McAfee's HackerSafe certification called into question
McAfee's HackerSafe is a service that looks for vulnerabilities on websites using automated tools. If websites pass the test, they may bear the HackerSafe logo. Certification is intended to make customers trust the websites by increasing their faith in the protection of their data, for instance for payment transactions.
To receive the HackerSafe label, websites must, for instance, patch published vulnerabilities in the web applications used. According to a description of HackerSafe, the security service provider uses port scans and other methods to check server security; it also looks for SQL injection holes in Web applications and for vulnerabilities that allow for cross-site scripting. Certified websites are inspected daily. On the HackerSafe websites, the security provider also claims PCI compliance, which means that certified websites must comply with the Payment Card Industry Data Security Standard (PCI-DSS), which itself is somewhat controversial.
But apparently, protection from cross-site scripting (XSS) is not a prerequisite for the HackerSafe logo. Recently, Russ McRee discovered cross-site scripting vulnerabilities in five HackerSafe-certified websites, all of which allow attackers to grab customer access data or redirect visitors to other malicious websites. In a video, McRee demonstrates how he managed to inject arbitrary JavaScript code into HackerSafe-certified websites, read the user's cookies, and display third-party page content within an iframe. To be PCI-compliant, websites are not allowed to contain cross-site scripting vulnerabilities at all. Yet, the websites in McRee's video accept credit card data to pay for orders. He points out that the websites may have been vulnerable to XSS attacks for months; after all, he says he has repeatedly informed the operators of the websites of these flaws.
A spokesperson for McAfee total British media that the company does not find cross-site scripting holes to be as critical as SQL injection or other vulnerabilities. She said that at the moment the mere existence of an XSS hole would not be grounds for revocation of HackerSafe certification, though whenever McAfee finds XSS, the company informs its customers. She added that the XSS holes in question cannot be exploited to break into enterprise servers.
In the end, the HackerSafe certificate merely indicates that a company's servers are protected against known attacks. Certification does not, however, mean that customers of these websites are not in any danger of losing their data and – especially when it comes to the use of credit cards for payment transactions – their money to cyber-criminals.
See also:
* Still not Hacker safe, roll the video, Russ McRee's blog entry
(ehe)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
