'Hacker Safe' seal: Web site shield, or target?
Geeks.com breach fuels debate on value of automated vulnerability scans
Computerworld - More than 80,000 Web sites worldwide display a small green logo that proclaims them to be "Hacker Safe." The logo is provided to them by ScanAlert Inc., a vendor that scans the sites of its clients daily in search of security vulnerabilities.
ScanAlert's logo is the most widely used security seal of its kind on the Web, and it can be found on dozens of marquee-brand sites, including those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment Inc. Such widespread use attracted the attention of security vendor McAfee Inc., which in late October agreed to acquire ScanAlert.
But Napa, Calif.-based ScanAlert was put on the defensive this month after online technology retailer Geeks.com warned an undisclosed number of customers that their personal and credit card data may have been compromised in a hacking incident. Geeks.com, whose formal name is Genica Corp., displays the Hacker Safe logo at the bottom of its home page.
A ScanAlert spokesman said "preliminary evidence" suggests that the breach likely occurred during one of several periods last year when ScanAlert had withdrawn its certification from Geeks.com after finding vulnerabilities on the Web site.
Even so, the incident at Geeks.com has rekindled a debate about the value of security seals such as the Hacker Safe logo.
ScanAlert users say that the scanning service can sniff out at least some security problems and that the logo is a valuable marketing tool for them.
On the other hand, ScanAlert's detractors say the service can give companies and their online customers a false sense of security. Indeed, hacker groups have claimed that they have targeted and broken into numerous Web sites displaying the Hacker Safe logo.
"Hacker Safe seals are completely ludicrous," said David Kennedy, who heads SecureState LLC's profiling and e-discovery practice. SecureState is a consulting firm in Cleveland that offers security risk assessment services and does manual penetration testing of systems and networks for its clients.
ScanAlert's automated probes offer a "very basic form of vulnerability identification," Kennedy claimed. They focus more on spotting network vulnerabilities than on detecting harder-to-find Web application flaws, such as SQL injection and cross-site scripting vulnerabilities, he said.
"Web applications are very dynamic and ever-changing," whereas vulnerability scans rely on static information to identify security issues, Kennedy said. He noted that after being asked to do security assessments by 10 companies with Hacker Safe logos on their Web sites, SecureState was able to break into nine of the sites and easily access financial and customer data.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts