Slashdot Mirror


70% of Sites Hackable? $1,000 Says "No Way"

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."

3 of 146 comments

  1. Their reply. by Aladrin · · Score: 4, Informative

    For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.

    While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.

    I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  2. Been there, done that, got the logs to prove it... by Zapotek · · Score: 5, Informative

    I'll put $10k on the table with Snyder.

    In fact I had my site checked with Acunetix when I requested a trial.
    And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that it's close to, I dare say, un-hackable.
    So I had them scan my site just for kicks and to see the HTTP requests they were using.

    Needless to say, ALL I got were false positives. Well, I did have an e-mail address on the site for submissions of papers, code, etc., and they reported it as personal data.

    I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.

    Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate; it's good enough, though.

  3. The Acunetix counter-offer is ridiculous by giafly · · Score: 4, Informative

    So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable. - Network World
    My company has been through several security audits and they require several days of management time, plus telling the auditors all about your IT infrastructure and data compliance. Security audits are not about hacking - they check that you've hardened your infrastructure, have appropriate policies for e.g. phone queries, and avoid client data being unnecessarily exposed. They're similar to a VAT (sales tax) inspection.

    You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
    --
    Reduce, reuse, cycle