
May 20th, 2008

McAfee partner isn't McAfee secure

Posted by Nathan McFeters @ 11:16 pm

Categories: McAfee, PCI, Punditocracy

Tags: McAfee Inc., Video, Russ McRee, Corporate Communications, Marketing, Nathan McFeters

I was over reading Russ McRee’s blog today, and I’ve got to say, if McAfee’s HackerSafe (or whatever they’re calling it now) doesn’t die off soon, then he’ll be able to write a novel about their trials and tribulations.

Apparently, McAfee authorized distributor Winferno.com is not HackerSafe… not that it would’ve mattered, as that wouldn’t have helped them prevent the XSS issues that McRee exposed on his blog.  McRee says:

Shouldn’t a McAfee Partner be McAfee Secure?
Apparently not, and being one wouldn’t have cured the XSS blues anyway.
Next in our video series, a supposedly secure shopping cart that is far from.

Here’s an IFRAME.
Here’s the cookie.
As well we know, coughing up the cookie counts as a really bad thing for any shopping cart, let alone an SSL protected shopping cart that happens to be a McAfee Partner and authorized distributor of McAfee Software. But lest we forget, McAfee doesn’t count XSS as concerning.
Here’s the video

One thing even McAfee has to agree on, McRee has style.  I like the video documentation and ticker tape messages.  McRee covers even more details on this topic over at his blog, and I recommend you go over there and have a look for yourself.

Of course, if you’re a current HackerSafe customer and are starting to worry, I’m still offering the “Nate McFeters Safe” certification.  Don’t be the last to fall in line, others have been quick to jump on, for example, the following noted security researchers are already proudly signed up and displaying the “Nate McFeters Safe” certification:

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

