There has been a lot of fuss across the 'net over Geeks.com being hacked while proudly displaying the "Hacker Safe" image from ScanAlert. I'm sure that even before this incident, people have been blogging about certified "Hacker Safe" sites which suffer from such prevalent vulnerabilities as cross-site scripting. Jeremiah Grossman has an interesting blog post where he quotes ScanAlert's Director of Enterprise services and points out some inconsistencies in ScanAlert's approach to security and XSS.
I'll spare you the technical details of XSS and ScanAlert, as I'd rather describe an interesting conversation I had with my fiancée a few weeks ago. My fiancée, who is admittedly non-technical and HATES when I talk about computers, security and other geeky stuff, called me while she was trying to book us movie tickets on movietickets.com.
She said: "I'm trying to get us tickets. The web page is asking me for my birthday, and it has this Hacker Safe thing - what the heck does that mean?"
The Hacker Safe logo totally aroused her suspicions that something fishy was going on with the site. I told her that it doesn't necessarily mean something malicious is going on, but it also proves absolutely nothing about the security of that web site or her data. She considers her birthday sensitive information, questioned its relevance to purchasing tickets, and the Hacker Safe logo just made her feel uncomfortable. In the end, she opted NOT to book the tickets online, and we would take our chances with the long lines at the box office.
I was so proud of her! What a vigilant web surfer she is. Surely, my being a security professional has rubbed off on her, and maybe she is getting over her abhorrence of computer speak. Excited, I went into geek over-drive and started telling her to download Firefox, run NoScript, and how she should really start using separate web browsers. That was followed up by a quick "WHATEVER."
Oh well. Baby steps, I guess....
Tuesday, January 22, 2008
Posted by Mike Zusman at 12:00 PM