1/17/2008
02:20 PM

Many 'Hacker Safe' Web Sites Found Vulnerable

Computer scientists say that more than 60 sites certified as safe by McAfee's ScanAlert service have been vulnerable to cross-site scripting attacks.

In an e-mail, McRee countered that while that may be true, "this issue still indicates a shortcoming in the 'Hacker Safe' service." Pointing to ScanAlert's online explanation of its scanning procedure, which specifically identifies cross-site scripting among the flaws the service attempts to detect, he dismissed the company's "Hacker Safe" labeling as "a grandiose and inaccurate marketing claim."

"By [ScanAlert's] own claim, the Toastmasters site is scanned daily, yet this vulnerability has and continues to exist," said McRee. "This is really about ScanAlert accurately providing the service they claim to offer and aiding companies with online interests in following secure coding best practices."

The merits of the ScanAlert service came into question just over a week ago following the publication of a letter from the parent company of Geeks.com, a site also certified "Hacker Safe." The letter warned the site's customers of a data breach last December and said it was possible "that an unauthorized person may be in possession of your name, address, telephone number, e-mail address, credit card number, expiration date, and card verification number." In the letter, the company said it was still investigating the incident, "but it appears that an unauthorized individual may have accessed this information by hacking our eCommerce Web site."

ScanAlert spokesman Nigel Ravenhill subsequently asserted in an e-mail that "no one knows exactly what happened, or whether this breach occurred on the [Geeks.com] Web site or somewhere else." And he said, "There is no evidence that this Web site was hacked while it was certified 'Hacker Safe'."

To date, Genica, which runs Geeks.com, hasn't provided further details about last year's data breach. Peter Green, director of marketing at the company, said that the breach is still under investigation and that there is no further information beyond what has already been publicly disclosed. He said the company hopes to conclude its investigation in a week or two.

Someone posting under the name "kenleonard0" -- Ken Leonard is the name of the CEO of ScanAlert -- echoed Ravenhill's comments about the Geeks.com breach on the blog of Illinois-based IT consultant Rafal Los, who published an assessment of ScanAlert that's similar to McRee's. "There is no evidence that this Web site was hacked while it was certified 'Hacker Safe,' " the post says. "In fact, all of the information that ScanAlert has gathered so far indicates that this breach did not happen while Geeks.com was certified 'Hacker Safe.' "

Los contends that the issue isn't whether the Geeks.com site was breached while certified by ScanAlert. Rather, he sees the use of the label "Hacker Safe" as untenable given the realities of computer security. "I would argue that this service is obviously weak at best, and at worst puts a false sense of security into the minds of the unknowing end users who go to these sites," he said in a Jan. 8 blog post. "Making an outrageous claim like 'Hacker Safe' is akin to saying 'Yes, your system is secure' when we all know the only way that can happen is with all cables (network, power) cut and data destroyed with an atom-smasher."

Editor's Note: This story was modified Jan. 18 to clarify the extent to which sites were hackable while certified.
