You also know how much I hate it when these people sell "security" carefully wrapped in bullshit and smoke... under the pretense that their "scan" will actually do anything to achieve some measure of security.
While looking for some new hockey pants (yes, I have destroyed my current ones) on HockeyMonkey.com I saw this interesting seal. Clicking on it made me cringe even more. This is a measure of PCI Compliance? ... and this is supposed to make me feel good about the actual security of the site? Clicking on the damn thing brought up the "Site Certificate" which should be an immediate red light for anyone looking to do business on this site.
First off, this is a quarterly certification... holy crap! The last "Certification Date" is shown as May 14, 2009... which immediately makes me worry since I can't recall the last time I saw an e-commerce site that stayed static for almost 45 days... but let's move past that because after all, compliance is a point-in-time thing... right?
Alright, this next part really gets my blood pumping and feeling like a bull out of the chute... read the first sentence of the text dead center of the Site Certificate carefully...
"On May 14, 2009 www.hockeymonkey.com met the PCI data security requirements by passing a Securitymetrics Site Certification vulnerability scan"

Come again? Maybe I read that wrong. Nope... read it again and it still sounds just as idiotic.
So, let me get this straight... SecurityMetrics has managed to figure out how to achieve the full spectrum of PCI-DSS Security Requirements via a vulnerability scan? How is that even possible? Since SecurityMetrics is scanning the site from the "outside"... how do they know if the various sections are all met properly? Are desktops being equipped with properly updated anti-malware agents? Are default passwords not used? Something smells like a steaming pile of bullshit.
At least these guys don't make outrageous claims such as that they are "Hacker Proof" or "Hacker Safe"... and instead do say that the scan "significantly reduces the risk that this site will be compromised..." and while I wouldn't give them significantly, I may agree that it does reduce overall risk, but only as much as me wearing galoshes in the rain reduces my risk of catching the H1N1 (Swine Flu) bug.
So let's investigate this genius PCI Compliance scanning service that will magically achieve PCI Compliance for their customers a little further, shall we?
From the Site Certification Overview page...
"Is Site Certification Easy? It is easy. Site Certification does not require any software installation, software configuration, training or costly maintenance. All your technical support is included and there are no hidden fees. SecurityMetrics does not require confidential system information or access to your systems. You simply enroll and the service is scheduled to run at your convenience."

D'oh! I'm going to ask again... how do they determine any measure of PCI-DSS compliance without access to merchant systems?! Are we doing Scanless PCI again?
Their FAQ Page has a priceless little illustration of the devilish "hacker" exploiting "security holes" in the web server... which is so funny I had to stop a minute to quit laughing. Bulletpoint 3 appears to hint that SecurityMetrics does some measure of web site security testing... to me that means testing for things like SQL Injection, Cross-Site Scripting (XSS), CSRF and other common security vulnerabilities, yet there seems to be no mention of these common vulnerabilities. Instead the site's Product Comparison talks about how many ports they can scan and how many "vulnerabilities" they can identify and scan for.
My absolute *favorite* page on their entire site is the Sample Test Results. I love it! Take a look at this for 5 seconds and tell me this isn't a blatant rip from the Nessus results reports? Take that back... Nessus looks much better these days than this poorly-constructed "report". My guess... they're just Nessus scanning sites and calling them PCI Compliant. [bangs head on keyboard]
One last thing I need to point out, this page which is a List of Vulnerabilities that SecurityMetrics scans for. Out of the total of 5,882 checks (as of today) they break down to 4,486 vulnerabilities, and "if telnet or ftp is enabled the vulnerability assessment engine will test 698 names and passwords common to these services." [mouth wide open... *gasp*]
Let me just say that I read through this list of vulnerabilities and it amounts to nothing more than some basic pattern-checking and typical vulnerability scanner type crap. There are no checks for CSRF (Cross-Site Request Forgery), no checks for XSS (Cross-Site Scripting) that don't involve a vulnerability in a particular application package (i.e. .Net XSS), and no checks for non-specific SQL Injection vulnerabilities... once again - a complete failure of a security service.
The thing I have to wonder is (and I already know the sad answer) why do site owners keep using these services?! For example, JetBlue is apparently one of their customers [note to self: avoid JetBlue website/services at all cost]. SecurityMetrics is not a known brand in security and they have a non-starter product, so what draws people to use them? Is it the prospect of having a "PCI Certification" seal somewhere on their website causing them to lose their better judgement?
Logic fails here, ladies and gentlemen. Why doesn't someone from the PCI Council do something about companies like this? Isn't it [or shouldn't it be] illegal to claim you can certify someone as PCI Compliant with this ridiculous service - when in actuality that's not even close to true?
So... anyone know of any fun XSS vulnerabilities in JetBlue's site, or any of the other SecurityMetrics testimonial customers they'd care to share?