Labeling a Website 'safe' is just asking for it to be hacked
Dark Reading Staff
January 22, 2008
5:05 PM -- Would you be comfortable putting a banner on your Website that says your site is safe just because a vulnerability scanning service said so?
Geeks.com felt confident that McAfee's ScanAlert service protected them from attack, yet in December they sent emails to customers saying that their personal data (name, address, email address, and credit card information) may have been compromised on the site.
According to ScanAlert, Geeks.com had its "Hacker Safe" seal revoked several times due to vulnerabilities, which were then quickly fixed so that the site could re-qualify for the seal. That still doesn't make me want to buy anything from Geeks.com -- even though, as of today, the "Hacker Safe" seal is back on the site.
ScanAlert received yet another black eye last week when InformationWeek reported that 62 Websites carrying the Hacker Safe label had cross-site scripting (XSS) vulnerabilities, which have been tracked by the crew over at XSSed.com since February of 2007. Sla.ckers.org, meanwhile, early last year began exposing unsafe Hacker Safe sites. (See 'Hacker Safe': Safe for Hackers.)
Putting a banner on a site that says you're "Hacker Safe" ranks up there with Larry Ellison saying Oracle 9i was unbreakable. It's the equivalent of laughing in the face of a bully, which simply eggs him on to give you more of a pounding than you would have gotten if you'd kept your mouth shut. Claiming something can't be hacked is irresponsible, and basically just poses a challenge to malicious hackers to take a whack at you.
It's practically impossible to eradicate all vulnerabilities. You can detect most known vulnerabilities with a combination of scanning and manual testing, but there may be new attack techniques out there that exploit some functionality that was previously believed to be secure.
– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading