HackerSafe Program Not So Safe

By Dan Morrill
Expert Author
Article Date: 2008-05-21

And with cause: if XSS is not a security issue, then there are at least 62 doomed sites carrying the HackerSafe/McAfee logo that could seriously damage someone's day.

More than three months after security bugs were documented in more than 60 ecommerce sites certified by McAfee as "Hacker Safe," a security researcher has unveiled a fresh batch of vulnerable websites. Russ McRee, a security consultant for HolisticInfoSec.org, documented cross-site scripting (XSS) errors in five sites that prominently carry a logo declaring them to be Hacker Safe. As McRee documented in a blog post and accompanying video, the bugs make it possible for attackers to steal authentication credentials and redirect visitors to malicious websites. Source: Register
But this story gets stranger. À la Hans Reiser, the computer geek gone bad, it seems that the VP in charge of the HackerSafe program is also under indictment for a few things, like security fraud.

The real issue, though, is not that Brett M. Oliphant is not clean (this is the classic problem of a trusted person in a security position), but that the program he ran, HackerSafe, is now coming out as fundamentally flawed.
A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. "Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," she said. "When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities." Source: ZDNet
For anyone in the computer security business who gets XSS and the follow-on fun things that can happen when someone truly exploits an XSS error in a system (see this article here), you pretty much know that the spokesperson's comment is one that is going to keep people up at night. While McAfee does report back to the company running the site, a severe XSS flaw can seriously ruin a customer's day, let alone their identity, computer, and anything else associated with that.
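As an added illustration, not code from the original article or from the HackerSafe program, the snippet below shows the basic reflected-XSS pattern the article is arguing about and the two server-side controls that blunt the consequences it names: contextual output encoding, so that reflected input cannot become markup, and the HttpOnly flag on the session cookie, so that script running in the page cannot read it. The search handler, the probe string, the cookie name and the header set are all constructed for this example.

```python
import html

# Constructed sample inputs: a normal search term and a probe containing markup,
# standing in for whatever a vulnerable search page would reflect back to the visitor.
SAMPLE_TERMS = ["laptop bag", "<script>alert(1)</script>"]


def render_results_vulnerable(term: str) -> str:
    """The flaw the article describes: untrusted input is interpolated straight into
    HTML, so any markup in `term` is parsed and executed by the visitor's browser."""
    return f"<p>Results for: {term}</p>"


def render_results_hardened(term: str) -> str:
    """Same page with output encoding for the HTML-text context. html.escape turns
    < > & " ' into entities, so the browser renders the probe as literal text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_raw_markup(page: str) -> bool:
    """Crude check: does the rendered page still contain an unescaped script tag?"""
    return "<script" in page.lower()


def session_cookie_header(name: str, value: str) -> str:
    """Set-Cookie header for a session cookie (name and value are constructed here).
    HttpOnly keeps document.cookie from exposing it to injected script, Secure keeps
    it off cleartext HTTP, and SameSite=Lax limits cross-site sends."""
    # Cookie names/values may not contain separators or whitespace; reject rather
    # than silently truncate, since truncation is how header-injection bugs start.
    if any(c in value for c in ";, \t\r\n") or any(c in name for c in ";, \t\r\n="):
        raise ValueError("invalid cookie name or value")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def security_headers() -> dict:
    """Response headers that shrink the blast radius of an XSS bug that slips past
    encoding: a CSP with no inline scripts blocks the probe above even when the
    template forgot to escape."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for term in SAMPLE_TERMS:
        v, h = render_results_vulnerable(term), render_results_hardened(term)
        print(f"vulnerable: {v}  raw markup reflected: {reflects_raw_markup(v)}")
        print(f"hardened  : {h}  raw markup reflected: {reflects_raw_markup(h)}")
    print(session_cookie_header("sid", "constructed-example-value"))
    print(security_headers())
```

The point of running both renderers over the same probe is that the vulnerable page hands the browser a live tag while the hardened page hands it six harmless entities; the cookie flag and the CSP are the defence-in-depth layers for the certification scenario in the article, where a site owner has been told about the XSS but has not yet fixed the template.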

Here is a video on that exact subject; it will make you wonder when you realize just how bad this can be.

The idea here is that you cannot be certified as anything if you have a glaring hole in your web site that a hacker can drive a bus through. It is an issue, and not a trivial one either. Brushing off an attack and telling someone it is ok is just bad business. It also provides a false sense of security for people, the people who trust the companies that carry the HackerSafe logo.

About the Author:
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.