Hacker Safe... Are you joking me?

Status
Not open for further replies.

bubbles

Domainers...
Apr 11, 2007
I was browsing the forums today and noticed that wickedfire now sports the hackersafe button at the bottom of the index page... Protecting all of us from 99.9% of hackers.

In case you don't know, companies like these are a huge joke. They scan mostly for vulnerabilities that have to do with outdated Apache versions and similar stuff. They do NOT protect against XSS at all, which in my opinion is the greatest web application security threat today.

They charge huge monthly fees and don't even provide real protection.

Who cares if they prevent 99.9% of hacker attacks (which they don't), if I can get in through the .1% then the whole system isn't secure.

A while back a bunch of guys on sla.ckers.org found TONS of XSS vulnerabilities in "HackerSafe" protected sites.

sla.ckers.org web application security forum :: Full Disclosure :: Hacker safe!

HackerSafe even failed to protect wickedfire:
NEOHAPSIS - Peace of Mind Through Integrity and Insight
WickedFire Admin CP XSS #1
WickedFire Admin CP XSS #2

I found that on the first page of Google searching for "XSS in vbulletin 3.6.4". I wasn't able to test it since the code has to be executed by an admin, but I'm fairly certain it works. Even if it doesn't, there are many, many more XSS flaws for vbulletin that come out with each new release.


So can we take them off? </rant>
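An added illustration of the point made in the post above, not code from the thread or from any of the vendors or forums named in it: a scanner that only reads the web server's banner never sees the page body, so it cannot notice that an application reflects user input as live markup. The snippet contrasts a concatenated template with one that entity-encodes the untrusted value, and runs an application-layer check against both. The probe string, response headers and version threshold are all constructed for the example.

```python
import html
import re

# Constructed sample: a profile field value as a user might submit it.
# A textbook XSS probe, used here only to exercise the escaping logic.
PROBE = '<script>alert(1)</script>'

def render_unsafe(display_name: str) -> str:
    """Builds the HTML by string concatenation; whatever the user typed
    lands in the page as live markup. This is the vulnerable pattern."""
    return "<p>Welcome back, " + display_name + "</p>"

def render_safe(display_name: str) -> str:
    """Same page, but the untrusted value is entity-encoded for the
    element-body context before insertion. quote=True also encodes
    quotes, so the same helper is safe inside a double-quoted attribute."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")

def contains_live_markup(rendered: str, template_tags=("p",)) -> bool:
    """Reports whether the rendered output contains any tag other than the
    ones the template itself emits. This is the kind of check that has to
    run at the application layer, against real responses, to find XSS."""
    for m in TAG_RE.finditer(rendered):
        name = NAME_RE.match(m.group(0)).group(1).lower()
        if name not in template_tags:
            return True
    return False

def banner_scan(headers: dict) -> str:
    """Stand-in for a network-level banner check: looks only at the Server
    header version string. It never inspects a page body, so it cannot
    notice that render_unsafe() reflected the probe."""
    server = headers.get("Server", "")
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server)
    # Constructed threshold for the demo, not taken from any real advisory.
    if m and tuple(int(x) for x in m.groups()) < (2, 2, 0):
        return "FAIL: outdated Apache"
    return "PASS"

# Constructed response headers for a host whose banner looks current.
HEADERS = {"Server": "Apache/2.2.4 (Unix)", "Content-Type": "text/html"}

if __name__ == "__main__":
    print(banner_scan(HEADERS))                        # PASS
    print(contains_live_markup(render_unsafe(PROBE)))  # True
    print(contains_live_markup(render_safe(PROBE)))    # False
    print(render_safe(PROBE))
```

The banner check passes the same host on which the concatenated template still reflects the probe; only the body-level check tells the two templates apart. Contextual output encoding (here `html.escape` for an element body or quoted attribute) is the fix the scanner cannot supply.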
 


I'm actually waiting for one of my competitors running vB 3.6.4 to log in as admin so I can run my own XSS. I have a funnel waiting until he does which will launch the XSS by itself and notify me after it causes the damage e.g. dropping all tables. The only problem is that the forum is run like a bureaucracy and the admin almost never gets on, sipping coronas on St. Martins while the 30 mods dish it out.

I made the injection funnel myself but I'd say 3.6.4 is the last real security threat. If you don't want to update, just keep Admin as citizen 1 and give yourself, user 2, smod rights to everything. No injection funnels scan for smods with privileges. Outside of a few big functions e.g. updating (which is where most injectors want to nab admins), you never need to log onto Admin.

Of course 3.6.4 users should install the patch and it's easy to tell what forums have the patch installed without waiting for Admin to log on.
 
ScanAlert fees are ridic but ever since I added the button on my order page, conversions have been up almost 5%.
 
And I can see adding a button like that for conversions... But it doesn't have to be ScanAlert. I bet you could make your own HackerSafe type button yourself and it would be just as effective. Save yourself some money in the process.
 
I am in a group where the affiliate manager did just that. And it works. The only people that use that button are on his affiliate program. Hehe
 