Friday, May 30, 2008

Hacker Safe

Does McAfee's Hacker Safe badge (aka ScanAlert) really suggest a consumer is safer shopping at a site displaying this badge? By now you've probably heard the answer is no.

Russ McRee's blog post and video show that "Hacker Safe" should not be taken too literally: the websites displaying this badge are not necessarily safe from hacking. Many are explicitly vulnerable.

Rather than adding to the emotion and arm waving, I thought it might be helpful to look at a couple of specific points.

Assume "Hacker Safe" is intended to suggest the site is safe from hackers. Even so, security professionals know, as should the general public, that perfect security and perfect safety are not possible in an imperfect world populated with error-prone people.

Scanning a site and finding no known vulnerabilities has never meant the site was safe, and it never really gave a completely accurate view of risk, although five or ten years ago this type of scan offered more assurance than it does today. Why? The growth of criminal hacking activity, 0-day attacks, targeted attacks, and the increase in browser- and malware-based attacks mean that other attack vectors and unknown attacks are more likely to be used now than they used to be.

So what does give an accurate picture? Other certifications, like TRUSTe? Maybe. Any certification, whether of a website's security, a security professional's skills and experience, or a Jeep's off-road capability, is a shortcut for a highly detailed, long-term, careful, knowledgeable evaluation of real-world performance. Certifications are, in a sense, a mechanism for transferring trust (or call it confidence) from the certifier of the subject under scrutiny to the individual evaluating the subject. If the individual trusts (has confidence in) the certification, then they can transfer their trust (confidence) to the certified subject.

The key question is how much trust you have in the certification. The hacker doesn't care if you're certified; she just finds a vulnerability and uses it. A person can have an alphabet soup after their name, but what matters is whether they can do a good job as a security pro. The rocks that you hang your Jeep up on have probably knocked the Trail Rated badge off already.

But if the certification is objective, considers enough factors, and tests thoroughly enough, then it more closely approaches a measure of real-world performance without requiring each person to take the time to evaluate the subject in depth. All we have to do is evaluate the evaluation.

Some type of certification is usually better than nothing at all, but in the case of "Hacker Safe" the program appears to be more focused on marketing than on a useful, objective evaluation. Combined with the name of the program itself, trust in this certification probably should be fairly low. Perhaps McAfee will improve it, with ScanAlert looking for XSS and denying use of the banner to sites that don't pass the tests.

Meanwhile we continue to rely on personal methods for risk mitigation: watching our bank and credit card statements, checking credit ratings periodically, etc.
