[ISN] McAfee 'Hacker Safe' cert sheds more cred

From: InfoSec News (alerts@private)
Date: Tue Apr 29 2008 - 22:23:20 PDT


http://www.theregister.co.uk/2008/04/29/mcafee_hacker_safe_sites_vulnerable/

By Dan Goodin in San Francisco
The Register
29th April 2008

Comment

More than three months after security bugs were documented in 
more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a 
security researcher has unveiled a fresh batch of vulnerable websites.

Russ McRee, a security consultant for HolisticInfoSec.org [1], 
documented cross-site scripting (XSS) errors in five sites that 
prominently carry a logo declaring them to be Hacker Safe. As McRee 
documented in a blog post [2] and accompanying video [3], the bugs make 
it possible for attackers to steal authentication credentials and 
redirect visitors to malicious websites.

All five of the sites subscribe to McAfee's HackerSafe certification 
service [4], which audits the security of websites on a daily basis to 
give visitors confidence they'll be safe when doing business there. Yet 
McRee was able to find the bugs by using advanced Google searches to 
pinpoint vulnerable web applications, and in at least one case, the XSS 
vulnerability has been on the customer's site since January.

"There's a responsibility to the consumer that really seems to be 
missing in that service," McRee told us. "The average consumer assumes 
that because I see that label I must be safe."

The five vulnerable sites include Alsto.com [5], Delaware Express [6], 
BlueFly [7], Improvements Catalog [8] and Delightful Deliveries [9]. We 
asked all five for comment but only one of them, Delightful Deliveries, 
responded. "As the #1 leading seller of Gift Baskets, security is a top 
priority to us and our customers, we will work with HackerSafe and our 
development team to resolve this issue," a representative said. He is 
unaware of any breaches affecting the site, he added.

A McAfee spokeswoman said the company rates XSS vulnerabilities less 
severe than SQL injections and other types of security bugs. "Currently, 
the presence of an XSS vulnerability does not cause a web site to fail 
HackerSafe certification," she said. "When McAfee identifies XSS, it 
notifies its customers and educates them about XSS vulnerabilities."

These are only the latest Hacker Safe sites to be outed. In January, 
researchers from XSSed.com [10] documented 62 websites subscribing to 
the service that were vulnerable to XSS. A Hacker Safe spokesman told 
InformationWeek [11] at the time that the bugs couldn't be used to hack 
a server.

The vulnerabilities also raise the question of so-called payment card 
industry (PCI) requirements for businesses that process credit card 
payments. Websites that contain XSS vulnerabilities almost certainly 
don't comply, McRee says, and yet most of the sites continue to accept 
credit cards. But we'll leave deficiencies in that set of requirements 
for another day.

McAfee has had three months to fix the deficiencies of this program, but 
so far we see no evidence it's done so. We're all for services that help 
websites stay on top of rapidly moving security threats. But there's a 
term for programs that declare their customers Hacker Safe while failing 
to catch easily spotted XSS flaws. It's called rubber stamping, and 
it's time it stopped.

[1] http://holisticinfosec.org/
[2] http://holisticinfosec.blogspot.com/2008/04/still-not-hacker-safe-roll-video.html
[3] http://holisticinfosec.org/video/HS_ISSA/ISSA_Regional_HackerSafe.html
[4] http://www.scanalert.com/site/en/about/overview/
[5] http://www.alsto.com/
[6] http://delexpress.hudsonltd.net/
[7] http://bluefly.com/
[8] http://www.improvementscatalog.com/
[9] http://www.delightfuldeliveries.com/
[10] http://www.xssed.com/
[11] http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=205900444

