GuestCentric Systems- Not Really That Secure.

I ran across a press release from GuestCentric Systems dated April 20, in which they announced their partnership with McAfee to put the McAfee Secure logo on all their client's pages.

GuestCentric offers a booking management service to independent hotels, and from the looks of things, it's actually a pretty cool app. They appear to be awfully proud of that system, and the fact that it was certified as secure. Now we all know that the McAfee Secure certificaton has serious deficiencies, but that horse doesn't appear to be dead yet, so I'll keep flogging.

The video on GuestCentric's press release essentially mimics the hype from McAfee- put the logo on your website, watch your sales jump 14%. It says nothing about the actual state of security in the app, and is purely marketing fluff. This always irritates me, but it doesn't surprise me. Of course, it also should come as no surprise that GuestCentric has XSS holes on their website, or that the booking application itself contains XSS holes as well. It also has CSRF holes and more.

What is interesting to me in this instance is that the GuestCentric app is almost completely AJAX. While McAfee secure is terrible at finding XSS and CSRF holes in the first place, it certainly does not parse AJAX and does not intelligently fuzz for these vulnerabilities. Short of detecting out of date software on the server, scanning this application with McAfee Secure is particularly useless.

The really amazing thing to me is that McAfee values their brand so little. Their name and logo are put on so many websites that they have so little to do with, nobody actually trusts (or in most cases, even sees) their certification.

McAfee keeps citing their 14% number. While I have doubts about the validity of that study (and real data has never been released), I have to wonder whether those numbers would be the same today. Something tells me that the answer is a resounding "no."

Most PCI Companies Are Insecure

The McAfee XSS got slashdotted. I think that all this attention is a good thing, putting a spotlight on XSS issues, but I have to say, I'm surprised by it. It's not like XSS attacks are news anymore, and it's not as if this is the first McAfee XSS to be published. Last night, I found an XSS hole in the verification script for their SiteAdvisor service (for extra irony).



But really, focusing on these XSS holes is missing the point. I never thought I'd say this, but in my experience, McAfee is one of the better ASVs out there. This isn't a compliment to them, it's an insult to the entire industry. Here are a few examples of other ASVs.

Until last week, atsec.com was vulnerable to XSS.

Until last week, secureconnect.com was vulnerable to XSS.

Until last week, ncircle.com was still vulnerable to XSS.

sungard.com is still vulnerable to XSS.

controlcase.com is still vulnerable to XSS.

support.foundstone.com (McAfee's premium brand) is still vulnerable to Cross-site Framing.

Up until a few weeks ago, there were also open redirects on the websites of Qualys, SecurityMetrics, and others. Is it any wonder I'm not at all shocked at a few XSS holes in McAfee's web site?

Some of these companies should be commended for handling the vulnerabilities correctly- nCircle, SecureConnect, Qualys, and even McAfee responded admirably- sometimes the issue was fixed within minutes of my vulnerability report. Others- Foundstone, ControlCase, and Sungard, belong in the doghouse- none of them even responded.

However, the glaring fact is that the entire PCI scanning industry is, frankly, bad at scanning for vulnerabilities. Most of these websites use their own scanning service on their own websites. While I still hold that in-depth audits for these sites should have taken place long ago, the scanners should have caught the problems as well. Some of these domains contain the portals for customers to manage their PCI compliance scans.

People, let's take the focus off of McAfee, and put it where it belongs. The PCI scanning industry as a whole is a joke, and across the board, these Web Security companies are themselves bad at security.

Edit 5-6-2009: nCircle was one of the fast-responders.
I mistakenly listed them as one of the "doghouse" ASVs.


The New McAfee Secure Standard

Despite my vocal criticism, I really had a lot of hope for the McAfee Secure Standard. I certainly think there's a need for well-defined and comprehensive web security guidelines. The PCI-DSS is a good start, but very few website owners know when it applies to them, much less how to comply. Enforcement of PCI compliance is, let's face it, a joke. Considering that Visa, American Express, and the PCI-DSS's own FAQ have been having XSS holes lately, that's not really a surprise.

Of course, I didn't expect McAfee Secure to have any consequences for noncompliance (besides not being able to display that shiny logo on your site). What it can provide, though, is a set of guidelines for the web developer and administrator to realistically get a feel for his own security. You know, all that stuff that you can already get over at owasp.org. Those guidelines, combined with a reliable (keyword: reliable) certification system could actually be pretty helpful to the web security world. I'm of the opinion that is a project for the nonprofit sector, but I was willing to give McAfee a chance.

But, they've proven again with their newly published standard, that they either don't understand or don't care about web security. It's a shame, really.

To begin with, the published standard reads more like a sales brochure than a standard. I'm convinced that's really all it is. There's not really much on there that we haven't already seen on their website. The only real new thing is a list of security risks that are identified in the scans and, we assume, risks that would prevent one from being certified.

Interestingly, they compare their own standard with the PCI-DSS as well as... somehow, with a SSL certificate. Seeing as an SSL certificate is not a standard, this doesn't make a lot of sense. I'm really trying to wrap my head around this comparison, but I'm not getting it. According to the "Standard", either implementing SSL encryption is required to aquire a certificate (It's not), or McAfee Secure somehow provides SSL encryption (it doesn't). I guess there's a third option- they're comparing apples to oranges and hoping we don't know the difference.

In that same chart, they compare themselves directly to the PCI-DSS. They make a point of the fact that they have many things PCI doesn't, like checking for "Misuse of Personal Information". Apparently, the PCI-DSS doesn't have anything to say about that... oh, wait. That's the whole point of PCI. Here's the first full sentence of the PCI-DSS: "The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally".

Here's a thought- McAfee is a PCI Qualified Security Assessor. Shouldn't they, of all people, understand the PCI-DSS? Are they implying that their standard is superior? Under McAfee's "Required for Certification" section, the following items must be handled for PCI Compliance, but are only "Optional" for McAfee Secure:

• Error Handling
• Session Exipration
• Directory Indexing
• Client Side Vulnerabilities
• Server Misconfigurations (a broad category if I've ever seen one)
• SSL Encryption (Seriously, that's not a requirement.)

Maybe more information from McAfee is required, but they aren't providing it. This is obviously only an outline of a standard at best. No details are given about what exactly "Sever Misconfigurations" are, and I hope that a standard including actual descriptions of what is required for certification is forthcoming. The standard that they published is a joke.

I was awfully disappointed.

More McAfee Snake Oil

The McAfee Secure certification is useless.

Over at holisticinfosec.org, Russ McRee has been covering this in depth, but I've had the fortune to know the inside story.

Russ has been making snake oil vendors' deficiencies public for some time. A few weeks before Black Hat, he and I were talking about this, and he showed me a handful of "McAfee Secure" sites. All of them had XSS holes, and many had much worse- SQL injection and other serious issues. Over the next few weeks, we traded more vulnerabilities as we found them, and he amassed a pretty impressive list of weak, but certified secure sites. To top all of this off, we found XSS holes on McAfee's own domain.

We also got our hands on a PCAP dump of one of their scans, which revealed quite a bit of insight into the scanning process. We were able to prove that they do not revoke PCI compliance or McAfee Secure certifications for XSS, though the engine does indeed fuzz for (and occasionally even find) them.

While they were being awarded their Pwnie, Russ put together a paper detailing these findings. He sent the paper to McAfee before publishing, in order to give them a chance to address the issues before they were made public. They surprised us both by responding positively. Some of McAfee's top people spoke with Russ in person a few weeks later, resulting in him publishing this blog post.

That was some time ago, but we still haven't seen any progress. A published standard for what exactly "McAfee Secure" means was promised after 2-3 weeks, and we're now pushing five. The information that we have isn't encouraging- it appears that McAfee Secure will have a different set of standards for enterprise websites and the smaller "Ma and Pa" shops. The latter will not be required to fix XSS issues and the former will not have to do so until an arbitrary time period has expired. What this means is that, to a user looking for evidence that a site can be trusted, the "McAfee Secure" badge on a website will mean exactly what it does now: Absolutely nothing.

I suppose that anybody can offer their own meaningless certifications (and some people have), but as Rafal noted yesterday, calling these sites "McAfee Secure", "Hacker Safe" or anything of the sort is in poor taste at best- fraudulent on the other end of the spectrum.

This brings us to today.

It appears that McAfee intendes to leverage their brand recognition and captalize on the trust of the ill-informed. They have a new service advertised on parts of their website. Found at secureshopping.mcafee.com, it is basically a meta-search engine which will allow one to "shop with confidence at McAfee SECURE certified merchants", according to the text on the site. This actually doesn't strike me as a bad idea, provided the certification is worth something. Considering the certification isn't, the whole thing is rather laughable.

I first stumbled across this site just before Black Hat. The app was probably not intended to be public then, but I immediately (accidentally, actually) discovered an XSS hole in it (this was one of the holes on McAfee's domain mentioned above). While that hole has since been fixed, the situation really isn't any better now.

To begin with, the application doesn't use transport-layer encryption, and is therefore vulnerable to sniffing, tampering, and all the man-in-the-middle attacks that we already know and love. But who bothers with SSL these days?

The shopping application itself seems to be based on the same code as that of become.com. Actually, they appear to have partnered for this service, because when you click a link from McAfee's site to a particular product, you are given a 302 redirect to partner.become.com, then to stat.dealtime.com (whoever that is). From there you are 302-ed anywhere from one to three more times before landing on the requested product page, provided by a McAfee Secure merchant.

In theory, at least.

For the sake of breaking things, let's build a link that will take us through the McAfee Secure gateway to an uncertified website. We'll go to www.become.com, find a product, then deconstruct the link and pass its unique identifier to McAfee shopping center (which, being based on the same code, uses the same format for its links). Lo and behold, the following link will take you directly to the product on Amazon.com- which according to McAfee Secure, is not McAfee Secure.

Next, let's take a look at the app's session ID generation. Admittedly, sessions don't appear to be used for anything in the site (except maybe tracking user activity), but I have to assume that session functionality was added for some reason, and it nicely demonstrates their own lack of understanding of web application security. Can you find the pattern?

1223516988361-0-9IDB
1223516989602-0-gnpY
1223516990254-0-SZPR
1223516990913-0-F9jC

That's right folks, they're using timestamps as session IDs. Now, I've seen this practice used by banks, mortgage companies, and ecommerce sites, but I never expected to see such poor practices on the website of the "world's largest dedicated security technology company" (their boast, not mine).

Finally let's look at the partners, who we have to assume will help provides us "a secure online shopping experience with thousands of McAfee SECURE sites". The sites at become.com and dealtime.com are themselves riddled with XSS and open redirect holes (not to mention storing the answer to a CAPTCHA within the form to be submitted).

With such poor decisions being made, can we really expect McAfee Secure to live up to its name?