Hackersafe Site Hacked Safely
I got this link yesterday and I thought it was worth posting. It’s a link to the Washington Post’s article about how Cellhut.com was hacked into. That part isn’t particularly interesting. The part about it having been certified “Hackersafe” by ScanAlert is. Oops!
This is the tricky part. What exactly does that logo mean? It means ScanAlert ran a remote vulnerability scan against the site and the scan turned up nothing. But what is that scan actually worth? It clearly doesn’t stop anyone from breaking in, so where is the value? To me it is a marketing tool: it lets customers feel that they are transacting on a secure platform (snake oil perhaps, but it does give them some small sense of safety).
My main problem with this type of thing is that there is little incremental value in scanning a second time, beyond catching regressions or newly deployed software that is broken. The scanner cannot keep creating accounts and exercising the application in ways that might break it (hunting for SQL injection behind a login, for instance), so a second scan adds very little over the first once the issues the first scan found have been fixed. There is no genetic diversity in the scans, so they have no hope of finding additional issues (apart from the extra signatures the vendor adds over time, most of which probably do not affect that platform anyway).
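To make the point concrete, here is a small added example (my own constructed toy, not code from Cellhut.com, ScanAlert or the post above). The shop, its endpoints, the account names and the card numbers are all made up. The public product search is parameterized and safe; the order lookup behind the login concatenates user input into SQL. An unauthenticated signature-style probe, run as many times as you like, reports nothing, while a tester who first registers an account finds the injection and the cross-user data leak immediately.

```python
import sqlite3

# Constructed toy application (added example, not Cellhut.com or ScanAlert code).
# The public search is parameterized; the authenticated order lookup is the
# deliberately vulnerable part, reachable only with a valid session.

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, user_id INTEGER, card TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'pw');
        INSERT INTO products VALUES (1, 'phone'), (2, 'charger');
        -- constructed sample card numbers, not real data
        INSERT INTO orders VALUES (10, 1, '4111-0000-0000-1111'),
                                  (11, 2, '5500-0000-0000-2222');
    """)
    return db


class ToyShop:
    def __init__(self):
        self.db = build_db()
        self.sessions = {}

    # Anonymous surface: safely parameterized, nothing for a scanner to find.
    def public_search(self, q):
        cur = self.db.execute("SELECT name FROM products WHERE name LIKE ?",
                              (f"%{q}%",))
        return [r[0] for r in cur]

    def register(self, name, password):
        self.db.execute("INSERT INTO users(name, password) VALUES (?, ?)",
                        (name, password))
        self.db.commit()

    def login(self, name, password):
        row = self.db.execute(
            "SELECT id FROM users WHERE name = ? AND password = ?",
            (name, password)).fetchone()
        if row is None:
            return None
        token = f"sess-{row[0]}"
        self.sessions[token] = row[0]
        return token

    # Post-login surface: string concatenation, deliberately vulnerable.
    def my_orders(self, token, card_suffix):
        uid = self.sessions.get(token)
        if uid is None:
            raise PermissionError("login required")
        sql = (f"SELECT id, card FROM orders WHERE user_id = {uid} "
               f"AND card LIKE '%{card_suffix}'")
        return self.db.execute(sql).fetchall()


# Classic injection signatures: a raw quote (error-based) and two tautologies.
PAYLOADS = ["'", "' OR '1'='1", "' OR 1=1 --"]


def probe(call, label):
    """Probe one endpoint. A SQL error, or rows coming back where the
    baseline returned none, is the usual scanner signal for injection."""
    findings = []
    baseline = call("zzz-no-such-value")
    for p in PAYLOADS:
        try:
            rows = call(p)
        except sqlite3.Error as e:
            findings.append((label, p, f"sql error: {e}"))
            continue
        if len(rows) > len(baseline):
            findings.append((label, p,
                             f"{len(rows)} rows vs baseline {len(baseline)}"))
    return findings


def unauthenticated_scan(app):
    # What an anonymous scanner can reach: only the public search.
    return probe(app.public_search, "public_search")


def authenticated_test(app):
    # A tester creates an account first, then exercises the post-login code.
    app.register("tester", "tester-pw")
    token = app.login("tester", "tester-pw")
    return probe(lambda q: app.my_orders(token, q), "my_orders")


if __name__ == "__main__":
    shop = ToyShop()
    print("scan #1:", unauthenticated_scan(shop))
    print("scan #2:", unauthenticated_scan(shop))   # identical, nothing new
    for f in authenticated_test(shop):
        print("authenticated:", f)
```

The two anonymous scans are identical because nothing about the probe changed between them; rerunning it only pays off when the application itself changes. The authenticated probe, on the other hand, returns other users' order rows for the tautology payloads, which is exactly the kind of cardholder-data exposure the post is about.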
Anyway, for marketing purposes this may provide value, if the name becomes synonymous with being “hackersafe”. But I think we had better reserve judgment and instead ask CellHut.com and the victims whose credit card information was stolen which they think it means: “Safe for Hackers” or “Safe from Hackers.” Those dangling modifiers always catch me - I never was particularly good at grammar.


