Hacker group defies U.S. law, defends exposing McAfee website vulnerabilities

Secretive YGN Ethical Hacker Group says its going to the "dark side" benefits IT security shops

By , Network World
March 30, 2011 11:31 AM ET

Network World - The hacker group that exposed holes in McAfee's website knows it's breaking U.S. law, but vows to continue exposing vulnerabilities, especially on security vendor websites.

"We do understand performing security testings without authorization is illegal under U.S. law," stated YGN Ethical Hacker Group, when contacted by Network World via e-mail. The outfit's own website describes YGN as a "small group of young but mature people" based in the country of Myanmar (Burma) who started working together about three years ago. Based on its website advertising, the group, which seeks to emphasize its goals are "ethical," appears to offer vulnerability-testing services while also working on security testing tools.

In response to a question about why it's so secretive, YGN says, "Secrecy is very important to us that our Burmese government might not call us up to misuse our skills to attack their most hated countries including U.S., Norway...etc."

YGN sought to explain its rationale for performing what it acknowledges is unlawful testing of McAfee's website for vulnerabilities: "As for the McAfee website case, we've been seeing security holes have been popping up every year since 2008, which proves they don't have secure coding standard and proper security audit of themselves, while they do have world-renowned experts. We actually didn't perform intensively security scans on its web sites. We knew its flaws just by looking at their publicly available HTML/JavaScript source codes. This implies that deep testing might find more issues."

McAfee, which offers its "McAfee Secure" branded scan service for daily website evaluation and has Foundstone vulnerability-testing tools, earlier this week responded to Network World, which reported YGN's findings in a public security-discussion forum. A McAfee spokesperson said, "McAfee is aware of these vulnerabilities and we are working to fix them. It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities." McAfee has so far not made further comment.

YGN indicates it may continue its campaign of performing vulnerability test scans on websites, particularly those of security vendors, because it feels this is the right thing to do: "As responsible netizens, we believe that YGN Ethical Hacker Group is liable to disclose security issues in high-profile web sites where thousands of users exist to rely on their security-related services/products. It is unethical by human conduct to sell security products/services while vendors don't care [about] fixing their issues."

YGN, which doesn't want to disclose the names of its members, said they want to "represent our country" and "to do security research to contribute to the security of users in [the] digital world."

YGN also participates in security research groups, including EvilFingers, which security analyst Shyaam Sundhar Rajamadam Srinivasan indicated he started with his wife in 2006. When asked about YGN, and whether doing vulnerability tests on websites without the owner's permission is wrong or illegal, Srinivasan is direct.
