Tuesday, November 27, 2007

Sacure Corporation ( F - )

The Sacure Corporation, run by Todd Michael Cohan, claims to be “a leading trusted provider of Managed Security and Professional Security Consulting Services.” Their corporate website can be found at http://www.sacure.com.

According to their web page their service offerings include Managed Security Services, Professional Services, and Consulting Services. Last time we checked Professional Services and Consulting Services were synonymous, so the layout of the Sacure Website seemed a bit strange to us.

That wasn’t the only strange thing. The more we researched Sacure, the more questions we had. For example, most Managed Security Service Providers have a customer portal, especially if they are industry leaders. But when we first started to look into Sacure we only found a fake customer portal. Their fake portal was simple JavaScript code that would display “Access Denied” every time someone tried to log in. Here’s a copy of the actual code:

<input name="Submit" value="Login" onclick="alert('Access Denied!')" type="submit">

When we asked Sacure about their fake portal, they told us it was under construction. Shortly thereafter they changed the customer portal and replaced it with a fake PHP-based customer portal! This time when anyone tried to log in they saw a MySQL error instead of a graceful JavaScript error.

Sacure had similar, higher-exposure issues with their news page. In fact, Google has caches of the news page and the SQL errors that were displayed when a user tried to view it. Based on our research, the Sacure news page had been broken since at least early August 2007. When we asked Sacure about it they said that they were aware of it and that it had only been broken for about a week. They also said that it was down because it was under construction.

The problem is that we know Sacure was notified about the issue on Fri Oct 26 2007 because we have a chat transcript of them being notified. Why didn’t they fix the issue then? Why did they lie about their site only being broken for a week? This wasn’t a complicated issue to fix; you’d think that they could do it quickly.

So this makes us ask: how can “a leading trusted provider of Managed Security and Professional Security Consulting Services” have so many issues with their own website and not know it without being told? How can they possibly protect their clients if they can’t detect issues on their own systems? Why does it take them so long to fix such simple issues if they have so much talent? And why do they keep on telling lies?

According to the Sacure Corporation website, Sacure has a “Security Operations Center” that is state of the art. In conjunction with this, their SOC is located in a highly secure environment. Why is it then that they host their website at GO-DADDY and not from their secure SOC? We think it’s because Sacure lied about their SOC.

Name: sacure.com
Address: 64.202.163.180
CIDR: 64.202.160.0/19
NetName: GO-DADDY-SOFTWARE-INC

After our conversation with Sacure yesterday, Sacure removed the link to their fake customer portal, sort of. If you browse to here and you click on the black space between “Careers” and “Live Help” you’ll see that they didn’t entirely remove the link (but they tried). You’ll see that the link to http://www.sacure.com/customerPortal.php still exists, but that the page itself has been removed.

Anyway, enough of that, let’s dig into the content on their website. We won’t go through all of it because that would be overkill at this point. But we will go through enough to make our point (again).

On their first page: http://www.sacure.com, the introductory content reads:

“Sacure is dedicated to protecting its customers valued assets and resources through a combination of managed, monitored and professional security services. Our highly credentialed security experts apply security disciplines across networks, systems, applications and policies to continually improve our customers security postures. Our proprietary methodology employs a wide range of tools and third party products that can be delivered from our Security Operations Center (SOC) or anywhere in the world.”

We’re not too sure about what they are trying to say here. How does one “apply security disciplines across networks”? And when we asked Sacure who their “highly credentialed security experts” are, they only had one name to give us, which was “Tibi Tajts”. When we Googled Mr. Tajts we couldn’t find anything that showed us that he was an expert; in fact we found the contrary.

According to the following post from Mr. Tajts, he was unable to solve basic file location issues with Snort. Mr. Tajts is supposed to be Sacure’s lead talent (according to what we were told by Sacure).

The last point that we will focus on with Sacure is their “Pen Test Whitepaper” which is hosted on their website. This white paper has become a source of many jokes for the hacking community. Here’s just one example of a user finding a serious, but funny issue in the Sacure Whitepaper:

From: alexandre jodoin
Date: Fri, 26 Oct 2007 10:01:15 -0400
>> How can security companies protect us if they can't even configure their shit right? 
 


More on that:
From their "Pen Test Whitepaper" on http://www.sacure.com/index.php
"The Web-based authentication is exploited by using XSS (cross-site shipping) or SLQ injection or MITM (Man-in-the-Middle) attacks." 
 
WTF is cross-site shipping ??? 
:)



Anyway, that’s enough about Sacure. Our job isn’t to bash companies and ruin reputations. Our job is to strip away the bullshit and expose security companies for what they really are. If they have talent and integrity, we’ll write about that. If they are chock full of lies, we’ll write about that too.

3 comments:

mwood said...

if you purchase .1 of a pentest it will only cost 99.9$

likewise..
SacureShield 24 hour Penetration Test $995 $9.95
Order Total $9.95

/me shakes head

Anonymous said...

todd m. cohan have you googled him?
he owns that company and so far 5 others i have found. all i want from him is for him to pay up on a 1500.00 invoice he owes us for work done on a home he owns on long beach island nj!
all of his companies by the way have the same address, michigan ave in kenilworth new jersey! WHO IS THIS GUY?? email me if you know
ruth140@yahoo.com

Anonymous said...

I LOLed so hard at cross-site shipping.