Slashdot Mirror


70% of Sites Hackable? $1,000 Says "No Way"

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."

27 of 146 comments

  1. I'll take that $1000 now. by Anonymous Coward · · Score: 5, Insightful

    I can totally believe this. Especially after some recent research that I've done into the security of one specific web hosting provider. It wasn't the users' fault, it was very poor security on the side of the provider. Of course, the provider states how good their security is on their website, but it's only false security. For instance, home directories have the permissions 711, which would make the casual unix user think that you can't view files in the person's home directory, but of course, since there is a predictable structure under that, it is trivial to get into someone's web directory which is world readable. And thus you can get access to their database passwords and so on. And this is a very large hosting provider, over 100,000 websites are hosted with them. I can only imagine that many other hosting providers have these same types of problems.

    Actually, I am wanting to release my findings publicly and name the hosting provider, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hackers' tools, eh? With how many users and servers this place has, I'm amazed they haven't had all their users' accounts wiped out. It would be trivial to do.

    I think I may start an anonymous blog to document these cases.

    1. Re:I'll take that $1000 now. by Eivind · · Score: 3, Insightful

      Having web-directories 755 or similar ain't in itself a threat. Now, if the setup is such that you can't restrict readability of config-files and have them still readable by your php (or whatever!) process, then they're seriously fucked, agreed.

      My web-directory is 755 too, along with 644 for the static content there. However all my script and config-files are 640 with the group set to a group (user_web) that all scripts run as.

      Basic idea? If you're clueless you're screwed no matter what. And if your hosting-provider is sufficiently clueless, then you're screwed even if you have a clue. Unless you use that clue to find a new hosting-provider.

    2. Re:I'll take that $1000 now. by Tony+Hoyle · · Score: 3, Insightful

      I've seen plenty of scripts with instructions like

      "Install this then chmod -R 777 so that the script can work"

      Clueless noobs then go and install it and wonder why they're hacked the next week...

      I always go through locking down such scripts (minimal permissions, rename all config files and, if possible, put them outside the web root. Same for writable directories if any are required). Those that can't be locked down are simply deleted.
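The scheme Eivind describes (755 directories, 644 static files, 640 scripts and config files owned by the group the scripts run as) and the `chmod -R 777` install advice Tony Hoyle complains about can both be checked mechanically. The following is an added example, not code from either poster: a Python audit that walks a web root and reports world-writable entries and world-readable scripts or config files, plus a function that applies the tighter mode bits. The file names it treats as secrets and the sample tree it builds in a temporary directory are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed list of file names that usually hold credentials (hypothetical, for this example).
SECRET_NAMES = {"config.php", "settings.php", "wp-config.php", ".env", "database.ini"}
# Extensions treated as server-side scripts that should not be readable by other local users.
SCRIPT_SUFFIXES = (".php", ".pl", ".py", ".cgi")


def classify(name, mode):
    """Return 'dir', 'secret', 'script' or 'static' for one directory entry."""
    if stat.S_ISDIR(mode):
        return "dir"
    if name in SECRET_NAMES:
        return "secret"
    if name.endswith(SCRIPT_SUFFIXES):
        return "script"
    return "static"


def audit_webroot(root):
    """Walk `root` and return a sorted list of (relative path, problem) findings.

    Reported: anything world-writable (the `chmod -R 777` case) and scripts or
    config files readable by every local user, which is how a neighbour on a
    shared host reads your database password.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits are not meaningful on most systems
            rel = os.path.relpath(path, root)
            kind = classify(name, mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if kind in ("secret", "script") and mode & stat.S_IROTH:
                findings.append((rel, f"{kind} world-readable"))
    return sorted(findings)


def harden_webroot(root):
    """Apply the scheme from the thread: directories 755, static 644, scripts and config 640.

    Group ownership (the user_web group in the comment) is left to the host's
    own tooling; only mode bits change here. Returns the number of entries touched.
    """
    target = {"dir": 0o755, "static": 0o644, "script": 0o640, "secret": 0o640}
    touched = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            wanted = target[classify(name, mode)]
            if stat.S_IMODE(mode) != wanted:
                os.chmod(path, wanted)
                touched += 1
    return touched


def demo():
    """Build a constructed 'chmod -R 777' install, audit it, harden it, audit again."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.mkdir(os.path.join(root, "uploads"))
        for rel in ("index.php", "config.php", "logo.png", "uploads/photo.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample content\n")
        # Mimic the install instructions complained about in the thread.
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                os.chmod(os.path.join(dirpath, name), 0o777)
        before = audit_webroot(root)
        harden_webroot(root)
        after = audit_webroot(root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    for rel, problem in before:
        print(f"BEFORE {rel}: {problem}")
    print(f"AFTER: {len(after)} findings")
```

A directory the application must write to (the upload directory in the sample tree) ends up 755 here, which is only correct when the web server runs as the owning user; on a host where scripts run under a separate account, that one directory needs the group-writable treatment Eivind describes rather than a blanket rule.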

    3. Re:I'll take that $1000 now. by cortana · · Score: 4, Funny

      GOD. There should be some code in chmod that activates when the user does that. The code should punch the user in the face.

    4. Re:I'll take that $1000 now. by ACMENEWSLLC · · Score: 3, Informative

      Security at ISPs generally sucks. We own multiple domains. We have multiple ISPs providing websites.

      I took one of our domains and set it up at the other ISP, and vice versa.

      When I sent an e-mail on domain1 to domain2, it didn't go to domain2. It went to the fake domain2 I set up with the ISP hosting domain1.

      This means their DNS that holds the zone data is also the same DNS server they use for lookups. Both ISPs had this problem.

      This means that someone could set up a domain ebay.com, or usbank.com, or whatever - set up a catch-all e-mail account. Any replies to these domains from people using that same server would go to my faked domain, not the real e-mail server.

      I've actually caught someone doing this with an ISP we don't use. All e-mails to us from this ISP's users were going to a 3rd party. I don't think it was intentional, as all e-mail addresses were being rejected. But I am not 100% certain.

      The fix is that these ISPs should use a DNS cache server with no local zone data. It should hit the root servers for lookup. It's a simple fix, but it costs a few bucks so many ISPs don't do this.
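The failure ACMENEWSLLC describes, one server holding customers' zone files and also answering recursive queries for the ISP's users, can be shown with a small model. The following is an added example and not the poster's own setup: a Python sketch in which a resolver prefers its locally hosted zones over the public tree, so a customer zone named after somebody else's domain shadows the real one for every client of that resolver, beside a caching-only resolver with no local zones, which is the fix the comment proposes. The public tree, the hosted zones and the addresses are all constructed (RFC 2606 `.example` names, documentation IP ranges), and `shadowed_zones` is a hypothetical check that reports hosted zones whose data disagrees with the public answer.

```python
# Constructed stand-in for the public DNS tree: zone apex -> {(name, type): rdata}.
PUBLIC_TREE = {
    "domain1.example.": {
        ("domain1.example.", "MX"): ["10 mail.domain1.example."],
        ("mail.domain1.example.", "A"): ["203.0.113.25"],
    },
    "domain2.example.": {
        ("domain2.example.", "MX"): ["10 mail.domain2.example."],
        ("mail.domain2.example.", "A"): ["198.51.100.25"],
    },
}


def longest_zone(name, zones):
    """Return the zone apex in `zones` that most closely encloses `name`, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def upstream_lookup(name, rtype):
    """Stand-in for walking the delegation chain from the root servers."""
    zone = longest_zone(name, PUBLIC_TREE)
    return list(PUBLIC_TREE[zone].get((name, rtype), [])) if zone else []


class Resolver:
    """Recursive resolver that optionally also serves hosted zones (the ISP setup in the comment)."""

    def __init__(self, local_zones=None):
        self.local_zones = local_zones or {}

    def lookup(self, name, rtype):
        zone = longest_zone(name, self.local_zones)
        if zone is not None:
            # Local authoritative data wins over recursion: a customer-hosted copy of
            # a name shadows the real one for every client of this resolver.
            return list(self.local_zones[zone].get((name, rtype), []))
        return upstream_lookup(name, rtype)


def shadowed_zones(local_zones):
    """Defender's check (hypothetical): hosted zones whose records disagree with the public tree."""
    return sorted(
        zone
        for zone, records in local_zones.items()
        if any(upstream_lookup(name, rtype) != list(rdata)
               for (name, rtype), rdata in records.items())
    )


def demo():
    """Constructed scenario: the ISP hosting domain1 also lets a customer load a zone named domain2."""
    hosted = {
        "domain1.example.": PUBLIC_TREE["domain1.example."],
        "domain2.example.": {("domain2.example.", "MX"): ["10 catchall.domain1.example."]},
    }
    combined = Resolver(local_zones=hosted)  # authoritative and recursive on one box
    caching_only = Resolver()                # the fix: recursion with no local zone data
    return {
        "combined_mx": combined.lookup("domain2.example.", "MX"),
        "caching_mx": caching_only.lookup("domain2.example.", "MX"),
        "shadowed": shadowed_zones(hosted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model collapses the real delegation walk into a dictionary lookup; what it preserves is the ordering rule that matters here, that a server answering from its own zone files never asks the public tree about those names, so the only robust fix is the split the comment proposes rather than filtering which zones customers may load.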

    5. Re:I'll take that $1000 now. by the_womble · · Score: 4, Funny

      This is because most people just dick with things randomly until they work. Then they walk away and don't think about it again until it stops working. This is the way most people use computers.

      You mean there is another way?

    6. Re:I'll take that $1000 now. by Torvaun · · Score: 3, Funny

      Yes, it's known as 'Amish-style' computing. Here, a computer may be used as a boat anchor or paperweight.

      --
      I see your informative link, and raise you a pithy comment.
  2. Legal? by Max+Romantschuk · · Score: 4, Insightful

    ...seriously, this can't be? Right?

    The actual hacking, not the challenge, that is.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
    1. Re:Legal? by bad_fx · · Score: 4, Funny

      Perhaps that's what Joel is counting on... Seems like Acunetix is screwed either way. Still, it's probably what they deserve for making the claims in the first place. ;) I had to laugh at this:

      "Without sounding apocalyptic, I believe the 70% figure should send tremors not just ripples in the market," says Kevin Vella, vice president of sales and operations, sounding apocalyptic in a press release.
    2. Re:Legal? by Karganeth · · Score: 3, Insightful

      I wouldn't be surprised if the challenge was illegal too. IANAL, but isn't putting a reward on committing a crime seen as inciting crime? I'm pretty sure that I'd end up in lots of trouble if I said "$10,000 says you can't rob that guy's house" and the person accepted the challenge then was caught.

    3. Re:Legal? by varmittang · · Score: 3, Informative

      They replied, and basically stated they would accept, but wouldn't hack third party sites since it's illegal.

      Dear Mr. McNamara and Mr. Snyder, We read the blog published yesterday by yourself together with the subsequent comment by Joel Snyder and would like to make the following comments while also addressing the issues raised.

      The point of publishing the results of the 3200-strong survey was to address the lack of awareness among organizations of the critical dangers of such web application vulnerabilities as Cross Site Scripting, SQL Injection and Cross Site Request Forgery. We are merely pointing out a trend corroborated by other published studies concluding that web security is a problem. It surprises us that Mr. Snyder is among those who do not take the present situation seriously by, indeed, making a mockery of the results through claims that these are incorrect.

      This further proves our point that web application security is one of the least understood and often misconceived aspects of online security today.

      Several experts in the field (for example, Jeremiah Grossman) have been stating these facts and dangers for a few years now. So we are not the only ones when it comes to web application security concerns.

      I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the commercial and non-commercial entities that we scanned were seriously vulnerable to hacking during the time we scanned them. Others (for example, http://ha.ckers.org/blog/20070213/70-of-websites-under-immediate-risk-of...) believe that these figures are much greater.

      We are available to put Mr. Snyder's doubts of the validity of our results at rest by submitting all the reports to a trusted third party with proven web security experience and knowledge. Given appropriate authorization and permission from the owners of the websites we scanned during January 2006-7, Mr. Snyder would be able to see any of the full reports of our scans - these highlight where and when the vulnerabilities were found. Of course, we cannot vouch that these vulnerabilities have not been fixed but are willing to do this for the sake of professional correctness. And, after all, we stand behind our data.

      We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World website, rather than - as Mr. Snyder suggested - an innocent third party website. After all, making a wager with someone else's website would be unfair, and furthermore illegal.

      So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable.

      Should Network World accept, we will start the audit immediately and point out any vulnerabilities found to the public. If we do manage to breach the Network World website, we would expect Network World to make a public statement - published on the home page and first page of the next Network World issue - that its website was actually vulnerable and that Acunetix were able to hack it.

      We do expect a response within the next 24 hours that the company authorizes us to immediately perform the security audit and that the company takes full legal responsibility and holds us harmless for any resulting outages and damages.

      Our team thanks you for this opportunity and looks forward to the challenge!

      Signed,
      Nick Galea, CEO and Kevin J Vella, VP Sales and Operations

      Acunetix Ltd Direct: +356 2316 8126 Tel: +356 2316 8000 Fax: +356 2316 8001 Web: http://www.acunetix.com/ Web: http://www.acunetix.de/

      --
      -----BEGIN PGP SIGNATURE-----
      12345
      -----END PGP SIGNATURE-----
  3. This will end well... by Smidge204 · · Score: 3, Interesting

    At least he's not offering $1000 per site hacked, unlike the shmuck who offered a $1,200 bounty on every unsold PS3.

    =Smidge=

    1. Re:This will end well... by joel_snyder · · Score: 5, Insightful

      I'm sure that if they're serious about actually showing that the statistics are useful then we can find 10 random sites who are willing to be 'ethically hacked.'

      The astonishing thing is that most people who will read this press release just don't get it, and the depths of their not getting it are even more astonishing...

      I am challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. I suspect they have found a lot of lousy code. No surprise here. 70%, sure. I'll bite off on that number. I'm not arguing with that.

      But there is a huge difference between turning a vulnerability into a breach. Let me give you an example. A lot of Cross-Site Scripting attacks let you steal cookies. So they probably found those. But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs. So the point is not that there are these vulnerabilities, but that they have done nothing to show whether these vulnerabilities are truly breachable and able to get an attacker real useful data.

      Same for things like directory listing. You can do that to my web site. Is that a security problem? No, in fact, I turned it on specifically. If I didn't want people to read it, I wouldn't have put it on the friggin' web server.

      Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site. Except they wouldn't be nicely formatted, but real men write HTML with vi anyway. Maybe they could store or corrupt data with the injection, and maybe they couldn't. Maybe (and this is most likely) they could cause the script to blow up. Is that "hacking" a web site? Hell, I get script explosion errors from web sites WITHOUT hacking them.

      Is being able to view a script a security vulnerability? It depends. It depends on the web site. The script. The webmaster's intentions.

      What percentage of web sites actually have data that's worth anything?

      So the point is not that they've found a lot of theoretical issues, but whether they've actually found security issues. And the only way, in my mind, to see whether they have is to see if the issues can be exploited. If they can, I'll pay up. If they can't be exploited, then all they've done is made long lists of things that don't matter from a security point of view.

      Very long lists.
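Joel's cookie argument, that a stolen session cookie is "nothing but crumbs" when the site ties it to the client address, is easy to make concrete. The following is an added example, not code from Joel or Network World: a Python session store that binds each session id to the address it was issued to, revokes the session when the id shows up from anywhere else, and a Set-Cookie builder with the HttpOnly flag that keeps the id out of reach of script in the first place. The user names and addresses are constructed (documentation IP ranges), and the clock is injectable so the expiry path can be exercised.

```python
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table that binds each session to the address it was issued to.

    A cookie copied off one client is refused, and the session revoked, when
    it is presented from another address.
    """

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so tests can drive expiry deterministically
        self._sessions = {}  # session id -> (user, bound_ip, expires_at)

    def issue(self, user, client_ip):
        """Create a session for `user` bound to `client_ip`; returns the cookie value."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = (user, client_ip, self.clock() + self.ttl)
        return sid

    def resolve(self, sid, client_ip):
        """Return the user for `sid` if it is valid from `client_ip`, else None."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        user, bound_ip, expires_at = record
        if self.clock() > expires_at:
            del self._sessions[sid]
            return None
        # Constant-time comparison; a mismatch means the cookie has left the client
        # it was issued to, so the whole session is revoked rather than just refused.
        if not hmac.compare_digest(bound_ip.encode(), client_ip.encode()):
            del self._sessions[sid]
            return None
        return user

    def revoke(self, sid):
        """Explicit logout."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid, name="session"):
    """Set-Cookie value that keeps the id away from script and off plain HTTP.

    HttpOnly denies document.cookie access, which removes the payoff of a
    cookie-stealing XSS; Secure and SameSite limit where the cookie travels.
    """
    return f"{name}={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def demo():
    """Constructed walk-through: login, a legitimate request, then the same cookie from elsewhere."""
    store = SessionStore(ttl_seconds=60, clock=lambda: 1_000.0)
    sid = store.issue("alice", "203.0.113.5")
    legit = store.resolve(sid, "203.0.113.5")        # 'alice'
    stolen = store.resolve(sid, "198.51.100.9")      # None: different client
    after_theft = store.resolve(sid, "203.0.113.5")  # None: session was revoked
    return legit, stolen, after_theft


if __name__ == "__main__":
    print(demo())
    print(set_cookie_header("example-session-id"))
```

Address binding carries a usability cost that the thread does not mention: clients behind carrier NAT or on mobile networks change addresses mid-session and get logged out, which is why many deployments rely on HttpOnly, a short TTL and re-authentication for sensitive actions instead of, or in addition to, the IP check.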

  4. Their reply. by Aladrin · · Score: 4, Informative

    For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.

    While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.

    I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:Their reply. by Joebert · · Score: 3, Insightful

      Without actually hacking in & getting hold of data to begin with, they can not honestly state any statistics.
      They can only speculate without actual data.
      So unless they're full of shit to begin with, they've already done something unethical.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  5. Obligatory statistic jokes... by Neme$y$ · · Score: 5, Funny

    Reminds me of: "Three statisticians went out hunting, and came across a large deer. The first statistician fired, but missed, by a meter to the left. The second statistician fired, but also missed, by a meter to the right. The third statistician didn't fire, but shouted in triumph, "On the average we got it!"

    --
    "I've got a plan so cunning you could put a tail on it and call it a weasel"
    1. Re:Obligatory statistic jokes... by spellraiser · · Score: 4, Funny

      A statistician can have his head in an oven and his feet in ice, and he will say that on the average he feels fine.

      How many statisticians does it take to change a lightbulb? 1-3, alpha = .05

      Did you hear about the statistician who was thrown in jail? He now has zero degrees of freedom.

      In earlier times, they had no statistics, and so they had to fall back on lies.

      Smoking is a leading cause of statistics.

      Statistics are like a bikini - what they reveal is suggestive, but what they conceal is vital.

      Statistics in the hands of an engineer are like a lamppost to a drunk--they're used more for support than illumination.

      ---

      All jokes borrowed from here.

      --
      I hear there's rumors on the Slashdots
  6. This just in... by Funkcikle · · Score: 5, Funny

    Acunetix have just HACKED into Snyder's bank account and helped themselves to the $1000.

  7. Been there, done that, got the logs to prove it... by Zapotek · · Score: 5, Informative

    I'll put $10k on the table with Snyder.

    In fact I had my site checked with Acunetix when I requested a trial.
    And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that's close to, I dare say, un-hackable.
    So I had them scan my site just for kicks and to see the HTTP requests they were using.

    Needless to say ALL I got were false positives, well I did have an e-mail address on the site for submissions of papers, code etc and they reported it as personal data.

    I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.

    Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate, it's good enough though.

  8. I believe it by Paulrothrock · · Score: 3, Interesting

    I used to work as a web developer for a small company that did a lot of other small companies' web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.

    Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.

    And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.

    If anything, 70% is low.

    --
    I'm in the hole of the broadband donut.
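Paulrothrock's two complaints, passwords stored in plain text and `$_POST` values dropped straight into SQL, map onto a short sketch. The following is an added example, not code from the company he describes: a Python version using an in-memory SQLite table, with the concatenated query beside its parameterised form and salted PBKDF2 (`hashlib.pbkdf2_hmac`) standing in for the plain-text password column. The user records and the request body are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3


def setup_db():
    """In-memory SQLite stand-in for the shop database (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_salt BLOB, pw_hash BLOB)")
    return conn


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value is useless to whoever reads the table."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register(conn, username, password):
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))


def find_user_unsafe(conn, form):
    """The anti-pattern from the comment: the request field is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '%s'" % form["username"]
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, form):
    """Same query with a bound parameter; the driver never interprets the value as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (form["username"],))
    return sorted(row[0] for row in rows)


def verify_login(conn, form):
    """Parameterised lookup plus constant-time comparison of the stored hash."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM users WHERE username = ?", (form["username"],)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(form["password"], salt)
    return hmac.compare_digest(stored, candidate)


def demo():
    conn = setup_db()
    register(conn, "alice", "correct horse")
    register(conn, "bob", "battery staple")
    # Constructed request body: a tautology in the username field.
    form = {"username": "' OR '1'='1", "password": "x"}
    return {
        "unsafe": find_user_unsafe(conn, form),  # ['alice', 'bob']: the WHERE clause is bypassed
        "safe": find_user_safe(conn, form),      # []: the value is matched as a literal string
        "good_login": verify_login(conn, {"username": "alice", "password": "correct horse"}),
        "bad_login": verify_login(conn, {"username": "alice", "password": "wrong"}),
        "plaintext_in_db": any(
            b"correct horse" in row[0] for row in conn.execute("SELECT pw_hash FROM users")
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same rule covers the curl calls to payment systems he mentions: a request field goes into a query or an outbound API call only as a typed, bound value, never by string assembly.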
  9. So let me guess.... by blankoboy · · Score: 3, Funny

    ...if we hire Acunetix, they will make our sites completely "non-hackable"?

    Ok then..."70% of Girls cannot reach orgasm!". I can prove it to you free of charge!

    Kudos to Joel for putting it to them!

    1. Re:So let me guess.... by Opportunist · · Score: 3, Funny

      You, sir, are one crappy lover if you can prove that!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. The Acunix counter-offer is ridiculous by giafly · · Score: 4, Informative

    So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable. - Network World
    My company has been through several security audits and they require several days of management time, plus telling the auditors all about your IT infrastructure and data compliance. Security audits are not about hacking - they check that you've hardened your infrastructure, have appropriate policies for e.g. 'phone queries, and avoid client data being unnecessarily exposed. They're similar to a VAT (sales tax) inspection.

    You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
    --
    Reduce, reuse, cycle
  11. I wonder by dbmasters · · Score: 4, Insightful

    My first thought was "what's the percentage of sites run by Nukes, Joomlas, Mambos and such CMS systems". I mean, when PHPBB gets hacked (again) it affects a HUGE number of sites. My employer recently had a security audit and they found out what most of us developers have been telling them for a while...they had consultants build things, decrease timelines while increasing scope creep...things got fudged and now they don't understand why our sites failed. I look at some of the stuff I inherited and just look at it and say WTF? I built a little CMS for myself, a few people downloaded it and use it, it's grown and I just experienced my first real exploit in my 10 year career in web dev. It was a REAL learning experience for me. I know all the theory of security and all that, but practicing it is another matter; when people want things yesterday it makes it hard to resist cutting that little corner.

    --
    dB Masters
  12. put in other words by teslar · · Score: 4, Funny

    Professional Hitman Mr Smith is flogging a survey that claims 7 out of 10 people he has checked have a lack of police protection posing a medium- to high-level risk of getting them murdered. The police's go-to security guy, Mr Doe, says that percentage is 'sensationalist nonsense' -- and he's willing to back that judgment with $1,000 of his own money. In fact Mr Doe will pay up if Mr Smith can whack 3 of 10 people chosen at random from his survey list.

  13. Re:There are two kinds of web sites: by aug24 · · Score: 5, Insightful

    there is no such thing as an unhackable site/host

    This is tosh.

    If you are seriously claiming that you could 'hack' any host running any software to get arbitrary permissions, or a shell session, or access an arbitrary file then you are just mad. On what basis do you say this? It's connected to a network therefore it can be hacked? Whuh?

    (I can't believe you were modded informative of all things. Insightful I might have laughed off, but informative?!)

    Justin.

    --
    You're only jealous cos the little penguins are talking to me.
  14. Dynamic vs Static? by Odin_Tiger · · Score: 3, Insightful

    Even for as advanced as the web on the whole has become, I still suspect that most sites are static HTML. Unless they're talking about vulnerabilities in httpd's as well as vulnerabilities in site design, I think they're sunk, because unless you're doing something at least moderately complex with scripts and databases, your site is probably very secure. The bet needs a qualifying limiter or something to clarify that it only applies to *AMP sites or some such, because the average geocities, angelfire, or similar-quality privately hosted site is just not really hackable, because everything that makes up the website is already publicly viewable...images and text, no personal data that isn't intentionally exposed, and there is nothing on the box / vm / whatever other than the site. At best, if the box is misconfigured or unpatched, they can claim that it is defaceable, but that's not nearly the same thing.

    --
    Unpleasantries.