6Scan Breaks Stealth with its Proactive Website Security Startup
Interview with 6Scan founders Nitzan Miron and Yaron Tal.
6Scan Auto-Fix Feature
6Scan suite empowers itself to scan your code, and alter it as well.
6Scan Terms of Service
6Scan disclaims any responsibility for inaccuracy, errors, or loss of data. Will not guarantee non-infringement of intellectual property rights.
On August 27, 2013 my web host emailed me to say my website had been scanned by a new software company called 6Scan, with this result:
“Your sites are currently free from vulnerable and malicious code.”
“Your sites were not currently found on any search engine blacklist.”
Of course, I am a white-hat designer, but still I was stunned. What is 6Scan? No test was authorized by me. The test proceeded in stealth mode, apparently the stock-in-trade of the 6Scan founders.
My sites passed the test. Still, I was flummoxed that an unknown, untested startup company should be given full – in fact any – access to my code without my prior knowledge or consent.
6Scan founders Nitzan Miron and Yaron Tal say they both worked for the Israeli Defence Force in a branch informally known as the ‘Israeli NSA.’ Their new company 6Scan has an edict to ‘especially target SQL databases.’
This may mean nothing; or a lot.
My web host set this company loose to roll through our websites and databases, yet our hosting package never mentioned or sought permission for such intrusion.
6Scan asks customers to place on their webpages a security seal bearing the company name and logo. But that would provide a blatant free advertisement for 6Scan. Tuum Est feels it would be appropriate to affix the seal only if we were paid for the advertising space.
6Scan Targets Web Hosting Channel reveals: The model for partnering with hosting providers is a direct revenue share, where the web host receives 40 percent of the monthly fee. 6Scan has three pricing plans: Basic for $9.99/month, Professional for $29.99/month, and Enterprise for $49.99/month.
To list a few concerns: What if the 6Scan company has a hidden agenda? We would never know until it is too late. Even if the agenda is legitimate, what happens if errors or bugs exist in their software? Why should we be subject to unknown risks?
The 6Scan company especially targets SQL databases. My own website is educational, and does not have a database. But many sites do. Search engines such as Bing, Google, and Yahoo all make a firm point of respecting the Robots Exclusion Protocol which prevents search bots from indexing any page that carries the ‘no-index’ command. There are good reasons why some pages should not be broadly accessible. This is especially true for databases. For example:
6Scan founders Nitzan Miron and Yaron Tal say: “Until now, 6Scan was in a very quiet, stealth mode while it put final touches on two security products called Patrol and Bodyguard. The two products work in conjunction. Patrol scans for threats constantly, then calls in Bodyguard to automatically fix the problem.” Bodyguard is an automatic repair agent that sits installed on the customer's system. Make no mistake: 6Scan not only reads your code, it can alter it as well.
Some background appears in 6Scan Breaks Stealth with its Proactive Website Security Startup:
Anyone who contemplates involvement with 6Scan should read their Terms of Service. Three paragraphs are quoted verbatim below. Vague, convoluted language – deliberate obfuscation – surrounds any mention of customer rights. The goal is to gain wriggle-room if the company is ever challenged by a complaint.
In the Terms of Service, clarity emerges only when the company disclaims responsibility. For example, 6Scan refuses any liability for accuracy, errors, or loss of data. Founders Nitzan Miron and Yaron Tal expressly will not guarantee non-infringement of intellectual property rights.
Excerpt from ‘6Scan Terms of Service’
(points numbered 3 to 5)
Stuxnet is a computer worm devised to decimate Iran's nuclear facility. Edward Snowden confirmed the worm was conceived by the NSA and co-written by Israel.
Stuxnet was to cause sporadic damage while sowing confusion among Iranian scientists about the cause of mishaps at the nuclear plant. Iran was meant to believe its engineers were incapable of running an enrichment facility. If wholesale destruction occurred right away, scientists could pinpoint the cause and rule out incompetence. The plan therefore was to string it out. Stuxnet was a weapon against morale.
But Stuxnet did not do a marksman's job. A programming error in the worm allowed it to escape Iran's nuclear facility. It popped up in Indonesia, India, Pakistan, America, and other countries. Soon Stuxnet was common knowledge.
Flame is a worm designed to secretly map and monitor Iran's computer networks, sending back a steady stream of intelligence to prepare for a sustained cyberwarfare campaign. But this worm, too, exceeded its bounds.
Flame masqueraded as a routine Microsoft update. Flame then replicated across even highly secure networks, and took control of routine computer functions to send data back to its creator. The worm could activate computer microphones and cameras, log keystrokes, take screenshots, extract geolocation data from images, and send and receive commands and data through Bluetooth wireless technology. The media cried foul.
Tuum Est - It Is Up To You
The internet has become the equivalent of an electronic shopping mall for identity thieves.
Frank W. Abagnale
The Art of the Steal
The first mode is virtual patching. This doesn't modify a website, but instead intercepts user requests and modifies them to prevent a known vulnerability from being exploited.
The second mode calls on the Bodyguard repair agent. This is a script installed on your web server. It can and does alter a website's original pages and files.
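As an added illustration of the difference between the two modes (example code written here, not 6Scan's own Patrol or Bodyguard), this Python sketch implements mode one: a virtual patch that strips a request parameter failing a per-page allow-list before the request reaches the site, while the files on disk, stood in for by a constructed dict, stay byte-for-byte unchanged. The vulnerable page, the parameter and the rules are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Added illustration of "mode one" (virtual patching): the request is rewritten
# on its way in, and the site's own files are never touched. The page, the
# parameter and the rules below are hypothetical, not 6Scan's.

# Constructed "known vulnerability": /search.php is assumed to pass the `q`
# parameter straight into an SQL query. The virtual patch is an allow-list per
# parameter; a value outside it is removed from the request.
KNOWN_VULNS = {
    "/search.php": {"q": re.compile(r"^[\w\s\-]{0,64}$")},
}

# Constructed stand-in for the files on disk, so a caller can prove that
# virtual patching leaves them unchanged (mode two would edit them instead).
SITE_FILES = {
    "/search.php": "<?php $q = $_GET['q']; /* interpolated into SQL */ ?>",
}
_SNAPSHOT = dict(SITE_FILES)


def virtual_patch(path, query_string):
    """Intercept one request. Returns (rewritten_query, dropped_params).

    Parameters that violate a rule for this path are stripped; everything
    else, including paths with no known vulnerability, passes unchanged.
    """
    rules = KNOWN_VULNS.get(path)
    if not rules:
        return query_string, []
    kept, dropped = [], []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        pattern = rules.get(name)
        if pattern is not None and not pattern.fullmatch(value):
            dropped.append(name)  # neutralise the parameter, keep the rest
            continue
        kept.append((name, value))
    return urlencode(kept), dropped


def site_untouched():
    """True while no file content has been altered (mode one never does)."""
    return SITE_FILES == _SNAPSHOT


if __name__ == "__main__":
    # Constructed probe request carrying a quote and an SQL comment marker.
    print(virtual_patch("/search.php", "q=%27+OR+1%3D1--&page=2"))
    print(site_untouched())
```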
Iranian President Mahmoud Ahmadinejad walks in the center of the visiting group.
The banks of tall metal cylinders are gas centrifuges, designed to enrich uranium.
Inside each centrifuge is an aluminum rotor which spins uranium gas, to gradually separate and collect the rare isotope uranium-235, while discarding uranium-238.
Uranium-235 comprises 0.7% of natural uranium. Unlike other isotopes, it can sustain a fission chain reaction. It can therefore fuel reactors and bombs.
The computer worm Stuxnet was created by America and Israel in a covert race to disrupt Iran's nuclear capability. The worm exploited flaws in the Siemens controller.
German company Siemens built controller P.C.S.-7 (Process Control System 7) whose complex software can run an entire series of industrial instruments and sensors.
Siemens controllers can run groups of spinning centrifuges (uranium enrichment cascades) to separate and collect the rare isotope uranium-235 which fuels reactors and bombs.
Countries familiar with the technology:
USA - The Idaho National Laboratory is part of the U.S. Energy Department, whose mandate includes American nuclear arms. In 2008, in a routine effort to secure its products against cyber-attack, Siemens shipped a controller to Idaho for testing. There, flaws in the Siemens systems were identified. The following year, the same flaws were exploited by the Stuxnet worm.
IRAN - CIA agents observed Siemens controllers at Iran's nuclear enrichment facility in Natanz. According to cables published on WikiLeaks, in April 2009 the U.S. State Department urgently tried to halt a new shipment of Siemens controllers from reaching Iran.
ISRAEL - Behind barbed wire at Dimona in the Negev desert, Israel began to operate row upon row of spinning centrifuges, all controlled by Siemens systems. This was the proving ground for Stuxnet, a field test before launch.
Mechanical: This code lies dormant until it detects a configuration of controllers running processes characteristic of a centrifuge plant. Then it kicks in, spinning each centrifuge erratically until the rotors wobble and shatter.
Surveillance: records the daily routine at the nuclear plant. False sensor signals are later fed back to plant operators to create the illusion everything is normal. This overrides the safety systems until the centrifuges self-destruct.
The worm primarily hit Iran. In June-July 2009 about 1,000 of the 9,000 centrifuges at the Natanz Fuel Enrichment Plant were ruined. This rattled the Iranians and delayed plant expansion.
Mechanism: Stuxnet was programmed with rotational frequencies that exactly matched the spin rates of Natanz centrifuges.
Meir Dagan (retiring chief of Israel's Mossad) and Hillary Clinton (U.S. Secretary of State) both agreed that Iran's nuclear arms program was set back several years.
Stuxnet was not a marksman with military precision. Due to a programming error, the worm escaped Iran's nuclear plant and popped up around the globe. In June 2009 Symantec snared the worm in a global malware net.
A long investigation raised suspicions that Stuxnet was jointly developed by the American NSA and the Israeli military. Officials admitted this after a challenge in the New York Times:
Copyright © 2008-2019 Georgena Sil. All Rights Reserved.