Wednesday, 12 March 2008

A call to use “Hacker Safe” scanning services.

McAfee’s “Hacker Safe” states that it will “certify our merchants to the PCI standard”. This is an amazing claim for a remote scan service. It is amazing because the PCI standard is not just about vulnerability scanning; it is about security as a whole. I find it interesting how a remote vulnerability scanning service can claim that it will ensure you have compliant security policies, that the database it never checks is encrypted, that the firewall has been validated internally and externally, and that user awareness training has been conducted. On top of this, the idea of claiming that a site is secured to PCI-DSS requirements on wireless when you do not verify wireless in your test is astounding at best.

To quote Queen, “it’s a kind of magic”. This is the only way I can see that it could work. Maybe they waved their fingers, said some magic words and, hey presto, security magic.

For this reason I would call on all vendors that are not PCI compliant to use ScanAlert.

After all, they claim you will be compliant if you pass the scan. Why bother doing all the costly work to become compliant when you can pay a small fee and set up filters?

Why do I state my disbelief? Well, real-world experience helps. As I have demonstrated in research, external vulnerability scans find very few, if any, vulnerabilities when compared with a proper, competent audit. This service only goes to prove my claim in the field.

Why would you want to go with a service that probably will not find much, if anything, and so leaves you non-compliant? Because they claim to find and stop nearly all attacks. They make a promise that you will be compliant. The consequence is that when Visa comes knocking you will have another party to join into the lawsuit. Why worry about actually making the site secure when you can join another party and add a cross-claim?

So what is actually the problem?
Well, the reality is that nearly all the sites I have seen that run the “Hacker Safe” logo are not secure. On top of that, they are not compliant with PCI in any sense of the word. The problem is that an external scan just does not show this. None of the sites that I have seen running the “Hacker Safe” logo use an IDS, monitor their logs, maintain their logs adequately or even patch effectively.

A number of sites I have seen actually filter the addresses that they are being scanned from. Yet they still bear the logo. This does not mean that they filter everything from HackerSafe, just that they are selective: the scanner is served a different, cleaner response than any other client. In particular, I know of one site that has gone to a fair bit of effort creating access control lists, web filters and a variety of controls designed to bypass the checks made by HackerSafe. In fact, the effort they have gone to in ensuring that HackerSafe does not remove their certification exceeds the level of effort that would be required to fix the problems in the first place.

It is quoted that “since Hacker Safe checks the server daily, if it finds a vulnerability that is not corrected within 72 hours your seal is removed until the problem is fixed”. I find this amazing as well. I have seen a site running this logo with a regular patch process. The process is regular in that it occurs every three months. Once every three months the patches that are considered at the site to be “acceptable” are installed. This site is running on IIS. I would ask how often patches come out from Microsoft for IIS on Windows 2000? I seem to remember that it is more than quarterly. A quarterly cycle cannot meet a 72-hour remediation window, so either the daily scan is not detecting the missing patches or the seal is not being removed.

So again, use ScanAlert. I want to see a class action from people when their non-compliance with PCI comes to fruition. I want to see the actions from consumers.


Ryan Greenier said...

I work for a company that provides services for banks and other financial institutions. They do everything from check processing to network security. I work in the internet security department, which also encompasses the web hosting environment.

We have several clients that use this service and it's something we offer to other clients as well should they inquire about it. The HackerSafe service is a useful tool when used with other techniques to help find potential vulnerabilities. Like you said, it is definitely not the only thing you need to be compliant - but I think it is definitely useful in addition to other mechanisms to provide a website that has inherently less risk by using such services. It also provides a marketing play.

One thing I have always disagreed with is their name, since you can never really be... but I find leveraging their services is a good tool in addition to other security checks/audits to help make a site more secure. I don't agree with their claims as you mention above, but their services are useful.

Craig S Wright said...

I have no issue with them being sold as an external vulnerability testing service. If it is stated as such and they admit the limitations, all is OK.

The issue is twofold:
1. “HackerSafe” implies to the average user of the service that it is safe from hackers.
2. There is no requirement or need for other services. This service states that you will be compliant with PCI-DSS if you have no vulnerabilities. This is false and misleading.

On top of this, MOST modern websites are not in fact tested by this service. An ASP-based page derived and compiled using .NET will return a customised view for the users going to the site. The scan service does not get this version of the page, nor does it see any of the dynamically compiled pages.

See the blog entry for 13 Mar 2008 for more.
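The coverage gap raised in the comment above (a remote scanner only ever sees the page an anonymous client is served, not the views rendered for logged-in users) can be made concrete. The following is an added example, not code from the original post or from ScanAlert/McAfee: it parses two constructed HTML documents standing in for the same URL as served (a) to an anonymous client such as an external scanner and (b) to an authenticated user, enumerates the forms and input parameters each client can reach, and reports the parameters that exist only behind login and therefore are never exercised by an unauthenticated scan. The URLs and field names are invented for the illustration.

```python
"""Added example: measure what an unauthenticated external scan never sees.

Two constructed HTML documents stand in for the same URL rendered (a) for an
anonymous client such as a remote scanner and (b) for a logged-in user. The
attack surface a scanner can exercise is the set of forms and parameters it
is actually served; anything present only in the authenticated view is
untested by such a scan, whatever the seal on the page says.
"""
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collect method, action and named inputs for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
                "inputs": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["inputs"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_surface(html):
    """Return the set of (method, action, parameter) triples a client is served."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return {(f["method"], f["action"], name) for f in parser.forms for name in f["inputs"]}


def scan_coverage_gap(anonymous_html, authenticated_html):
    """Parameters reachable only after login: invisible to an unauthenticated scanner."""
    return extract_surface(authenticated_html) - extract_surface(anonymous_html)


# Constructed sample (hypothetical site): what the scanner's anonymous request gets back.
ANONYMOUS_VIEW = """
<html><body>
<form method="post" action="/login.aspx">
  <input type="text" name="username"><input type="password" name="password">
</form>
</body></html>
"""

# Constructed sample: the same URL as rendered for a logged-in customer.
AUTHENTICATED_VIEW = """
<html><body>
<form method="post" action="/account/update.aspx">
  <input type="text" name="email"><input type="text" name="shipping_address">
</form>
<form method="get" action="/orders/search.aspx">
  <input type="text" name="order_id"><input type="text" name="q">
</form>
</body></html>
"""

if __name__ == "__main__":
    seen = extract_surface(ANONYMOUS_VIEW)
    gap = scan_coverage_gap(ANONYMOUS_VIEW, AUTHENTICATED_VIEW)
    print(f"scanner is served {len(seen)} parameters; logged-in users reach "
          f"{len(gap)} more that the scan never tests:")
    for method, action, name in sorted(gap):
        print(f"  {method.upper()} {action} ?{name}")
```

Run against captures of a real site, the two inputs would be the same URL fetched once without and once with a valid session cookie; the size of the gap is a direct measure of how much of the application an unauthenticated "daily check" cannot reach.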