8.6.05

False sense of security?

I was recently at a major electronics retail site and noticed that they had a little "Hacker Safe" tag with a shield in the top left of the page. On closer inspection, "Hacker Safe" linked to scanalert.com, which is "making the web hacker safe", according to their page. I trust they meant "safe from hackers" and not safe for the "web hacker". It seems a good thing at first; a site that's made a little extra effort to allow itself to be vetted against "the highest security scanning standards of the U.S. government". There are some problems that come to mind with this kind of site certification. Firstly, even if ScanAlert is a reputable company, what's to stop a scam site from including a forged "Hacker Safe" link on their page? Also, ScanAlert's own disclaimer states:

"HACKER SAFE does not mean hacker proof. HACKER SAFE certification cannot and does not protect any of your data that may be shared with other servers that are not certified HACKER SAFE, such as credit card processing networks or offline data storage, nor does it protect you from other ways your data may be illegally obtained such as non-hacker "insider" access to it. While ScanAlert makes reasonable efforts to assure its certification service is functioning properly, ScanAlert makes no warranty or claim of any kind, whatsoever, about the accuracy or usefulness of any information provided herein. By using this information you agree that ScanAlert shall be held harmless in any event."

Which is fair enough, but I doubt the average user would take the time to explore what is really meant by "Hacker Safe". The tag used on each page also indicates the date on which it was last certified hacker safe. This is also trivial to fake and only seems to deepen the misplaced trust in the tag itself. Another worrisome thing is the potential for the service itself to cause intrusion alerts on target hosts. Their FAQ claims:

Does ScanAlert need a web host's permission to scan its clients' web sites?
No. Our clients (the web host's customers) not only have the right to test their web site's security, they have a legal and regulatory obligation to do so. In fact, Visa and MasterCard require all merchants who transact credit cards online to pass security audits by an accredited security service. ScanAlert is accredited to conduct these security scans on behalf of Visa, MasterCard, American Express and Discover Card.
They also explain:

To ensure hackers can't steal your private information from the web sites where you shop, ScanAlert's technology acts like a "Super Hacker," conducting daily security scans of every known way for hackers to break-in. Only when we can certify a site is HACKER SAFE will you see the certification mark appear.

which is disconcerting: "every known way..". Hopefully this doesn't mean they mount botnet-based DDoS attacks on all your devices while war dialing all your lines to snatch a dialup console. I also can't help but notice that they feel free to say "To ensure hackers can't steal your private information"; I thought they were clear in the disclaimer that they couldn't ensure it.
On the "terms and conditions" page of the site they also state that:

You must never use or direct the services to interact with IPs or Devices for which you are not expressly authorized to do so.

Now I'm confused; I thought they were clear that they didn't need the owner's permission.
I'm sure it's all well intentioned, and most of the sites they had on their search/browse "Hacker Safe" sites listing looked legitimate. But there's nothing stopping some criminals from starting their own "white hat" services site with a similar certification and collecting money for "protecting" sites. It would also give them a good cover for extensive hacking: "oh, ignore those brute force password scans; it's just our advanced hacking software giving you a good certification".