Tuesday, January 8, 2008

False Sense of Security

I've had a few conversations with some friends in the industry around something that's been troubling me lately. Nothing annoys me more than a web site or eCommerce application giving its users a false sense of security. Caleb Sima (founder of SPIDynamics and noted Web App security expert) and I had this very same conversation around GameFly.com a few months ago, and I finally decided to write about it after some more research to get my facts straight.

When you hit an eCommerce site, one that wants to sell you something and take your personal/credit information, you will see at least one of the following two logos - the ScanAlert "Hacker Safe" logo or the "Verisign Secured" logo.

One or both of these logos typically appear somewhere on the site, prominently displayed on the front pages of sites which ask for your money, personal information, or credit card data. Obviously, the ScanAlert "Hacker Safe" logo is meant to inspire confidence, and make the buyer feel safe and secure while parting with their information. The "Verisign Secured" logo is also meant to instill the same feelings - but is much less... "in your face" about it.

It's a bold claim to say that a site is "Hacker Safe", especially when a recent hack proves that some of these sites are anything but hacker safe. Maybe ScanAlert should change the logo to say "Hacker Resistant" - and quit flat-out lying to people? Here is the latest proof, from InformationWeek, that a "Hacker Safe" site obviously is not. How exactly are they claiming that the site is Hacker Safe? Or does it mean that the site is "safe for hackers"?

Take a look over at ScanAlert's "How it Works" page. It disturbs me that the only claim on this page isn't that your site will be secure - but that this little logo will get people to spend money on your site. It's not until you start to dig a little bit into their site (starting with this page) that you get a sense for what this logo really means. From the literature, it's an over-glorified automated scanning engine. I wonder if they use their own tools, or simply "re-use" something like WebInspect or AppScan. As just about anyone with some experience in the Application Security sector can tell you, finding web vulnerabilities is a much deeper and more arduous task than simply running some automated crawler/scanner. I will go on record as saying that if the "Hacker Safe" scanning tool is the only security a web site uses, they are in a world of trouble. If you read ScanAlert's marketing page on the guts of their "Hacker Safe" service (this page) you can basically distill the following points:
  • You comply with an alphabet-soup of standards put out by VISA, AMEX, and others
  • Some automated scanning tool will scan your IP blocks and 'discover' your vulnerabilities
  • Some measure of 'manual testing' is involved to detect your vulnerabilities
  • Your logo ("Hacker Safe") is served up by Akamai, the fastest content network on the planet

Does any of this mean you're actually "Hacker Safe"? Of course not. I would argue that this service is obviously weak at best, and at worst puts a false sense of security into the minds of the unknowing end-users who go to these sites. Making an outrageous claim like "Hacker Safe" is akin to saying "Yes, your system is secure" when we all know the only way that can happen is with all cables (network, power) cut and data destroyed with an atom-smasher. I am really annoyed with ScanAlert making these outrageous claims and vendors effectively jumping on this bandwagon to flat-out lie to people who hit these sites. At the very least ScanAlert should change that logo and program to say "Hacker Resistant" - if they have any integrity whatsoever.

Verisign, on the other hand, has a proven track record and doesn't make these idiotic claims that they protect your site from hackers. Verisign is indeed, as far as research and investigation can tell me, one of those rare companies that has not been infiltrated or hacked. In fact, Verisign's entire business model revolves around certificates, and trust. Basically VeriSign sells trust, much like ScanAlert, but doesn't go to any outrageous (and obviously false) lengths in making its claims. One reason may be that Verisign is an established, long-time veteran of the IT space, and is as old as eCommerce itself. I would guess (and I'm no marketing genius here) that a good product with a good reputation speaks for itself with a subtle logo and a grounded claim. While I have my issues with the whole claim that the little gold lock in your browser secures you from any real threat, at least it's a proven technology that doesn't end up in the media for being proven obviously weak.

Allow me to elaborate on my issue with the claim that the "gold lock" in the bottom-right corner of your browser, the one that tells you you're using SSL, actually protects you from "hackers". While "on-the-wire" encryption prevents someone from doing a packet capture of your data stream and decoding it to reveal all your information, it does nothing on either end of the conversation. Further, this only addresses data in motion, which can be (as has been proven over and over) effectively broken with man-in-the-middle attacks against users who lack information security awareness. The VeriSign Secured logo doesn't give me the warm and fuzzies either when I am about to buy something on a website - but at least I can have a degree of trust in the claim being made (even if it is a stretch) because of the proven track record.

So what's the bottom-line here? I give my friends and family advice as follows:

If you see the "Hacker Safe" logo - avoid the site, as they are most likely security lackeys, and are using the logo as a marketing ploy more than a security posture. The "VeriSign Secured" logo is a staple in eCommerce; if you don't see it somewhere, or at least see the nice gold lock in the corner of your browser - leave the site quickly and don't give it any personal information. True security is a track record of proven hacker-resistant eCommerce applications and no flashy marketing gimmicks, in my humble opinion.

As a final thought - there are few things worse and less excusable than companies without an adequate and proven security strategy - but putting a false sense of security as the front-page marketing logo on your site is definitely one of them. Shame on you ScanAlert for your blatant marketeering. Maybe I could respect the service if the website was less marketing crap and more actual substance and security information. Furthermore - shame on anyone, or any company, that uses marketing fluff in place of actual strong security to "extort" your customers.


Read more on the latest "HackerSafe" hack -



Friday, January 4, 2008

Random thought: Anonymizer Proxies

I was asked by a friend earlier today to help her find an anonymizer proxy, since she can't get to MySpace and Facebook from work. I googled around a little and gave her some options (all of which were blocked by her web filter, by the way), but then something else struck me.

I wondered how many people use these "proxies" every day, and what juicy information pumps through them.

By nature, "anonymizer proxies" are a man-in-the-middle type of node, which is typically presented in the form of a web-page which opens the user's desired site or page in a frame. Think about that. How many people do you suppose use those proxies to do things like browse MySpace, Facebook, ESPN and other typically-blocked sites? I suspect that there are many, many people who do this. Then on the extreme end of this example, how many people use those proxies to check their bank balance? I'm sure that number isn't huge, and hopefully people know better - but do they?
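Because these proxies present the relayed site inside a frame they control, a site that handles logins or payments can at least notice that it is being framed by a foreign origin and decline to render its sensitive forms there. The script below is an added example written for this post, not code from the original post or from any proxy or site it mentions. The `fakeWindow` helper and the origins `shop.example` and `proxy.example` are constructed so the check runs offline; in a browser the functions are called with the real `window`.

```javascript
// Added example (not from the original post): detect whether the current page is
// embedded in a frame belonging to another origin, which is how the web-based
// "anonymizer" proxies described above present the sites they relay.
// Written against a window-like object so it can be exercised offline with fakes.

function framingStatus(win) {
  // A top-level document is its own top window.
  if (win.top === win.self) {
    return "top-level";
  }
  try {
    // Reading the top window's origin is only permitted when it matches ours;
    // browsers throw a SecurityError for cross-origin access.
    const parentOrigin = win.top.location.origin;
    return parentOrigin === win.location.origin
      ? "framed-same-origin"
      : "framed-cross-origin";
  } catch (err) {
    // The exception itself is the signal that a foreign page frames us.
    return "framed-cross-origin";
  }
}

// Policy for a login or checkout page: render sensitive forms only when the page is
// top-level or framed by its own origin. Classic frame-busting would additionally run
// `win.top.location = win.self.location.href` to escape a foreign frame; that is left
// out here because the constructed fakes have no navigable location.
function shouldRenderSensitiveForm(win) {
  return framingStatus(win) !== "framed-cross-origin";
}

// Constructed stand-in for a browser window (hypothetical helper, not a browser API).
//   parentOrigin undefined  -> top-level page
//   parentOrigin === origin -> framed by the same site
//   anything else           -> framed by a foreign origin (location access throws)
function fakeWindow({ origin, parentOrigin }) {
  const self = { location: { origin } };
  self.self = self;
  if (parentOrigin === undefined) {
    self.top = self;
    return self;
  }
  const top = {};
  if (parentOrigin === origin) {
    top.location = { origin: parentOrigin };
  } else {
    Object.defineProperty(top, "location", {
      get() {
        throw new Error("SecurityError: blocked a frame from accessing a cross-origin frame");
      },
    });
  }
  self.top = top;
  return self;
}

// Stand-alone demonstration over the three constructed scenarios.
function demo() {
  const scenarios = {
    "direct visit": fakeWindow({ origin: "https://shop.example" }),
    "framed by own site": fakeWindow({ origin: "https://shop.example", parentOrigin: "https://shop.example" }),
    "framed by proxy": fakeWindow({ origin: "https://shop.example", parentOrigin: "https://proxy.example" }),
  };
  for (const [name, win] of Object.entries(scenarios)) {
    console.log(`${name}: ${framingStatus(win)} -> render login form: ${shouldRenderSensitiveForm(win)}`);
  }
}
demo();
```

In a real page you would call `shouldRenderSensitiveForm(window)` before injecting the login or payment form. Treat it as a deterrent rather than a guarantee: a proxy that rewrites the relayed HTML can strip or neuter the script before the browser sees it. The stronger, server-side equivalents that browsers added later are the `X-Frame-Options` response header and the CSP `frame-ancestors` directive, which the browser enforces before any page script runs.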

I get that 90% of anonymizer proxy traffic is to sites that are typically blocked from where you're browsing (actually... lots of these anonymizer sites are blocked too, so...), but there are user IDs, passwords, and other credentials floating through these proxies... and I wonder if there's someone who's set one of these up, with a full request/response dump happening there for certain web sites, or simply looking for specific credentials or passwords. I've thought about it and then thought of doing a project. What if I set one of these up, and advertised it as an open, fully-anonymous proxy (meaning I don't log the sources of requests) but then put a EULA clause that allows me to 'monitor' traffic, and by that I mean dump logins, passwords, and other juicy information - for research purposes only, of course.

I wonder how long it would take to get traffic on this hypothetical site, and how much cool stuff I could collect. And I wonder how many sites are already out there doing this...

This fascinates me, so if you have any information that would be enlightening - post a comment or email me directly.