This is precious and points out that no site is safe no matter how hard you try.
Back when I had a hosting company I always told customers that the best Hacker Safe could do was let us know if we weren't up-to-date with the OS patches and such, and we always were current, so having that extra sticker on your site doesn't mean squat because you can still get hacked.
I'm sure all of those customers from Geeks.com have a nice and warm fuzzy feeling from that "Hacker Safe" logo about now.
FYI, What I find most interesting is that it's a Microsoft server and not the run of the mill Linux box which one would expect if they were true geeks ;)
Those kiddie script hackers usually go for press, so telling them you are "Hacker Proof" is pretty stupid unless you are. And who is hacker proof?
No site is hacker proof. According to the website, the "Hacker Safe" logo prevents 99% of hacker crime in English, French and Japanese and 99.9% of hacker crime in Chinese, Dutch and Portuguese.
According to these figures, translating their site to Chinese might have prevented this attack as that language gives 10 times more protection ;)
What this example shows us is that storing really sensitive information on a web server can cause serious problems. One thing that comes to mind is to use encryption to store sensitive information. There are encryption schemes with public and private keys which make it possible to encrypt information with one key and decrypt it with another.
If the payment processing of the credit cards is done via another, more secure computer system, the website could just encrypt the information and store that encrypted version in the on-line database. A readable text field could be added to the database which contains a verification version of the credit card number, for example "****-****-****-1234". All the hacker will find are the encrypted credit card numbers and the useless **** versions.
When a payment is processed, the encrypted credit card number is sent to the payment processing computer (ultimately this is the computer system of the credit card company, but it could also be an offline computer at the merchant's office) and the second key is used to decrypt the number and process the payment.
With such a scheme you do not prevent a hacker from entering the system, but you make his visit rather worthless. It would need another logo though. Something like "This site is hacker transparent".
Actually I see little reason to go through all the expense and risk to process credit card information on a (business) website itself - at least for a smaller business - as banks and payment processing companies invest in highly-secure, certified websites just to that end.
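The split described in the post above, as an added example that is not the poster's code or any product's code: the web tier holds only the public key and stores the OAEP ciphertext plus a masked string, while a separate payment host holds the private key and is the only place the number is ever readable. The function names, the OAEP label and the sample card number are assumptions made for the example; the "4111..." number is the standard constructed test PAN and belongs to nobody.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// oaepLabel binds the ciphertext to this one purpose; the payment host
// must decrypt with the same label or decryption fails. (Assumed name.)
var oaepLabel = []byte("stored-card-pan")

// StoredCard is all the web-facing database keeps: the public-key
// ciphertext of the PAN and a masked string for order pages and receipts.
// A dump of this table yields neither without the private key.
type StoredCard struct {
	Ciphertext []byte
	Masked     string
}

// luhnValid runs the Luhn checksum so mistyped numbers are rejected
// before anything is encrypted and stored.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the last four digits, e.g. "****-****-****-1111".
func maskPAN(digits string) string {
	masked := strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	var groups []string
	for len(masked) > 4 {
		groups = append(groups, masked[:4])
		masked = masked[4:]
	}
	groups = append(groups, masked)
	return strings.Join(groups, "-")
}

// tokenizeForStorage runs on the web server, which has only the public key.
func tokenizeForStorage(pub *rsa.PublicKey, pan string) (StoredCard, error) {
	digits := strings.NewReplacer("-", "", " ", "").Replace(pan)
	if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
		return StoredCard{}, errors.New("not a plausible card number")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(digits), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Ciphertext: ct, Masked: maskPAN(digits)}, nil
}

// recoverForPayment runs on the separate payment host that holds the
// private key; it is the only place the full number exists in the clear.
func recoverForPayment(priv *rsa.PrivateKey, rec StoredCard) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.Ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// In a real deployment the key pair is generated on the payment host and
	// only the public half is copied to the web server; both sides are in one
	// program here purely to show the round trip.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	rec, err := tokenizeForStorage(&priv.PublicKey, "4111-1111-1111-1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("web tier stores: masked=%s ciphertext=%d bytes\n", rec.Masked, len(rec.Ciphertext))
	pan, err := recoverForPayment(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("payment host recovers:", pan)
}
```

The caveat a practitioner will want: this only helps if the web server genuinely cannot reach the private key. If the payment host exposes a "decrypt this record" call that the web tier may invoke at will, an attacker who owns the web tier can replay every stored ciphertext through it, so the decrypting side should be a batch or offline process, or at least rate-limited and alerting on volume.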
It seems the logo attracts the attention of unsavoury types.
It was only ever going to be a matter of time.
It astounds me that people placed that logo on their site. It's like an open invitation to the hackers.
Putting that logo on your site is like walking around the savannah with a T-bone steak tied around your neck; sooner or later something's going to take you out...
Maybe they should have made their sites CRACKER proof ;)
P.S. What kind of fool stores credit card data in their servers? Isn't it illegal anyway?
Nothing is "hack safe". I always chuckle when I see those official seals on a site... ;-)
The "hacker safe" logo is nothing but a picture. When I talked to them they told me there would be nothing installed on a server. Only a small bit of HTML would need to be placed in each page to display the logo. All they do is scan well-known ports for vulnerabilities and that is it. They would not even know if I have all patches installed or not. No test made for SQL injection or any other types of security holes.
And they wanted a lot of money for it. Something around 2000 a year. I knew that any kind of "hacker safe" logo is a joke. The only thing that matters is whether customers trust it or not.
--- No test made for SQL injection ---
George2006, you are not correct, they do test for SQL Injections. I am 100% positive on this.
|The "hacker safe" logo is nothing but a picture. When I talked to them they told me there would be nothing installed on a server. Only a small bit of HTML would need to be placed in each page to display the logo. All they do is scan well-known ports for vulnerabilities and that is it. They would not even know if I have all patches installed or not. No test made for SQL injection or any other types of security holes. |
I beg to differ. "Hacker Safe" is a LOGO PROGRAM but it is *NOT* just a logo. If you call and get a good deal (which you can) you can get scanning & auditing for 3-400/year which is a BARGAIN for "self auditing" vs paying a 3rd party to do it.
I say it's a bargain because the scanning itself is so-so (it will find immediate known concerns and report them), but the self-audit report that you use for PCI compliance is worth every penny because it gets the right people involved in knowing what aspects of the business they need to secure (and how) to accept credit card payments.
My guess is "geeks.com" simply took it for granted and didn't keep up with the audits nor the provisions they accepted in self audit and let some loose ends slide.
Yes, in many ways "Hacker Safe" is sort of like falling for DNB "Credit Builder": you can do without it and in itself it doesn't guarantee anything; however, if you get an affordable deal on it and actually use the plethora of information and resources they provide, it *IS* a good value.
Of course, with a little intuition you can lower your fees to nil by using your credit card processor or gateway to get PCI compliance self-audit checks, and they will low-ball a rate for Hacker Safe as well.
Whenever they try to sell the Hacker Safe logo to me or my clients, their selling point is not that it will make your site more "Hacker Proof", but that by seeing the logo, customers will trust your site more, therefore increasing your conversion rates...
|Whenever they try to sell the Hacker Safe logo to me or my clients, their selling point is not that it will make your site more "Hacker Proof", but that by seeing the logo, customers will trust your site more, therefore increasing your conversion rates... |
That is true. They sell it as a logo program to make your customers feel more secure, and frankly it is all about making it more secure. So they're not entirely wrong ;)
If you pass all of the audits and do the self-compliance check for PCI, then it's a pretty good bet that you are secure. Have you SEEN the audit? I mean, they go down to what router/network/firewall/IDS systems you use, how you lock down your accounts, how you rotate passwords, how you separate business processes, and then they automatically check your applications against known vulnerabilities.
I think the problem with the sales pitch is they sell the concept because most decision makers interested in the product know squat about the technical aspects.
There is no such thing as "Hacker Safe".
|There is no such thing as "Hacker Safe". |
There is being safe and there is being ignorant. If you do everything that the company "Hacker Safe" does on your own, then you are "hacker safe"; ignoring security risks and not following best practices is NOT hacker safe.
You're right, in the exact sense of the word nothing is safe, but by the same logic, by following the Hacker Safe compliance you are "affording yourself protection from hackers", thus HACKER SAFE.
|My guess is "geeks.com" simply took it for granted and didn't keep up with the audits nor the provisions they accepted in self audit and let some loose ends slide. |
You would guess incorrectly because you lose the Hacker Safe logo if you don't fix what they find within a few days.
As our UK government has found out, data is only as safe as all, repeat all, employees, contractors, partners and suppliers are trustworthy and competent. It only takes one lemon to sour the whole barrel.
|You would guess incorrectly because you lose the Hacker Safe logo if you don't fix what they find within a few days. |
I think that's only for "critical" or serious issues that they find.
It's hard to find an ecommerce site that *doesn't* have the hacker safe seal these days. They seem to have a great marketing department :)
I think of it more as a logo program to help build customer confidence rather than a certification that your server is impenetrable.
|You would guess incorrectly because you lose the Hacker Safe logo if you don't fix what they find within a few days. |
According to other discussions I've read, the President of Hacker Safe has stated that Geeks.com failed the audit and lost logo certification several times and that the "hack" happened during this period.
I'll see if I can't find the statement.
|But that by seeing the logo, customers will trust your site more therefore increasing your conversion rates. |
|According to other discussions i've read the President of Hacker Safe has stated that Geeks.com failed the audit and lost logo certification several times and that the "hack" happened during this period. |
Either way, the "damage snowball" has already started. If Geeks.com failed the audit and the hack happened during that time, then Hacker Safe is safe (pun intended).
But, it is too late now for a certain percentage of people who have already read the current stories. That Hacker Safe logo just became tarnished.
Some time ago I found an XSS security bug in the scanalert.com site :)
Basically I was able to make the "hacker safe" sign be certified on any site ...
This service is useful so that clients believe that your e-commerce site is secure. It's like SSL: most of the hacks are possible with or without SSL, but having SSL in use will raise clients' trust in the website. It's more of a psychological factor.
And my suggestion to website owners: let someone do a pentest or source code audit. It's much more effective than the "hacker safe" nonsense.
Hacker Safe isn't a source audit, and you won't find a source audit for the 399-1200.00 that Hacker Safe costs.
Have any of you that love to hate on it actually used it? I'm not defending it in any shape/form/fashion, because I too was leery of it and didn't buy it, but I DO use the Hacker Safe PCI Compliance because it allowed me to do a self-audit for my credit card processor, and in doing that self-audit the "Hacker Safe" is more of a methodology and test process than it is a logo.
It's entirely sales-force driven, so they try and sell you the "% of sales growth" that is possible using it, and to business managers that is all they care for.
But when a tech head/project manager gets into a Hacker Safe audit/scanning report, it's really invaluable for the knowledge that you gain from it.
For example, Amazon.com doesn't have to bother; they have billions to spend on their platform. But the average mid-to-small market e-commerce site that doesn't have the advantage of a full-on security team can leverage the Hacker Safe compliance/audit to catch the "low hanging fruit" and get a grasp of what PCI compliance/auditing/security auditing is all about.
It's just a shame that they sell it and other people conceptualize it as a "selling tool" vs the auditing tool it really is invaluable for.
I'm sure it may help increase sales (at least prior to this fiasco), but then if it's true the CEO can prove that geeks.com was in violation during the "hack", then more power to them, and it's a selling point to do daily audits and stick to the service.
Most "hack" attempts are script kiddies using known vulnerabilities, and Hacker Safe catches that pretty easily, and if you can pass the PCI compliance audits then you're on the way to safeguarding your consumers, which in a way protects the IP of the brand.
It IS stupid to sell it as "Hacker Safe", and they should have branded it as "Compliance Secure" or something to show that they're PCI compliant and have daily security audits to meet that compliance.
HOWEVER, I hope this doesn't turn into any mandates by credit card processors to purchase daily audits vs the ones required now.
The title of this post should be changed, as it's horribly misleading. Hacker Safe did not get hacked, and they never guarantee to stop all hacker crime. They mainly make sure you don't have any large gaping holes in your security. Even the BEST sites can still get hacked, although with Hacker Safe you'll be safe against the bulk of automated script attacks (provided you keep your OS updated and take Hacker Safe's advice). You should change the title to "geeks.com got hacked" - tell the truth!
I've always had a problem with the "Hacker Safe" name. It's just such a negative-sounding term, and to me it seems like you're waving a flag in the face of actual hackers.
(grin) Now that I think of it, the only site/server "hacker safe" is one... with nothing on it. One question though: is bare-bones Apache "hackable"? How about bare-bones Debian?
I had a recent thousand-fold bout of attacks (er, queries rather) targeting any and everything php, mysql, ms, phpmyadmin, horde, and even "random" common-name files with a .php extension. It taught me a lesson or two, but I wouldn't (dare to) say at all that my site is "hacker safe".
I did manage to come up with a site "architecture" that keeps all (externally inaccessible) scripting separate from my (accessible, server-generated) HTML content (will share if it interests anyone), have battened down all ports but those needed, and make sure to obfuscate my dynamic URLs/real hierarchy/website technology. Even then, all I can say is that it's worked until now.
So where can I read up about security? Maybe there should be a thread about it? ;)
The only safe one is the server still in the box :) The idea is that when you claim x and y, you look like a TOTAL idiot when you fail. Having one of the many thousands of independent sites hacked is just a matter of time. Frankly, I am surprised it took so long (unless others did not publicize it).
We received a cold call from "Hacker Safe" today.
I mentioned that I read on Webmasterworld that a site using Hacker Safe was hacked. The telemarketer snarkily retorted that they had notified the website owner about some unspecified security issue and the website owner took no action and did not respond. The rep stated that they had removed the "Hacker Safe" seal prior to the website being hacked.
I told them no thanks and I am kind of irritated by the cold calling. Not a good way to market.