Trustwave is Untrustworthy

When it comes to IT security companies, what we see over and over is that they have little to no concern for security (and also often have little to no understanding of proper security practices). So it isn’t surprising that despite billions being spent on IT security, IT security continues to be in such poor shape. This leads to situations like the massive breach of Target’s systems last year. While that was big news, what didn’t get much attention was the company that declared Target compliant with the standards for handling credit card transactions shortly before the breach: Trustwave. Trustwave has a history of declaring companies compliant shortly before they suffer major breaches and of being lax in its assessments.

We recently spotted another example of Trustwave’s highly questionable practices. We were contacted about doing a migration of a Joomla-based website still running version 1.5, for which support ended in September 2012. While taking a look at the website, we noticed a seal for Trustwave Trusted Commerce:

[Image: Trustwave Trusted Commerce seal]

Considering that the website is running software that is no longer supported and therefore cannot be considered secure, we were curious to see if Trustwave was claiming it was secure. It would be quite easy for them to find that the website is running Joomla 1.5 if they wanted to, since the source code of every page on the website includes the following line:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

If you click on the seal you get this page:

[Image: Trustwave Trusted Commerce statement page]

At the top of the page Trustwave proclaims that “Your credit card and identity information are secure.”, which they shouldn’t be saying for a website that is running unsupported software.

As we looked closer we noticed the small-text disclaimer at the bottom of the page, where they say “Trustwave Holdings, Inc. makes no representation or warranty as to whether [redacted] systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised.” So despite saying “your credit card and identity information are secure”, they are basically telling you that they are not actually saying that at all.

It is highly inappropriate for them to mislead the public like they are doing with this seal, but unfortunately our experience is that this kind of thing is considered acceptable in the security industry.

How the “Get Safe Online” password checker fails users—badly

An educational website that bills itself as the UK's top source for "unbiased, factual and easy-to-understand information on online safety" isn't living up to its promise. Not only is the password strength meter for Get Safe Online completely unreliable, it also transmits user-supplied candidates in address URLs, where they are vulnerable to hackers and shoulder surfers alike.

The sole exhibit in making this case is the above screenshot, showing how the Get Safe Online password checker graded the choice "Julia1984." As Ars chronicled two years ago, the password will typically fall in the first minute or so of a standard offline cracking session, because it contains an extremely common name followed by four digits, in a futile attempt to add randomness. Even worse, the digits are the year many people were born, making it more likely to be chosen than other numbers. All of that makes "Julia1984" among the worst passwords a user can choose. Despite this, Get Safe Online rates it "exceptional" and even goes on to say: "Flex those pecs, you're a Password Strongman (or woman)!" The password checker became unavailable sometime after the screenshot was captured on Wednesday morning.
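To make the failure concrete, here is an added example (not code from Ars Technica or Get Safe Online) contrasting a charset-size meter of the kind such checkers use with a pattern-aware estimate for the "common name + four-digit year" shape described above. The names list, the year range and the rating thresholds are constructed for illustration.

```python
import math
import re

# Constructed stand-in for a frequency-ordered list of common first names.
# A real list holds thousands of entries; ranks here are illustrative only.
COMMON_NAMES = ["james", "mary", "john", "julia", "michael", "jessica"]
# Birth-year-like suffixes an attacker would try first (constructed range).
YEAR_RANGE = range(1900, 2025)


def naive_bits(pw: str) -> float:
    """Charset-size meter: length * log2(alphabet size). It only sees that
    'Julia1984' uses 62 possible symbols over 9 characters (~53 bits)."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"\d", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33
    return len(pw) * math.log2(charset) if charset else 0.0


def pattern_bits(pw: str) -> float:
    """Guess-count estimate for the 'name + 4-digit year' pattern; falls back
    to the naive figure when the password does not match that shape."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{4})", pw)
    if m:
        name, digits = m.group(1).lower(), int(m.group(2))
        if name in COMMON_NAMES and digits in YEAR_RANGE:
            # Attacker walks names in frequency order, pairing each with
            # every plausible year; an initial capital roughly doubles that.
            guesses = (COMMON_NAMES.index(name) + 1) * len(YEAR_RANGE)
            if pw[0].isupper():
                guesses *= 2
            return math.log2(guesses)
    return naive_bits(pw)


def rating(bits: float) -> str:
    """Constructed labels mirroring the meter's vocabulary."""
    if bits >= 50:
        return "exceptional"
    return "fair" if bits >= 28 else "weak"


if __name__ == "__main__":
    for pw in ("Julia1984", "xK9#pLq2vT"):
        print(pw, rating(naive_bits(pw)), rating(pattern_bits(pw)))
```

The naive meter rates "Julia1984" as "exceptional" while the pattern-aware estimate puts it around ten bits, which is why the grade shown in the screenshot is meaningless.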

In fairness, Get Safe Online isn't the only site that struggles to provide useful guidance about how susceptible a given password is to real-world cracking techniques. As Ars has reported in the past, similar services provided by both Intel and eBay have similar flaws. People who want to evaluate the strength of a password should rely on the advice provided by a reputable password manager such as 1Password or LastPass. In addition to being unreliable, online password checkers may also harvest passwords behind the scenes, making them unsuitable unless users have the skills needed to closely scrutinize the way the service works.


OWASP NINJA-PingU – High Performance Large Scale Network Scanner

NINJA-PingU (NINJA-PingU Is Not Just A Ping Utility) is a free open-source high performance network scanner tool for large scale analysis. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin integration. Essentially it’s a high performance, large scale network scanner, the likes of...
