When you can't trust your own company

The 'Net is just one hack away from disaster

Online security is tricky. That's such an understatement: I probably should have said "impossible." And not just impossible for run-of-the-mill organizations; we now know it's impossible for the companies that provide computer security products and services.

Consider McAfee, the enormous vendor of security products for everyone from small office/home office users through to enterprises, with a range that runs from anti-virus subsystems through to risk and compliance management software. The company offers products such as McAfee Email & Web Security Appliance, McAfee SaaS Web Protection, and McAfee Web Gateway. Given this lineup you'd think it would know a thing or two about Web site security.

Alas, McAfee's expertise was apparently lacking when it came to securing its own Web site. Last week the YGN Ethical Hacker Group, a group of ethical hackers based in Yangon, Burma (that seems about as odd as having vegetarian Eskimo butchers, but I digress), publicly announced that McAfee's website was vulnerable to serious cross-site scripting attacks and other risks.

When you visit a website with a cross-site scripting flaw, bad guys can make content from a third-party website appear to come from the site you're visiting. This allows the bad guys to conduct phishing attacks, try to load malware on your computer, and attempt other activities that will ruin your day. Or your week. Or your business.

This is serious stuff. Now you might be saying, "Ohhh, YGN could have given McAfee a chance to fix what must have been a simple oversight." Well, in fact, YGN did notify McAfee about the issues more than a month ago, yet the site still has problems! Obviously, these are not simple oversights.

Of course McAfee is not alone here, and you can find plenty of other security vendors guilty of similar problems. The trouble is that as each year passes the stakes get higher and more and more bad guys get into the act.

The most worrying security problem so far occurred on March 15, when Comodo, one of the biggest Internet certificate authorities, was reported to have been seriously compromised by an Iranian hacker.

A certificate authority is a service that issues digital certificates used to confirm that a website or service is, in fact, who it claims to be, so issuing a false certificate is a big deal. False website certificates make any transaction, whether it is buying a $0.99 track from iTunes or using your bank's online services, highly suspect and very unsafe.

And in this case, the hacker generated fake certificates not just for any old sites but for Yahoo, Windows Live, Skype, Gmail, and addons.mozilla.org!

The magnitude of this exploit is hard to overstate. If these fake credentials were in use on the Internet, the network of trust that underpins pretty much everything we do online would be wiped out and hackers could do digital damage on a global scale.

What I'm wondering is: how prepared is your organization? If these expert vendors of security products have trouble getting it right, what's going to happen if (and some might argue "when") they get it completely wrong? There's a good chance that some significant, central player in the online security market will get toasted one day soon, so what will you do when you can't trust, say, your bank? Or maybe not even your own company?

Gibbs can be trusted in Ventura, Calif. Your plans for disaster to backspin@gibbs.com.
