
July 1st, 2008

McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures

Posted by Nathan McFeters @ 10:40 pm

Categories: McAfee, PCI

Tags: McAfee Inc., Organize-It, PCI, Phishing, Cyberthreats, Marketing Research, Storage, Hardware, Security, Spam And Phishing

Stay with me here, readers: I'm stringing two stories about McAfee together, which is a little out of the ordinary, so I hope it makes sense.  If you aren't interested in the tech details (of which there are very few), please do read on for a good laugh.

Network World reported that McAfee conducted an experiment to find out what would happen if computer users really did respond to all those spam emails and click all those free-virus-scan popups.  The experiment, called S.P.A.M. (Spam Persistently All Month), took 50 volunteers, both male and female, from numerous countries, and let them do exactly that for a month.  Of course, the end result is exactly what you'd expect, but hey, I'm game for an experiment, and the volunteers get free computers, so let's read on!

The article states:

By the time it was all over, after every bank-account phishing scam, Nigerian bank scheme, and offer for medication, adult content and just plain free stuff had been pursued. “I was horrified,” says Mooney, a realtor by profession. “It’s all snake oil. I’m amazed at what true junk is out there when you’re clicking through on e-mail.”

Holy crap… so, what this article is telling me is that McAfee is actually pointing out snake oil to end users?  Whoa, this goes against all their marketing campaigns for HackerSafe certifications and their PCI solutions, but hey, that’s cool I guess.  Oh wait, sorry, they’re not pointing out their OWN snake oil. 

[Author's Note: Sorry guys and gals, this was like a slow-pitch Softball... I couldn't help myself]

The article goes on:

McAfee is releasing the results Tuesday of its free-wheeling month-long S.P.A.M. experiment, done largely to illustrate — if you didn’t know already — how spam is connected to malware and criminal activity, not to mention some of the slimiest marketing ever devised.

Holy haberdashery, Batman!  Can you believe it?  Spam, popups, phishing, etc. actually lead to malware and criminal activity?  Not to mention some of the slimiest marketing ever devised?

Yeah, so about that slimy marketing… HackerSafe is popping up on my news radar again, as once again fearless friends of the people Russ McRee and Rafal Los have posted some very interesting comments on HackerSafe issues.  From McRee's newest blog entry, entitled "XSS Comedy at McAfee Secure's Expense":

In celebration of the deadline for PCI Requirement 6.6 compliance as of June 30, 2008, I thought I'd share a little web app sec comedy at McAfee Secure's expense.  As well you should know by now, the existence of XSS vulnerabilities in a site that is required to meet PCI DSS standards means that the site IS NOT PCI COMPLIANT. Very simple, right?

Let’s consider the McAfee Secure/Hacker Safe-branded site for Organize-It.
A seemingly handy site, perfect for your HGTV types, likely with healthy credit card limits. Uh-oh, here it comes. Oh yes, Organize-It handles credit cards and is thus beholden to PCI DSS. Organize-It is also proudly displaying a current McAfee Secure badge, indicating that it’s tested daily. Given the focus of many a recent discussion it shouldn’t shock you that Organize-It is vulnerable to XSS.

By the way, Russ, as always, has included video evidence, but yeah, it would seem that the McAfee Secure badge has failed us again.  It sort of reminds me of when children play peek-a-boo and hide behind their hands and actually believe that you can't see them… except that, yeah, they're children, so you can't blame them.  Oh, and about that slimy marketing they do?  Yeah, just check out that blog posting by Russ.
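To make the McRee point concrete, here is an added example, not code from the original post, from McRee's write-up, or from any site mentioned here: a reflected XSS in a hypothetical search page, the output-encoded fix beside it, and the kind of reflection probe a tester (or a scanner that actually wants to earn its badge) has to run in more than one HTML context. The page markup, the function names and the probe strings are assumptions for illustration; nothing here describes Organize-It's actual code or McAfee's scanning method.

```javascript
// Added example (hypothetical search page); not the code of any site or
// vendor discussed in the post above.

// Encode the characters that let untrusted text break out of HTML text
// and quoted-attribute contexts. (Not sufficient on its own for data
// placed inside <script>, URLs or CSS; those need context-specific encoding.)
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[c]);
}

// Vulnerable: the user-supplied query is concatenated into the response
// verbatim, in both a text context and a quoted attribute context.
function searchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>\n<input name="q" value="${query}">`;
}

// Hardened: every interpolation of untrusted data is HTML-encoded first.
function searchPageHardened(query) {
  const q = htmlEscape(query);
  return `<h1>Results for ${q}</h1>\n<input name="q" value="${q}">`;
}

// Reflection probes (constructed): unique markers that only survive the
// round trip if the page does not encode them. One probe per context,
// because fixing the text context does not automatically fix the
// attribute context, and a one-payload scan will miss whichever one it
// did not try.
const PROBES = [
  "<zz9pz>",    // must not come back raw in a text context
  '"zz9pa="',   // must not come back raw inside a quoted attribute
];

// Returns the probes that the given page renderer reflects unencoded.
// An empty array means neither context reflected its marker.
function reflectsUnencoded(render) {
  return PROBES.filter((p) => render(p).includes(p));
}

// Stand-alone demo when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable page reflects:", reflectsUnencoded(searchPageVulnerable));
  console.log("hardened page reflects:  ", reflectsUnencoded(searchPageHardened));
}
```

Run it with `node` and the vulnerable renderer reflects both probes while the hardened one reflects neither. The second probe is the one worth remembering: a scanner that only checks for a canned `<script>` string in the text context will happily certify a page that is still injectable through an attribute.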

I'll keep saying it: you're better off with the cheaper "Nate McFeters Secure" certification, and I mean, come on, who doesn't want this picture proudly displayed on their site:

[Image: "Nate McFeters Certified" badge]

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 11)

RE: McAfee S.P.A.M. experiment and more ridiculous HackerSafe failures
their experiment is par with their product. (Read the rest)
Posted by: Tmanisback on 07/05/08