Friday, June 27, 2008

PC Universe is shrinking thanks to McAfee Secure's cluelessness

My web app sec friends know exactly how to push my red buttons. "Heh-heh, send it to Russ, he'll go off." Yep. ;-) Thanks, Rafal. Now I'm all spun up. I was sent two moronic gems this morning; one on the merits of McAfee Secure / Hacker Safe and the 109% sales increase it resulted in for PC Universe, the other an interview with the Internet's single biggest dillweed, Cresta Pillsbury. These articles are both a bit dated, but they equally embrace the premise of "trust" logos as a predominant sales driver, rather than any actual motivation to secure a site and protect consumers.
An example:
"If you’re doing conversion marketing and statistical testing on your website and you haven’t explored trust logos yet, then you’re missing out."
I must be the most naive person in the world; this enrages me. When will the idiots who write this crap get a clue? They've bought right into the hype the snake oil salesmen hoped they would and are now complicit in their failures.
Case in point, as seen in the Internet Retailer piece. By the way, I realize that Internet Retailer and basic web application security practices are completely at odds (as proven here), but this one deserves direct abuse.
"PC Universe first tested Hacker Safe on its own site in an A/B split test in which half the visitors saw the Hacker Safe seal and half did not. During that test, 7.3% more orders came from Hacker Safe shoppers than from the control group. PC Universe, which operates on the web at, is No. 360 in the Internet Retailer Top 500 Guide."
Really? Let's see what McAfee Secure / Hacker Safe has done to actually provide any measurable security benefit.
How about absolutely nothing.
Here's PC Universe's very current, verified McAfee Hacker Safe cert.
Now, here are a few ridiculous examples of reality from this universe as opposed to the McAfee-twisted alternate universe. Please note, this is the "accountid" variable, and the fact that the marquee is rendered no less than eight times.
1) Marquee Remediated 6/30/08
2) XSS Deface Remediated 6/30/08
3) Cookie Remediated 6/30/08
Kudos for the quick fix, PC Universe.
If you'd rather just see a video of these vulns, it's here.
PC Universe, rather than lauding your sales increases thanks to some POS logo, try securing your site code. I guarantee you have other issues.
McAfee Secure, once more, you are simply fraudulent to the core.


Anonymous said...

If we were to, theoretically, get the XSSEd link into a relatively high ranking with Google for a major vendor, do you think it would make anybody listen?

I'm convinced that Everything we're saying is falling on deaf ears, and it's going to take a few prominent worms and attacks to make people listen.

Unfortunately, even when the attacks do get publicized, they never say *how* the credit cards were compromised, it's just 'OMFG the evil hackers are at it again! Nothing can stop them!'

Rafal Los said...

Sad, sad reality check though... while it's not possible to agree more with you sir - No one cares as long as the consumer laps this up.

This poses an interesting question. Are we, the security-conscious, approaching this from the wrong angle? Should we be educating the consumer that "Hacker Safe" is a fraud and does nothing to actually keep their identity and information secure? I'm guessing if people start to AVOID sites because of the "Hacker-Safe" logo... that'll drive some very serious points home and ring an alarm bell or two with those twits over at McAfee...

With people like that you have to make it hurt before they listen. And making them hurt means drying up their (minuscule) revenue stream.
