70% of Sites Hackable? $1,000 Says "No Way"
netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."
I can totally believe this. Especially after some recent research that I've done into the security of one specific web hosting provider. It wasn't the users' fault, it was very poor security on the side of the provider. Of course, the provider states how good their security is on their website, but it's only false security. For instance, home directories have the permissions 711, which would make the casual unix user think that you can't view files in the person's home directory, but of course, since there is a predictable structure under that, it is trivial to get into someone's web directory which is world readable. And thus you can get access to their database passwords and so on. And this is a very large hosting provider, over 100,000 websites are hosted with them. I can only imagine that many other hosting providers have these same types of problems.
Actually, I am wanting to release my findings publicly and name the hosting provider, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hacker tools, eh? With how many users and servers this place has, I'm amazed they haven't had all their users' accounts wiped out. It would be trivial to do.
I think I may start an anonymous blog to document these cases.
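The poster's point about 711 home directories is that a directory which is traversable (x) but not listable (r) only hides file names; any world-readable file beneath it is still readable by anyone who can guess the path. The audit below is an added example, not the poster's code or the hosting provider's tooling: it builds a constructed `/home`-style tree with a 711 account and a 700 account, walks it as the owner or root would, and reports every regular file that an arbitrary local user could read, noting when the only thing "protecting" it is a non-listable parent. The directory layout, file names and the `strip_other_bits` remediation are assumptions for the demonstration.

```python
import os
import stat
import tempfile


def world_exposed_files(root):
    """Return sorted (relative_path, note) pairs for every regular file under
    root that 'other' can read.

    A file is reachable by 'other' when it has o+r and every directory between
    root and the file has o+x.  If one of those directories lacks o+r it cannot
    be listed (the 711 pattern), which hides names but not contents.  root itself
    is assumed to be world-traversable, as /home normally is.
    """
    findings = []
    # Stack entries: (directory, True once an ancestor was traversable but not listable)
    stack = [(root, False)]
    while stack:
        dirpath, hidden_only = stack.pop()
        with os.scandir(dirpath) as it:
            for entry in it:
                mode = entry.stat(follow_symlinks=False).st_mode
                rel = os.path.relpath(entry.path, root)
                if stat.S_ISDIR(mode):
                    # A directory without o+x blocks the whole subtree for 'other'.
                    if mode & stat.S_IXOTH:
                        stack.append((entry.path, hidden_only or not (mode & stat.S_IROTH)))
                elif stat.S_ISREG(mode) and mode & stat.S_IROTH:
                    note = ("reachable by guessed path only (parent is 711-style, not listable)"
                            if hidden_only else "listable and world-readable")
                    findings.append((rel, note))
    return sorted(findings)


def strip_other_bits(root, findings):
    """Remediation: clear every 'other' permission bit on the flagged files."""
    for rel, _ in findings:
        path = os.path.join(root, rel)
        mode = os.stat(path).st_mode
        os.chmod(path, mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


def build_demo_tree():
    """Constructed sample layout imitating a shared host's /home (not real data)."""
    root = tempfile.mkdtemp(prefix="demo_home_")
    dirs = [("alice", 0o711), ("alice/public_html", 0o755),
            ("bob", 0o700), ("bob/public_html", 0o755)]
    files = [
        ("alice/public_html/config.php", 0o644, "<?php $db_pass = 'constructed-secret'; ?>\n"),
        ("alice/private.txt", 0o600, "owner only\n"),
        ("bob/public_html/config.php", 0o644, "<?php $db_pass = 'also-constructed'; ?>\n"),
    ]
    for rel, mode in dirs:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)          # chmod explicitly so umask cannot interfere
    for rel, mode, text in files:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    home = build_demo_tree()
    for path, note in world_exposed_files(home):
        print("%-32s %s" % (path, note))
```

Only `alice/public_html/config.php` is reported: alice's 711 home lets anyone descend into `public_html`, and the 644 config is readable once the path is guessed. Bob's 700 home blocks traversal, so his identical config is not reachable by others. Clearing the "other" bits is the quick fix; on a shared host the durable fix is to stop relying on them at all, by running each site's PHP as its owner (suexec or per-user PHP-FPM pools) or granting the web server access through a group, so that configuration files can be 640 or 600.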
...seriously, this can't be? Right?
The actual hacking, not the challenge, that is.
.: Max Romantschuk
At least he's not offering $1000 per site hacked, unlike the shmuck who offered a $1,200 bounty on every unsold PS3.
=Smidge=
For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.
While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.
I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Reminds me of: "Three statisticians went out hunting, and came across a large deer. The first statistician fired, but missed, by a meter to the left. The second statistician fired, but also missed, by a meter to the right. The third statistician didn't fire, but shouted in triumph, 'On the average we got it!'"
"I've got a plan so cunning you could put a tail on it and call it a weasel"
Acunetix have just HACKED into Snyder's bank account and helped themselves to the $1000.
We've begun basic testing vendor and supplier web sites that we do business with (they are required to let us poke around as long as we notify them if we find anything).
Three of five tested since we started in October threw an error when a ' was put in the login user name field. When the ' was replaced with
a' or 'a' = 'a
and no password, the three dumped us into the administrator's page (dirt-simple SQL injection). On the last one, it took us longer to find the login page than it did to get admin access. None of them knew we did it.
Take one custom-written web application, add programmers that are just happy to get it working, leave out the web application firewall and you get in.
I'll put $10k on the table with Snyder.
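The three logins above fail in the textbook way: a lone `'` breaks the query (the error the poster saw), and `a' or 'a' = 'a` with an empty password turns the `WHERE` clause into something that matches every row, so the first row, typically the administrator, is returned. The code below is an added example, not the poster's or any vendor's code: a constructed SQLite user table, a vulnerable login that pastes request fields into SQL, and the parameterized version that treats the same input as plain data. Note the clause order: the injected `or` only takes effect when it is not swallowed by a higher-precedence `AND`, which is why the constructed query checks the password first; that ordering is an assumption about the demo, not about the vendors' sites.

```python
import sqlite3

# Constructed sample users. Plaintext passwords are kept only to mirror the
# flaw under discussion; real systems store salted hashes.
DEMO_USERS = [
    ("admin", "correct horse", "administrator"),
    ("jsmith", "hunter2", "user"),
]


def make_demo_db():
    """In-memory table standing in for a vendor's login database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                   DEMO_USERS)
    return db


def login_vulnerable(db, username, password):
    """Anti-pattern: request fields interpolated straight into SQL.
    Returns the role of the first matching row, or None."""
    sql = ("SELECT role FROM users WHERE password = '%s' AND username = '%s'"
           % (password, username))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Fix: placeholders keep user input as data, never as SQL syntax."""
    row = db.execute(
        "SELECT role FROM users WHERE password = ? AND username = ?",
        (password, username),
    ).fetchone()
    return row[0] if row else None


def quote_probe_errors(db):
    """True when a single quote in the username produces a SQL syntax error,
    the symptom the poster used to spot the flaw from the outside."""
    try:
        login_vulnerable(db, "'", "")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    probe = "a' or 'a' = 'a"
    print("quote probe errors:", quote_probe_errors(db))
    print("vulnerable login  :", login_vulnerable(db, probe, ""))
    print("parameterized     :", login_parameterized(db, probe, ""))
```

With the string-built query the probe logs in as `administrator` with no password; with placeholders the same input is compared literally against the `username` column and matches nothing. A web application firewall, as the poster notes, would only have masked the symptom; parameterized queries remove the class of bug.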
In fact I had my site checked with Acunetix when I requested a trial.
And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that's close to, I dare say, un-hackable.
So I had them scan my site just for kicks and to see the HTTP requests they were using.
Needless to say ALL I got were false positives, well I did have an e-mail address on the site for submissions of papers, code etc and they reported it as personal data.
I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.
Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate; it's good enough, though.
I used to work as a web developer for a small company that did a lot of other small companies' web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.
Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.
And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.
If anything, 70% is low.
I'm in the hole of the broadband donut.
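The plaintext password storage described above is the other half of the problem: once a query is injectable, every credential in the table is readable as-is. The block below is an added example, not the poster's or their former employer's code, showing what the password column should have held instead: a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), a constant-time verify, and a check for records whose work factor has fallen behind so they can be re-hashed at the next successful login. The storage format string and the 600,000-iteration default are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # example work factor; tune to your hardware budget


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algo$iterations$salt$digest.
    A fresh 16-byte salt per record defeats rainbow tables and makes two
    users with the same password indistinguishable in the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, _b64(salt), _b64(digest))


def _parse(stored):
    parts = stored.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:
        return None


def verify_password(password, stored):
    """Constant-time comparison against the stored record; malformed or
    foreign records simply fail instead of raising."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when the record uses fewer iterations than current policy, so the
    application can re-hash it transparently after a successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


# Minimal in-memory "users table" showing where the record lives.
def register(users, username, password):
    users[username] = hash_password(password)


def authenticate(users, username, password):
    stored = users.get(username)
    if stored is None:
        return False
    ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        users[username] = hash_password(password)   # upgrade work factor in place
    return ok


if __name__ == "__main__":
    users = {}
    register(users, "jsmith", "hunter2")
    print(users["jsmith"])
    print("right password:", authenticate(users, "jsmith", "hunter2"))
    print("wrong password:", authenticate(users, "jsmith", "hunter3"))
```

Two registrations of the same password produce different records because the salt differs, and a stolen table yields only slow-to-guess digests rather than reusable credentials. Where a dedicated library is available, argon2id or bcrypt are the usual preference; the structure above (random salt, slow KDF, constant-time compare, re-hash on policy change) is the same either way.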
Ok then..."70% of Girls cannot reach orgasm!". I can prove it to you free of charge!
Kudos to Joel for putting it to them!
Why this particular comment? What's so special about it? This is incredibly self-centered of you, to assume that your comment will be a major target for the trolls.
There's lots of good comments out there that would make better targets. This comment, for instance, is much more interesting. Not only is it longer, it's also a lot wittier and better thought out altogether. Oh, and did I mention that it's also self-referencing? Beat that!
I hear there's rumors on the Slashdots
Well they could contact the 3 selected website operators, explain the situation and that it's for their own good, and offer to do all work onsite under their eyes or at least offer to share their results with the company in question and see those security holes closed before any acknowledgement of a result from the contest is announced.
I know, companies don't like being hacked even if it's for the un-noble cause of "demonstrating the hole in their security" so that it can be fixed; but if the company in question is approached beforehand, and offered assurance that they will not be caused to be a laughing stock, I'm sure a CTO could explain that "while we followed the best practices in the security industry, we felt it prudent to reassure ourselves and our customers that these practices would protect them. What we found was they aren't, and we're happy to say that we have taken several steps to protect them, steps above and beyond what our competition is doing" or something like that....
You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
Reduce, reuse, cycle
My first thought was "what's the percentage of sites run by Nuke, Joomla, Mambo and such CMS systems". I mean, when PHPBB gets hacked (again) it affects a HUGE number of sites. My employer recently had a security audit and they found out what most of us developers have been telling them for a while... they had consultants build things, decrease timelines while increasing scope creep... things got fudged and now they don't understand why our sites failed. I look at some of the stuff I inherited and just look at it and say WTF? I built a little CMS for myself, a few people downloaded it and use it, it's grown and I just experienced my first real exploit in my 10 year career in web dev. It was a REAL learning experience for me. I know all the theory of security and all that, but practicing it is another matter; when people want things yesterday it makes it hard to resist cutting that little corner.
dB Masters
Professional Hitman Mr Smith is flogging a survey that claims 7 out of 10 people he has checked have a lack of police protection posing a medium- to high-level risk of getting them murdered. The police's go-to security guy, Mr Doe, says that percentage is 'sensationalist nonsense' -- and he's willing to back that judgment with $1,000 of his own money. In fact Mr Doe will pay up if Mr Smith can whack 3 of 10 people chosen at random from his survey list.
I was about to post something spouting off an opinion before reading the article, but figured I'd better check it first. I was GOING to say, "but do that many sites contain information worth stealing?" But I then wimped out and read the article.
According to the article, the ground rules (in particular, what kinds of sites are fair game) are still up in the air. So this whole thing is still lacking in some pretty basic parameters, which makes use of such a definitive range of percentages kind of silly. It's like saying, "70% of some people are redheads." That sounds like a lot of redheads, but without defining the "some people" part, it's just wind.
It's an interesting thought and gets people talking about it, which is certainly not a bad thing. But it's little more than that at this point.
It is pitch black. You are likely to be eaten by a grue.
This is tosh.
If you are seriously claiming that you could 'hack' any host running any software to get arbitrary permissions, or a shell session, or access an arbitrary file then you are just mad. On what basis do you say this? It's connected to a network therefore it can be hacked? Whuh?
(I can't believe you were modded informative of all things. Insightful I might have laughed off, but informative?!)
Justin.
You're only jealous cos the little penguins are talking to me.
The problem with that is that these companies know mud sticks. If the report says they were hacked, then no amount of them saying they fixed the holes and are now more secure than ever will completely remove that taint. Not only that, if these companies cared so much about security in the first place there wouldn't be holes, the main problem is that security is often sacrificed in the name of economy, so they're unlikely to want to shell out money fixing holes if they can just carry on ignoring them for free. Unfortunately that's why a lot of sites are insecure, because it's the cheaper option to turn a blind eye and hope that you won't get hit - for the most part it works I guess.
True, due diligence is the customer's responsibility. But how many customers REALLY know what to check for when it comes to security, infrastructure or otherwise? Let's face it, even those who bother to pick up the phone and call a provider will at most ask "are you secure" etc., and naturally the rep will say "absolutely". I mean, look at the whole Blackboard course management system mess. Do you really think any techie would choose them over Angel, the myriad open source solutions, et al? Of course not. But the techies don't get asked questions until the question is "what can we do to fix this situation/save our ass/cut our losses?".
It would be nice if there were recognized standards out there with a "seal of approval" of sorts, akin to the ISO 9000/9001 etc. assuring customers of reasonable security, adequate infrastructure, etc.
At least then the clueless stuffed-shirts that make the decisions would have *some* inkling if a provider was up to snuff.
I'm surprised that 7 of 10 sites even contain personal data. Just what sites was he checking?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Even for as advanced as the web on the whole has become, I still suspect that most sites are static HTML. Unless they're talking about vulnerabilities in httpd's as well as vulnerabilities in site design, I think they're sunk, because unless you're doing something at least moderately complex with scripts and databases, your site is probably very secure. The bet needs a qualifying limiter or something to clarify that it only applies to *AMP sites or some such, because the average geocities, angelfire, or similar-quality privately hosted site is just not really hackable, because everything that makes up the website is already publicly viewable... images and text, no personal data that isn't intentionally exposed, and there is nothing on the box / vm / whatever other than the site. At best, if the box is misconfigured or unpatched, they can claim that it is defaceable, but that's not nearly the same thing.
Unpleasantries.
Apologies if I'm interpreting your comment incorrectly, but if you're saying that you believe there is such a thing as an unhackable web site, then I can truly say that I'd *never* hire you in an IT capacity. Like an army general who truly believes his forces are invincible, by the very expression of that belief you are defeated before even going into battle.
*Always* assume you are vulnerable. Be paranoid. And spend time snooping and hanging around in the areas where the crackers (to use the *correct* terminology) hang out and catch all the chatter. You'll be pleasantly surprised at how those systems you thought secure really aren't.
Cheers
Who is this delectable creature with an insatiable love of the dead?
I'd doubt that. I recently had a scan done on a development site I am working on, and got a high vulnerability rating. Based on the weblogs, some simple correlation, and the fact that I quietly remove invalid characters rather than printing an error, my "High" rating of insecurity is in fact a low... these guys don't read their work; it's just like running Nessus or Nmap without checking your answers, if you don't look hard enough you're not going to find the answer.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...