McAfee Secure (née ScanAlert) and other “trust mark” vendors are site security “certification” tools designed to help e-commerce websites create a sense of consumer confidence in the security of the site being visited. To accomplish this, they run a daily scan of the site, and if the scan turns up no serious issues, a seal is displayed on the website, letting the visitor know the site has been scanned and is “compliant”.
Unfortunately, McAfee Secure (and every other security seal vendor) suffers from the same critical issues, which allow attackers to use these services as a one-stop shop for network reconnaissance and turn them from a defensive tool into the ultimate attack tool.
In this presentation we will illustrate the ease with which an attacker can enumerate all the sites protected by the various services, using simple SEO crawls and OCR to defeat graphic-based providers, and use the collected information to reveal vulnerable sites without sending a single packet to the sites themselves.
We then analyze the McAfee Secure and TrustGuard scans to determine which vulnerabilities are, and are not, being enumerated, and use this data to determine which new vulnerabilities are being scanned for since the prior scan(s). This delta is in turn used to attack newly failed sites first, in order to both reduce the attack footprint and maximize attack efficiency.
Finally, we will demonstrate Oizys, a seal harvesting tool that automates the process and essentially turns HackerSafe and Trust Guard into a near real-time alerting tool for hackers.