Friday, May 30, 2008

Hacker Safe

Does McAfee's Hacker Safe badge (aka ScanAlert) really suggest a consumer is safer shopping at a site displaying this badge? By now you've probably heard the answer is no.

Russ McRee's blog post and video show that "Hacker Safe" should not be taken too literally: the websites displaying this badge are not necessarily safe from hacking. Many are demonstrably vulnerable.

Rather than adding to the emotion and arm waving, I thought it might be helpful to look at a couple of specific points.

Assume "Hacker Safe" is meant to suggest the site is safe from hackers. Security professionals know, as the general public should, that perfect security and perfect safety are not possible in an imperfect world populated by error-prone people.

Scanning a site and finding no known vulnerabilities has never meant the site was safe, and it has never given a complete picture of risk: a scan only tests for the flaws the scanner knows how to look for, at the moment it runs. Five or ten years ago this type of scan did offer more assurance than it does today. Why? The growth of criminal hacking, 0-day attacks, targeted attacks, and browser- and malware-based attacks means that other attack vectors and unknown vulnerabilities are more likely to be used now than they used to be.
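To make the point concrete, here is a small added example (not code from the original post, nor from ScanAlert or any real site). It builds a constructed page handler that reflects a query parameter into HTML after stripping only `<script>` tags, a toy signature scanner with a fixed payload list, and a hardened handler that encodes the value for its HTML context. The scanner reports the weak handler as clean because none of its known payloads survive the filter, while a payload it never tries is reflected verbatim. The payload strings and handler names are assumptions made for illustration.

```python
import html
import re

# A constructed "search results" page that reflects the query back to the user.
# It is deliberately weak: it strips <script> tags and nothing else, which is
# exactly the kind of half-measure a signature-based scanner can miss.
def vulnerable_render(q: str) -> str:
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", q)
    return f"<html><body><h1>Results for {cleaned}</h1></body></html>"

# The hardened handler encodes the untrusted value for the HTML text context
# it is placed in, so no payload comes back as markup.
def hardened_render(q: str) -> str:
    return f"<html><body><h1>Results for {html.escape(q, quote=True)}</h1></body></html>"

# The only payloads this toy scanner knows about (assumed list).
KNOWN_PAYLOADS = [
    "<script>alert(1)</script>",
    "<SCRIPT>alert(document.cookie)</SCRIPT>",
]

# A payload the scanner does not know about: it contains no <script> tag.
UNLISTED_PAYLOAD = "<img src=x onerror=alert(1)>"

def scan(render, payloads):
    """Reflected-XSS check: submit each payload and report any that come
    back in the response verbatim, i.e. unencoded and unfiltered."""
    findings = []
    for p in payloads:
        page = render(p)
        if p in page:
            findings.append(p)
    return findings

if __name__ == "__main__":
    # The weak handler passes the scan...
    print("vulnerable, known payloads  :", scan(vulnerable_render, KNOWN_PAYLOADS))
    # ...but is still exploitable with a payload the scanner never sent.
    print("vulnerable, unlisted payload:", scan(vulnerable_render, [UNLISTED_PAYLOAD]))
    # The hardened handler reflects nothing as markup, known or not.
    print("hardened, all payloads      :", scan(hardened_render, KNOWN_PAYLOADS + [UNLISTED_PAYLOAD]))
```

A clean result from `scan` says only that the listed payloads did not come back; it says nothing about the payloads that were never tried, which is the whole gap between "no known vulnerabilities found" and "safe."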

So what gives an accurate picture? Other certifications, like TRUSTe? Maybe. Any certification, whether of a website's security, a security professional's skills and experience, or a Jeep's off-road capability, is a shortcut for a highly detailed, long-term, careful, knowledgeable evaluation of real-world performance. Certifications are, in a sense, a mechanism for transferring trust (call it confidence) from the certifier, who has scrutinized the subject, to the individual evaluating the subject. If the individual trusts (has confidence in) the certification, then they can transfer that trust to the certified subject.

The key question is how much trust you have in the certification. The hacker doesn't care whether you're certified; she just finds a vulnerability and uses it. A person can have an alphabet soup after their name, but what matters is whether they can do a good job as a security pro. The rocks you hang your Jeep up on have probably knocked the Trail Rated badge off already.

But if the certification is objective, considers enough factors, and tests thoroughly enough, then it more closely approaches a measure of real-world performance without each person having to take the time to evaluate the subject in depth. All we have to do is evaluate the evaluation.

Some type of certification is usually better than nothing at all, but in the case of "Hacker Safe" it appears to be more focused on marketing than on a useful, objective evaluation. Combined with the name of the program itself, trust in this certification probably should be fairly low. Perhaps McAfee will improve it, having ScanAlert look for XSS and denying use of the badge to sites that don't pass the tests.

Meanwhile we continue to rely on personal methods for risk mitigation: watching our bank and credit card statements, checking credit ratings periodically, etc.

Saturday, May 24, 2008

Targeting Restaurants

Just in case we forgot that modern computer criminals are intelligent, motivated human beings, likely to select whatever target works best to meet their goals, here's an article on several who decided to put the crosshairs on Dave & Buster's restaurants for financial information and came away with thousands of credit card numbers. As internet crime becomes more of a widespread daily threat to the average Joe, I guess we all need to get better at personal risk mitigation.

Wednesday, May 21, 2008

You Know about KnujOn?

Who loves spam? Anyone? Well, some boneheads out there actually send money to attempt to buy stuff listed in spam. Grr. The rest of us hate it and want it gone.

There's a guy out there who decided to fight back and formed KnujOn (spell it backwards). He's been really successful in getting spam sites shut down, and it turns out most of the spam is concentrated among a small number of registrars, some in China and one, Dynamic Dolphin, not far from my home here in Colorado if the address information is to be believed.

Here's his article on the top 10 worst offenders. Want to help? Have a look at his website and start reporting your spam to him per the directions.

Thursday, May 01, 2008

The Insider Threat

How many times have you heard it? Insider threat makes up 75% of cyber attacks. Or is it 80%? Or 85%?

Enough already! I can't take it any more!

I first heard this 10 years ago as a fledgling infosec geek from a company called Trident Data Systems who quoted a government study pegging the number at 80%. Since then I've heard this type of statistic quoted at anywhere from 50% to 90%. Studies and surveys seem to post lower, but similarly diverse, numbers.

So I'm getting a wee bit weary of hearing people quote this apocryphal statistic and pass it around. So much so that I now have to coin a new term: "urban statistic."

...On the other hand, being able to play the FUD card at any time is kind of handy. Why analyze threats and risk and apply appropriate controls? That's too hard. It's so much more fun to just scare people. F-U-D -- that spells "security"!

And besides, everyone knows 90% of all statistics can be made to say anything....

50% of the time.