
These days it's tough to find an online merchant that doesn't display either a McAfee Secure or Trust Guard logo somewhere. The marks indicate that the websites undergo rigorous daily security scans. We consumers are then meant to feel safe to shop away in confidence that our credit card details won't end up in the wrong hands. Now, a pair of security consultants is arguing that the programs may inadvertently place websites at greater risk.
Unintended Consequences
The problem isn't McAfee or Trust Guard per se. Rather, it's the ability of nefarious types to discover whether a site has had its security seal revoked, information that's provided in "almost real-time." Shane MacDougall, a security researcher at Tactical Intelligence, told Ars Technica:

"It's basically McAfee, Trust Guard, and all these other guys raising the flag, saying, 'Hey guys, these sites are vulnerable to attack. Go after them.' They all suffer from this fatal design flaw, which is you're raising a flag over your castle and you're pulling the flag down when you're vulnerable to attack. Who in their right mind would do that?"

A site can lose its security seal for several reasons. It may simply be that it was inaccessible for an extended period of time or that someone forgot to pay a bill. Or, it could be that the site failed a security test. Obviously, for this to become a security concern, there would need to be a centralized location where people could access such information; simply monitoring sites until they have their seal revoked isn't a productive use of one's time.

That's where MacDougall and colleague Jay James come in. At last month's DerbyCon security conference in Louisville, Ky., MacDougall and James lifted the lid on Oizys, a tool that automatically populates a list of websites that have recently had their security seals removed. Oizys works by parsing the sites, looking for a transparent 1x1 pixel image that's used to replace the seal when it's revoked. In the event that domain names are obscured, Oizys uses optical character recognition to pull the name from a corresponding business card.
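The practical lesson for a site operator is that a revoked seal is visible to anyone who looks, so you want to notice the swap at least as fast as an automated scanner would. The following is an added example, not code from the article or from Oizys: it checks a page's own seal slot for the 1x1 placeholder described above, reading the real image header rather than trusting HTML attributes. The vendor hostname, the HTML and the image bytes are constructed for the demonstration.

```python
"""Defender-side check: has the trust seal on our own page been replaced by a
1x1 transparent placeholder?  Added example; vendor URL and samples are made up."""
import struct
from html.parser import HTMLParser

class _SealImages(HTMLParser):
    """Collect attributes of every <img> whose src points at the seal vendor."""
    def __init__(self, vendor_hint):
        super().__init__()
        self.vendor_hint, self.images = vendor_hint.lower(), []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and self.vendor_hint in (a.get("src") or "").lower():
            self.images.append(a)

def image_dimensions(data):
    """(width, height) from a PNG or GIF header, or None. Only the first
    bytes are inspected, so a partial download is enough."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return struct.unpack("<HH", data[6:10])
    return None

def seal_revoked(html, vendor_hint, fetch):
    """True if any vendor seal <img> is a 1x1 pixel, either declared inline or
    as the actual image. `fetch(src)` returns the bytes (injected: runs offline)."""
    parser = _SealImages(vendor_hint)
    parser.feed(html)
    one = lambda v: (v or "").strip().rstrip("px") == "1"
    for img in parser.images:
        if one(img.get("width")) and one(img.get("height")):
            return True
        if image_dimensions(fetch(img["src"])) == (1, 1):
            return True
    return False

# Constructed samples: the classic 43-byte transparent GIF, and a PNG header
# for an ordinary badge-sized seal (hypothetical vendor host).
TRANSPARENT_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                   b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
                   b"\x00\x02\x02D\x01\x00;")
SEAL_PNG_HEADER = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + struct.pack(">II", 115, 54)
IMAGES = {"https://seal.example-vendor.test/badge.png": SEAL_PNG_HEADER,
          "https://seal.example-vendor.test/clear.gif": TRANSPARENT_GIF}
PAGE_OK = '<html><body><img src="https://seal.example-vendor.test/badge.png" alt="Secure"></body></html>'
PAGE_REVOKED = '<html><body><img src="https://seal.example-vendor.test/clear.gif"></body></html>'

def check_samples():
    """Run the check over both constructed pages: (intact, revoked)."""
    fetch = lambda src: IMAGES[src]
    return (seal_revoked(PAGE_OK, "example-vendor", fetch),
            seal_revoked(PAGE_REVOKED, "example-vendor", fetch))
```

Run on a schedule against your own storefront with a real `fetch`, a True result is the signal to pay the bill, fix the failed check, or pull the seal markup entirely before the exposure window is noticed elsewhere.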