Posted on Thursday, 12th August 2010 by Michael

Is your site truly secure if the little box says it is?

Site verified secure! You see this on many sites out there. They all proudly display an image from a company saying that their site is scanned daily and has been determined secure. How many of these sites truly verify your site is secure? Have you checked your site lately?

While doing some research on a product I was interested in, I stumbled upon a cross site scripting vulnerability in the search box of the vendor’s website. I was not too concerned, as many search boxes on the internet are vulnerable to XSS. I was about to move on until I noticed this image at the bottom of the page:

Interesting! According to McAfee, this site is Secure, but I have just proven it is not. So the first question that popped into my head is: what does McAfee consider secure, and what is actually checked when using their service?

According to their service offering, they do the following to each site they monitor:

“* Network Security Audits are audits conducted to ascertain the compliance of network Devices with certain published security standards and to disclose security vulnerabilities and may include, but are not limited to, port scanning and port connections, evaluating services by checking versions and responses to certain requests, and crawling a website to perform testing of forms, application responses, or the confirm the existence of certain files.”

My understanding of the above is that they “do” provide the ability to readily check for cross site scripting vulnerabilities, though for some reason they did not pick this up on the site I reviewed. So, I continued reading their user agreement to see what their responsibility is. Under the section titled “No Guarantee”, they basically state they do not offer any guarantee your site is secure and are not responsible for the security of your site.

On average, the McAfee Secure service costs between a few hundred and a few thousand dollars, depending on the amount of traffic your website generates. The question is, what are you paying for if they provide no assurance of the security of your site? In my honest opinion this is just a huge marketing ploy. You are paying large sums of money to display an “AD” on your site to say that your site is secure and promote their service, even if it may not be. McAfee itself pushes this service saying it will “Increase your sales conversions by 12% with McAfee SECURE”.

I wonder how many companies that buy this service have a clue what they are truly buying. I wonder how many of them actually run an audit themselves on their site to ensure the safety of the data and clients. I wonder how many people have set up rules in their firewalls or IPS devices to alert them when these scans initiate, to ensure they are even getting scanned.
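One way to check from your own web server logs that the daily scans actually arrive, and whether they exercise forms such as the search box, shown here as an added example that is not part of the original post. The scanner range (a documentation-range placeholder, not a real McAfee block), the `/search` path and the log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import date, datetime, timedelta

# Assumption: the vendor publishes its scanner source range; this is a
# documentation-range placeholder, not a real McAfee address block.
SCANNER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
FORM_PATHS = ("/search",)  # assumption: endpoints that take user input

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)[^"]*" \d{3}')

# Constructed sample access log (Apache/nginx combined format).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2010:02:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "scanner"
192.0.2.10 - - [10/Aug/2010:02:00:03 +0000] "GET /search?q=test123 HTTP/1.1" 200 2048 "-" "scanner"
203.0.113.7 - - [10/Aug/2010:09:14:55 +0000] "GET /search?q=widgets HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.11 - - [11/Aug/2010:02:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "scanner"
not a log line
203.0.113.9 - - [12/Aug/2010:11:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def scan_coverage(log_text, first_day, last_day):
    """Return {day: status} where status is 'missing', 'no-forms' or 'ok'."""
    hits = {}  # day -> [scanner requests, scanner requests that hit a form with input]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or garbage in the client field
        if not any(ip in net for net in SCANNER_NETS):
            continue  # ordinary visitor traffic, not the scanning service
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date()
        path, _, query = m["url"].partition("?")
        counts = hits.setdefault(day, [0, 0])
        counts[0] += 1
        if path in FORM_PATHS and query:
            counts[1] += 1
    report = {}
    day = first_day
    while day <= last_day:  # walk every day so silent gaps show up explicitly
        total, forms = hits.get(day, (0, 0))
        report[day] = "missing" if total == 0 else "ok" if forms else "no-forms"
        day += timedelta(days=1)
    return report

if __name__ == "__main__":
    print(scan_coverage(SAMPLE_LOG, date(2010, 8, 10), date(2010, 8, 12)))
```

A day marked `missing` means the seal was displayed without a scan reaching the server; `no-forms` means the scanner connected but never submitted input to the listed endpoints.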

In defense of McAfee, I believe they probably do run a low-end scan against the sites using a tool like Nessus or Nmap (probably actually something custom since they bought Foundstone, but still along the same line) that will check for ports and banners. I don’t think they are truly doing application-level checking of sites, as this is still not 100% reliable via automation. From my reading about their service, since I do not have it, it seems that the end user has a lot of control in the setup and administration of their accounts. They can define the IPs to scan as well as the policies to scan with. So the above issue and the issues I found on several of the sites displaying the “McAfee Secure” image could also be due to end users.

After all this research, I decided to contact McAfee and tell them about the issue. So I did an online chat session with a McAfee Secure tech. This is where I lost all respect for their service offering and what has caused me to write this article.

I started off asking them what they verify the site is secure against, and the agent could not tell me. Next I told the agent that I found a site that displays their image, yet it contains a vulnerability. He asked for the site’s info and I gave it to him. He then asked what the issue was and I told him I was able to execute cross site scripting on the site and redirect users to other sites and content. He had no idea what cross site scripting was. I gave him an example piece of JavaScript that would pop up a message box saying “1”. He pasted the code in the box and his browser did not do anything, or at least he said it did not. I told him I verified this issue on IE and Firefox. He could not tell me what browser he was using. I am expecting he was using something to block cross site scripting on the client side or McAfee was blocking it at the enterprise. At this point he told me my computer had issues and that the site is secure if it is displaying the image. Below is a screenshot of the final part of our conversation.

To wrap this up, make sure you know what you are buying. Don’t ever put full faith into any one security product or solution; everything out there has a hole or weakness. The age-old saying "defense in depth" is still alive today.

I also contacted the sites that were vulnerable to XSS and included the response I got from McAfee. I told them to follow up with McAfee to have their issues resolved.
