
Thread: We're Hacked... But it's a secret....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    We're Hacked... But it's a secret....

    Source

    As Advertised on AO's main page right now.....

    Let's think about this.... The product hides the fact that the content is compromised.... Why would you purchase such a system?

    1. You are incompetent and you know it?
    2. When you think you might have been compromised you check your site in your browser because that's the only way you know how - but you'll be lied to.... but it doesn't matter.... It looks good?
    3. You hold customer confidential information and you don't want to deal with the lawsuits?
    4. Etc. etc. etc.....

    C'mon.... IMO, this is crap... I'm unsure why a "security" site would even accept this kind of advert.... What are JupM saying about the quality of their own site? Don't worry about security - now you can hide your inadequate admin's work from the world. The most laughable thing is, and I quote from their site....

    Hackers have proven they can gain access to even the best protected corporate and government web servers. Conventional security solutions were designed to detect and prevent attacks from trespassing across the organization's network perimeter; but they do not offer a remedy in case the attack was originated from within the perimeter. Nor do they limit the public damage if and when hackers get in – a highly probable event.

    In response, BreachGate Sitegrity offers a solution that fills in this dangerous gap by controlling and securing the data as it leaves the organizations' application and perimeter.
    They freely admit that they lie about the compromise to the users of their customers' sites..... I'll be telling my bank that if they purchase this crap I want to know.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    I don't think this would pass muster in California. It kinda boggles the mind that someone thinks it is better to set up a duplicate of the web content and install this filter system to check the authenticity of the data, in case you get hacked.

    Hey, Tiger, maybe this is the current version of the old Vietnam "plausible deniability" thing. Whaddaya think? Pay no attention to the man behind the curtain.

    If the system gets hacked or defaced, and data gets damaged, don't you think it could happen to the duplicate system, too? If your core system is potentially that vulnerable, what confidence is there in the duplicate data? Don't see the logic.

    As for Jupitermedia Corp., they are just in it for the bottom line. That was a paying advertiser.

  3. #3
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I'll admit the advert sucks, but I think this is targeted at web based businesses who make a living off their traffic and content, but who are not entirely responsible for the security of some of the content they receive and distribute. How do you know if your content is being poisoned up the stream? The idea is to not pass on the pollution to your clients (in a networking and business sense), which may not be such a bad idea since we are seeing more exploits using compromised servers to distribute malware to clients. This merely verifies content you are distributing based on a digital signature before passing it, otherwise replaces it with a 'known good' copy. This might have helped someone like the UK's The Register in this recent attack on FALK's load balancers. Business is Business, how do you make sure this doesn't happen?

    -Maestr0



    EDIT: Some of you may remember a similar attack on *gasp* SecurityFocus by Fluffi Bunni.
    http://www.securityfocus.com/news/4320
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  4. #4
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Kind of like a home security system that only checks the integrity of the people that LEAVE the house......interesting concept, duh.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes, it's a bit like those online backup facilities in a way?

    But this bit is quite true:

    Hackers have proven they can gain access to even the best protected corporate and government web servers
    I most certainly have, and been paid for it.............I did need MoD, DoD and NATO security clearance though

  6. #6
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Interesting concept...especially considering that if your customer information is held inside a database and all the hacker's trying to do is STEAL the information, then it wouldn't matter about what's "shown". The best hacker leaves behind no definable trace that he was there, that nothing was blatantly deleted in a show of skiddy-ism, and that there's a few backdoors to ensure his return.

    If the hacker is to steal your information and use it at his whim, then there's nothing you can do about it and this product completely fails in that arena. I mean, based on their claim of signature-based authentication for HTML/GIF/JPG files, how're you going to validate PHP-driven content, especially if it's database-retrieved? Their product only works upon defaced website and the like, not when you're dealing with altered database schemas and the like, if I read it correctly. Good concept, but horribly executed and definitely not something I'd EVER support.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    228
    Shouldn't it be running along with all the other security measures?
    Don't post if you've got nothing constructive to say. Flooding is annoying

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Bravo nightcat. The only person who can look at the usefulness of this kind of application. This is not the first company to push this type of product, and they won't be the last.. I think it is a great way to insure that the proper data is presented to the end user.

    Look at it this way.. Your main page is hacked and you get an alarm telling you it has been changed, and it will take about 30-45 minutes for the alarm to get generated, for you to login and switch it back.. Meanwhile the hole is still in your system and the attacker is still changing other sites.. But you know what? For your end users reading whatever you are publishing everything still looks the same and you have not incurred any downtime on your internet portal. This software combined with a good security plan and practices is a great way to insure high availability of content on a web site.

    It has nothing to do with not disclosing to the end user that you were hacked... You can always publish that somewhere else. No law in the world says you have to leave a hacked webpage up so that your users can see that the site was hacked. You just have to notify a user if there is reasonable belief that their private information was hacked. How does the main page or a news article apply to that law??? It doesn't. This is more for static content, not dynamic content such as user information. This is for places such as cnn.com or msn.com where they can make sure that the article people are reading is the article that they signed and approved.


    If the hacker is to steal your information and use it at his whim, then there's nothing you can do about it and this product completely fails in that arena. I mean, based on their claim of signature-based authentication for HTML/GIF/JPG files, how're you going to validate PHP-driven content, especially if it's database-retrieved? Their product only works upon defaced website and the like, not when you're dealing with altered database schemas and the like, if I read it correctly. Good concept, but horribly executed and definitely not something I'd EVER support.
    It's not intended to protect dynamic data such as that coming from a database or PHP scripts. It is for published static data where there is a limited number of authorized publishers and the data does not change frequently. I can think of a ton of uses for this type of product. State government publishing laws and minutes from meetings, universities publishing scientific studies, authors publishing works of fiction/nonfiction, etc... You can't say that this product sucks because it won't secure dynamic data because it isn't intended to. That is like saying that MS Exchange sucks as a network management tool.
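
The mechanism described in posts #3 and #8 (verify static content on the way out, substitute a known-good copy on mismatch, raise an alarm), as an added example that is not part of any post in this thread and is not the vendor's code. HMAC-SHA256 stands in for the product's digital signature; `EgressGate`, `SIGNING_KEY`, the paths and the page bodies are all hypothetical.

```python
import hashlib
import hmac

# Assumption: the key lives with the publisher, not on the web server.
SIGNING_KEY = b"constructed-demo-key"


def sign(body):
    """HMAC-SHA256 tag, standing in for the product's digital signature."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


class EgressGate:
    """Hypothetical outbound filter: verify static content before it leaves."""

    def __init__(self, approved):
        # Known-good copies and their tags, recorded at publish time.
        self.known_good = dict(approved)
        self.manifest = {path: sign(body) for path, body in approved.items()}
        self.alerts = []  # what the admin must see, whatever visitors see

    def serve(self, path, live_body):
        expected = self.manifest.get(path)
        if expected is None:
            # Dynamic or never-signed content: nothing to compare against.
            self.alerts.append((path, "unsigned"))
            return live_body, "unverified"
        if hmac.compare_digest(expected, sign(live_body)):
            return live_body, "verified"
        # Mismatch: visitors get the approved copy, the admin gets an alert.
        self.alerts.append((path, "tampered"))
        return self.known_good[path], "replaced"


def demo():
    # Constructed sample content, not taken from any real site.
    gate = EgressGate({"/index.html": b"<h1>Welcome</h1>"})
    results = [
        gate.serve("/index.html", b"<h1>Welcome</h1>"),
        gate.serve("/index.html", b"<h1>defaced</h1>"),
        gate.serve("/account.php", b"balance: 100"),
    ]
    return results, gate.alerts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The `alerts` list is the record the operator acts on while visitors keep seeing the approved page; the `unsigned` case is the dynamic-content limit raised in post #6.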

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    mohaughn:

    And what percentage of the installed base this company has do you think will use it in the utopian manner you describe?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    By the busload:
