70% of Sites Hackable? $1,000 Says "No Way"
netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."
I can totally believe this. Especially after some recent research that I've done into the security of one specific web hosting provider. It wasn't the users' fault, it was very poor security on the side of the provider. Of course, the provider states how good their security is on their website, but it's only false security. For instance, home directories have the permissions 711, which would make the casual unix user think that you can't view files in the person's home directory, but of course, since there is a predictable structure under that, it is trivial to get into someone's web directory which is world readable. And thus you can get access to their database passwords and so on. And this is a very large hosting provider, over 100,000 websites are hosted with them. I can only imagine that many other hosting providers have these same types of problems.
Actually, I am wanting to release my findings publicly and name the hosting provider, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hackers tools, eh? With how many users and servers this place has, I'm amazed they haven't had all their users' accounts wiped out. It would be trivial to do.
I think I may start an anonymous blog to document these cases.
...seriously, this can't be? Right?
The actual hacking, not the challenge, that is.
.: Max Romantschuk
At least he's not offering $1000 per site hacked, unlike the shmuck who offered a $1,200 bounty on every unsold PS3.
=Smidge=
...I'm sure he'll be shelling out $1,000 by the end of the day...
Bite my shiny metal ass.
For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.
While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.
I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Reminds me of: "Three statisticians went out hunting, and came across a large deer. The first statistician fired, but missed, by a meter to the left. The second statistician fired, but also missed, by a meter to the right. The third statistician didn't fire, but shouted in triumph, "On the average we got it!""
"I've got a plan so cunning you could put a tail on it and call it a weasel"
Great, as all the trolls attempt to hack into Slashdot and change this comment to something funnier.
The dangers of knowledge trigger emotional distress in human beings.
1. Taunt Acunetix with 1,000 dollars cash to hack into web sites
2. Turn Acunetix into the authorities when they provide proof of their hacking
3. Profit!
Strange women lying in ponds distributing swords is no basis for a system of government.
Fools and their money are easily parted
"Stallman says add to this code and you are one of us. Gates says use this code and you belong to us."
Acunetix have just HACKED into Snyder's bank account and helped themselves to the $1000.
Acunetix accepts the challenge and they want to audit networkworld.com, they'll find something for sure. That guy really has no idea how insecure the web is.
We've begun basic testing of vendor and supplier web sites that we do business with (they are required to let us poke around as long as we notify them if we find anything).
Three of five tested since we started in October threw an error when a ' was put in the login user name field. When the ' was replaced with
a' or 'a' = 'a
and no password, the three dumped us into the administrator's page (dirt-simple SQL injection). On the last one, it took us longer to find the login page than it did to get admin access. None of them knew we did it.
Take one custom-written web application, add programmers that are just happy to get it working, leave out the web application firewall and you get in.
They'll never prove this claim! 100% will never equal 70%.
I'll put $10k on the table with Snyder.
In fact I had my site checked with Acunetix when I requested a trial.
And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that it's close to, I dare say, un-hackable.
So I had them scan my site just for kicks and to see the HTTP requests they were using.
Needless to say ALL I got were false positives, well I did have an e-mail address on the site for submissions of papers, code etc and they reported it as personal data.
I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.
Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate, it's good enough though.
I used to work as a web developer for a small company that did a lot of other small companies' web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.
Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.
And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.
If anything, 70% is low.
I'm in the hole of the broadband donut.
Ok then..."70% of Girls cannot reach orgasm!". I can prove it to you free of charge!
Kudos to Joel for putting it to them!
If Acunetix is legit, then maybe they should take up the challenge without requesting funds if they succeed. That'd be the right thing to do, after consulting with lawyers to find out what the ramifications would be.
However, $1000 isn't going to draw anyone else into the fray, I don't think... No rogue hacker will offer up a solution to open doors, or even acknowledge them for $1000, it's not economically feasible for them to do so when the gains they can realize from NOT accepting the challenge outweigh the $1,000 they can make by doing so....
Those that have been hacked and those that can be but no-one's bothered to do so yet.
Fact is that there is no such thing as an unhackable site/host, however one can at least make a network more trouble than it's worth to try to hack.
What's that old saw: Anything that the human mind can build another human mind can figure out. Or something like that...
Who is this delectable creature with an insatiable love of the dead?
I'm the original poster and I run a web hosting provider myself. The way I do it that is guaranteed to keep shell users out is to put everyone in the users group and then make home directories 705 and owned by the users group. That keeps users out but allows Apache in. Then I have Apache/PHP setup in a way that prevents users from accessing other users' files. I don't want to rely on hoping things are safe, I want to be sure that they are. Still, PHP has some flaws in it that can't 100% guarantee that, but I can't go into that.
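The two home-directory layouts debated above (the 711 home with a world-readable web directory beneath it, and the 705 home owned by a shared users group) come down to how Unix evaluates owner, group and other bits along a path. This is an added example, not code from either poster; it models that rule on constructed uids, group ids and paths and checks which principal can reach a web directory's config file.

```python
"""Unix permission model for the two shared-hosting layouts discussed above.

Added example, not the posters' code. Users, uids, gids and paths are
constructed for illustration; the permission rule itself is standard POSIX.
"""
from dataclasses import dataclass

R, X = 4, 1  # read and search/execute bits as they appear in the 'other' triad


@dataclass(frozen=True)
class Entry:
    mode: int  # permission bits, e.g. 0o711
    uid: int
    gid: int


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset


def permitted(entry: Entry, who: Principal, bit: int) -> bool:
    """POSIX rule: the owner triad applies if the uid matches; otherwise the
    group triad applies if the caller is in the file's group, and a denying
    group triad is final (the 'other' triad is not consulted); otherwise the
    'other' triad applies. Root is not special-cased here."""
    if who.uid == entry.uid:
        return bool(entry.mode & (bit << 6))
    if entry.gid in who.gids:
        return bool(entry.mode & (bit << 3))
    return bool(entry.mode & bit)


def _parents(path: str):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def reachable(tree: dict, path: str, who: Principal) -> bool:
    """Reading a file, or listing a directory, needs search (x) on every
    directory above it and read (r) on the target itself. Listing the
    parents is NOT needed, which is why a predictable layout under a
    711 home directory is enough to reach the files below it."""
    return (all(permitted(tree[d], who, X) for d in _parents(path))
            and permitted(tree[path], who, R))


ALICE, BOB, APACHE, USERS = 1001, 1002, 33, 100          # constructed ids
alice = Principal(ALICE, frozenset({ALICE, USERS}))     # the account owner
bob = Principal(BOB, frozenset({BOB, USERS}))           # another shell customer
apache = Principal(APACHE, frozenset({APACHE}))         # web server, not in 'users'

CONFIG = "/home/alice/public_html/config.php"           # constructed: holds the DB password

# (a) the layout criticised in the thread: 711 home, 755 web dir, 644 files
LAYOUT_711 = {
    "/home": Entry(0o755, 0, 0),
    "/home/alice": Entry(0o711, ALICE, ALICE),
    "/home/alice/public_html": Entry(0o755, ALICE, ALICE),
    CONFIG: Entry(0o644, ALICE, ALICE),
}

# (b) the follow-up poster's fix: 705 home owned by the shared 'users' group.
# Every shell customer is in 'users', so the empty group triad denies them;
# Apache is not, so it falls through to the 'other' triad (r-x) and gets in.
LAYOUT_705 = {**LAYOUT_711, "/home/alice": Entry(0o705, ALICE, USERS)}


if __name__ == "__main__":
    for name, tree in (("711 home", LAYOUT_711), ("705 home, users group", LAYOUT_705)):
        print(name)
        print("  bob lists /home/alice:      ", reachable(tree, "/home/alice", bob))
        print("  bob lists public_html:      ", reachable(tree, "/home/alice/public_html", bob))
        print("  bob reads config.php:       ", reachable(tree, CONFIG, bob))
        print("  apache reads config.php:    ", reachable(tree, CONFIG, apache))
```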
Having dealt with tons of owned sites over the years I would say that 70% is a very low figure. I would also say that 90% of these tools the security vendors are throwing around are also trash. They point out obvious flaws in some cases but the tools are nowhere near as crafty as the human brain at exploiting web sites. Script kiddies using known vulnerabilities are one thing but stopping somebody hell bent on getting in is much, much tougher.
Got Code?
First this is a load of crap and they sound like morons. But second, I will pay them $50,000 if they can rob 3 banks chosen at random! Maybe we can get them in jail by the end of attempt #1? :D
You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
Reduce, reuse, cycle
I think that the numbers might be a little misleading, but I'm not sure that 70% is entirely incorrect. I think that it depends heavily on what sites are included in the sample, and how you define "can be hacked".
For the first point, although big websites certainly have had their share of vulnerabilities, the number is certainly less than 70% (I would venture a guess that it's in the area of 25%, which is still way more than it should be) - but if you start adding in things like people's home boxes running quick and dirty PHP sites, things out there for testing purposes, various boards and such, I wouldn't be surprised if the numbers start reaching 70%.
The other point of course is how you define hackable. Anything is hackable, given a sufficient amount of time and desire on the part of an intruder. Even if a machine storing personal data was disconnected from any sort of network and locked up in a safe, someone could always break into the safe and steal the computer.
The question really should be: What percent of websites which contain a significant amount of personal data have vulnerabilities which are easily enough exploited to be a viable target for: A: script kiddies/etc. B: moderately skilled and determined intruders, and C: highly skilled and determined intruders.
Famous Last Words: "hmm...wikipedia says it's edible"
My first thought was "what's the percentage of sites run by Nuke, Joomla, Mambo and such CMS systems". I mean, when PHPBB gets hacked (again) it affects a HUGE number of sites. My employer recently had a security audit and they found out what most of us developers have been telling them for a while...they had consultants build things, decrease timelines while increasing scope creep...things got fudged and now they don't understand why our sites failed. I look at some of the stuff I inherited and just look at it and say WTF? I built a little CMS for myself, a few people downloaded it and use it, it's grown and I just experienced my first real exploit in my 10 year career in web dev. It was a REAL learning experience for me. I know all the theory of security and all that, but practicing it is another matter when people want things yesterday; it makes it hard to resist cutting that little corner.
dB Masters
>> I dare say, un-hackable
;)
100 Percent of websites are hackable with enough time and resources.
Oh, and check your filesystem for the tag file I just placed there.
Professional Hitman Mr Smith is flogging a survey that claims 7 out of 10 people he has checked have a lack of police protection posing a medium- to high-level risk of getting them murdered. The police's go-to security guy, Mr Doe, says that percentage is 'sensationalist nonsense' -- and he's willing to back that judgment with $1,000 of his own money. In fact Mr Doe will pay up if Mr Smith can whack 3 of 10 people chosen at random from his survey list."
Yeah, I know, that's why I said "*close to* un-hackable".
:P
Though when the design of a system is very simple, securing it is quite easy.
And when the guy who made it is as paranoid as me and has this small system locked down and filtered from each and every variable,
then the chances of it being un-hackable are pretty good.
I'd dare you to try and hack it, but, since Acunetix failed there's no point.
I was about to post something spouting off an opinion before reading the article, but figured I'd better check it first. I was GOING to say, "but do that many sites contain information worth stealing?" But I then wimped out and read the article.
According to the article, the ground rules (in particular, what kinds of sites are fair game) are still up in the air. So this whole thing is still lacking in some pretty basic parameters, which makes use of such a definitive range of percentages kind of silly. It's like saying, "70% percent of some people are redheads." That sounds like a lot of redheads, but without defining the "some people" part, it's just wind.
It's an interesting thought and gets people talking about it, which is certainly not a bad thing. But it's little more than that at this point.
It is pitch black. You are likely to be eaten by a grue.
If someone wants to prove something like this then they should state a particular O/S / serverware is hackable, else they should show they know what they are on about by not picking on systems that are subjected to admin error and should go and hack some hardened systems so they can offer up some security advice to those who really need it in industry like Sun, SELinux, HP etc etc.
What's the big deal of acting from a plethora of undisclosed vulnerabilities, this could have a rather negative impact on whatever they are trying to prove.
Better to state that % do not use application firewalls, % set permissions wrong, % use O/S subject to so many problems so % is potentially hackable, etc etc.
About as unscientific as my last fart.
Your site would be an exception in my experience. I perform web application penetration testing as a part of my job. I test mostly Fortune 500 sites, banking industry, etc. I have discovered anything from low to high risk items on big "mega" bank sites. Almost every one of them had some sort of medium risk data leakage issues. And the banking industry sites fare better than most. Outside of the banking sector web application security is in a pitiful state, even though XSS and SQL injection are two of the most well known security issues out there I can still nail most applications with it. Some of the time it's not trivial, but then I have a good bit of time to test these sites. Of the 50-ish sites I tested last year there were a few that stand out as having been medium and high risk defect free. I would say almost all of them had medium risk issues or worse. A few (as in 3 or 4) had no medium risk issues or worse. The number is pulled from my memory.. but these are all directly tested sites and it's pretty close. It's the exception to find a secure site. These are clients with a lot of money that can afford to do security and they just don't get it right.
.NET and Java apps tend to do a little better. Classic ASP and PHP apps always fare much, much worse.
That is black box testing. On code reviews the situation is almost always worse. I can find things that no automated tool can dream about (source analysis or app testing tools). I can probe business logic and find hidden test pages. I haven't done a code review for a web application yet that didn't have high risk issues.
I worked for a time fixing other websites' security when they were hacked...
..and you've removed 90% of holes.
It's amazing how all you really need to do though is simple things like using parameterized queries instead of string concatenations, converting 's to <'s from a post and checking what cookies are stored and what can be done with them.
* Fix these
* patch your runtime (IIS/Apache/scripting platform)
* chmod files appropriately
* add a firewall with snort
It's not rocket science, is it? Why people don't do it, I don't know.
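The "dirt-simple SQL injection" post above (the `a' or 'a' = 'a` login) and the advice here to use parameterized queries instead of string concatenation are two sides of the same defect. As an added example that is not code from either poster, here is a minimal login lookup in both forms against a constructed SQLite table. The query shape (password test before user-name test) is an assumption; it is one ordering under which that payload, with an empty password, matches every row, and the comments explain why.

```python
"""Login lookup with string concatenation beside the parameterized form.

Added example, not code from the Slashdot posters. The payload is the one
quoted in the thread; the table, accounts and query shape are constructed.
"""
import sqlite3

PAYLOAD = "a' or 'a' = 'a"   # the string typed into the user name field in the post


def make_db() -> sqlite3.Connection:
    """Constructed sample data. The administrator is the first row, as in many
    hand-rolled applications. Passwords are stored in clear only to keep the
    example short; that is a separate defect the thread also complains about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", 1), ("alice", "alice-pw", 0)])
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the submitted fields are spliced into the SQL text.
    With PAYLOAD and an empty password the WHERE clause becomes
        password = '' AND username = 'a' or 'a' = 'a'
    and because AND binds tighter than OR the database reads it as
        (password = '' AND username = 'a') OR ('a' = 'a')
    which is true for every row, so the first row (the admin) comes back."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE password = '%s' AND username = '%s' ORDER BY id LIMIT 1"
           % (password, username))
    return conn.execute(sql).fetchone()


def login_param(conn, username, password):
    """Fixed: the same query with bound parameters. The values travel separately
    from the SQL text, so quotes in the input are data, not syntax, and the
    payload is just an account name that does not exist."""
    sql = ("SELECT username, is_admin FROM users "
           "WHERE password = ? AND username = ? ORDER BY id LIMIT 1")
    return conn.execute(sql, (password, username)).fetchone()


def demo() -> dict:
    """Run both versions against the same data and return the rows they yield."""
    conn = make_db()
    return {
        "concat_payload": login_concat(conn, PAYLOAD, ""),    # ('admin', 1)
        "param_payload": login_param(conn, PAYLOAD, ""),      # None
        "param_valid": login_param(conn, "alice", "alice-pw"),  # ('alice', 0)
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15} -> {row}")
```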
Yeah, trust them, we have had people in Russia doing scans of our sites with cracked versions of their software. When we contacted them about it, they basically said they gave up trying to protect their OWN SOFTWARE. As far as their software goes, it does ok in terms of giving them a layout of a host's website, and looking for possible SQL injection variables. I have NO respect for this kind of fear mongering and therefore it is pretty hard to trust them with something so important, just because it does ONE thing well.
The subject line of their e-mail reads - "Acunetix Accepts the Network World Challenge" - but, as you'll see, that claim isn't any more supportable than the company's press release, which they at least have the good graces to concede was "apocalyptic."
http://www.networkworld.com/community/?q=node/115
True, due diligence is the customer's responsibility. But how many customers REALLY know what to check for when it comes to security, infrastructure or otherwise? Let's face it, even those who bother to pick up the phone and call a provider will at most ask "are you secure" etc., and naturally the rep will say "absolutely". I mean, look at the whole Blackboard course management system mess. Do you really think any techie would choose them over Angel, the myriad open source solutions, et al? Of course not. But the techies don't get asked questions until the question is "what can we do to fix this situation/save our ass/cut our losses?".
It would be nice if there were recognized standards out there with a "seal of approval" of sorts, akin to the ISO 9000/9001 etc. assuring customers of reasonable security, adequate infrastructure, etc.
At least then the clueless stuffed-shirts that make the decisions would have *some* inkling if a provider was up to snuff.
Any ISP that lets you setup zone files for domains that already exist is just blatantly out of line. What you are describing is unlikely to happen. And if it was an ISP that let you do that, you could do a lot worse things than redirect someone's email. You could register cnn.com and make all users on that ISP think that it is the end of the world by making your own news stories.
I'm surprised that 7 of 10 sites even contain personal data. Just what sites was he checking?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
For FBI, thousand bucks is no big money for getting info about some of the finest hackers around, I guess...
--
This message was sent using 100% recyclable electrons.
Even for as advanced as the web on the whole has become, I still suspect that most sites are static HTML. Unless they're talking about vulnerabilities in httpd's as well as vulnerabilities in site design, I think they're sunk, because unless you're doing something at least moderately complex with scripts and databases, your site is probably very secure. The bet needs a qualifying limiter or something to clarify that it only applies to *AMP sites or some such, because the average geocities, angelfire, or similar-quality privately hosted site is just not really hackable, because everything that makes up the website is already publicly viewable...images and text, no personal data that isn't intentionally exposed, and there is nothing on the box / vm / whatever other than the site. At best, if the box is misconfigured or unpatched, they can claim that it is defaceable, but that's not nearly the same thing.
Unpleasantries.
Note that DSP is a real world application of statistics. Without it, Cellphones and the like would be impossible.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Seeing how many Lunix servers are on the net, this is a pretty reasonable claim.
Lunix: got r00t?
55 'sploits in 2007, and dis pauty iz jus gettin stauted in hea!
In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list.
If any story deserved an "itsatrap" tag, this is one!
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
with mod_php ?
because PHP safe_mode is a joke
CGI/suexec is the only way I know about, though I gave up once I'd got it sorted so there may be another.
DB passwords - putting them in httpd.conf is a start.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
www.voterlistsonline.com Don't even need to see it, and it already scares you, right? ;_)
Check the leading gurus - Jeremiah Grossman and RSnake - they put this dude to shame http://www.matasano.com/log/699/did-idg-bet-1000-that-acunetix-cant-steal-credit-cards-from-random-websites/
http://jeremiahgrossman.blogspot.com/2007/02/acunetix-networkworld-and-1000-oh-my.html
http://ha.ckers.org/blog/20070214/1000-to-steal-data-from-30-of-sites/
white house.
Save America!! http://impeachforpeace.org/
If you believe that ANYTHING besides the US Military can get us peace, then you are sadly mistaken, somewhat like Jimmy Carter. he believed if we were "nice" to everyone, they would love us. They hated us before, they hate us now, and they will hate us in the future. If you believe that being "nice" to them will change that, I suggest you look at the 19 hijackers, and what their neighbors said about them.
"I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the people that we checked were seriously vulnerable to murder during the time we checked them. Others believe that these figures are much greater. We are willing to accept the challenge. However we feel that the subject of the challenge should be Mr. Doe rather than - as Mr. Doe suggested - an innocent third party victim. After all, making a wager with someone else's life would be unfair, and furthermore illegal. So we will accept the wager and perform a check on Mr. Doe and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Doe's comments, he is confident that he is secure."
Do you want to hire a tester? I'm good, and I will find problems.
Seriously though, I've heard the unsinkable claim before...
imho, unbreakable should mean, "when it breaks, nothing is lost and restarting is trivial". Nothing else is real, so it'd just be a false sense of security.
I imagine that your way of coding leads to triple-checked user input, verified fields, proper argument quoting. At a minimum. This and much I've never heard of. But it will have flaws you've never heard of either.
I'd assume instead that the system was swiss cheese and I'd concentrate on making sure I didn't actually put the customer's CC # on disk, ever, cache or anything, so that when a hack happened I didn't lose every CC I'd ever processed.
Then I'd go through and secure it as best as I could. But only by understanding the inherent insecurity of every line of code written and that failures happen. Maybe internal, maybe with 0-day bugs in the kernel, maybe just because I forgot to validate input yet again on the hundredth similar, yet not quite close enough to be the same, code that I've written. Just maybe.
Acunetix reveals statistical results based on one year of conducting web application scans
Kirkland, Washington - February 15, 2007 - It has been an interesting 24 hours for anybody keen on web application security. Network World Labs Alliance Security Expert Joel Snyder played down the danger of web application security and challenged Acunetix to hack a website.
Following Acunetix publishing the results of its free web security survey (http://www.acunetix.com/news/security-audit-results.htm), Network World Editor Paul McNamara and Network World Lab Alliance stalwart (http://www.networkworld.com/alliance/snyder.html) down-played the dangers of online web security, stating that only a minute number of commercial websites are hackable, that most websites do not have any worthwhile data on them anyway (http://www.networkworld.com/community/?q=node/11477), and that cross site scripting and SQL security vulnerabilities are not dangerous (http://www.networkworld.com/community/?q=node/11501 and http://it.slashdot.org/comments.pl?sid=222326&cid=18010732).
Snyder mocked the data on which Acunetix based its press release. "First off, we definitely did write the press release in a way that it would catch attention. But hey, what's the point of a press release if you can't do that?" exclaims Galea.
"The data on which we based our report was factual and correct. We offered Network World to give a trusted third party access, but they have not responded to this", he continues "For this, we feel compelled to publish the month by month data upon which this earlier press release was based."
The link to the report is found here http://www.acunetix.com/security-audit/acunetix_report.pdf:
The initial press release stated the following facts based upon this report:
1. Acunetix has scanned 3,200 sites belonging to either businesses or non-commercial entities.
2. 70% of the websites scanned were found to contain high or medium vulnerabilities.
3. There is an extremely high probability of these vulnerabilities being discovered and manipulated by hackers to steal the sensitive data these organizations store.
4. 50% of the websites with instances (or number of times that an alert was triggered by the automated scan) of high vulnerabilities were susceptible to SQL Injection while 42% of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.
In the interest of web security, Acunetix is keen to hear feedback on these findings. The company is also ready to have the data (permissions/authorizations obtained) verified by a trusted third party.
The second issue relates to the challenging of Acunetix for $1000 to hack the audited websites and obtain confidential information from at least three of ten sites chosen. Acunetix accepted the challenge, but demanded that the subject of the hack attempt should be the Network World website.
"Clearly the subject of a challenge should be one's own property, and furthermore the website is commercial and is certainly deemed to contain worthwhile information", claims Kevin J Vella, VP Sales and Operations, Acunetix. "After side-stepping our counter challenge Network World finally went mute on this topic, and seemingly its employee and associate are backing out of their claims."
"It is disappointing to see online security taken so lightly but it further confirms our view that the dangers of web attacks are simply not known." remarks Vella.
In fact, leading web security expert, Jeremiah Grossman, posted an update yesterday