'Hacker Safe' seal: Web site shield, or target?

Computerworld - More than 80,000 Web sites worldwide display a small green logo that proclaims them to be "Hacker Safe." The logo is provided to them by ScanAlert Inc., a vendor that scans the sites of its clients daily in search of security vulnerabilities.

ScanAlert's logo is the most widely used security seal of its kind on the Web, and it can be found on dozens of marquee-brand sites, including those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment Inc. Such widespread use attracted the attention of security vendor McAfee Inc., which in late October agreed to acquire ScanAlert.

But Napa, Calif.-based ScanAlert was put on the defensive this month after online technology retailer Geeks.com warned an undisclosed number of customers that their personal and credit card data may have been compromised in a hacking incident. Geeks.com, whose formal name is Genica Corp., displays the Hacker Safe logo at the bottom of its home page.

A ScanAlert spokesman said "preliminary evidence" suggests that the breach likely occurred during one of several periods last year when ScanAlert had withdrawn its certification from Geeks.com after finding vulnerabilities on the Web site.

Even so, the incident at Geeks.com has rekindled a debate about the value of security seals such as the Hacker Safe logo.

ScanAlert users say that the scanning service can sniff out at least some security problems and that the logo is a valuable marketing tool for them.

On the other hand, ScanAlert's detractors say the service can give companies and their online customers a false sense of security. Indeed, hacker groups have claimed that they have targeted and broken into numerous Web sites displaying the Hacker Safe logo.

"Hacker Safe seals are completely ludicrous," said David Kennedy, who heads SecureState LLC's profiling and e-discovery practice. SecureState is a consulting firm in Cleveland that offers security risk assessment services and does manual penetration testing of systems and networks for its clients.

ScanAlert's automated probes offer a "very basic form of vulnerability identification," Kennedy claimed. They focus more on spotting network vulnerabilities than on detecting harder-to-find Web application flaws, such as SQL injection and cross-site scripting vulnerabilities, he said.

"Web applications are very dynamic and ever-changing," whereas vulnerability scans rely on static information to identify security issues, Kennedy said. He noted that after being asked to do security assessments by 10 companies with Hacker Safe logos on their Web sites, SecureState was able to break into nine of the sites and easily access financial and customer data.