I know a lot of people are just tired of the same old PCI ASV rant that really surfaced last year, but I got an email today and I thought it was worth a re-post. Mike Bailey sent this over and I re-printed it with his permission:
I’m hoping you’re interested in this, seeing as your sites were the source of a lot of the original Hacker Safe/McAfee Secure drama. Russ McRee and I have been doing a lot of research about the certifications over the last few months and have come up with a huge amount of new material.
The main points:
* We have found new XSS exploits on McAfee’s on websites
* We have a long list of more sites with XSS, CSRF, SQLi, RFI, and other holes that are supposedly “McAfee Secure”.
* We got a PCAP of a scan and discovered that they do indeed fuzz for XSS (there was a lot of speculation about this on the sla.ckers.org forums a while back)
* McAfee is beta-testing a meta-shopping service where one can shop on “McAfee Secure” sites to ensure that they can be trusted
* This service is itself full of holes
* McAfee promised to publish the standards that they use for certification several weeks ago. They haven’t, and from what I’ve heard (Russ has seen a draft), what they have is extremely broken
I’m starting to release details on my blog (shameless plug, I know, but hear me out). The first post can be found at: http://skeptikal.org/index.php?entry=entry081009-213000
Honestly, I wouldn’t care if you reposted the details on your own site-I’m just trying to get the word out about this. I frankly think we have enough concrete evidence to put serious doubt on their abilities as a PCI ASV, and to expose the McAfee Secure certification for what it is. I just don’t have the level of exposure that will be necessary to do so.
I’ve been talking with a few other people about it, and decided that you were the first place to go for that.
Being someone who is constantly fighting against snake oil, I’m happy to repost any rants people have about snake oil. For the record, I understand the business reasons behind going to the low cost ASVs - because that’s all the PCI requires. I just happen to think you should do a good job, even if you are going to try to undercut everyone else.
I heard a rumor from a friend of mine who took another ASV and put up a website with exactly three links from the main page. One to an XSS vuln, one to a SQL injection vuln and the last to a command injection vuln. The scanner didn’t find anything, even though that’s the only thing you could even do on the site. Completely safe. He asked me not to mention their name, but I certainly wouldn’t stop someone else if they wanted to do their own research and happen to find the same thing. That is all.