Wednesday, December 3, 2014

Yet More Trouble in Toyland

The spasm of Point-of-Sale exploits this year and last (Target, Home Depot, Subway, Dairy Queen, Jimmy John's, and recently even car parking and washing facilities, etc.) has been enough to do some damage to consumer confidence.

Though these were Point-of-Sale issues, they were network attacks. So if any consumer was frustrated enough to decide that it was probably just as safe doing their holiday shopping online... Oops. And now we have more evidence, if any were needed, that those security seals commonly seen on eCommerce web sites offer less surety than a shopper might be led to expect. In some cases, they can even assist an attacker.

The paper is Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals
Tom Van Goethem, Frank Piessens, Wouter Joosen, Nick Nikiforakis
in Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS 2014). 

It is available to the public at It's only eight pages, a nice piece of work, and one example (see page 6) is jaw-droppingly funny. Which is good, because the news is pretty grim, and you will need your sense of humor.

Give it a read. If you are a consumer, quit trusting security seals on Web sites, to whatever extent that you ever did. If you are a site operator, be advised that you may not be getting what you thought you were paying for, if these scans were intended as a component of continuous audit.
Here's the abstract.
In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure, can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem, where a trusted external company vouches for the security of a website, and communicates it to visitors through a security seal which the certified website can embed in its pages.
In this paper, we explore the ecosystem of third-party security seals focusing on their security claims, in an attempt to quantify the difference between the advertised guarantees of security seals, and reality. Through a series of automated and manual experiments, we discover a real lack of thoroughness from the side of the seal providers, which results in obviously insecure websites being certified as secure. Next to the incomplete protection, we demonstrate how malware can trivially evade detection by seal providers and detail a series of attacks that are actually facilitated by seal providers. Among other things, we show how seals can give more credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities.
The paper also notes that it would be trivial for a shady shopping site operator to dodge the scans these vendors perform, either to outright save themselves mitigation expense, or to give themselves a longer grace period, while still presenting the seal to the public.

No comments:

Post a Comment

Comments on posts older than 60 days go into a moderation queue. It keeps out a lot of blog spam.

I really want to be quick about approving real comments in the moderation queue. When I think I won't manage that, I will turn moderation off, and sweep up the mess as soon as possible.

If you find comments that look like blog spam, they likely are. As always, be careful of what you click on. I may have had moderation off, and not yet swept up the mess.