Slashdot Mirror


70% of Sites Hackable? $1,000 Says "No Way"

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."

5 of 146 comments

  1. Their reply. by Aladrin · · Score: 4, Informative

    For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.

    While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.

    I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  2. Been there, done that, got the logs to prove it... by Zapotek · · Score: 5, Informative

    I'll put $10k on the table with Snyder.

    In fact I had my site checked with Acunetix when I requested a trial.
    And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that it's close to, I dare say, un-hackable.
    So I had them scan my site just for kicks and to see the HTTP requests they were using.

    Needless to say, ALL I got were false positives; well, I did have an e-mail address on the site for submissions of papers, code etc., and they reported it as personal data.

    I replied to them explaining that the site is perfectly safe; they checked again and I got a "We're sorry for the inconvenience."-style e-mail admitting the results were wrong.

    Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate; it's good enough, though.

  3. The Acunetix counter-offer is ridiculous by giafly · · Score: 4, Informative

    "So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable." - Network World

    My company has been through several security audits and they require several days of management time, plus telling the auditors all about your IT infrastructure and data compliance. Security audits are not about hacking - they check that you've hardened your infrastructure, have appropriate policies for e.g. 'phone queries, and avoid client data being unnecessarily exposed. They're similar to a VAT (sales tax) inspection.

    You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
    --
    Reduce, reuse, cycle
  4. Re:I'll take that $1000 now. by ACMENEWSLLC · · Score: 3, Informative

    Security at ISPs generally sucks. We own multiple domains. We have multiple ISPs providing websites.

    I took one of our domains and set it up at the other ISP, and vice versa.

    When I sent an e-mail on domain1 to domain2, it didn't go to domain2. It went to the fake domain2 I set up with the ISP hosting domain1.

    This means the DNS server that holds their zone data is also the same DNS server they use for lookups. Both ISPs had this problem.

    This means that someone could set up a domain ebay.com, or usbank.com, or whatever - set up a catch-all e-mail account. Any replies to these domains from people using that same server would go to my faked domain, not the real e-mail server.

    I've actually caught someone doing this with an ISP we don't use. All e-mails to us from this ISP's users were going to a 3rd party. I don't think it was intentional, as all e-mail addresses were being rejected. But I am not 100% certain.

    The fix is that these ISPs should use a DNS cache server with no local zone data. It should hit the root servers for lookup. It's a simple fix, but it costs a few bucks so many ISPs don't do this.
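The failure mode ACMENEWSLLC describes, as an added example that is not from the post or from any ISP's software: a toy model in Python of a resolver that is both authoritative for customer zones and recursive for customer lookups (local zone data answered first, so a customer-loaded zone shadows the public delegation), next to the cache-only configuration the post recommends, plus the check a defender would run: query the suspect resolver and an independent reference resolver for names you control and flag any disagreement. The "public tree", the zone files, the hostnames and the resolver names are all constructed for this example.

```python
"""Toy model of a combined authoritative+recursive resolver versus a
cache-only resolver, with a check for shadowed names.

Constructed example, not code from the original post. The public DNS tree
and the customer zones are in-memory dicts so the script runs offline.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed public DNS data: the real MX for domain2.example is served by
# its real hosting provider (ISP B).
PUBLIC_TREE = {
    ("domain1.example", "MX"): ["mail.isp-a.example"],
    ("domain2.example", "MX"): ["mail.isp-b.example"],
    ("shop.example", "MX"): ["mail.shop.example"],
}

# Constructed zones loaded on ISP A's server: domain1 legitimately, plus a
# copy of domain2 that a customer uploaded without controlling the name
# (the post's "fake domain2"). Records are keyed by owner name and type.
ISP_A_ZONES = {
    "domain1.example": {("domain1.example", "MX"): ["mail.isp-a.example"]},
    "domain2.example": {("domain2.example", "MX"): ["catchall.isp-a.example"]},
}


def _zone_for(qname: str, zones: dict) -> str | None:
    """Return the closest enclosing zone apex loaded locally, if any.

    Walks the labels upward so that www.domain2.example is also matched to
    the locally loaded domain2.example zone, as an authoritative server does.
    """
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


@dataclass
class Resolver:
    """A resolver that may carry local zone data (empty for cache-only)."""
    name: str
    local_zones: dict = field(default_factory=dict)
    public: dict = field(default_factory=lambda: PUBLIC_TREE)

    def resolve(self, qname: str, qtype: str) -> list[str]:
        # Combined behaviour: a locally loaded zone answers authoritatively
        # (including an empty answer) and recursion never happens.
        apex = _zone_for(qname, self.local_zones)
        if apex is not None:
            return list(self.local_zones[apex].get((qname, qtype), []))
        # Cache-only behaviour: walk the public tree for everything.
        return list(self.public.get((qname, qtype), []))


def find_shadowed_names(suspect: Resolver, reference: Resolver,
                        names: list[str], qtype: str = "MX") -> dict[str, tuple]:
    """Map each name where the suspect disagrees with the reference to
    (suspect_answer, reference_answer). A non-empty result means the suspect
    is answering from local zone data that does not match the public
    delegation, which is the condition the post describes."""
    shadowed = {}
    for n in names:
        a, b = suspect.resolve(n, qtype), reference.resolve(n, qtype)
        if a != b:
            shadowed[n] = (a, b)
    return shadowed


# The misconfiguration and the fix, side by side, plus an independent
# reference resolver (constructed; stands in for a resolver outside the ISP).
ISP_A_COMBINED = Resolver("isp-a-combined", local_zones=ISP_A_ZONES)
ISP_A_CACHE_ONLY = Resolver("isp-a-cache-only")
REFERENCE = Resolver("independent-reference")

CHECKED = ["domain1.example", "domain2.example", "shop.example"]

if __name__ == "__main__":
    for r in (ISP_A_COMBINED, ISP_A_CACHE_ONLY):
        bad = find_shadowed_names(r, REFERENCE, CHECKED)
        print(f"{r.name}: {bad or 'no shadowed names'}")
```

Against real infrastructure the same check is two lookups per name (one against the ISP's resolver, one against a resolver you trust) and a diff of the answers; a domain you host elsewhere but that resolves to the ISP's own hosts from inside its network is the signal to look for, and the remedy is the one the post gives: a cache-only resolver with no local zone data.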

  5. Re:Legal? by varmittang · · Score: 3, Informative

    They replied, and basically stated they would accept, but wouldn't hack third-party sites since it's illegal.

    Dear Mr. McNamara and Mr. Snyder, We read the blog published yesterday by yourself together with the subsequent comment by Joel Snyder and would like to make the following comments while also addressing the issues raised.

    The point of publishing the results of the 3200-strong survey was to address the lack of awareness among organizations of the critical dangers of such web application vulnerabilities as Cross Site Scripting, SQL Injection and Cross Site Request Forgery. We are merely pointing out a trend corroborated by other published studies concluding that web security is a problem. It surprises us that Mr. Snyder is among those who do not take the present situation seriously by, indeed, making a mockery of the results through claims that these are incorrect.

    This further proves our point that web application security is one of the least understood and often misconceived aspects of online security today.

    Several experts in the field (for example, Jeremiah Grossman) have been stating these facts and dangers for a few years now. So we are not the only ones when it comes to web application security concerns.

    I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the commercial and non-commercial entities that we scanned were seriously vulnerable to hacking during the time we scanned them. Others (for example, http://ha.ckers.org/blog/20070213/70-of-websites-under-immediate-risk-of...) believe that these figures are much greater.

    We are available to put Mr. Snyder's doubts of the validity of our results at rest by submitting all the reports to a trusted third party with proven web security experience and knowledge. Given appropriate authorization and permission from the owners of the websites we scanned during January 2006-7, Mr. Snyder would be able to see any of the full reports of our scans - these highlight where and when the vulnerabilities were found. Of course, we cannot vouch that these vulnerabilities have not been fixed but are willing to do this for the sake of professional correctness. And, after all, we stand behind our data.

    We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World website, rather than - as Mr. Snyder suggested - an innocent third party website. After all, making a wager with someone else's website would be unfair, and furthermore illegal.

    So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable.

    Should Network World accept, we will start the audit immediately and point out any vulnerabilities found to the public. If we do manage to breach the Network World website, we would expect Network World to make a public statement, - published on the home page and first page of the next Network World issue - that its website was actually vulnerable and that Acunetix were able to hack it.

    We do expect a response within the next 24 hours that the company authorizes us to immediately perform the security audit and that the company takes full legal responsibility and holds us harmless for any resulting outages and damages.

    Our team thanks you for this opportunity and looks forward to the challenge!

    Signed,
    Nick Galea, CEO and Kevin J Vella, VP Sales and Operations

    Acunetix Ltd Direct: +356 2316 8126 Tel: +356 2316 8000 Fax: +356 2316 8001 Web: http://www.acunetix.com/ Web: http://www.acunetix.de/

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----