Wednesday, March 26, 2008

"Hacker Proof" - Update 2

UPDATE March 28th, 11:00am CDT
Judy was kind enough to try and get an answer to the concrete questions I posed in my last reply (via comment). At this point, I think there is still some marketing "fluff" to cut through, so I will persist onward to try and get the answers I think you, the readers (and I), want.
UPDATE March 27th, 1:00pm CDT

I got another reply from Judy (see comments section) and she continues to address some of my concerns from the original and subsequent posts. I have replied with my own comment to hers, this time in the comment section and not a new blog entry. Please take a read; her reply is worth the time it takes to read, and I hope mine is as well. Thanks!

After a very lengthy and rather well-written response from the folks over at Comodo (as you'll see in the comment to Update 1), I thought it through and have a response - which I would continue to welcome open debate on.

My response:
I understand that the Comodo brand and "HackerProof" program is all about creating trust. I've gathered that from marketing material, and your rather lengthy explanation of your business model. I get it. What concerns me here is that there is still a rather gaping hole where an explanation of the "security services" should be. Let me address the 3 points that you brought up:
  1. "The Hacker-Proof seal confirms the site is safe from vulnerabilities that hackers can exploit" - I have yet to have someone or some piece of marketing literature explain this to me. I understand how verifying the identity of a company, auditing its books, etc. makes them more trustworthy - yes, I understand that clearly - in fact, I wish ChoicePoint would have done that... but I digress. Please explain to me the how of this point. Enough marketing already, let's get to the meat of the product offering. Do you use scanners, ex-hackers, a combination of the two, some home-grown tools... what?
  2. b? (just picking on you now...) "The identity of the business has been authenticated and verified" - This service is very much needed, and should be a well-regarded piece of your business that I would actually pay for, as a customer. I, an avid online shopper, would actually pay a premium on goods (as much as 5% maybe?) to know for certain that some [trustworthy] 3rd party has verified that the company I'm sending my credit card information to, and buying goods/services from, is legit. I applaud this piece of your business and I think, if well executed, this is a worthy service to the Internet.
  3. "that the site is worthy of a seal issued by a brand that over 100 people associate with security" - I'm not sure where you're going with this one, so I'm just going to leave it be. I understand you sell desktop protection tools - in fact, that's how I came across your site! I've yet to find your products (although this should not be entirely attributed to your company's lack of recognition) available or reviewed on a "well-known" publication, review, etc. Again, this may just mean I've not read enough, or haven't looked hard enough.
OK, so what have we learned here from Judy's reply? I indeed did miss the point slightly in my comparison of ScanAlert to Comodo in that while ScanAlert is merely a marketing machine, Comodo does provide a trustworthy Certification Authority as a business service. This lends credibility to the company, but does not give it a free pass on the finer points of my argument. While here and now I will concede that Comodo's "HackerProof" isn't necessarily a scam, I will still contend that it is misleading. From what I have read so far, and heard from opinions offered to me - Comodo still only offers a "trustworthy certification" and can say very little for a site's ability to be "Hacker Proof", as stated on the seal. Therefore, I offer this opinion - rather than the misleading "Hacker Proof" seal that's there now, change the shield logo to say "Certified Trustworthy by Comodo" or something of that nature. You're still misleading people into believing you're verifying the actual security of the applications/sites that affix this seal to their splash pages. I see a half-hearted effort to say that there is some "security" done here - but I have no idea how you can honestly say that "The Hacker-Proof seal confirms the site is safe from vulnerabilities that hackers can exploit".

Let's clear it up. I think you, Comodo, need to do one of 2 things here:
  • Demonstrate and make more transparent your "ability to confirm a site is safe from vulnerabilities that hackers can exploit" - how do you do this? I'm not asking for the secret sauce - just give me enough to make me sleep better.
  • Change your seal to quit misleading people.
I thank Judy for her prompt reply, and I hope I have been able to continue to make my point clear, and not sound like I'm attacking the company without due cause. I am simply disgusted by what passes as "Security" these days in the online world - and something has to be done about it. At this point, I've decided to start with those that give out these "Hacker Safe"/"Hacker Proof" seals... because I honestly believe they're misleading the public. Thanks for your reply - I welcome more dialogue.


Anonymous said...

Healthy debate in the areas of security is always a good thing (you can never be too rich or too secure :). It makes us service providers smarter about practical realities and it gets better solutions out there that can really do some good. What a great way to make a living. :) In that spirit, therefore, let me offer my perspective on your observations.

Overall, I have always believed that it is misleading to suggest that a single seal can assign a whole level of trust to a site. There are, after all, many dimensions to trust -- there is merchant performance trust (will they deliver), site security trust (will sensitive information be secure), trust that a person’s info won’t get stolen from hackers. I believe the “scam” that has been perpetuated is to suggest that a single seal such as a vulnerability seal from ScanAlert covers the whole trust waterfront.

At Comodo, we offer different types of seals (a lot for free BTW) to allow eMerchants to convey trust on many dimensions. For instance, we offer the UserTrust platform (with a seal). This is a free consumer feedback platform that lets prospects view consumers’ experience with that eMerchant, which acts as an authentication of merchant performance. Then we offer site security trust that is conveyed by the padlock. The seal you get with an EV SSL confers identity trust when a user sees the green indicator in the address bar if an EV SSL certificate is detected.

Comodo’s HackerProof seal is a vulnerability seal that confirms the site does not have vulnerabilities that are potential back doors for hackers. There is real security technology working behind the scenes and the service (and the seal) actually reflects a highly technical set of vulnerability tests that have been standardized by PCI – the credit card folks. So this is not a smoke-and-mirrors marketing seal. If someone has the HackerProof service, their server is scanned every day for vulnerabilities that may have gotten into the server. Here is the technical info from the site…
  • Remote audits which run over 14,000 individual tests on an organization's servers and networks
  • Schedule daily, weekly or other user-defined time-interval audit reports
  • Audit reports contain clear advice on how to fix any security vulnerabilities
  • Scans for weaknesses both at the perimeter and beyond the firewall
  • Fine tunes audits to network requirements with over 60 user-definable parameters
  • Allows customers to target and test specific ports and services for specific vulnerabilities
  • Tests all 64,535 ports of an IP for open ports and potential Trojan attacks

The service uses our sophisticated scanning engine based on PCI requirements, daily updates from our own AV labs and industry sources. So what does the Hacker Proof seal mean? While it provides one layer of trust – that is just part of what an eMerchant needs to do to create a fully trusted transaction. My takeaway from you is that we are probably not doing a good job on the site of explaining the real technology that drives whether the merchant can display the seal (I should point out that if our service finds a vulnerability which is not patched within a certain time frame, the seal is revoked).

Finally, my only point about the 100 million thing is that brand recognition has value if people recognize a brand as meaning something. A seal on a site from a company no one ever heard of does nothing to promote trust. That’s as it should be; otherwise there would be many more “scam” seals out there than there are today. And that’s the last thing our industry needs.

Rafal Los said...

Judy - Once again, thank you for the intelligent reply. I really do appreciate you taking your time to walk me through this.

Now, let me get back to it. First, I'm going to leave the cheap shots at the folks at ScamAlert, oops, ScanAlert out, since they're easy targets. Second, I'm going to agree with what you've said so far about trust and providing end-users (consumers) a way to trust their vendors online. You certainly [for the most part] can tell when you walk into a retail store (brick & mortar) that you're not going to be scammed and lose your money. Now, that being said, the TJX issue can be seen from a few different lights, mainly, their business model & appearance of their retail outlets. But I digress.

Let me address your product's offerings, and pointedly tell you why I'm still a little concerned. Today market analysts (not just us security geeks) will tell you that the majority of the big rip-offs (GAP, many others) happen without a single exploit attempt at a missing server patch, or mis-configured port on a firewall. These attacks happen at the web layer, layer 7 (some would argue layer 8). Web applications generally don't validate their input or sanitize user-supplied data, and thus are subject to a whole host of attacks that the best firewall perimeter in the world does nothing to protect against. That being said - I would like you to address and assure me specifically that you are, as a company and a service, addressing web application security issues at the application layer. Assure me that you're checking for:
- SQL Injection
- XSS (Cross-Site Scripting)
- Parameter tampering
- Improper session handling
- ... and many, many more on the OWASP list

I simply want to know that when I visit a site that has the Comodo seal "HackerProof" that Comodo has scanned the IP address for open ports, probed for missing patches and misconfigurations at the server level, and audited and blackbox tested the application layer as well. What tools do you use? What methodology do you use? What vulnerability classification do you use?

Anyone can say "yes, I've checked and your site does not have any holes in it" - but I want the proof.

Sadly, I don't sell anything but my own knowledge and subject-matter expertise and have no site to test your product on... but I may propose a slightly different angle. Do you have a reference customer that's willing to have their website/application independently tested by a FoundStone, NeoHapsis, or some other reputable web application penetration testers *while being "HackerProof"*? To me, and the readers and the industry at large - receiving a passing mark from an independent 3rd party on your services would not only serve to further your credibility - but make me feel much, much better about the services you provide. I would feel better about selling "Hacker Proof" if you can actually back that up with independent, 3rd party verification of one of your customers.

Thoughts? Please contact me directly, if you're able to, or leave your contact info in a comment and I'll moderate out the email/phone number/etc.

Thanks again, I look forward to continuing our conversation.

Anonymous said...

Hi again –
Sorry for the interruption in our dialogue – I know my technical limits and some of your comments required more technical bench strength than I could command.
So I was able to get thinking from our technical and support teams (support teams offer the most valuable insight into the real world).

You asked a few tough questions, but the gist of your issue questions the credibility of a vulnerability management solution promising to protect against the myriad of threats that by-pass protections and scanning services.

To be blunt – it can’t. But here’s a more technically oriented response from our technical team that will be more satisfying for you (if you’re a technical person read on – if you’re not – you can try and slog through this but be forewarned – it is not for the faint-hearted).

“It is worthy to note that our PCI scanning service has earned us an Approved Scanning Vendor (ASV) certification from a third party independent testing organization, PCIDSS.ORG, independently chartered and recognized by the global credit card industry and all related technology providers. Certainly a responsible group with an important mission. Our ASV certification has verified our ability to evaluate and identify conditions such as cross-site scripting errors and other layer 7 (application) flaws. This is managed through an exceptionally large and constantly updated database of tests that are performed.

However, XSS, SQL, and input validation aside, what he says about PCI compliance is somewhat accurate. The notion of 'compliance standards' that will guarantee security across an infinitely diverse set of systems is an utter falsehood. Attacks against systems are as diverse as the systems themselves and the only limit that exists is that of human creativity and imagination...which are the very antithesis of regulation.

One serious issue is that compliance-driven vulnerability management lets attackers know which exploits NOT to waste their time with. Resources are as precious in the fraudster’s world as in our world because in reality, a successful attack against a deliberately chosen target requires considerable computing power...e.g. TIME elapsing where my system is crunching, as ya see on TV when the screens are spitting out reams of plain text and numbers in terminal windows. Real attacks take days, weeks, sometimes MONTHS with anywhere from 20 to 95% of the time spent waiting for processes to terminate.

That having been said, HackerGuardian CAN be used to achieve a very high level of security when configured correctly. It can be configured to scan for a fairly comprehensive list of vulnerabilities. In the real world, you're pretty much protected against script kiddies and reasonably skilled amateur hackers. As for professional fraudsters, if your organization is a target for a pro, it will only slow him down a little. If HG/Nessus is used in conjunction with an intrusion detection system as recommended by those very same security professionals, it can provide a level of security where only a well-organized TEAM of testers could compromise the network.

Finally, I see no compromise between management's appetite for regulation and the need for real world security. Only companies with a vested interest in providing it can be trusted to implement security firms whose own reputation hangs on their customers’ security. At the end of the day, only good ol' fashioned Capitalism can work here. If you want to be secure hire the best security firm you can find (the one that has the most creative programmers who are given the most freedom to do their R&D) and let THEM pentest and tell you how to secure your network.”

In more layman’s terms, good security in the virtual world works just the same as it does in the real world - in "layers". We protect our homes first with doors and locks, then alarms, then monitoring devices and so on – as is appropriate to the risk involved. The same applies for network and hardware security – a multi-layered approach is not a nice-to-have – but downright necessary. It is sadly a sign of these digital times.

A final note – as an ASV, our system’s ability to detect vulnerabilities is in fact tested by an independent, industry-recognized standards body. But your point about reference customers is something we should highlight on our site. After all, customers can authenticate how well a solution works better than anything I can say. That's an action for us to go off and work on.


Judy Shapiro