These days it's tough to find an online merchant that doesn't display either a McAfee Secure or Trust Guard logo somewhere. The marks indicate that the websites undergo rigorous daily security scans. We consumers are then meant to feel safe to shop away in confidence that our credit card details won't end up in the wrong hands. Now, a pair of security consultants is arguing that the programs may inadvertently place websites at greater risk.
The problem isn't McAfee or Trust Guard per se.
Rather, it's the ability of nefarious types to discover whether a site has had its security seal revoked, information that's provided in "almost real-time." Shane MacDougall, a security researcher at Tactical Intelligence, told Ars Technica:
It's basically McAfee, Trust Guard, and all these other guys raising the flag, saying, 'Hey guys, these sites are vulnerable to attack. Go after them.' They all suffer from this fatal design flaw, which is you're raising a flag over your castle and you're pulling the flag down when you're vulnerable to attack. Who in their right mind would do that?
A site can lose its security seal for several reasons. It may simply be that it was inaccessible for an extended period of time or that someone forgot to pay a bill. Or, it could be that the site failed a security test. Obviously, for this to become a security concern, there would need to be a centralized location where people could access such information; simply monitoring sites until they have their seal revoked isn't a productive use of anyone's time. That's where MacDougall and colleague Jay James come in. At last month's DerbyCon security conference in Louisville, Ky., MacDougall and James lifted the lid on Oizys, a tool that automatically populates a list of websites that have recently had their security seals removed. Oizys works by parsing the sites, looking for the transparent 1x1 pixel image that is used to replace the seal when it's revoked. In the event that domain names are obscured, Oizys uses optical character recognition to pull the name from a corresponding business card.
The flaw presents an interesting conundrum for the folks at McAfee and Trust Guard. Pulling certification as soon as a scan fails places the site in question at enormous risk, but giving the site operator time to address security concerns raises the possibility that a breach could occur while the seal is still on the site, harming the seal provider's reputation. I am reminded of a tour that I took of a U.S. Embassy when I was about 12 years old. Our guide was the Marine Corps lieutenant colonel in charge of security. Someone asked what measures they had in place in the event that someone came over the walls. His answer was politely abrupt: "Sorry, we can't talk about that." The implication was that in the world of physical security, discussing your countermeasures allows potential enemies to plan their way around them. The time seems to have come to adopt a similar approach to virtual security.