During tests this weekend, we discovered the company who claims to "keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams," has several cross-site scripting (XSS) vulnerabilities and provides the bad guys with a brilliant - albeit ironic - launching pad from which to unleash their attacks.

It can't get much worse than this. This is not "yet another embarrassing incident on the Web;" not by a long shot.

Lance James, co-founder of Secure Science Corporation and author of Phishing Exposed, noted that when a criminal locates an XSS vulnerability within a well-known Anti-Virus site, it only makes the attack more effective. "It generates misplaced trust (being that computer users trust AV companies) and is paradise for miscreants involved in Scareware (Rogue Anti-Virus) distribution, as they can infect a legit copy of MacAfee's product and distribute it under their name." James said. "A win for the bad guys through the power of branding; a major loss of trust for McAfee," he added.

Not only do security vulnerabilities harm a company's brand, they can also ultimately harm its bottom line, particularly when the company in point has made millions from the software it produces to protect you online; this will surely injure the McAfee brand.

It all began when we came across a post that described some of the issues facing McAfee. Very quickly, we realized the potential for phishing on one of McAfee's sites, the McAfee Rebate Center, which allows you to inject HTML code into one of the fields it provides on its site.

If you've never seen an HTML injection in action, try this out, it's an interesting experiment.

How To: HTML Injection

1. Go to the McAfee Rebate Center
2. Click on Get Rebate
3. Include this line of code into the 'Date Purchased' field:
   
4. Click on continue

This is a very basic redirect that will take you to ReadWriteWeb.

And voila - you've just effected your first HTML injection.

Although our example is extremely simple; a no-brainer for clever coders, it illustrates a significant and more sinister point: McAfee is clearly vulnerable to XSS attacks. Much like the recent Mikeey worm on Twitter, this XSS issue is a result of poor output filtering. And while Twitter can be forgiven for not laying down the correct foundation in the beginning, the same cannot be said of McAfee, which has built its entire business around its knowledge and expertise in the field of information security.

McAfee Secure May be Providing Incorrect Information to Users

And it gets worse. McAfee has a product called McAfee Secure which helps corporations determine whether their sites are open to malicious attack. The way it works is that sites participating in the McAfee Secure program are checked daily, and if they pass muster, they receive a McAfee Secure badge which is branded with the day of testing.

Unfortunately, it appears McAfee either doesn't run McAfee Secure across all of its sites, or if it does, the product is missing the bleeding obvious.

From the https, to the McAfee domain, this phish site that James created even includes a valid and dated McAfee Secure certificate.

To demonstrate how easily the exploit can be used, James created a phishing site to give ReadWriteWeb readers a real-time example. Go ahead, follow this link, and click on the "add to cart" button (we promise it won't hurt you).

What you are seeing is a cross-site scripting exploit in action. "Imagine," James said, "just how easy it would be to exploit home computers with Trojans that cause harm or steal information." A phishing site, like the one he created, could easily ask you to click a link for more information. "Or," he said, "imagine the e-mail: 'you're eligible for a McAfee rebate on your products, just click here!'" "Basically, the main use I see it for is to spread malware as McAfee."

What he's describing is ominous. The bad guys can create a modified version of a McAfee product or a bogus McAfee update that installs a Trojan, or whatever they like, and it arrives on your home machine, special delivery. You'd never know.

In creating the fake site, James points out that he didn't need to spoof the McAfee Secure logo. "We're using their certificate to validate our attack," he said.

Go ahead. Look up at the URL on the phishing site. See that https://?

Secure right?

Note: We've created a screencast (embedded below) of the redirection exploit for when McAfee fixes this; we hope it's soon.

Update May 5, 2009

It appears the vulnerability on McAfee's rebate site has been fixed; however, the test phishing site is still going strong. James gave us an update: My assumption is that remote referrers are blocking it based on firewall rules but a refresh locally shows it's still vulnerable. An attacker can simply do a meta refresh to redirect to it since that scrubs referrers.

Currently, national information security responsibilities are divided between the Department of Homeland Security, the Department of Defense, and the National Security Agency. The new National Office for Cyberspace would involve cooperation between all these agencies as well as from the private sector. Potential costs of the new office and related initiatives are as yet unknown.

Areas of federal concern span government agencies and private enterprise, from ISPs to oil and power companies.

Alexander Howard, associate editor of SearchCompliance.com at TechTarget, cited the Joint Strike Fighters Program attack as an example of national susceptibility.

"National security organizations are aware of the risk to our infrastructure," he said, "and our defense is currently not well coordinated."

Both Howard and Gourley named Russia and China as having coordinated cyber espionage efforts and the ability to launch attacks with the potential for costly results. And no one is overlooking the possibility of attack from extranational terrorist groups.

So, How Much Is This Going to Cost?

Will the government subsidize any information security measure in the private sector? Howard said, "It's not clear who is going to get how much of the budget, but the lack of security is costing us all as it is."

By way of example, Howard noted that 10 million people had their identities stolen in 2008; he continued that such measures can be thought of as preventative health care for information security.

Fortunately, there are relatively inexpensive steps private organizations can take to improve their security; Gourley hopes Common Audit Guideline compliance will be part of new security measures.

He also cited cloud computing and open-source software as being "less expensive and more secure" and cited certain commercially available processors as having "capabilities that information security professionals have dreamed about for years."

The Big Brother Question

Although the creation of a national information security office will mean more regulation, oversight, and filtering of Internet traffic, Howard said, "There is a palpable feeling of excitement about national cyber defense."

So, Who's the Lucky Fella... Or Lady?

Gourley imagines the position will call for "an information security superstar... with the national stature of a Colin Powell, someone who can really get things done."

Howard raises the point that the need for top-level security clearance might necessitate a candidate from inside the intelligence community.

The ICE Act will be presented before the Senate tomorrow; full text of the Act should be available through the Library of Congress' THOMAS page or through Sen. Carper's site.