'Hacker Safe' seal: Web site shield, or target?
Geeks.com breach fuels debate on value of automated vulnerability scans
Computerworld - More than 80,000 Web sites worldwide display a small green logo that proclaims them to be "Hacker Safe." The logo is provided to them by ScanAlert Inc., a vendor that scans the sites of its clients daily in search of security vulnerabilities.
ScanAlert's logo is the most widely used security seal of its kind on the Web, and it can be found on dozens of marquee-brand sites, including those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment Inc. Such widespread use attracted the attention of security vendor McAfee Inc., which in late October agreed to acquire ScanAlert.
But Napa, Calif.-based ScanAlert was put on the defensive this month after online technology retailer Geeks.com warned an undisclosed number of customers that their personal and credit card data may have been compromised in a hacking incident. Geeks.com, whose formal name is Genica Corp., displays the Hacker Safe logo at the bottom of its home page.
A ScanAlert spokesman said "preliminary evidence" suggests that the breach likely occurred during one of several periods last year when ScanAlert had withdrawn its certification from Geeks.com after finding vulnerabilities on the Web site.
Even so, the incident at Geeks.com has rekindled a debate about the value of security seals such as the Hacker Safe logo.
ScanAlert users say that the scanning service can sniff out at least some security problems and that the logo is a valuable marketing tool for them.
On the other hand, ScanAlert's detractors say the service can give companies and their online customers a false sense of security. Indeed, hacker groups have claimed that they have targeted and broken into numerous Web sites displaying the Hacker Safe logo.
"Hacker Safe seals are completely ludicrous," said David Kennedy, who heads SecureState LLC's profiling and e-discovery practice. SecureState is a consulting firm in Cleveland that offers security risk assessment services and does manual penetration testing of systems and networks for its clients.
ScanAlert's automated probes offer a "very basic form of vulnerability identification," Kennedy claimed. They focus more on spotting network vulnerabilities than on detecting harder-to-find Web application flaws, such as SQL injection and cross-site scripting vulnerabilities, he said.
"Web applications are very dynamic and ever-changing," whereas vulnerability scans rely on static information to identify security issues, Kennedy said. He noted that after being asked to do security assessments by 10 companies with Hacker Safe logos on their Web sites, SecureState was able to break into nine of the sites and easily access financial and customer data.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts