Hackersafe Standards.

Published on: 1204829263
Let me tell you a little story.



I've been on a non-disclosure spin lately. I've submitted numerous holes to companies over the last week: XSS, SQL injection, etcetera. All confidential; I won't say which companies, but I can assure you they are influential ones. Back in 2007 I publicly talked about Hacker Safe and the websites that carry the Hacker Safe seal [1]. I showed numerous websites with holes in them, and yes, they had all been certified by Hacker Safe. While this story is known, I would like to speak out on the security aspect and on how McAfee, which owns Hacker Safe, is scamming everyone. Yesterday I found a couple of holes on the website of Foot Locker, which sells popular shoes. Yes, they carry the Hacker Safe seal. So, I contacted them about a hole I found.



The reply I got was:

=== %< ===

Thank you for your e-mail.

As per our website:

WEBSITE: www.footlocker.com

STATUS: HACKER SAFE HACKER SAFE CERTIFICATION 06-MAR-2008

This site is tested and certified daily to pass the HACKER SAFE Security Scan. To help address concerns about hacker access to confidential data, the "live" HACKER SAFE mark appears only when a web site meets the HACKER SAFE standard. Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime.

Gwen.

Customer Service

=== >% ===


The Hacker safe seal says so, right?



The poor, poor girl. Can you imagine my rage at McAfee and their Hacker Safe snake-oil scheme? I mean, Foot Locker is convinced that whatever McAfee says is true. They truly believe that they are safe. But hey, they paid for it! McAfee doesn't care a damn thing about security or about their customers. They are in it for the money, because these serious issues are not scanned for, and yet they claim they are. I will not disclose the holes I found anymore. My advice to anyone who carries a Hacker Safe seal is to sue McAfee for not living up to their end of the contract. I am willing to bet, hands down, that 80% of all Hacker Safe websites have holes, the exact same holes McAfee supposedly scans for. I am really tired of this corporate security crap, because it not only hurts their customers, it also hurts the visitors who use those websites believing everything is alright, let alone the mockery it makes of the real meaning of security.



It is my duty to share and spread hacking/security awareness. I guess the old saying still holds water: information is power, knowledge creates security, it defeats ignorance and it is our only weapon, a truth that shall set you free.



Shame on McAfee, another bat out of hell.



[1] http://www.0x000000.com/index.php?i=40