‘Hacker Safe’ seal: Web site shield, or target‾

More than 80,000 Web sites worldwide display a small green logo that proclaims them to be ‘Hacker Safe.’ The logo is provided to them by ScanAlert Inc., a vendor that scans the sites of its clients daily in search of security vulnerabilities.

ScanAlert’s logo is the most widely used security seal of its kind on the Web, and it can be found on dozens of marquee-brand sites, including those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment Inc. Such widespread use attracted the attention of security vendor McAfee Inc., which in late October agreed to acquire ScanAlert.

But Napa, California-based ScanAlert was put on the defensive this month after online technology retailer Geeks.com warned an undisclosed number of customers that their personal and credit card data may have been compromised in a hacking incident. Geeks.com, whose formal name is Genica Corp., displays the Hacker Safe logo at the bottom of its home page.

A ScanAlert spokesman said ‘preliminary evidence’ suggests that the breach likely occurred during one of several periods last year when ScanAlert had withdrawn its certification from Geeks.com after finding vulnerabilities on the Web site.

Even so, the incident at Geeks.com has rekindled a debate about the value of security seals such as the Hacker Safe logo.

ScanAlert users say that the scanning service can sniff out at least some security problems and that the logo is a valuable marketing tool for them.

On the other hand, ScanAlert’s detractors say the service can give companies and their online customers a false sense of security. Indeed, hacker groups have claimed that they have targeted and broken into numerous Web sites displaying the Hacker Safe logo.

‘Hacker Safe seals are completely ludicrous,’ said David Kennedy, who heads SecureState LLC’s profiling and e-discovery practice. SecureState is a consulting firm in Cleveland that offers security risk assessment services and does manual penetration testing of systems and networks for its clients.

ScanAlert’s automated probes offer a ‘very basic form of vulnerability identification,’ Kennedy claimed. They focus more on spotting network vulnerabilities than on detecting harder-to-find Web application flaws, such as SQL injection and cross-site scripting vulnerabilities, he said.

‘Web applications are very dynamic and ever-changing,’ whereas vulnerability scans rely on static information to identify security issues, Kennedy said. He noted that after being asked to do security assessments by 10 companies with Hacker Safe logos on their Web sites, SecureState was able to break into nine of the sites and easily access financial and customer data.

Adriel Desautels, chief technology officer at Netragard LLC, a Mendham, New Jersey-based company that offers manual vulnerability testing services, said automated scans can be useful in ensuring that a Web site is protected against known security flaws. ‘They make sure that network security is not a complete disaster,’ he said.

But automated scans don’t work as well with customized Web applications and e-commerce environments, Desautels contended. And they do next to nothing to test Web sites against less commonly known vulnerabilities, he said, adding that those are the flaws most likely to be exploited by black-hat hackers.

‘We had a major financial institution customer that had passed an automated vulnerability scan and intrusion testing,’ Desautels said. ‘Everything appeared to be working, but then we came in and by the end of the third day, [we] had penetrated 17 of their internal systems.’

Tim Dowling, vice president of consumer growth initiatives at McAfee’s Web security group, said it’s unreasonable and naive to expect any IT security service to provide 100 percent protection against online threats.

‘Hacker Safe is not perfect,’ Dowling acknowledged. But he said that ScanAlert’s service does help users defend their Web sites against ‘thousands and thousands’ of threats. And sites that sport the seal are far more readily trusted by consumers than ones that don’t, he claimed — a contention that was backed up by several ScanAlert users.

According to Dowling, a full 90 percent of the scans that ScanAlert performs on a daily basis are automated. But in cases where sites fail the vulnerability scans, the vendor may do manual penetration testing to help its clients understand and correct security problems, Dowling said. And contrary to the claims of Kennedy and Desautels, ScanAlert does look for problems such as SQL injection and cross-site scripting flaws, Dowling said.

He added that the date-stamped Hacker Safe seal is served and controlled entirely by ScanAlert and is withdrawn any time a Web site fails to pass the daily vulnerability scan. Since new vulnerabilities arise frequently, Dowling said, it isn’t uncommon for sites to lose and regain their Hacker Safe status, as Geeks.com did last June and December.

The Hacker Safe service should be just one part of a multilayered security strategy, said Jay Greenberg, director of e-commerce at Spencer Gifts LLC, a novelty gifts retailer in Egg Harbor Township, New Jersey.

‘This is one additional tool that you can utilize to help secure your site,’ Greenberg said, adding that IT and Web site managers also ‘have to be smart and diligent about making sure your developers are monitoring and checking’ for security flaws as well.

In addition to helping secure Web sites at the back end, ScanAlert’s service can boost sales by making consumers ‘feel comfortable’ about doing business on a site, Greenberg said.

Before joining Spencer Gifts, he worked for another company that was a ScanAlert client. Greenberg said that to test how useful the Hacker Safe logo was from a marketing standpoint, the company — which he declined to identify — asked ScanAlert to make the seal visible to only about half of the visitors to its Web site. The test showed that more of the people who could see the logo bought products, he said.

Jay Cline, president of Minnesota Privacy Consultants and former chief privacy officer at hospitality industry conglomerate Carlson Companies Inc., has been a ScanAlert customer for about a year. Using the Hacker Safe service certainly doesn’t guarantee that hackers will never be able to break into a Web site, said Cline, who also is a Computerworld columnist.

‘What I’m buying is a service that keeps me safe from hackers that use known vulnerabilities,’ Cline said. ‘I’m aware that there’s still [other risks] that I need to watch out for.’

ScanAlert has helped identify security problems that might otherwise have been missed, Cline said. For example, during the initial sign-up process, a scan pointed him toward a cross-site scripting vulnerability that resulted from the way in which his site was being hosted by an external Web site developer.

A logo proclaiming that a site is safe from hackers could sometimes be seen as an open invitation for malicious attackers to try to crack the site, Cline acknowledged. But like Greenberg, he said that the Hacker Safe seal can be a valuable tool for convincing consumers to complete transactions and not be scared away by any security concerns.

‘If you’re looking for ROI, Hacker Safe on balance gives you more lift,’ Cline said.

Bill Cronin, manager of e-commerce at The Vermont Teddy Bear Co. in Shelburne, Vermont, also said that he has been able to justify the cost of the ScanAlert service from a marketing standpoint.

When it comes to actually boosting the security of a Web site, though, the benefits are somewhat less obvious, Cronin said. He added that ScanAlert can help users identify some pretty obvious flaws that most IT departments really should be finding on their own in the first place.

‘If they’re coming up with vulnerabilities on your site, you really aren’t doing your job as a security administrator,’ Cronin said. ‘The technical side of me says there is limited use here from a security perspective. The marketing guy in me says it’s a no-brainer.’

Eric Ogren, an independent consultant in Boston, said that the situation isn’t black and white, because the IT security industry has yet to develop any metrics for measuring the effectiveness of different vulnerability detection approaches.

It’s hard to say for sure how effective ScanAlert’s automated scans are, Ogren said. But he added that it’s equally hard to know if manual penetration testing and vulnerability assessments are as useful and scalable as their proponents claim.