Domain: acunetix.com
Stories and comments across the archive that link to acunetix.com.
Comments · 10
-
Acunetix
I'd venture acunetix from http://www.acunetix.com/ it does a decent job
-
Re:Ridiculous
Here is a quote from the Acunetix User Manual page 21:
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION!
Emphasis theirs
-
Re:Ridiculous
Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw, he was expelled because he ran Acunetix a website vulnerability scanner after he reported the vulnerability without permission of the web gods. Although no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood,
arguably vindictive.Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
This can't be stated enough.
First of all, I have to wonder how he found the problem in the first place, if he used Acunetix to follow up later to see if it had been fixed. I doubt he just "stumbled" across it, frankly; when I want to check to see if a flaw has been fixed, I use the same method I used to discover the flaw in the first place. And they allude to this...that it's the second time they've seen him in their logs that way. So I get why they would have their doubts about purity of his intention, especially since Acunetix is commercial software that he probably would have pirated, given that the trial version would have expired between the first and second tests. A lot of malicious scanning is done with this tool; I've seen it showing up in the logs of many clients over time. So again, that's another thing to cast doubt on the notion that he was just writing an API and happened to stumble across bad coding. If I look at it from the school's perspective, I can see why they were spooked. And I definitely have to question the way he portrays things as having taken place. You don't run an application security scan against someone's infrastructure without their permission, period. And this is why.
As for the software company threatening with legal action, that's nothing to do with the university. Yes, vendors go off the deep end over vulnerabilities, especially when they smell blood in the water because the person reporting the vulnerability has unclean hands. But the actions of the university are one thing, and the actions of the vendor are another.
-
Re:Ridiculous
Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw, he was expelled because he ran Acunetix a website vulnerability scanner after he reported the vulnerability without permission of the web gods. Although no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood,
arguably vindictive.Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
-
Re:Wow!
From the blog of the guy who actually did the research, I'm deducing that those probably weren't valid password.
An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin.
...Even more, the phishing kit used most probably was badly designed, since it was one that didnâ(TM)t further authenticated the users to the Hotmail/Live website. I think it just returned an error message after grabbing the credentials.
* The list initially contained 10,028 entries.
* After I've cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
* There are 8931 (90%) unique passwords in the list.
* The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
* The shortest password was 1 char long : )In other words, the phishing scheme didn't bother to verify that the passwords were any good. Heck, it didn't even verify that a password was entered (he did say he cleared out all the username/no password entries). Not surprisingly, it also didn't make sure the password was of the proper length to be valid (this would have kicked out all the empty string passwords anyway).
tl;dr: dumb people clicked the phishing link and entered their passwords. Smart people clicked the link and entered garbage. Garbage = bad data, which is what he ended up finding. (Seriously... I'm sure there are other people here who would knowingly go to the phishing page and deliberately enter garbage just to screw with the dicks who are trying to scam accounts.)
-
Re:Where are the details?
http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/
According to security research Bogdan Calin, it seems like the passwords were gathered using phising kit, targeting the Latino community
Only 64 out of the 9843 valid passwords leaked were "12345", which indicates that it wasnt a brute force attack on stupid people. Still, the majority of the passwords leaked were weak (lower case or numeral only).
-
Static Analysis, Free Scanners, Books, Help
You should probably check out some of the open source static analysis tools:
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysisI wrote one that deals mostly with web applications:
http://www.yasca.org/You should also get your hands on Acunetix Free Edition, which scans for XSS:
http://www.acunetix.com/cross-site-scripting/scanner.htmAlso grab yourself a copy of Software Security by Gary McGraw and Secure Programming with Static Analyis by Brian Chess and Jacob West.
Finally, if you want to outsource an assessment on the cheap (really), send me an e-mail.
-
Acunetix Reveals the Data
Acunetix reveals statistical results based on one year of conducting web application scans
Kirkland, Washington - February 15, 2007 - It has been an interesting 24 hours for anybody keen on web application security. Network World Labs Alliance Security Expert Joel Snyder, played down the danger of web application security and challenged Acunetix to hack a website.
Following Acunetix publishing the results of its free web security survey (http://www.acunetix.com/news/security-audit-resul ts.htm), Network World Editor Paul Mc Namara and Network World Lab Alliance stalwart (http://www.networkworld.com/alliance/snyder.html) down-played the dangers of online web security, stating that only a minute number of commercial websites are hackable, that most websites do not have any worthwhile data on them anyway (http://www.networkworld.com/community/?q=node/114 77), and that cross site scripting and SQL security vulnerabilities are not dangerous (http://www.networkworld.com/community/?q=node/115 01 and http://it.slashdot.org/comments.pl?sid=222326&cid= 18010732).
Snyder mocked the data on which Acunetix based its press release. "First off, we definitely did write the press release in a way that it would catch attention. But hey, what's the point of a press release if you can't do that?" exclaims Galea.
"The data on which we based our report was factual and correct. We offered Network World to give a trusted third party access, but they have not responded to this", he continues "For this, we feel compelled to publish the month by month data upon which this earlier press release was based."
The link to report is found here http://www.acunetix.com/security-audit/acunetix_re port.pdf:
The initial press release stated the following facts based upon this report:
1. Acunetix has scanned 3,200 sites belonging to either businesses or non-commercial entities.
2. 70% of the websites scanned were found to contain high or medium vulnerabilities.
3. There is an extremely high probability of these vulnerabilities being discovered and manipulated by hackers to steal the sensitive data these organizations store.
4. 50% of the websites with instances (or number of times that an alert was triggered by the automated scan) of high vulnerabilities were susceptible to SQL Injection while 42% of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.
In the interest of web security, Acunetix is keen to hear feedback on these findings. The company is also ready to have the data (permissions/authorizations obtained) verified by a trusted third party.
The second issue relates to the challenging of Acunetix for $1000 to hack the audited websites and obtain confidential information from at least three of ten sites chosen. Acunetix accepted the challenge, but demanded that the subject of the hack attempt should be the Network World website.
"Clearly the subject of a challenge should be one's own property, and furthermore the website is commercial and is certainly deemed to contain worthwhile information", claims Kevin J Vella, VP Sales and Operations, Acunetix. "After side-stepping our counter challenge Network World finally went mute on this topic, and seemingly its employee and associate are backing out of their claims."
"It is disappointing to see online security taken so lightly but it further confirms our view that the dangers of web attacks are simply not known." remarks Vella.
In fact, leading web security expert, Jeremiah Grossman, posted an update yesterday -
Re:Legal?
They replied, and basically stated they would accept, but wouldn't hack third party sites since its illegal.
Dear Mr. McNamara and Mr. Snyder, We read the blog published yesterday by yourself together with the subsequent comment by Joel Snyder and would like to make the following comments while also addressing the issues raised.
The point of publishing the results of the 3200-strong survey was to address the lack of awareness among organizations of the critical dangers of such web application vulnerabilities as Cross Site Scripting, SQL Injection and Cross Site Request Forgery. We are merely pointing out a trend corroborated by other published studies concluding that web security is a problem. It surprises us that Mr. Snyder is among those who do not take the present situation seriously by, indeed, making a mockery of the results through claims that these are incorrect.
This further proves our point that web application security is one of the least understood and often misconceived aspects of online security today.
Several experts in the field (for example, Jeremiah Grossman) have been stating these facts and dangers for a few years now. So we are not the only ones when it comes to web application security concerns.
I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the commercial and non-commercial entities that we scanned were seriously vulnerable to hacking during the time we scanned them. Others (for example, http://ha.ckers.org/blog/20070213/70-of-websites-u nder-immediate-risk-of...) believe that these figures are much greater.
We are available to put Mr. Snyder's doubts of the validity of our results at rest by submitting all the reports to a trusted third party with proven web security experience and knowledge. Given appropriate authorization and permission from the owners of the websites we scanned during January 2006 -7, Mr. Snyder would be able to see any of the full reports of our scans - these highlight where and when the vulnerabilities were found. Of course, we cannot vouch that these vulnerabilities have not been fixed but are willing to do this for the sake of professional correctness. And, after all, we stand behind our data.
We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World website, rather then - as Mr. Snyder suggested - an innocent third party website. After all, making a wager with someone else's website would be unfair, and furthermore illegal.
So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable.
Should Network World accept, we will start the audit immediately and point out any vulnerabilities found to the public. If we do manage to breach the Network World website, we would expect Network World to make a public statement, - published on the home page and first page of the next Network World issue - that its website was actually vulnerable and that Acunetix were able to hack it.
We do expect a response within the next 24 hours that the company authorizes us to immediately perform the security audit and that the company takes full legal responsibility and holds us harmless for any resulting outages and damages.
Our team thanks you for this opportunity and looks forward to the challenge!
Signed,
Nick Galea, CEO and Kevin J Vella, VP Sales and Operations
Acunetix Ltd Direct: +356 2316 8126 Tel: +356 2316 8000 Fax: +356 2316 8001 Web: http://www.acunetix.com/ Web: http://www.acunetix.de/ -
Re:how??
http://www.acunetix.com/websitesecurity/cross-sit
e -scripting.htm a good example of how.