always thought "Hacker Safe" was a somewhat hilarious exaggeration.

Grant Bugher
perimetergrid.com

Anonymous said...

Dr.Optix

http://xssed.com/archive/author=Dr.Optix

Anonymous said...

Dear Russ,

Thank you for your open letter. It makes most interesting reading. However, I would like to clarify one point - the intention of the 'Hacker Safe' branding has always been to ensure the 'Hacker' is safe and should in no way be interpreted that the customer is safe. We are considering a 'Customer Safe (TM)' branding to compliment our offerings to the black hat community and this should boost our market share by a good 200%.

Best regards,

Ken

Unknown said...

I'm not truly a security professional how ever I do study it on my own time.

And I 100% agree with this I my self have witnessed a company where information was able to be obtained from it along with access to the servers owned by the company hosting various things such as the service they provide or the database for customer information varying from credit cards,addresses ,first names,last names,etc.

And honestly if such things are marked as hacker safe yet you can gain access over the entire network
that truly shows how dishonest these scan alert messages are to the consumers.

Chris Richardson - TheDefaced.org.

Rafal Los said...

I've also written about ScanAlert, and now Comodo - who both offer the same service which seeks to increase your conversion rate (buyers vs. browsers) but apparently does little for the security of the sites.

http://preachsecurity.blogspot.com/2008/01/ive-had-many-conversations-with-some.html
-- and --
http://preachsecurity.blogspot.com/2008/03/this-time-its-hackerproof-oh-boy.html
-- and --
http://preachsecurity.blogspot.com/2008/03/hacker-proof-update-1.html
-- and --
http://preachsecurity.blogspot.com/2008/03/hacker-proof-update-2.html

-- If you read these entries, and the associated replies from the company representatives - you'll notice that they carefully avoid all questions about how they really function, and focus on marketing fluff.
-yikes.

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...