Monday, October 02, 2006

Just when you think it's over, ScanAlert drama

Brian Bertacini from AppSec Consulting clued me in to this story. This snippet kicks off the story...

ID Thieves Turn Sights on Smaller E-Businesses
"After scanning the search results, he purchased the inexpensive item -- a USB cable used to synchronize the Treo's settings with his personal computer -- from the first online store displayed in the results that looked like it carried the cable. The site featured a "Hackersafe" logo indicating that the site's security had been verified within the past 24 hours. Later that day, information from Cole's purchase --- including his name, address, credit card and phone numbers, and the date and exact time of the transaction --- were posted into an online forum that caters to criminals engaged in credit card and identity theft."

ScanAlert Inc., a Napa, Calif.-based company, scans over 75,000 online merchants each day for thousands of known Web site flaws. According to the story, ScanAlert is investigating the breach. Of course, one would think that law enforcement would be performing this task. We'll have to wait and see for sure if this was a web application hack or something else. But if you look at the published statistics, a web security attack is the smart bet.

"According to a report released this month by VISA, four-out-of-five of the top causes of card-related breaches were digital security weaknesses common at merchants large and small, including missing or outdated software security patches, misconfigured Web servers, and the use of vendor-supplied default passwords and settings, all of which are a violation of new payment card industry standards."

Several experts weighed in with their thoughts. Most of it was the normal best-practice stuff, but this one gave me pause.

"Having one of these scanning services in place is definitely better than nothing because a lot of small and medium sized online stores don't have the staff in place to make sure their applications are secure," said Jason Lam, who teaches a course on securing Web sites for the SANS Institute.

Normally I would agree that doing something is better than nothing. This might be a different situation. If a scanning vendor tells you they scan for vulnerabilities which they are clearly not finding, then all you've bought is a false sense of security. The bad guys quickly figure out that any business carrying the logo probably does in fact have vulnerabilities, because the reports say otherwise!

My question is: since ScanAlert is a certified PCI scanning vendor, what does this say about enforcement of the PCI standard? I've talked about this problem in the process before. And what does this say about the rest of ScanAlert's 75,000 customers? Maybe it's just as the logo suggests, "safe for hackers".


Anonymous said...

Welcome to the problems with checklist based security initiatives.

PCI, as a checklist goes, is a very comprehensive standard. It makes sure that you get scans every so often from a "certified" vendor.

Having gone through the "scanning vendor" certification process in a former life, I can tell you that it is supposed to be more than just a simple Nessus scan.

However, in the year that we were certified, save for the initial "test" scan to get us certified, there was no accountability to Mastercard about how we were doing our job. In fact, Mastercard seemed more interested in failing us because our report title wasn't exactly what they wanted - rather than how much effort we put into the assessment.

So once certified, many vendors set up automated Nessus scans and then "bless" sites. In June of last year, there was even discussion on a mailing list about the subject. Some vendors were upset at stupidly low pricing ($5 per IP or less) set up by some of these automated Nessus shops. Which, of course, is an issue because 90% of the PCI sites are 1 or 2 IP shops.

So you have to wonder - even if ScanAlert is using the latest Nessus (and there's no control in place to make sure that they are) - do they *only* allow you to put up the badge on your website if you fix any issues they find - or - do they just allow you to put up a badge because you have a contract with them?

Jeremiah Grossman said...

Good points, thanks for commenting.

I think what you're also talking about is a bait-and-switch tactic. Nothing prevents a PCI scanning vendor from passing the test with one set of technology or process, then reverting back down to Nessus or whatever else from then on out. Who's to know the difference? Certainly not the small mom and pop merchant. Definitely not the consumer. And not the PCI powers that be.

Personally I like the price-war competition. It forces everyone else in the industry to do better. There just needs to be more of a check and balance. Maybe a 3 strikes rule. If a merchant gets hacked using a vulnerability that should have been found during a PCI scan, the PCI vendor gets a warning and a requirement to re-pass the test. 3 incidents and you're out of business PCI wise. Maybe that could work, devil is in the details.

To answer your questions about ScanAlert. You pay them to put a logo on your website with the expectation that your visitors will buy more. The rest is useless.

Sid Stamm said...

Scary story. This seems to be a severe case of unwarranted trust, but as you know it's not a new thing on the Internet.

SSL/TLS can be used to prevent many attacks on the 'net, including man-in-the-middle, yet how many people really know how it operates? How many people actually read the dialog box asking if they want to accept a certificate that was issued for a different domain? Probably 10%... thus the lock icon in the address bar means nothing.

Alex hits it right on the nose -- checklists are bad, since there's always a breach that's not on it. What scares me more is that this unwarranted trust "Badge of Security" checklist method carries over to real life. Look at the TSA; their employees mindlessly run physical "nessus-like" scans on airline passengers. But that's a topic for another post. ;-)

Unknown said...

Something like this, while it might be selling a false sense of security, is still good and better than nothing. Good point singling that paragraph/expert out.

If it truly is a false sense of security, those sites and services that offer it will be weeded out over time. Granted, that will still include direct costs and victims and collateral (degraded trust, etc), but I would conjecture it is still better than nothing (although if their business forces better services out of business, that is another argument...).

Ultimately, though, always keep in mind that no solution will be universal. Even our police departments do not act with the goal of eliminating all crime.

Anonymous said...

Ooops. My bad, talking with a colleague - apparently ScanAlert stopped using Nessus a year or so ago and now have some sort of exclusive deal with Qualys.

I had old info.

So what's to keep a "bad guy" merchant from linking to someone else's "hacker safe" badge, I wonder?

FWIW: I'm fine with price wars, too. I just hope that the FSTC initiative does things correctly, and in a way that can scale to be something meaningful to "mom and pops" and web browsing Grandmas.

Anonymous said...

There appears to be a gap between the testing criteria to become a "Certified PCI Scanning Vendor" and the actual PCI DSS. For example, PCI DSS requires web applications within the PCI infrastructure be tested for OWASP Top-10 (which is somewhat vague) and wireless network vulnerabilities. Our company was certified by MasterCard and we found problems in their test web application that they didn't know existed (probably because they were not detected by Nessus/Qualys). Additionally, there was no real wireless network component of the test.

In my opinion the certification testing process needs to be enhanced to include web applications and wireless networks.

Just my $.02.

Jeremiah Grossman said...

I'm with ya on the webappsec piece, but the wireless is going to be a bit odd. I won't pretend to know much of anything about wireless "security", but won't this require vendors to be on site 4 times a year? This will get real costly real quick. Unless of course the merchant has no physical presence.

Anonymous said...

Just wanted to comment about the HackerSafe-logo. You have 72h to fix vulnerabilities found on the site, after that the logo will be replaced with a 1x1 gif - in other words it will be removed if you have severe enough vulnerabilities.

Logo is tied to a domain name and it is stored on ScanAlert's servers - see Sonymusicstore for example:
What I don't know is if they check HTTP referer headers to detect abuse.

So the logo is (at least in theory) more than just a pretty picture on the site.

I use HackerSafe service for scanning my servers but I don't use the logo on any site (I doubt I ever will).

Anonymous said...

As a clarification to a point that was made earlier in this thread, ScanAlert does not use Qualys for their scanning engine.

Heather said...

interesting blog