70% of Sites Hackable? $1,000 Says "No Way"
netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."
I can totally believe this. Especially after some recent research that I've done into the security of one specific web hosting provider. It wasn't the users' fault, it was very poor security on the side of the provider. Of course, the provider states how good their security is on their website, but it's only false security. For instance, home directories have the permissions 711, which would make the casual unix user think that you can't view files in the person's home directory, but of course, since there is a predictable structure under that, it is trivial to get into someone's web directory which is world readable. And thus you can get access to their database passwords and so on. And this is a very large hosting provider, over 100,000 websites are hosted with them. I can only imagine that many other hosting providers have these same types of problems.
Actually, I am wanting to release my findings publicly and name the hosting provider, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hackers' tools, eh? With how many users and servers this place has, I'm amazed they haven't had all their users' accounts wiped out. It would be trivial to do.
I think I may start an anonymous blog to document these cases.
...seriously, this can't be? Right?
The actual hacking, not the challenge, that is.
.: Max Romantschuk
At least he's not offering $1000 per site hacked, unlike the shmuck who offered a $1,200 bounty on every unsold PS3.
=Smidge=
...I'm sure he'll be shelling out $1,000 by the end of the day...
Bite my shiny metal ass.
For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.
While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.
I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Reminds me of: "Three statisticians went out hunting, and came across a large deer. The first statistician fired, but missed, by a meter to the left. The second statistician fired, but also missed, by a meter to the right. The third statistician didn't fire, but shouted in triumph, "On the average we got it!"
"I've got a plan so cunning you could put a tail on it and call it a weasel"
Great, as all the trolls attempt to hack into Slashdot and change this comment to something funnier.
The dangers of knowledge trigger emotional distress in human beings.
1. Taunt Acunetix with 1,000 dollars cash to hack into web sites
2. Turn Acunetix into the authorities when they provide proof of their hacking
3. Profit!
Strange women lying in ponds distributing swords is no basis for a system of government.
Fools and their money are easily parted
"Stallman says add to this code and you are one of us. Gates says use this code and you belong to us."
Acunetix have just HACKED into Snyder's bank account and helped themselves to the $1000.
Acunetix accepts the challenge and they want to audit networkworld.com, they'll find something for sure. That guy really has no idea how insecure the web is.
We've begun basic testing vendor and supplier web sites that we do business with (they are required to let us poke around as long as we notify them if we find anything).
Three of five tested since we started in October threw an error when a ' was put in the login user name field. When the ' was replaced with
a' or 'a' = 'a
and no password, the three dumped us into the administrator's page (dirt-simple SQL injection). On the last one, it took us longer to find the login page than it did to get admin access. None of them knew we did it.
Take one custom-written web application, add programmers that are just happy to get it working, leave out the web application firewall and you get in.
I'll put $10k on the table with Snyder.
In fact I had my site checked with Acunetix when I requested a trial.
And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that's close to, I dare say, un-hackable.
So I had them scan my site just for kicks and to see the HTTP requests they were using.
Needless to say ALL I got were false positives, well I did have an e-mail address on the site for submissions of papers, code etc and they reported it as personal data.
I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.
Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate, it's good enough though.
I used to work as a web developer for a small company that did a lot of other small companies' web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.
Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.
And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.
If anything, 70% is low.
I'm in the hole of the broadband donut.
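The two posts above describe the same defect from both sides: the login form that dumps you into the admin page when the user name field contains a' or 'a' = 'a, and the shop that pasted $_POST straight into SQL and kept passwords in plain text. The following is an added example, not code from any of the posters or from Acunetix; it uses an in-memory SQLite table with constructed accounts (the user names, passwords and table names are assumptions) to show the string-built query, the lone-quote probe the post used to spot it, the bypass, and the parameterised, hashed-password form that resists both.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; names, passwords and roles are assumptions
# for this example, not data from any site mentioned in the thread.
SAMPLE_USERS = [
    ("admin", "correct horse", "administrator"),
    ("alice", "s3cret", "user"),
]


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the stored value is useless if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_db():
    """In-memory database with two tables: one storing plaintext passwords
    (the practice the post describes) and one storing salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT, salt BLOB, pw_hash BLOB, role TEXT)")
    for name, pw, role in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?, ?)", (name, pw, role))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?, ?)",
                     (name, salt, hash_password(pw, salt), role))
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string formatting. A lone quote in a field
    breaks the SQL syntax (the error the post saw), and because AND binds
    tighter than OR, a trailing "or 'a' = 'a" makes the whole condition true
    for every row, so the first row (here the administrator) comes back."""
    sql = ("SELECT username, role FROM users_plain "
           "WHERE password = '%s' AND username = '%s'" % (password, username))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised lookup plus constant-time hash comparison: user input is
    never parsed as SQL, and an unknown user name simply matches nothing."""
    row = conn.execute(
        "SELECT salt, pw_hash, role FROM users_hashed WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return None
    salt, stored, role = row
    if hmac.compare_digest(stored, hash_password(password, salt)):
        return (username, role)
    return None


def quote_probe(login_fn, conn):
    """The post's first test: does a single quote in the user name field
    produce a database error? True means the input reaches the SQL parser."""
    try:
        login_fn(conn, "'", "")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    payload = "a' or 'a' = 'a"
    print("vulnerable, valid creds :", login_vulnerable(conn, "alice", "s3cret"))
    print("vulnerable, payload     :", login_vulnerable(conn, payload, ""))
    print("safe, payload           :", login_safe(conn, payload, ""))
    print("quote probe, vulnerable :", quote_probe(login_vulnerable, conn))
    print("quote probe, safe       :", quote_probe(login_safe, conn))
```

The column order in the vulnerable query matters only for the demonstration: with the password test placed first, the trailing OR lifts the whole condition to true, which is the "no password needed" behaviour the post reports. The fix does not depend on order at all, because a bound parameter is passed to the engine as a value rather than spliced into the statement text.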
Ok then..."70% of Girls cannot reach orgasm!". I can prove it to you free of charge!
Kudos to Joel for putting it to them!
If Acunetix is legit, then maybe they should take up the challenge without requesting funds if they succeed. That'd be the right thing to do, after consulting with lawyers to find out what the ramifications would be.
However, $1000 isn't going to draw anyone else into the fray, I don't think... No rogue hacker will offer up a solution to open doors, or even acknowledge them for $1000, its not economically feasible for them to do so when the gains they can realize from NOT accepting the challenge outweigh the $1,000 they can make by doing so....
Those that have been hacked and those that can be but no-one's bothered to do so yet.
Fact is that there is not such thing as an unhackable site/host, however one can at least make a network more trouble than it's worth to try to hack.
What's that old saw: Anything that the human mind can build another human mind can figure out. Or something like that...
Who is this delectable creature with an insatiable love of the dead?
I'm the original poster and I run a web hosting provider myself. The way I do it that is guaranteed to keep shell users out is to put everyone in the users group and then make home directories 705 and owned by the users group. That keeps users out but allows Apache in. Then I have Apache/PHP setup in a way that prevents users from accessing other users' files. I don't want to rely on hoping things are safe, I want to be sure that they are. Still, PHP has some flaws in it that can't 100% guarantee that, but I can't go into that.
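The trick in the post relies on how Unix picks a permission triad: a non-owner who is in the directory's group gets the group bits and never falls through to the "other" bits, so a 705 home owned by a group that every shell user belongs to blocks those users while a web server outside that group passes. The following is an added example, not the poster's code or any hosting provider's tooling; it builds a constructed two-user tree (one 711 home as the original post found, one 705 home as recommended), then audits which credential files a fellow shell user and the web server could reach, computing from mode bits the way the kernel does. The credential file names and the "web server gid" are assumptions for the example.

```python
import os
import stat
import tempfile

# File names that commonly hold database credentials. The list is an
# assumption for this example, not something the thread enumerates.
SENSITIVE_NAMES = {"config.php", "wp-config.php", ".env", "settings.php"}


def effective_bits(mode, file_gid, actor_gid):
    """Permission triad that applies to a non-owner: the group bits if the
    actor belongs to the file's group, otherwise the 'other' bits. This is
    why a 705 home owned by the shared users group blocks shell users
    (group = ---) yet admits a web server outside that group (other = r-x)."""
    if file_gid == actor_gid:
        return (mode >> 3) & 0o7
    return mode & 0o7


def actor_can_read(path, root, actor_gid):
    """Check every component below root the way the kernel does: execute on
    each directory, read on the final file. One failed component denies."""
    cur = root
    for part in os.path.relpath(path, root).split(os.sep):
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        bits = effective_bits(st.st_mode, st.st_gid, actor_gid)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 0o1:
                return False
        elif not bits & 0o4:
            return False
    return True


def audit(root):
    """For each credential file under a shared hosting root, report whether a
    fellow shell user (member of the shared group) and the web server (not in
    that group) could read it. Returns {relative path: {actor: bool}}."""
    shared_gid = os.stat(root).st_gid   # the group all shell users share
    webserver_gid = shared_gid + 1      # any gid outside that group (assumption)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_NAMES:
                continue
            full = os.path.join(dirpath, name)
            findings[os.path.relpath(full, root)] = {
                "shell_user": actor_can_read(full, root, shared_gid),
                "web_server": actor_can_read(full, root, webserver_gid),
            }
    return findings


def build_sample_tree():
    """Constructed layout: 'alice' has the 711 home the original post found,
    'bob' the 705 home the poster recommends. Both keep a 644 config.php under
    public_html, as PHP sites commonly do."""
    root = tempfile.mkdtemp(prefix="hosting-")
    for user, home_mode in (("alice", 0o711), ("bob", 0o705)):
        home = os.path.join(root, user)
        web = os.path.join(home, "public_html")
        os.makedirs(web)
        cfg = os.path.join(web, "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-example';\n")  # constructed
        os.chmod(cfg, 0o644)
        os.chmod(web, 0o755)
        os.chmod(home, home_mode)
    return root


if __name__ == "__main__":
    for path, who in sorted(audit(build_sample_tree()).items()):
        print(path, who)
```

The web_server column stays True for both homes, which is the limit of a permissions-only fix: when PHP runs inside the web server process (mod_php, as another reply in this thread notes), every site's scripts run as that same user and can read every other site's config, which is why the poster separately relies on the Apache/PHP setup, and why others in the thread point to CGI/suexec, to keep sites apart.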
Having dealt with tons of owned sites over the years I would say that 70% is a very low figure. I would also say that 90% of these tools the security vendors are throwing around are also trash. They point out obvious flaws in some cases but the tools are nowhere near as crafty as the human brain at exploiting web sites. Script kiddies using known vulnerabilities are one thing but stopping somebody hell bent on getting in is much, much tougher.
Got Code?
First this is a load of crap and they sound like morons. But second, I will pay them $50,000 if they can rob 3 banks chosen at random! Maybe we can get them in jail by the end of attempt #1? :D
You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
Reduce, reuse, cycle
I think that the numbers might be a little misleading, but I'm not sure that 70% is entirely incorrect. I think that it depends heavily on what sites are included in the sample, and how you define "can be hacked".
For the first point, although big websites certainly have had their share of vulnerabilities, the number is certainly less than 70% (I would venture a guess that it's in the area of 25%, which is still way more than it should be) - but if you start adding in things like people's home boxes running quick and dirty PHP sites, things out there for testing purposes, various boards and such, I wouldn't be surprised if the numbers start reaching 70%.
The other point of course is how you define hackable. Anything is hackable, given a sufficient amount of time and desire on the part of an intruder. Even if a machine storing personal data was disconnected from any sort of network and locked up in a safe, someone could always break into the safe and steal the computer.
The question really should be: What percent of websites which contain a significant amount of personal data have vulnerabilities which are easily enough exploited to be a viable target for: A: script kiddies/etc. B: moderately skilled and determined intruders, and C: highly skilled and determined intruders.
Famous Last Words: "hmm...wikipedia says it's edible"
My first thought was "what's the percentage of sites run by Nuke's, Joomla's, Mambo's and such CMS systems". I mean, when PHPBB gets hacked (again) it affects a HUGE number of sites. My employer recently had a security audit and they found out what most of us developers have been telling them for a while...they had consultants build things, decrease timelines while increasing scope creep...things got fudged and now they don't understand why our sites failed. I look at some of the stuff I inherited and just look at it and say WTF? I built a little CMS for myself, a few people downloaded it and use it, it's grown and I just experienced my first real exploit in my 10 year career in web dev. It was a REAL learning experience for me. I know all the theory of security and all that, but practicing it is another matter; when people want things yesterday it makes it hard to resist cutting that little corner.
dB Masters
Professional Hitman Mr Smith is flogging a survey that claims 7 out of 10 people he has checked have a lack of police protection posing a medium- to high-level risk of getting them murdered. The police's go-to security guy, Mr Doe, says that percentage is 'sensationalist nonsense' -- and he's willing to back that judgment with $1,000 of his own money. In fact Mr Doe will pay up if Mr Smith can whack 3 of 10 people chosen at random from his survey list."
Yeah, I know, that's why I said "*close to* un-hackable" .
:P
Though when the design of a system is very simple, securing is quite easy.
And when the guy who made it is as paranoid as me and has this small system locked down and filtered from each and every variable,
then the chances of it being un-hackable are pretty good.
I'd dare you to try and hack it, but, since Acunetix failed there's no point.
I was about to post something spouting off an opinion before reading the article, but figured I'd better check it first. I was GOING to say, "but do that many sites contain information worth stealing?" But I then wimped out and read the article.
According to the article, the ground rules (in particular, what kinds of sites are fair game) are still up in the air. So this whole thing is still lacking in some pretty basic parameters, which makes use of such a definitive range of percentages kind of silly. It's like saying, "70% percent of some people are redheads." That sounds like a lot of redheads, but without defining the "some people" part, it's just wind.
It's an interesting thought and gets people talking about it, which is certainly not a bad thing. But it's little more than that at this point.
It is pitch black. You are likely to be eaten by a grue.
Yeah, trust them, we have had people in Russia doing scans of our sites with cracked versions of their software. When we contacted them about it, they basically said they gave up trying to protect their OWN SOFTWARE. As far as their software goes, it does ok in terms of giving them a layout of a host's website, and looking for possible SQL injection variables. I have NO respect for this kind of fear mongering and therefore it is pretty hard to trust them with something so important, just because it does ONE thing well.
The subject line of their e-mail reads - "Acunetix Accepts the Network World Challenge" - but, as you'll see, that claim isn't any more supportable than the company's press release, which they at least have the good graces to concede was "apocalyptic."
http://www.networkworld.com/community/?q=node/115
True, due diligence is the customer's responsibility. But how many customers REALLY know what to check for when it comes to security, infrastructure or otherwise? Let's face it, even those who bother to pick up the phone and call a provider will at most ask "are you secure" etc., and naturally the rep will say "absolutely". I mean, look at the whole Blackboard course management system mess. Do you really think any techie would choose them over Angel, the myriad open source solutions, et al? Of course not. But the techies don't get asked questions until the question is "what can we do to fix this situation/save our ass/cut our losses?".
It would be nice if there were recognized standards out there with a "seal of approval" of sorts, akin to the ISO 9000/9001 etc. assuring customers of reasonable security, adequate infrastructure, etc.
At least then the clueless stuffed-shirts that make the decisions would have *some* inkling if a provider was up to snuff.
I'm surprised that 7 of 10 sites even contain personal data. Just what sites was he checking?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Even for as advanced as the web on the whole has become, I still suspect that most sites are static HTML. Unless they're talking about vulnerabilities in httpd's as well as vulnerabilities in site design, I think they're sunk, because unless you're doing something at least moderately complex with scripts and databases, your site is probably very secure. The bet needs a qualifying limiter or something to clarify that it only applies to *AMP sites or some such, because the average geocities, angelfire, or similar-quality privately hosted site is just not really hackable, because everything that makes up the website is already publicly viewable...images and text, no personal data that isn't intentionally exposed, and there is nothing on the box / vm / whatever other than the site. At best, if the box is misconfigured or unpatched, they can claim that it is defaceable, but that's not nearly the same thing.
Unpleasantries.
Note that DSP is a real world application of statistics. Without it, Cellphones and the like would be impossible.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list.
If any story deserved an "itsatrap" tag, this is one!
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
with mod_php ?
because PHP safe_mode is a joke
CGI/suexec is the only way I know about, though I gave up once I'd got it sorted so there may be another.
DB passwords - putting them in httpd.conf is a start.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
www.voterlistsonline.com Don't even need to see it, and it already scares you, right? ;_)
"I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the people that we checked were seriously vulnerable to murder during the time we checked them. Others believe that these figures are much greater. We are willing to accept the challenge. However we feel that the subject of the challenge should be Mr. Doe rather than - as Mr. Doe suggested - an innocent third party victim. After all, making a wager with someone else's life would be unfair, and furthermore illegal. So we will accept the wager and perform a check on Mr. Doe and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Doe's comments, he is confident that he is secure."
Do you want to hire a tester? I'm good, and I will find problems.
Seriously though, I've heard the unsinkable claim before...
imho, unbreakable should mean, "when it breaks, nothing is lost and restarting is trivial". Nothing else is real, so it'd just be a false sense of security.
I imagine that your way of coding leads to triple-checked user input, verified fields, proper argument quoting. At a minimum. This and much I've never heard of. But it will have flaws you've never heard of either.
I'd assume instead that the system was swiss cheese and I'd concentrate on making sure I didn't actually put the customer's CC # on disk, ever, cache or anything, so that when a hack happened I didn't lose every CC I'd ever processed.
Then I'd go through and secure it as best as I could. But only by understanding the inherent insecurity of every line of code written and that failures happen. Maybe internal, maybe with 0-day bugs in the kernel, maybe just because I forgot to validate input yet again on the hundredth similar, yet not quite close enough to be the same, code that I've written. Just maybe.
Acunetix reveals statistical results based on one year of conducting web application scans
Kirkland, Washington - February 15, 2007 - It has been an interesting 24 hours for anybody keen on web application security. Network World Labs Alliance Security Expert Joel Snyder played down the danger of web application security and challenged Acunetix to hack a website.
Following Acunetix publishing the results of its free web security survey (http://www.acunetix.com/news/security-audit-results.htm), Network World Editor Paul McNamara and Network World Lab Alliance stalwart (http://www.networkworld.com/alliance/snyder.html) down-played the dangers of online web security, stating that only a minute number of commercial websites are hackable, that most websites do not have any worthwhile data on them anyway (http://www.networkworld.com/community/?q=node/11477), and that cross site scripting and SQL security vulnerabilities are not dangerous (http://www.networkworld.com/community/?q=node/11501 and http://it.slashdot.org/comments.pl?sid=222326&cid=18010732).
Snyder mocked the data on which Acunetix based its press release. "First off, we definitely did write the press release in a way that it would catch attention. But hey, what's the point of a press release if you can't do that?" exclaims Galea.
"The data on which we based our report was factual and correct. We offered Network World to give a trusted third party access, but they have not responded to this", he continues "For this, we feel compelled to publish the month by month data upon which this earlier press release was based."
The link to the report is found here: http://www.acunetix.com/security-audit/acunetix_report.pdf
The initial press release stated the following facts based upon this report:
1. Acunetix has scanned 3,200 sites belonging to either businesses or non-commercial entities.
2. 70% of the websites scanned were found to contain high or medium vulnerabilities.
3. There is an extremely high probability of these vulnerabilities being discovered and manipulated by hackers to steal the sensitive data these organizations store.
4. 50% of the websites with instances (or number of times that an alert was triggered by the automated scan) of high vulnerabilities were susceptible to SQL Injection while 42% of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.
In the interest of web security, Acunetix is keen to hear feedback on these findings. The company is also ready to have the data (permissions/authorizations obtained) verified by a trusted third party.
The second issue relates to the challenging of Acunetix for $1000 to hack the audited websites and obtain confidential information from at least three of ten sites chosen. Acunetix accepted the challenge, but demanded that the subject of the hack attempt should be the Network World website.
"Clearly the subject of a challenge should be one's own property, and furthermore the website is commercial and is certainly deemed to contain worthwhile information", claims Kevin J Vella, VP Sales and Operations, Acunetix. "After side-stepping our counter challenge Network World finally went mute on this topic, and seemingly its employee and associate are backing out of their claims."
"It is disappointing to see online security taken so lightly but it further confirms our view that the dangers of web attacks are simply not known." remarks Vella.
In fact, leading web security expert, Jeremiah Grossman, posted an update yesterday
It's not as simple as you think.
Customer calls up and says they want to set up DNS and web hosting. You check whois; the domain is registered, but the contact info is anonymous (most registrars offer this service now, and there are several proxy registration services). Of course your own DNS servers aren't listed as authoritative, because if the customer changes that before setting up their web site on your servers, things will break.
The customer says it's their domain. It's not cnn.com or slashdot.org or bankofamerica.com, it's something you've never heard of.
If you take the customer's word for it, it's possible it was somebody else's site and they're trying to phish personal data. But if you don't take the customer's word for it, you're making the customer jump through hoops that the customer doesn't see the need for, and which your competition won't make them jump through.
I agree that using different DNS servers for hosting and for ISP lookups is the right solution. To make sure there's no confusion, recursive queries should be disabled on the servers used for hosting.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Unlikely to happen? I tested and it happened at 2 different ISPs. I saw it occur at a 3rd. It happened to us.
/real/ e-mail server. The key is that you send the e-mail from the same server hosting your faked domain.
If you purchase a reseller account, many ISP's will let you setup new domains via scripts without any checks that you mention. It's all automated. There's no-one in the loop to question this.
Don't believe me? Get a trial account at a few ISPs. Setup one of your domain names at said ISPs and then try to send e-mail using the SMTP/webmail server at this ISP to your domain name. In other words, if you own domain.com then setup a new version of domain.com at this new ISP and see where the e-mail goes when you send it via their servers. It will likely go to their e-mail server, and not your
I was not speaking theory, I was speaking from experience in my initial post.