'Hacker Safe' seal: Web site shield, or target?
Geeks.com breach fuels debate on value of automated vulnerability scans
Computerworld - More than 80,000 Web sites worldwide display a small green logo that proclaims them to be "Hacker Safe." The logo is provided to them by ScanAlert Inc., a vendor that scans the sites of its clients daily in search of security vulnerabilities.
ScanAlert's logo is the most widely used security seal of its kind on the Web, and it can be found on dozens of marquee-brand sites, including those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment Inc. Such widespread use attracted the attention of security vendor McAfee Inc., which in late October agreed to acquire ScanAlert.
But Napa, Calif.-based ScanAlert was put on the defensive this month after online technology retailer Geeks.com warned an undisclosed number of customers that their personal and credit card data may have been compromised in a hacking incident. Geeks.com, whose formal name is Genica Corp., displays the Hacker Safe logo at the bottom of its home page.
A ScanAlert spokesman said "preliminary evidence" suggests that the breach likely occurred during one of several periods last year when ScanAlert had withdrawn its certification from Geeks.com after finding vulnerabilities on the Web site.
Even so, the incident at Geeks.com has rekindled a debate about the value of security seals such as the Hacker Safe logo.
ScanAlert users say that the scanning service can sniff out at least some security problems and that the logo is a valuable marketing tool for them.
On the other hand, ScanAlert's detractors say the service can give companies and their online customers a false sense of security. Indeed, hacker groups have claimed that they have targeted and broken into numerous Web sites displaying the Hacker Safe logo.
"Hacker Safe seals are completely ludicrous," said David Kennedy, who heads SecureState LLC's profiling and e-discovery practice. SecureState is a consulting firm in Cleveland that offers security risk assessment services and does manual penetration testing of systems and networks for its clients.
ScanAlert's automated probes offer a "very basic form of vulnerability identification," Kennedy claimed. They focus more on spotting network vulnerabilities than on detecting harder-to-find Web application flaws, such as SQL injection and cross-site scripting vulnerabilities, he said.
"Web applications are very dynamic and ever-changing," whereas vulnerability scans rely on static information to identify security issues, Kennedy said. He noted that after being asked to do security assessments by 10 companies with Hacker Safe logos on their Web sites, SecureState was able to break into nine of the sites and easily access financial and customer data.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!