The Great Yaquis.
Published on: 1211035549
Seth Godin wasn't lying when he said that all marketers are liars. It's their job. The one who can do it best will earn the most. But since when does operating a business mean that you have a license to steal money from people and deceive the other end by not delivering what you sell? Where did it change from helping customers with a solid product to a conglomerating, soulless machine of perpetual thieves? For one, it's greed. But you always have a choice. To sell out or not to sell out, that's the real question.
If you kept a close eye on the security news lately, you'll have noticed that HackerSafe is back again. This story mostly began when I posted a message on the slackers forum in late 2006, and we ended up with numerous contributions from hackers who pentested HackerSafe websites [0] in early 2007. Since then, the story flares up every now and then, which matters because the new research shows that ScanAlert became a sellout when McAfee bought HackerSafe: they didn't change their strategy or scanning methodology in any sense, they only lined the product up next to McAfee's other snake-oil products.
Today I saw an interesting post by Nathan McFeters, who posted a new story plus a video of a ScanAlert salesperson bluntly admitting they are in it for the false customer trust and to market your security [2]. I have nothing against McAfee, they are running a business to make a living as well, but they are on very thin ice here. Just a moment ago I visited the HackerSafe website [1] and saw that they changed the HackerSafe logo into McAfee Secure. Now, that is odd, because you have now destroyed your own brand, plus the marketable brand called HackerSafe that people look for on a website in order to "feel" secure. Besides the utterly laughable content of this video, I also want to point out the dangers of their security scanning methodology. The first thing I look for when dealing with possible snake oil is buzzwords like ROI, SSL, IDS, IPS, honeypots and such. The runner-up is usually the guarantee on their product, at which HackerSafe miserably fails.
But the biggest sign of all is when their product only works on systems that are insecure in the first place. I mean, doesn't that sound plausible? You can't say that a server is secure if you are not allowed to pentest it, or when the server blocks your pentest scans. Proper protection simply ignores these scans instead of having them turn up as positives. The other problem with this is that the server is now getting used to pentesting. So, what are the chances that a hacker pentests that server undetected by copying the HackerSafe scanning methodology? If the system administrators (if there are any) are used to the daily HackerSafe scam, they will have a hard time telling non-legitimate attacks apart. So this tells me that the server's firewall allows these scans. They allow portscanning? Why would you portscan in the first place? Almost any off-the-shelf webserver comes with only 2 or 3 ports open these days. Portscanning is really redundant on many servers, and I don't see much value in it either. Sure, a one-time scan ensures all your ports are safe. But scanning all ports on a daily basis seems like you've lost your mind.
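To make the habituation point above concrete, here is an added example (not code from the original post, nor from ScanAlert or McAfee): a small detector that treats a multi-port sweep as expected only when it comes from an allowlisted scanner range and flags the same sweep from anyone else, so daily authorized scans do not drown out a copycat. The scanner range 192.0.2.0/24 and the firewall log format are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed placeholder range for the authorized scanner (not a real vendor range).
AUTHORIZED_SCANNERS = [ip_network("192.0.2.0/24")]

# Constructed firewall log lines in an assumed format: "timestamp src dst_port action".
# The first source is the allowlisted scanner; the second repeats its sweep from elsewhere.
SAMPLE_LOG = """\
2008-05-17T10:00:01 192.0.2.10 22 ALLOW
2008-05-17T10:00:01 192.0.2.10 80 ALLOW
2008-05-17T10:00:02 192.0.2.10 443 ALLOW
2008-05-17T10:00:02 192.0.2.10 3306 DROP
2008-05-17T10:05:00 198.51.100.7 22 ALLOW
2008-05-17T10:05:00 198.51.100.7 80 ALLOW
2008-05-17T10:05:01 198.51.100.7 443 ALLOW
2008-05-17T10:05:01 198.51.100.7 3306 DROP
2008-05-17T10:05:02 198.51.100.7 8080 DROP
2008-05-17T11:00:00 203.0.113.5 80 ALLOW
"""


def is_authorized(src):
    """True when the source address falls inside an allowlisted scanner range."""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_SCANNERS)


def find_unauthorized_sweeps(log_text, min_ports=4, window=timedelta(minutes=1)):
    """Return {src: sorted ports} for non-allowlisted sources that probed at least
    min_ports distinct ports within one sliding window. Dropped probes count too:
    the sweep is the signal, not whether the firewall let it through."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, port, _action = line.split()
        events[src].append((datetime.fromisoformat(ts), int(port)))
    hits = {}
    for src, evs in events.items():
        if is_authorized(src):
            continue  # the expected daily scan; nothing to alert on
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```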
The next issues they scan for concern web application vulnerabilities, which is their biggest lie so far. I mean, even I have a hard time protecting against all of them on servers that host thousands of web applications and scripts, all programmed differently, and this really only works through manual code analysis, i.e. scanning the x, y and z axes instead of solely the x axis, which is presumably what HackerSafe does. I am sure that you can build a script that catches around 70 percent of them, but HackerSafe doesn't seem to catch them, based on our findings in 2006. Of course, they will downplay them by saying: you can't hack a server with them. Which is a ridiculous statement, especially when your own scanning manual says that the web application layer "is probably the most important of all". Downplaying aside, you can hack a server through web applications easily. How else would it be possible to infect half a million servers through SQL injection? If you say you want to protect the customer, the first thing you do is ensure that their privacy is respected and that phishing or session-stealing possibilities through XSS are eliminated, before you even start talking about scanning for open ports.
Customers and owners of certified McAfee Secure websites are being mocked on a daily basis. There is no chance they can certify your security without a manual pentest done by a truly certified pentester or an experienced hacker. I wait for the day that they will be held liable for failing to ensure security when a couple of certified sites get hacked. Security has become a business since 2000; it has become a rogue marketing scheme that is ignorant about itself and undermines its own integrity. But most of all, they forget what hackers are. A hacker will find a way to get into your system, because that is what he/she does best. Despite all your security, he/she will approach it in a way your scanners or protection scheme never anticipated.
[0] http://www.0x000000.com/?i=40
[1] http://www.mcafeesecure.com
[2] http://blogs.zdnet.com/security/?p=1114
Bonus material:
http://www.youtube.com/watch?v=ZwppWpZEii8
Guess how deep the rabbit hole goes? A reader of beastorbuddha.com called killajc explained more about a person called Brett Oliphant, who seems to be the owner of ScanAlert. He submitted a couple of interesting links about fraudulent acts:
Yahoo stock info
http://www.etruth.com/Know/News/Story.aspx?id=449232
http://bc219.blogspot.com/2008/03/8-days-left-part-2.html
Resource:
http://beastorbuddha.com/forums/index.php?action=vthread&forum=1&topic=4