Thursday, March 20, 2008

This time, it's "HackerProof"... oh boy

Company Name: Comodo Group
Slogan: Creating Trust Online
Product: "HackerProof" logo

You have got to be kidding me! I'm can't believe my eyes. Someone else figured they should get in on the scam ScanAlert ( aka McAfee is running. Exploiting the Internet buying public's desperate need to trust someone or something in the online world - these companies are falling all over themselves to give people that sense of security. Of course, this sense of security is, as far as I can tell, entirely false. As my previous blog on "Hacker Safe" mentioned (and was poorly rebutted to by their CEO) , "ScanAlert" is exploiting people's need to have something to trust and making money out of it -but they are doing relatively nothing to earn this trust.

These people, over in the UK, at Comodo Group are pulling the scam, it seems. I will admit - maybe I'm entirely wrong (and if so *someone from Comodo please set me straight*), but this service has very little to do with security, and everything to do with luring and converting web hits into purchases. Look over at this page if you want evidence of that.

Comodo's range of solutions gives businesses the ability to create online trust through proprietary technology that help e-businesses convert more customers, retain more customers and increase lifetime value.

OK then, please tell me about this proprietary technology you're using. I'd love to hear more! Does Comodo employ web scanning tools, automated scanners, both, none of the above? What's the frequency Kenneth? I found this PDF called "FastFacts" which tells a little more about the services Comodo offers, but now I'm slightly confused. So, Comodo is a "one stop shop" for all things security ... OK. It's obvious that the majority of the services are geared towards SSL certificates and creating bi-directional trust between user and site, so let's continue. Wait! There is a tiny, little blip on Page 4 of the above referenced PDF that says this:

Hacker Guardian
Vulnerability scanning solutions affording your customers
extra protection from hackers and malware threats.
Hrmm.... I don't feel all that much better about their "security offering". I still have no idea how their product/service works, besides putting a logo on my site to get people to trust it and buy from me. I'm sure there is some secret sauce here, some magic that happens. In my book, if you're going to give me a "HackerProof" logo (and let me start out by saying that anything that's Proof means its guaranteed not to happen) you're doing the following things to assure you can say that:

  1. Scanning the site's servers, hardware and entire environment for known defects or configuration flaws ranging from too many open ports, default account, missing patches and open services

  2. Scanning the web application itself extensively; this means source code, black-box testing and extensive scanning and re-testing

  3. Verifying my company's identity, URL and DNS parameters to be legitimate 24x7x365
Are the "HackerProof"-ers doing this? I honestly can't say. Would I put a paycheck on the fact that they aren't... hrmm. I'll tell you readers one thing. This one I'm going to get to the bottom of. I'm going to get someone at Comodo to give me an interview, so I can ask the questions that need to be asked, and hopefully get straight answers. Stay tuned.

Folks at Comodo Group, please contact me - I'd be thrilled to post a follow-up piece that says I was dead wrong!


Anonymous said...

Yes, there is also a validation process required to get set-up and affiliated with HackerProof. If you are unsure about its effectiveness, or would like to test it out, a free trial is available.

Anonymous said...

HackerGuardian and HackerProof are actually two completely different products. HackerProof is just as you said, a trustmark that is displayed on a merchant's website. HackerGuardian, on the other hand, is a product geared toward PCI compliance, providing a merchant with so many scans over so many IP addresses which test for compliancy to the standards set by the PCI Council (, which the merchant would then give to their bank and/or remedy whatever vulnerabilities were detected.