[ISN] Many 'Hacker Safe' Web Sites Found Vulnerable

From: InfoSec News (alerts@private)
Date: Thu Jan 17 2008 - 23:02:48 PST


http://www.informationweek.com/news/showArticle.jhtml?articleID=205900444

By Thomas Claburn
InformationWeek
January 17, 2008

More than 60 Web sites certified to be "Hacker Safe" by McAfee's 
ScanAlert service have been vulnerable to cross-site scripting (XSS) 
attacks over the past year, including the ScanAlert Web site itself. 
While the XSS hole in the ScanAlert site and others have been addressed, 
some apparently have not been, leaving visitors potentially vulnerable 
to client-side attacks.

Joseph Pierini, director of enterprise services for the ScanAlert 
"Hacker Safe" program, maintains that XSS vulnerabilities can't be used 
to hack a server.

Still, Kevin Fernandez and Dimitris Pagkalos, two computer scientists 
who maintain XSSed.com, a site that has been tracking XSS 
vulnerabilities since February 2007, provided InformationWeek with a 
list of 62 Web sites certified as "Hacker Safe" on which XSS holes have 
been reported. The list includes brookstone.com, cafepress.com, 
cduniverse.com, gnc.com, mysecurewallet.nl, petsmart.com, and 
sportsauthority.com, among other familiar brands.

The XSSed.com site tracks whether reported XSS flaws have been fixed, 
but such information may not be accurate if the site making the repairs, 
or the initial discoverer of the hole, fails to report the fix. While 
XSSed.com data doesn't specifically correlate the presence of a "Hacker 
Safe" badge on a site with the time when an XSS vulnerability was active 
-- the certification could have been withdrawn while the hole was 
present and then reinstated -- security researchers report that some 
sites currently certified as "Hacker Safe" also are currently vulnerable 
to XSS attacks.

As of Wednesday, Toastmasters.org, a Web site certified to be "Hacker 
Safe" by McAfee's ScanAlert service, was one such site.

Russ McRee, a Seattle-based computer security researcher, on Wednesday 
published information on his blog detailing a cross-site-scripting 
vulnerability that affects the Toastmasters.org site.

Toastmasters International aims to help people overcome their fear of 
public speaking. An employee of the organization said that no one was 
immediately available to speak about the group's Web site. Further calls 
to the organization weren't returned.

McRee said that he alerted Toastmasters that its Web site was 
vulnerable.

Cross-site scripting is a type of Web application vulnerability. A 
successful cross-site scripting attack allows an attacker to inject HTML 
code or client-side scripts into a target Web page.

"XSS vulnerabilities do present a serious risk. However, to date their 
real-world use has been limited," said Oliver Friedrichs, director of 
Symantec Security Response in an e-mail. "XSS vulnerabilities can result 
in the theft of session cookies, Web site login credentials, and 
exploitation of trust. XSS vulnerabilities are site-specific, and 
therefore their life cycle is limited; they become extinct once they're 
discovered and repaired by the Web site owners."

Pierini maintains that XSS vulnerabilities aren't material to a site's 
certification. "Cross-site scripting can't be used to hack a server," he 
said. "You may be able to do other things with it. You may be able to do 
things that affect the end-user or the client. But the customer data 
protected with the server, in the database, isn't going to be 
compromised by a cross-site scripting attack, not directly."

Pierini dismisses the suggestion that certifying a site as "Hacker Safe" 
when it remains vulnerable to XSS attacks could be confusing to 
consumers. He insists that the meaning of the certification is clear and 
notes that his company's scanning service reports the XSS flaws it finds 
to its clients.

"We definitely identify this [XSS] and we definitely bring this to our 
customers' attention," he said. "And we provide our customers with the 
information. Our customers are allowed to make the decision where to put 
their resources. I personally want them to put their resources where 
they're needed most, in things that can affect the confidentiality, the 
integrity, or the availability of that system that we're certifying. 
Cross-site scripting can be used to do a variety of things, but it's all 
on the client side. And that's an area that we don't have control over." 

In an e-mail, McRee countered that while that may be true, "this issue 
still indicates a shortcoming in the 'Hacker Safe' service." Pointing to 
ScanAlert's online explanation of its scanning procedure, which 
specifically identifies cross-site scripting among the flaws the service 
attempts to detect, he dismissed the company's "Hacker Safe" labeling as 
"a grandiose and inaccurate marketing claim."

"By [ScanAlert's] own claim, the Toastmasters site is scanned daily, yet 
this vulnerability has and continues to exist," said McRee. "This is 
really about ScanAlert accurately providing the service they claim to 
offer and aiding companies with online interests in following secure 
coding best practices."

The merits of the ScanAlert service came into question just over a week 
ago following the publication of a letter from the parent company of 
Geeks.com, a site also certified "Hacker Safe." The letter warned the 
site's customers of a data breach last December and said it was possible 
"that an unauthorized person may be in possession of your name, address, 
telephone number, e-mail address, credit card number, expiration date, 
and card verification number." In the letter, the company said it was 
still investigating the incident, "but it appears that an unauthorized 
individual may have accessed this information by hacking our eCommerce 
Web site."

ScanAlert spokesman Nigel Ravenhill subsequently asserted in an e-mail 
that "no one knows exactly what happened, or whether this breach 
occurred on the [Geeks.com] Web site or somewhere else." And he said, 
"There is no evidence that this Web site was hacked while it was 
certified 'Hacker Safe'."

To date, Genica, which runs Geeks.com, hasn't provided further details 
about last year's data breach. Peter Green, director of marketing at the 
company, said that the breach is still under investigation and that 
there is no further information beyond what has already been publicly 
disclosed. He said the company hopes to conclude its investigation in a 
week or two.

Someone posting under the name "kenleonard0" -- Ken Leonard is the name 
of the CEO of ScanAlert -- echoed Ravenhill's comments about the 
Geeks.com breach on the blog of Illinois-based IT consultant Rafal Los, 
who published an assessment of ScanAlert that's similar to McRee's. 
"There is no evidence that this Web site was hacked while it was 
certified 'Hacker Safe,' " the post says. "In fact, all of the 
information that ScanAlert has gathered so far indicates that this 
breach did not happen while Geeks.com was certified 'Hacker Safe.' "

Los contends that the issue isn't whether the Geeks.com site was 
breached while certified by ScanAlert. Rather, he sees the use of the 
label "Hacker Safe" as untenable given the realities of computer 
security. "I would argue that this service is obviously weak at best, 
and at worst puts a false sense of security into the minds of the 
unknowing end users who go to these sites," he said in a Jan. 8 blog 
post. "Making an outrageous claim like 'Hacker Safe' is akin to saying 
'Yes, your system is secure' when we all know the only way that can 
happen is with all cables (network, power) cut and data destroyed with 
an atom-smasher."

Copyright 2007 CMP Media LLC


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Jan 17 2008 - 23:08:28 PST