web application security lab

More McAfee Snakeoil Ranting

I know a lot of people are just tired of the same old PCI ASV rant that really surfaced last year, but I got an email today and I thought it was worth a re-post. Mike Bailey sent this over and I re-printed it with his permission:

I’m hoping you’re interested in this, seeing as your sites were the source of a lot of the original Hacker Safe/McAfee Secure drama. Russ McRee and I have been doing a lot of research about the certifications over the last few months and have come up with a huge amount of new material.

The main points:

* We have found new XSS exploits on McAfee’s own websites
* We have a long list of more sites with XSS, CSRF, SQLi, RFI, and other holes that are supposedly “McAfee Secure”.
* We got a PCAP of a scan and discovered that they do indeed fuzz for XSS (there was a lot of speculation about this on the sla.ckers.org forums a while back)
* McAfee is beta-testing a meta-shopping service where one can shop on “McAfee Secure” sites to ensure that they can be trusted
* This service is itself full of holes
* McAfee promised to publish the standards that they use for certification several weeks ago. They haven’t, and from what I’ve heard (Russ has seen a draft), what they have is extremely broken

I’m starting to release details on my blog (shameless plug, I know, but hear me out). The first post can be found at: http://skeptikal.org/index.php?entry=entry081009-213000

Honestly, I wouldn’t care if you reposted the details on your own site. I’m just trying to get the word out about this. I frankly think we have enough concrete evidence to put serious doubt on their abilities as a PCI ASV, and to expose the McAfee Secure certification for what it is. I just don’t have the level of exposure that will be necessary to do so.

I’ve been talking with a few other people about it, and decided that you were the first place to go for that.

Being someone who is constantly fighting against snake oil, I’m happy to repost any rants people have about snake oil. For the record, I understand the business reasons behind going to the low cost ASVs - because that’s all the PCI requires. I just happen to think you should do a good job, even if you are going to try to undercut everyone else.

I heard a rumor from a friend of mine who took another ASV and put up a website with exactly three links from the main page. One to an XSS vuln, one to a SQL injection vuln and the last to a command injection vuln. The scanner didn’t find anything, even though that’s the only thing you could even do on the site. Completely safe. He asked me not to mention their name, but I certainly wouldn’t stop someone else if they wanted to do their own research and happen to find the same thing. That is all.
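The three-link test site described above is a useful way to benchmark any scanner, so here is a minimal one as an added example. This is not the friend's site and not code from the post; it is a hypothetical localhost-only target with one deliberate hole per endpoint (reflected XSS, SQL injection against an in-memory SQLite table, and shell command injection), plus a self_check() that proves each hole is really exploitable. That ground truth is the point: if a scanner reports a clean bill of health against a site whose every link is provably vulnerable, the failure is the scanner's, not the site's. The table contents and endpoint names are constructed for the example.

```python
"""
Deliberately vulnerable scanner benchmark target (added example, hypothetical).
Three links from the index page, each leading to one intentional hole, and a
self-check that confirms each hole is exploitable before you point an ASV
scanner at it. Bind only to 127.0.0.1; never expose this to a network.
"""
import sqlite3
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample data: a harmless table plus a "secret" table the
# item endpoint should never be able to reach.
CONN = sqlite3.connect(":memory:", check_same_thread=False)
CONN.executescript(
    "CREATE TABLE items(id INTEGER, name TEXT);"
    "INSERT INTO items VALUES (1, 'widget'), (2, 'gadget');"
    "CREATE TABLE secrets(card TEXT);"
    "INSERT INTO secrets VALUES ('4111111111111111');"
)

# Exactly three links from the main page, as in the anecdote.
INDEX = (
    "<html><body>"
    '<a href="/greet?name=guest">greet</a> '
    '<a href="/item?id=1">item</a> '
    '<a href="/echo?msg=hi">echo</a>'
    "</body></html>"
)


def greet(name):
    """Reflected XSS: user input is written into HTML without encoding."""
    return "<html><body><p>Hello " + name + "</p></body></html>"


def item(item_id):
    """SQL injection: the id is concatenated straight into the query."""
    rows = CONN.execute("SELECT name FROM items WHERE id = " + item_id).fetchall()
    return "<html><body>" + ", ".join(r[0] for r in rows) + "</body></html>"


def echo(msg):
    """Command injection: the message reaches /bin/sh unquoted."""
    out = subprocess.run("echo " + msg, shell=True, capture_output=True, text=True)
    return "<html><body><pre>" + out.stdout + "</pre></body></html>"


ROUTES = {"/greet": ("name", greet), "/item": ("id", item), "/echo": ("msg", echo)}


def handle(path_with_query):
    """Dispatch one request path (including query string) to its handler."""
    url = urlparse(path_with_query)
    if url.path == "/":
        return INDEX
    if url.path not in ROUTES:
        return None
    param, fn = ROUTES[url.path]
    value = parse_qs(url.query).get(param, [""])[0]
    return fn(value)


def self_check():
    """Ground truth for the benchmark: prove each hole is actually exploitable."""
    results = {}
    # XSS: the script tag must come back byte-for-byte in the response body.
    results["xss"] = "<script>alert(1)</script>" in handle(
        "/greet?name=<script>alert(1)</script>")
    # SQLi: a UNION pulls a row from a table the endpoint never queries on purpose.
    results["sqli"] = "4111111111111111" in handle(
        "/item?id=1+UNION+SELECT+card+FROM+secrets")
    # Command injection: a second command after a URL-encoded ';' runs and is reflected.
    results["cmdi"] = "INJECTED" in handle("/echo?msg=hi%3Becho%20INJECTED")
    return results


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = handle(self.path)
        self.send_response(200 if body is not None else 404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write((body or "not found").encode())

    def log_message(self, *args):
        pass  # keep the console quiet while a scanner crawls the target


if __name__ == "__main__":
    print("self-check:", self_check())  # expect all three True before scanning
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it, confirm self_check() reports all three holes, then scan http://127.0.0.1:8080/ with whatever scanner is under evaluation. Anything short of three findings is a coverage gap, and since every link is reachable from the index, it cannot be blamed on crawling depth.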

7 Responses to “More McAfee Snakeoil Ranting”

  1. yawnmoth Says:

    Seems like you’re preaching to the choir, here. I mean, seriously, I have a hard time believing that anyone who frequents this site would buy into the whole “Hacker Safe”-line, anyway (your earlier post not withstanding).

  2. gozami Says:

@yawnmoth

yeah, but in practice most merchants run for the McAfee Secure logo in order to drive more buyer traffic to their website. This is in spite of the fact that the McAfee service costs them 2.5 times more than others!!

  3. Cagekicker Says:

The “Hacker Safe” logo isn’t meant to “fool” security professionals. It’s meant as a marketing tactic for the end users that more than likely know absolutely nothing about the technologies they use on a near daily basis and then “trust the system” to keep their information out of bad guys’ hands. I, for one, think that any company that attempts to market the fact that hackers cannot penetrate their site should be in violation of false advertising or something to that effect.

  4. Matthew Wollenweber Says:

    Cagekicker, I agree with you, but what I don’t get is why their software is so bad. Even Paros’ “Analyze” feature finds XSS and SQL Injection that McAfee misses.

  5. Cagekicker Says:

How many times has a company released something that was “bad” and had people wonder, “Why did they release something so bad?” McAfee already has consumers’ attention since they are one of the bigger names in consumer and business AntiVirus. So, they know they’ll automatically have the attention of their “fan boys”. That, and they get rushed to push a product or service out when it’s not ready and/or they haven’t fully thought things out during R&D, etc. Either that, or their peeps are just craptastic. :D

  6. Lunitic Says:

    This just further explains that old adage of “Consumer Beware”.

I always base my decisions on factless advertisements and lowest price. I mean, after all, if it’s good enough for the federal government, why shouldn’t it be ok for me?!

  7. Lawrence Pingree Says:

Well, I can’t really debate whether or not the hackersafe name is appropriate or not since I am a security professional and know that there are always new vulnerabilities in the lurch. I do think that there is definitely a place for services like these, otherwise you’d have almost no vulnerability assessment of smaller retailers. I disagree that the Hackersafe is only marketing fluff; it does do accurate and comprehensive scanning and it’s not like XSS has been “missed” somehow by the scanning engine. The engine DOES detect and report the XSS vulns, it just isn’t a prerequisite for a downgrade of their certification of a site (don’t wanna debate this). I would still choose a Hackersafe site over a non-hackersafe site any day since I know they are being required to fix many many many vulnerabilities that a non-certified site you’d have no idea about, unless of course you hand over a vulnerability scanner to your grandpa so he can buy stuff online. Anyhow, it’s one thing to talk trash, but it’s another to say something is completely worthless, which is how this gets portrayed. The hacker safe service is still a wonderful thing for many retailers. Stop discounting the effort guys.