Slashdot Mirror


70% of Sites Hackable? $1,000 Says "No Way"

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."

12 of 146 comments

  1. This will end well... by Smidge204 · · Score: 3, Interesting

    At least he's not offering $1000 per site hacked, unlike the schmuck who offered a $1,200 bounty on every unsold PS3.

    =Smidge=

    1. Re:This will end well... by GroovinWithMrBloe · · Score: 2, Interesting

      But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs. In an aside to the main point, good web sites take into account transparent proxies at an ISP level which might result in the user appearing to come from multiple IP addresses (as the ISP might load balance requests to various proxies without binding a particular user to a particular proxy). This is a situation that I've come across with a website of mine.
    2. Re:This will end well... by 0xygen · · Score: 2, Interesting

      Almost all load balancing proxies running across multiple IPs add the X-Forwarded-For HTTP header, which many of the large sites take into account when looking for a "real" source IP. (IRL, many are Squid or Squid-based, which can add this header)

      Clearly, the danger with trusting these is that the attacker can then use their own fake X-Forwarded-For header to pretend to be the original user the cookie was stolen from.

      Does anyone have a good solution to this problem?
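The usual answer to the question above, shown here as an added example that is not from any poster in the thread: believe X-Forwarded-For only when the TCP peer is one of your own proxies, then take the rightmost hop that is not yours, since that hop was appended by your proxy and cannot be typed in by the client. The proxy range and all addresses are constructed for the example.

```python
import ipaddress
from typing import Optional, Union

# Constructed for this example: the ranges our own reverse proxies /
# load balancers connect from.  Anything else is "the internet".
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse(ip: str) -> Optional[Addr]:
    try:
        return ipaddress.ip_address(ip.strip())
    except ValueError:
        return None


def _is_trusted(ip: str) -> bool:
    addr = _parse(ip)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Address to bind a session cookie to.

    The header is believed only if the TCP peer is one of our proxies.
    Walk the comma list from the right (the hop appended by our outermost
    proxy) and skip our own addresses; the first foreign hop is what that
    proxy saw as the client.  Everything to its left arrived inside the
    request and could have been supplied by the sender, so it is ignored.
    """
    if not _is_trusted(remote_addr) or not xff:
        return remote_addr
    for hop in reversed(xff.split(",")):
        hop = hop.strip()
        if _parse(hop) is None:
            return remote_addr  # malformed header: do not guess
        if not _is_trusted(hop):
            return hop
    return remote_addr  # every hop was ours: the nearest proxy is the peer
```

This only holds if every edge proxy always appends the peer address (never passes a client-supplied header through untouched), which is a configuration check worth making on each Squid or balancer in the chain.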

    3. Re:This will end well... by Anonymous Coward · · Score: 1, Interesting

      Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site. Erhm... pardon me? To me, "injection" means that you yourself insert code into the SQL query directly without any sort of escaping. If that's your definition too, I have trouble understanding what you just said.
  2. Does 3 of 5 count? by Anonymous Coward · · Score: 2, Interesting

    We've begun basic testing of vendor and supplier web sites that we do business with (they are required to let us poke around as long as we notify them if we find anything).

    Three of five tested since we started in October threw an error when a ' was put in the login user name field. When the ' was replaced with

    a' or 'a' = 'a

    and no password, the three dumped us into the administrator's page (dirt-simple SQL injection). On the last one, it took us longer to find the login page than it did to get admin access. None of them knew we did it.

    Take one custom-written web application, add programmers that are just happy to get it working, leave out the web application firewall and you get in.

  3. I believe it by Paulrothrock · · Score: 3, Interesting

    I used to work as a web developer for a small company that did a lot of other small companies' web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.

    Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.

    And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.

    If anything, 70% is low.

    --
    I'm in the hole of the broadband donut.
  4. There are two kinds of web sites: by Elbowgeek · · Score: 1, Interesting

    Those that have been hacked and those that can be but no-one's bothered to do so yet.

    Fact is that there is no such thing as an unhackable site/host, however one can at least make a network more trouble than it's worth to try to hack.

    What's that old saw: Anything that the human mind can build another human mind can figure out. Or something like that...

    --
    Who is this delectable creature with an insatiable love of the dead?
  5. Re:it may work by um... Lucas · · Score: 2, Interesting

    Well they could contact the 3 selected website operators, explain the situation and that it's for their own good, and offer to do all work onsite under their eyes or at least offer to share their results with the company in question and see those security holes closed before any acknowledgement of a result from the contest is announced.

    I know, companies don't like being hacked even if it's for the un-noble cause of "demonstrating the hole in their security" so that it can be fixed; but if the company in question is approached beforehand, and offered assurance that they will not be caused to be a laughing stock, I'm sure a CTO could explain that "while we followed the best practices in the security industry, we felt it prudent to reassure ourselves and our customers that these practices would protect them. What we found was they aren't, and we're happy to say that we have taken several steps to protect them, steps above and beyond what our competition is doing" or something like that....

  6. ground rules by eck011219 · · Score: 2, Interesting

    I was about to post something spouting off an opinion before reading the article, but figured I'd better check it first. I was GOING to say, "but do that many sites contain information worth stealing?" But I then wimped out and read the article.

    According to the article, the ground rules (in particular, what kinds of sites are fair game) are still up in the air. So this whole thing is still lacking in some pretty basic parameters, which makes use of such a definitive range of percentages kind of silly. It's like saying, "70% of some people are redheads." That sounds like a lot of redheads, but without defining the "some people" part, it's just wind.

    It's an interesting thought and gets people talking about it, which is certainly not a bad thing. But it's little more than that at this point.

    --
    It is pitch black. You are likely to be eaten by a grue.
  7. re: due diligence by theBeak · · Score: 2, Interesting

    True, due diligence is the customer's responsibility. But how many customers REALLY know what to check for when it comes to security, infrastructure or otherwise? Let's face it, even those who bother to pick up the phone and call a provider will at most ask "are you secure" etc., and naturally the rep will say "absolutely". I mean, look at the whole Blackboard course management system mess. Do you really think any techie would choose them over Angel, the myriad open source solutions, et al? Of course not. But the techies don't get asked questions until the question is "what can we do to fix this situation/save our ass/cut our losses?".

    It would be nice if there were recognized standards out there with a "seal of approval" of sorts, akin to the ISO 9000/9001 etc. assuring customers of reasonable security, adequate infrastructure, etc.

    At least then the clueless stuffed-shirts that make the decisions would have *some* inkling if a provider was up to snuff.

  8. I'm surprised by Nom du Keyboard · · Score: 2, Interesting

    I'm surprised that 7 of 10 sites even contain personal data. Just what sites was he checking?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  9. Re:Yeah... by Architect_sasyr · · Score: 2, Interesting

    I'd doubt that. I recently had a scan done on a development site I am working on, and got a high vulnerability rating. Based on the weblogs, some simple correlation, and the fact that I quietly remove invalid characters rather than printing an error, my "High" rating of in-security is in fact a low... these guys don't read their work, it's just like running Nessus or Nmap without checking your answers, if you don't look hard enough you're not going to find the answer.

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...