McAfeee Secure (nee ScanAlert) and other “trust mark” vendors are site security “certification” tools designed to assist e-commerce websites in creating a sense of consumer confidence in the security of the website they are visiting. To accomplish this, they run a daily scan of the site, and if the scan turns up no serious issues, a symbol is displayed on the website, letting the site visitor know the site has been scanned and is “compliant”.

Unfortunately, McAfee Secure (and every other security seal vendor) suffer from the same critical issues that allow attackers to use their tools as a one stop shop for network reconnaissance and turn the tools from a defensive tool into the ultimate attack tool.

In this presentation we will illustrate the ease with which an attacker can enumerate all the sites protected by the various services, using simple SEO crawls and OCR to defeat graphic-based providers, and use the collected information to reveal vulnerable sites without sending a single packet to the sites themselves.

We then analyze the McAfee Secure and TrustGuard scans to determine which vulnerabilities are, and are not being enumerated, and by using this data determine what new vulnerabilities are being scanned for since the prior scan(s). This delta in turn is used to attack newly failed sites first in order to both reduce the attack footprint, and maximize attack efficiency.

Finally, we will demonstrate Oizys, a seal harvesting tool, which automates the process and essentially turns HackerSafe and Trust Guard into a near realtime alerting tool for hackers.

Jay James / Shane MacDougall

Jay James is a principal partner at Tactical Intelligence Inc, and is a recovering system administrator and an outspoken critic of the IT audit and compliance procedure. His presentations last year at BSidesLV and ToorCon resulted in an unceremonious firing from LPL Financial because of the subversive subject matter (how IT audit sucks). He was barred by his new employer from presenting this talk at BSidesLV – so he is looking forward to a chance to actually speak on this topic in Kentucky.

Shane MacDougall is a principal partner at Tactical Intelligence Inc, and has been active in the computer security industry since 1989. He has been an associate editor of PenTest Magazine, and has presented at BlackHat EU, BSidesLV, ToorCon, and LASCON. He holds two Defcon Black Badges for winning the Defcon 19 and 20 Social Engineering CTF competitions.
 

Back to Derbycon 2012 video list