THE CENZIC BLOG
July 11, 2008

McAfee HackerSafe: Not Safe. Not PCI Compliant.

Are you a user of HackerSafe (re-branded to McAfee Secure)? Then you are not secure or PCI compliant.

HackerSafe: Not so safe

Multiple McAfee domains are vulnerable to XSS attacks that can be used in various ways, including phishing and drive-by malware installs. Plainly stated, if you are vulnerable to XSS attacks, then you are NOT PCI compliant.

McAfee is a trusted name in computing and the presence of XSS vulnerabilities in their corporate Web applications is a case-in-point of the highly vulnerable nature of production applications.

Check out this HackerSafe video that illustrates:

  1. Sites that are vulnerable to XSS are not PCI compliant. All of the sites in this video take credit card payments and store customer information.
  2. The sites in this video have been vulnerable for months. Additionally, some have been advised multiple times and have simply ignored my notices. Their Hacker Safe branding is active and has not been removed at any time.
  3. The ScanAlert Hacker Safe service claims XSS as part of its vulnerability checks; sites that are vulnerable to it should not be showing the Hacker Safe label in perpetuity.
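As an added illustration (not code from this post, nor from McAfee or ScanAlert), the toy Python below pairs a page that reflects a query parameter into HTML unencoded with the same page using HTML entity encoding at the output point, and shows the minimal reflection check a seal issuer that claims XSS coverage would need to run before leaving its badge on a site. The handlers, the probe marker and the seal decision are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode


# Constructed stand-in for a search page: reflects 'q' into HTML with no encoding.
# This is the defect the post describes; a scanner claiming XSS checks must catch it.
def search_page_vulnerable(query_string: str) -> str:
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><h1>Results for {q}</h1></body></html>"


# Same page with HTML entity encoding applied where the value enters the markup.
def search_page_hardened(query_string: str) -> str:
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<html><body><h1>Results for {html.escape(q, quote=True)}</h1></body></html>"


# A unique, inert marker (constructed). If it comes back with its angle brackets
# intact, the parameter is written into HTML unencoded, i.e. the page is XSS-prone.
PROBE = "<zz-probe-7f3a>"


def reflects_unencoded(handler, param: str = "q") -> bool:
    """Send the marker through the handler and see whether it survives unencoded."""
    body = handler(urlencode({param: PROBE}))
    return PROBE in body


def seal_decision(handler) -> str:
    """What a seal issuer that really checks for XSS should decide for this page."""
    return "withhold seal" if reflects_unencoded(handler) else "seal ok"


if __name__ == "__main__":
    for name, page in (("vulnerable", search_page_vulnerable), ("hardened", search_page_hardened)):
        print(f"{name}: reflects unencoded={reflects_unencoded(page)} -> {seal_decision(page)}")
```

The hardened handler returns the marker as `&lt;zz-probe-7f3a&gt;`, so the browser renders it as text rather than as markup, and the check reports no reflection.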

Here’s another scathing article by ZDNet entitled, "McAfee's HackerSafe: When all else fails, rebrand it."

by
Tom Stracener
TStracener@cenzic.com

Comments

hackersafe

Hey Tom, I posted something similar about Hacker Safe on my blog (http://securityninja.blogspot.com) about a site I had come across that had the HackerSafe approval and was hosting a phishing site for a UK bank.

I wonder if they get the irony of these things?

We go in like a superhacker

@ Dave.

haha yes there is a lot of irony there. I thought about going off onto a rant after I read the rather funny article on zdnet by Dave McFeter's quoting Cresta Pillsbury of Hacker Safe. "We go in like a Super Hacker!" is how she described ScanAlert's style. 1:26 seconds into the interview it really gets thick. lol

