Slashdot Mirror


70% of Sites Hackable? $1,000 Says "No Way"

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."

14 of 146 comments

  1. I'll take that $1000 now. by Anonymous Coward · · Score: 5, Insightful

    I can totally believe this. Especially after some recent research that I've done into the security of one specific web hosting provider. It wasn't the users' fault, it was very poor security on the side of the provider. Of course, the provider states how good their security is on their website, but it's only false security. For instance, home directories have the permissions 711, which would make the casual unix user think that you can't view files in the person's home directory, but of course, since there is a predictable structure under that, it is trivial to get into someone's web directory which is world readable. And thus you can get access to their database passwords and so on. And this is a very large hosting provider, over 100,000 websites are hosted with them. I can only imagine that many other hosting providers have these same types of problems.

    Actually, I am wanting to release my findings publicly and name the hosting provider, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hackers' tools, eh? With how many users and servers this place has, I'm amazed they haven't had all their users' accounts wiped out. It would be trivial to do.

    I think I may start an anonymous blog to document these cases.

    1. Re:I'll take that $1000 now. by Eivind · · Score: 3, Insightful

      Having web-directories 755 or similar ain't in itself a threat. Now, if the setup is such that you can't restrict readability of config-files and have them still readable by your php (or whatever!) process, then they're seriously fucked, agreed.

      My web-directory is 755 too, along with 644 for the static content there. However all my script and config-files are 640 with the group set to a group ( user_web ) that all scripts run as.

      Basic idea ? If you're clueless you're screwed no-matter-what. And if your hosting-provider is sufficiently clueless, then you're screwed even if you have a clue. Unless you use that clue to find a new hosting-provider.

    2. Re:I'll take that $1000 now. by Tony+Hoyle · · Score: 3, Insightful

      I've seen plenty of scripts with instructions like

      "Install this then chmod -R 777 so that the script can work"

      Clueless noobs then go and install it and wonder why they're hacked the next week...

      I always go through locking down such scripts (minimal permissions, rename all config files and, if possible, put them outside the web root. Same for writable directories if any are required). Those that can't be locked down are simply deleted.
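A defender-side audit for the permission problem this subthread describes (config files under a web root readable by every shell user on the host, and Eivind's 640-plus-dedicated-group fix), written here as an added example rather than any poster's own script; the file-name patterns it matches and the fixture it builds are assumptions.

```shell
#!/bin/sh
# Added example (not a poster's script): audit a web root for config-like
# files readable by "other", then apply the 640 + dedicated-group fix.
# File-name patterns and the fixture below are assumptions for the demo.
set -eu

# audit_config_perms WEBROOT
# Print each config-like file under WEBROOT whose mode grants read to
# "other" (-perm -004), i.e. readable by any shell user on the host.
audit_config_perms() {
    find "$1" -type f \
        \( -name '*.inc' -o -name 'config*.php' -o -name '.htpasswd' \) \
        -perm -004 -print
}

# harden_config_perms WEBROOT GROUP
# Move every file the audit flags to mode 640 with group GROUP (the group
# the script interpreter runs as), so the web process keeps read access
# while other users lose it. Static content (644) is left alone.
harden_config_perms() {
    audit_config_perms "$1" | while IFS= read -r f; do
        chgrp "$2" "$f"
        chmod 640 "$f"
    done
}

# count_exposed WEBROOT: number of flagged files, for scripting and tests.
count_exposed() {
    audit_config_perms "$1" | wc -l | tr -d ' '
}

# demo: build a constructed fixture, audit, harden, re-audit.
# Returns "BEFORE AFTER" counts; expected "1 0".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs"
    printf 'db_pass=placeholder\n' > "$root/htdocs/config.php"   # constructed
    printf '<html></html>\n'      > "$root/htdocs/index.html"    # static, stays 644
    chmod 644 "$root/htdocs/config.php" "$root/htdocs/index.html"
    before=$(count_exposed "$root")
    harden_config_perms "$root" "$(id -gn)"
    after=$(count_exposed "$root")
    rm -rf "$root"
    echo "$before $after"
}

demo
```

Run the audit function alone against a real web root first; it only reports, and the hardening step assumes the interpreter's group is the one you pass in.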

  2. Legal? by Max+Romantschuk · · Score: 4, Insightful

    ...seriously, this can't be? Right?

    The actual hacking, not the challenge, that is.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
    1. Re:Legal? by Karganeth · · Score: 3, Insightful

      I wouldn't be surprised if the challenge was illegal too. IANAL, but isn't putting a reward on committing a crime seen as inciting crime? I'm pretty sure that I'd end up in lots of trouble if I said "$10,000 says you can't rob that guy's house" and the person accepted the challenge then was caught.

  3. How to do it right by Anonymous Coward · · Score: 1, Insightful

    I'm the original poster and I run a web hosting provider myself. The way I do it that is guaranteed to keep shell users out is to put everyone in the users group and then make home directories 705 and owned by the users group. That keeps users out but allows Apache in. Then I have Apache/PHP setup in a way that prevents users from accessing other users' files. I don't want to rely on hoping things are safe, I want to be sure that they are. Still, PHP has some flaws in it that can't 100% guarantee that, but I can't go into that.

  4. Re:Their reply. by Joebert · · Score: 3, Insightful

    Without actually hacking in & getting hold of data to begin with, they can not honestly state any statistics.
    They can only speculate without actual data.
    So unless they're full of shit to begin with, they've already done something unethical.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  5. Re:This will end well... by joel_snyder · · Score: 5, Insightful

    I'm sure that if they're serious about actually showing that the statistics are useful then we can find 10 random sites who are willing to be 'ethically hacked.'

    The astonishing thing is that most people who will read this press release just don't get it, and the depths of their not getting it are even more astonishing...

    I am challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. I suspect they have found a lot of lousy code. No surprise here. 70%, sure. I'll bite off on that number. I'm not arguing with that.

    But there is a huge difference between turning a vulnerability into a breach. Let me give you an example. A lot of Cross-Site Scripting attacks let you steal cookies. So they probably found those. But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs. So the point is not that there are these vulnerabilities, but that they have done nothing to show whether these vulnerabilities are truly breachable and able to get an attacker real useful data.

    Same for things like directory listing. You can do that to my web site. Is that a security problem? No, in fact, I turned it on specifically. If I didn't want people to read it, I wouldn't have put it on the friggin' web server.

    Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site. Except they wouldn't be nicely formatted, but real men write HTML with vi anyway. Maybe they could store or corrupt data with the injection, and maybe they couldn't. Maybe (and this is most likely) they could cause the script to blow up. Is that "hacking" a web site? Hell, I get script explosion errors from web sites WITHOUT hacking them.

    Is being able to view a script a security vulnerability? it depends. It depends on the web site. The script. The webmaster's intentions.

    What percentage web sites actually have data that's worth anything?

    So the point is not that they've found a lot of theoretical issues, but whether they've actually found security issues. And the only way, in my mind, to see whether they have is to see if the issues can be exploited. If they can, I'll pay up. If they can't be exploited, then all they've done is made long lists of things that don't matter from a security point of view.

    Very long lists.

  6. I wonder by dbmasters · · Score: 4, Insightful

    My first thought was "what's the percentage of sites run by Nuke's, Joomla's, Mambo's and such CMS systems". I mean, when PHPBB gets hacked (again) it affects a HUGE number of sites. My employer recently had a security audit and they found out what most of us developers have been telling them for a while...they had consultants build things, decrease timelines while increasing scope creep...things got fudged and now they don't understand why our sites failed. I look at some of the stuff I inherited and just look at it and say WTF? I built a little CMS for myself, a few people downloaded it and use it, it's grown and I just experienced my first real exploit in my 10 year career in web dev. It was a REAL learning experience for me. I know all the theory of security and all that, but practicing it is another matter; when people want things yesterday it makes it hard to resist cutting that little corner.

    --
    dB Masters
  7. Re:There are two kinds of web sites: by aug24 · · Score: 5, Insightful

    there is no such thing as an unhackable site/host

    This is tosh.

    If you are seriously claiming that you could 'hack' any host running any software to get arbitrary permissions, or a shell session, or access an arbitrary file then you are just mad. On what basis do you say this? It's connected to a network therefore it can be hacked? Whuh?

    (I can't believe you were modded informative of all things. Insightful I might have laughed off, but informative?!)

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  8. Re:it may work by delinear · · Score: 2, Insightful

    The problem with that is that these companies know mud sticks. If the report says they were hacked, then no amount of them saying they fixed the holes and are now more secure than ever will completely remove that taint. Not only that, if these companies cared so much about security in the first place there wouldn't be holes, the main problem is that security is often sacrificed in the name of economy, so they're unlikely to want to shell out money fixing holes if they can just carry on ignoring them for free. Unfortunately that's why a lot of sites are insecure, because it's the cheaper option to turn a blind eye and hope that you won't get hit - for the most part it works I guess.

  9. Re:There are two kinds of web sites: by geekoid · · Score: 1, Insightful

    It's a common thought on /.

    False, but prevalent.

    --
    The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  10. Dynamic vs Static? by Odin_Tiger · · Score: 3, Insightful

    Even for as advanced as the web on the whole has become, I still suspect that most sites are static HTML. Unless they're talking about vulnerabilities in httpd's as well as vulnerabilities in site design, I think they're sunk, because unless you're doing something at least moderately complex with scripts and databases, your site is probably very secure. The bet needs a qualifying limiter or something to clarify that it only applies to *AMP sites or some such, because the average geocities, angelfire, or similar-quality privately hosted site is just not really hackable, because everything that makes up the website is already publicly viewable...images and text, no personal data that isn't intentionally exposed, and there is nothing on the box / vm / whatever other than the site. At best, if the box is misconfigured or unpatched, they can claim that it is defaceable, but that's not nearly the same thing.

    --
    Unpleasantries.
  11. Re:There are two kinds of web sites: by Elbowgeek · · Score: 2, Insightful

    Apologies if I'm interpreting your comment incorrectly, but if you're saying that you believe there is such a thing as an unhackable web site, then I can truly say that I'd *never* hire you in an IT capacity. Like an army general who truly believes his forces are invincible, by the very expression of that belief you are defeated before even going into battle.

    *Always* assume you are vulnerable. Be paranoid. And spend time snooping and hanging around in the areas where the crackers (to use the *correct* terminology) hang out and catch all the chatter. You'll be pleasantly surprised at how those systems you thought secure really aren't.

    Cheers

    --
    Who is this delectable creature with an insatiable love of the dead?