Tuesday, January 8, 2008

False Sense of Security

I've had a few conversations with some friends in the industry around something that's been troubling me lately. Nothing annoys me more than a web site or eCommerce application giving its users a false sense of security. Caleb Sima (founder of SPIDynamics and noted Web App security expert) and I had this very same conversation around GameFly.com a few months ago, and I finally decided to write about it after some more research to get my facts straight.

When you hit an eCommerce site, one that wants to sell you something and take your personal/credit information, you will see at least one of the following two logos -

One or the other of these logos typically appears somewhere on the site. Typically, they are prominently displayed on the front pages of sites which ask for your money, personal information, or credit card data. Obviously, the ScanAlert "Hacker Safe" logo is meant to inspire confidence, and make the buyer feel safe and secure while parting with their information. The "Verisign Secured" logo is also meant to instill the same feelings - but is much less... "in your face" about it.


It's a bold claim to say that a site is "Hacker Safe", especially when a recent hack proves that some of these sites are anything but hacker safe. Maybe ScanAlert should change the logo to say "Hacker Resistant" - and quit flat-out lying to people? Here is the latest proof, from InformationWeek, that "Hacker Safe" is obviously not. How exactly are they claiming that the site is Hacker Safe? Or does it mean that the site is "safe for hackers"? Take a look over at ScanAlert's "How it Works" page. It disturbs me that the only claim on this page isn't that your site will be secure - but that this little logo will get people to spend money on your site. It's not until you start to dig a little bit into their site (starting with this page) that you get a sense for what this logo really means. From the literature, it's an over-glorified automated scanning engine. I wonder if they use their own tools, or simply "re-used" something like WebInspect or AppScan. As just about anyone with some experience in the Application Security sector can tell you, finding web vulnerabilities is a much deeper and more arduous task than simply running some automated crawler/scanner. I will go on record as saying that if the "Hacker Safe" scanning tool is the only security a web site uses - they are in a world of trouble. If you read ScanAlert's marketing page on the guts of their "Hacker Safe" service (this page) you can basically get the following points:
  • You comply with an alphabet-soup of standards put out by VISA, AMEX, and others
  • Some automated scanning tool will scan your IP blocks and 'discover' your vulnerabilities
  • Some measure of 'manual testing' is involved to detect your vulnerabilities
  • Your logo ("Hacker Safe") is served up by Akamai, the fastest content network on the planet

Does any of this mean you're actually "Hacker Safe"? Of course not. I would argue that this service is obviously weak at best, and at worst puts a false sense of security into the minds of the unknowing end-users who go to these sites. Making an outrageous claim like "Hacker Safe" is akin to saying "Yes, your system is secure" when we all know the only way that can happen is with all cables (network, power) cut and data destroyed with an atom-smasher. I am really annoyed with ScanAlert making these outrageous claims and vendors effectively jumping on this bandwagon to flat-out lie to people who hit these sites. At the very least ScanAlert should change that logo and program to say "Hacker Resistant" - if they have any integrity whatsoever.

Verisign, on the other hand - has a proven track record and doesn't make these idiotic claims that they protect your site from hackers. Verisign is indeed, as far as research and investigation can tell me, one of those rare companies that has not been infiltrated or hacked. In fact, Verisign's entire business model revolves around certificates, and trust. Basically VeriSign sells trust, much like ScanAlert but doesn't go to any outrageous (and obviously false) lengths to make these claims. One reason may be that Verisign is an established, long-time veteran of the IT space, and is as old as eCommerce itself. I would guess (and I'm no marketing genius here) that a good product, with a good reputation speaks for itself with a subtle logo and a grounded claim. While I have my issues with the whole claim that the little gold lock in your browser secures you from any real threat, at least it's a proven technology that does not make the media when it gets proven obviously weak.

Allow me to elaborate on my claim that the "gold lock" in the bottom-right corner of your browser, the one that tells you you're using SSL, actually protects you from "hackers". While "on-the-wire" encryption prevents someone from doing a packet capture of your data stream and decoding it to reveal all your information, it does nothing on either end of the conversation. Further, this only addresses data in motion, which can be (as has been proven over and over) effectively broken with man-in-the-middle attacks against users not skilled in information security awareness. The VeriSign secured logo doesn't give me the warm and fuzzies either when I am about to buy something on a website - but at least I can have a degree of trust in the claim being made (even if it is a stretch) because of the proven track record.

So what's the bottom-line here? I give my friends and family advice as follows:

If you see the "Hacker Safe" logo - avoid the site, as they are most likely security lackeys, and are using the logo as a marketing ploy more than a security posture. The "VeriSign Secured" logo is a staple in eCommerce; if you don't see it somewhere, or at least see the nice gold lock in the corner of your browser - leave the site quickly and don't give it any personal information. True security is a track record of proven hacker-resistant eCommerce applications and no flashy marketing gimmicks, in my humble opinion.

As a final thought - there are few things worse and less excusable than companies without an adequate and proven security strategy - but putting a false sense of security as the front-page marketing logo on your site is definitely one of them. Shame on you ScanAlert for your blatant marketeering. Maybe I could respect the service if the website was less marketing crap and more actual substance and security information. Furthermore - shame on anyone, or any company, that uses marketing fluff in place of actual strong security to "extort" your customers.

---------

Read more on the latest "HackerSafe" hack -

http://www.informationweek.com/news/showArticle.jhtml;jsessionid=EUJLSATAYCNWEQSNDLPCKH0CJUNN2JVN?articleID=205600099&subSection=All%20Stories#community

http://blogs.zdnet.com/security/?p=788

5 comments:

kenleonard0 said...

ScanAlert's Reply:
The allegation that Geeks.com was hacked while it was certified HACKER SAFE is false and misleading, and does not match the facts provided by Geeks.com to its customers. So far, no one knows exactly what happened, or whether this breach occurred on the web site or somewhere else. There is no evidence that this web site was hacked while it was certified HACKER SAFE. In fact, all of the information that ScanAlert has gathered so far indicates that this breach did not happen while Geeks.com was certified HACKER SAFE.

Rafal said...

Absolutely fascinating. Thanks for that insight Ken, and let me say it's a pleasure and a first to have a CEO comment on a blog posting for me. I'd like to take a moment and address what you say in your comment:

1. You decided to latch onto and attack a single line in a massive blog post (a piece that was simply offered as potential evidence to the overall theme of the blog)
2. You made no attempt to dispute or refute the claims I made that the "HackerSafe" logo is misleading. I'd like to hear a reply from you regarding this specific topic - perhaps you'd be open to an interview?
3. I would like to see evidence to back up your last sentence. Please provide that so that I may publicly post that fact.

So - in summary, thanks for reading, but you've obviously missed the point. You say the allegation is false, and if it is I'd love to see some evidence to that fact. I say you've missed the point because unless I've done a poor job expressing my view - the focus of my article was *not* that Geek.com was "hacked" while your company 'monitored' it - but rather that the company you run is significantly slanted towards marketing a 'feel-good placebo' to the public and making them feel safe where I feel you have no right to make this claim.

That sir, is what I would like your comments on.

(For the record, I rejected the other 2 comments - identical to the one you posted above with your real name - because they were posted anonymously and contained no different information other than what you finally posted with your real name).

Ecommerce Beginner said...

I have to agree that this is a false sense of security, but see it as a positive move, overall, in the ecommerce industry.

When one considers how many sites don't even meet up to minimal security standards, it's flat out amazing.

The new buzzword is PCI Compliance - meeting the standards set up by the payment card industry. Also a positive step, as more than the server is looked at. The network is also evaluated, and a security policy must be developed before one is certified as compliant.

Even so - nothing is ever completely invulnerable to intrusion by a hacker.

One area which isn't evaluated much is the software itself. Poorly designed shopping cart software running on a PCI compliant server is still insecure.

I've always said that anyone, anywhere can be hacked at anytime. The best bet is kind of like the bear story. You don't need to outrun the bear...just the other guy. Try to make your own site or server or network an unattractive target by being just a little more secure than the other guy.

Anonymous said...

While I agree that the term "Hacker Safe" is very misleading I do use HackerSafe on my sites and it is handy as a scanning tool.

No automated tool is going to be anywhere near as good as employing a top class security expert to hack your site manually - but automated scanning is significantly better than nothing.

I think to say "avoid all sites using HackerSafe" is very extreme. At best the HackerSafe logo means the site at least takes security slightly seriously - and at worst the HackerSafe logo is meaningless. There is no evidence to show a HackerSafe site is less secure than one without the logo.

Rafal said...

@Anonymous (I really wish you read this)...

1) "HackerSafe" is "to be avoided" because it provides a false sense of security to the buyer. What you're doing by endorsing their market-ware is essentially telling your customers "yes, we are secure" when really, you are undoubtedly **not**. That's a problem. If you don't say anything about the security of your site, people will inherently be cautious... but if you have some fancy seal, and people simply don't know better, they'll think you've done the necessary things to protect their personal information - and in reality it's all 100% lip-service...
2) McAfee is at best false-advertising and at worst criminally negligent because they are a "certified PCI assessor" and not only is their **own site** vulnerable to all sorts of exploits, but their service is nothing but marketing fluff.

So to sum that up - yes - AVOID THE HACKER SAFE LOGO, that's not extreme... that's just a sad fact.
