[ISN] 'Hacker Safe' seal: Web site shield, or target?

From: InfoSec News (alerts@private)
Date: Tue Jan 22 2008 - 22:38:25 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057878

By Jaikumar Vijayan
January 21, 2008
Computerworld

More than 80,000 Web sites worldwide display a small green logo that 
proclaims them to be "Hacker Safe." The logo is provided to them by 
ScanAlert Inc., a vendor that scans the sites of its clients daily in 
search of security vulnerabilities.

ScanAlert's logo is the most widely used security seal of its kind on 
the Web, and it can be found on dozens of marquee-brand sites, including 
those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment 
Inc. Such widespread use attracted the attention of security vendor 
McAfee Inc., which in late October agreed to acquire ScanAlert.

But Napa, Calif.-based ScanAlert was put on the defensive this month 
after online technology retailer Geeks.com warned an undisclosed number 
of customers that their personal and credit card data may have been 
compromised in a hacking incident. Geeks.com, whose formal name is 
Genica Corp., displays the Hacker Safe logo at the bottom of its home 
page.

A ScanAlert spokesman said "preliminary evidence" suggests that the 
breach likely occurred during one of several periods last year when 
ScanAlert had withdrawn its certification from Geeks.com after finding 
vulnerabilities on the Web site.

Even so, the incident at Geeks.com has rekindled a debate about the 
value of security seals such as the Hacker Safe logo.

ScanAlert users say that the scanning service can sniff out at least 
some security problems and that the logo is a valuable marketing tool 
for them.

On the other hand, ScanAlert's detractors say the service can give 
companies and their online customers a false sense of security. Indeed, 
hacker groups have claimed that they have targeted and broken into 
numerous Web sites displaying the Hacker Safe logo.

"Hacker Safe seals are completely ludicrous," said David Kennedy, who 
heads SecureState LLC's profiling and e-discovery practice. SecureState 
is a consulting firm in Cleveland that offers security risk assessment 
services and does manual penetration testing of systems and networks for 
its clients.

ScanAlert's automated probes offer a "very basic form of vulnerability 
identification," Kennedy claimed. They focus more on spotting network 
vulnerabilities than on detecting harder-to-find Web application flaws, 
such as SQL injection and cross-site scripting vulnerabilities, he said.

"Web applications are very dynamic and ever-changing," whereas 
vulnerability scans rely on static information to identify security 
issues, Kennedy said. He noted that after being asked to do security 
assessments by 10 companies with Hacker Safe logos on their Web sites, 
SecureState was able to break into nine of the sites and easily access 
financial and customer data.

Adriel Desautels, chief technology officer at Netragard LLC, a Mendham, 
N.J.-based company that offers manual vulnerability testing services, 
said automated scans can be useful in ensuring that a Web site is 
protected against known security flaws. "They make sure that network 
security is not a complete disaster," he said.

But automated scans don't work as well with customized Web applications 
and e-commerce environments, Desautels contended. And they do next to 
nothing to test Web sites against less commonly known vulnerabilities, 
he said, adding that those are the flaws most likely to be exploited by 
black-hat hackers.

"We had a major financial institution customer that had passed an 
automated vulnerability scan and intrusion testing," Desautels said. 
"Everything appeared to be working, but then we came in and by the end 
of the third day, [we] had penetrated 17 of their internal systems."

Tim Dowling, vice president of consumer growth initiatives at McAfee's 
Web security group, said it's unreasonable and naive to expect any IT 
security service to provide 100% protection against online threats.

"Hacker Safe is not perfect," Dowling acknowledged. But he said that 
ScanAlert's service does help users defend their Web sites against 
"thousands and thousands" of threats. And sites that sport the seal are 
far more readily trusted by consumers than ones that don't, he claimed 
-- a contention that was backed up by several ScanAlert users.

According to Dowling, a full 90% of the scans that ScanAlert performs on 
a daily basis are automated. But in cases where sites fail the 
vulnerability scans, the vendor may do manual penetration testing to 
help its clients understand and correct security problems, Dowling said. 
And contrary to the claims of Kennedy and Desautels, ScanAlert does look 
for problems such as SQL injection and cross-site scripting flaws, 
Dowling said.

He added that the date-stamped Hacker Safe seal is served and controlled 
entirely by ScanAlert and is withdrawn any time a Web site fails to pass 
the daily vulnerability scan. Since new vulnerabilities arise 
frequently, Dowling said, it isn't uncommon for sites to lose and regain 
their Hacker Safe status, as Geeks.com did last June and December.

The Hacker Safe service should be just one part of a multilayered 
security strategy, said Jay Greenberg, director of e-commerce at Spencer 
Gifts LLC, a novelty gifts retailer in Egg Harbor Township, N.J.

"This is one additional tool that you can utilize to help secure your 
site," Greenberg said, adding that IT and Web site managers also "have 
to be smart and diligent about making sure your developers are 
monitoring and checking" for security flaws as well.

In addition to helping secure Web sites at the back end, ScanAlert's 
service can boost sales by making consumers "feel comfortable" about 
doing business on a site, Greenberg said.

Before joining Spencer Gifts, he worked for another company that was a 
ScanAlert client. Greenberg said that to test how useful the Hacker Safe 
logo was from a marketing standpoint, the company -- which he declined 
to identify -- asked ScanAlert to make the seal visible to only about 
half of the visitors to its Web site. The test showed that more of the 
people who could see the logo bought products, he said.

Jay Cline, president of Minnesota Privacy Consultants and former chief 
privacy officer at hospitality industry conglomerate Carlson Companies 
Inc., has been a ScanAlert customer for about a year. Using the Hacker 
Safe service certainly doesn't guarantee that hackers will never be able 
to break into a Web site, said Cline, who also is a Computerworld 
columnist.

"What I'm buying is a service that keeps me safe from hackers that use 
known vulnerabilities," Cline said. "I'm aware that there's still [other 
risks] that I need to watch out for."

ScanAlert has helped identify security problems that might otherwise 
have been missed, Cline said. For example, during the initial sign-up 
process, a scan pointed him toward a cross-site scripting vulnerability 
that resulted from the way in which his site was being hosted by an 
external Web site developer.

A logo proclaiming that a site is safe from hackers could sometimes be 
seen as an open invitation for malicious attackers to try to crack the 
site, Cline acknowledged. But like Greenberg, he said that the Hacker 
Safe seal can be a valuable tool for convincing consumers to complete 
transactions and not be scared away by any security concerns.

"If you're looking for ROI, Hacker Safe on balance gives you more lift," 
Cline said.

Bill Cronin, manager of e-commerce at The Vermont Teddy Bear Co. in 
Shelburne, Vt., also said that he has been able to justify the cost of 
the ScanAlert service from a marketing standpoint.

When it comes to actually boosting the security of a Web site, though, 
the benefits are somewhat less obvious, Cronin said. He added that 
ScanAlert can help users identify some pretty obvious flaws that most IT 
departments really should be finding on their own in the first place.

"If they're coming up with vulnerabilities on your site, you really 
aren't doing your job as a security administrator," Cronin said. "The 
technical side of me says there is limited use here from a security 
perspective. The marketing guy in me says it's a no-brainer."

Eric Ogren, an independent consultant in Boston, said that the situation 
isn't black and white, because the IT security industry has yet to 
develop any metrics for measuring the effectiveness of different 
vulnerability detection approaches.

It's hard to say for sure how effective ScanAlert's automated scans are, 
Ogren said. But he added that it's equally hard to know if manual 
penetration testing and vulnerability assessments are as useful and 
scalable as their proponents claim.


This archive was generated by hypermail 2.1.3 : Tue Jan 22 2008 - 22:57:25 PST