70% of Sites Hackable? $1,000 Says "No Way"
netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."
I'll take that $1000 now. (Score:5, Insightful)
Actually, I am wanting to release my findings publicly and name the hosting provider, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hackers' tools, eh? With how many users and servers this place has, I'm amazed they haven't had all their users' accounts wiped out. It would be trivial to do.
I think I may start an anonymous blog to document these cases.
Re:I'll take that $1000 now. (Score:4, Insightful)
My web-directory is 755 too, along with 644 for the static content there. However all my script and config-files are 640 with the group set to a group ( user_web ) that all scripts run as.
Basic idea? If you're clueless you're screwed no matter what. And if your hosting-provider is sufficiently clueless, then you're screwed even if you have a clue. Unless you use that clue to find a new hosting-provider.
How to do it right (Score:1, Insightful)
how do you do it (Score:2)
because PHP safe_mode is a joke
CGI/suexec is the only way I know about, though I gave up once I'd got it sorted so there may be another.
DB passwords - putting them in httpd.conf is a start.
Re: (Score:2)
Or maybe use the <joke> tag for those who are humor-impaired.
Re:I'll take that $1000 now. (Score:4, Insightful)
"Install this then chmod -R 777 so that the script can work"
Clueless noobs then go and install it and wonder why they're hacked the next week...
I always go through locking down such scripts (minimal permissions, rename all config files and, if possible, put them outside the web root. Same for writable directories if any are required). Those that can't be locked down are simply deleted.
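A quick audit of the layout the two posts above describe (scripts and config files 640 to the script group, static content 644, nothing world-writable), as an added example that is not code from any poster; the web root is constructed in a temp directory and the file names are made up:

```python
"""Audit a web root for the permission mistakes the thread describes.

Added example, not code from any poster. Assumes the layout given above:
directories 755, static files 644, scripts and config files 640 owned by
the group the scripts run as, nothing world-writable.
"""
import os
import stat
import tempfile

# Files that hold code or credentials; "other" must not be able to read them.
SENSITIVE_SUFFIXES = (".php", ".pl", ".cgi", ".py", ".conf", ".ini", ".inc")

WORLD_WRITABLE = "world-writable"
OTHER_READABLE = "script or config readable by other"


def audit_webroot(root):
    """Walk root and return a sorted list of (relative path, problem)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                # What "chmod -R 777" leaves behind: any local user, or any
                # compromised script on the box, can rewrite or replace it.
                findings.append((rel, WORLD_WRITABLE))
            if (stat.S_ISREG(st.st_mode)
                    and name.lower().endswith(SENSITIVE_SUFFIXES)
                    and mode & stat.S_IROTH):
                # A 644 config file is exactly what cd, cat and find turn up
                # on a shared host: DB passwords readable by every account.
                findings.append((rel, OTHER_READABLE))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": (b"<html>static</html>\n", 0o644),              # fine
        "app.php": (b"<?php require 'config.inc'; ?>\n", 0o640),       # fine
        "config.inc": (b"$db_pass = 'constructed-secret';\n", 0o644),  # leaks
    }
    for name, (data, mode) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)  # the README-style "chmod -R 777" advice
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, problem in audit_webroot(sample):
        print(f"{rel}: {problem}")
```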
Re:I'll take that $1000 now. (Score:5, Funny)
You mean there is another way?
Re: (Score:3, Informative)
I took one of our domains and set it up at the other ISP, and vice versa.
When I sent an e-mail on domain1 to domain2, it didn't go to domain2. It went to the fake domain2 I set up with the ISP hosting domain1.
This means their DNS that holds the zone data is also the same DNS server they use for lookups. Both ISP's had this problem.
This means that someone could set up a domain ebay.com, or usbank.com, or what
Re: (Score:2)
Customer calls up and says they want to set up DNS and web hosting. You check whois; the domain is registered, but the contact info is anonymous (most registrars offer this service now, and there are several proxy registration services). Of course your own DNS servers aren't listed as authoritative, because if the customer changes that before setting up their web site on your servers, things will break.
The customer says it's their domain. It's not cnn.com or slashdot.org o
Re: (Score:2)
Careful there, fella....
True story. I know a good, sharp guy who, while doing consulting work for a small, rural ISP, downed a production system by mistake. The owners apparently sued him, and during trial, some 'expert' witness tried to defend the ISP's position that my friend's cat'ing of /etc/password during the course of his work was ha
Legal? (Score:5, Insightful)
The actual hacking, not the challenge, that is.
Re:Legal? (Score:4, Informative)
Dear Mr. McNamara and Mr. Snyder, We read the blog published yesterday by yourself together with the subsequent comment by Joel Snyder and would like to make the following comments while also addressing the issues raised.
The point of publishing the results of the 3200-strong survey was to address the lack of awareness among organizations of the critical dangers of such web application vulnerabilities as Cross Site Scripting, SQL Injection and Cross Site Request Forgery. We are merely pointing out a trend corroborated by other published studies concluding that web security is a problem. It surprises us that Mr. Snyder is among those who do not take the present situation seriously by, indeed, making a mockery of the results through claims that these are incorrect.
This further proves our point that web application security is one of the least understood and often misconceived aspects of online security today.
Several experts in the field (for example, Jeremiah Grossman) have been stating these facts and dangers for a few years now. So we are not the only ones when it comes to web application security concerns.
I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the commercial and non-commercial entities that we scanned were seriously vulnerable to hacking during the time we scanned them. Others (for example, http://ha.ckers.org/blog/20070213/70-of-websites-
We are available to put Mr. Snyder's doubts of the validity of our results at rest by submitting all the reports to a trusted third party with proven web security experience and knowledge. Given appropriate authorization and permission from the owners of the websites we scanned during January 2006 -7, Mr. Snyder would be able to see any of the full reports of our scans - these highlight where and when the vulnerabilities were found. Of course, we cannot vouch that these vulnerabilities have not been fixed but are willing to do this for the sake of professional correctness. And, after all, we stand behind our data.
We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World website, rather than - as Mr. Snyder suggested - an innocent third party website. After all, making a wager with someone else's website would be unfair, and furthermore illegal.
So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable.
Should Network World accept, we will start the audit immediately and point out any vulnerabilities found to the public. If we do manage to breach the Network World website, we would expect Network World to make a public statement - published on the home page and first page of the next Network World issue - that its website was actually vulnerable and that Acunetix were able to hack it.
We do expect a response within the next 24 hours that the company authorizes us to immediately perform the security audit and that the company takes full legal responsibility and holds us harmless for any resulting outages and damages.
Our team thanks you for this opportunity and looks forward to the challenge!
Signed,
Nick Galea, CEO and Kevin J Vella, VP Sales and Operations
Acunetix Ltd Direct: +356 2316 8126 Tel: +356 2316 8000 Fax: +356 2316 8001 Web: http://www.acunetix.com/ Web: http://www.acunetix.de/
Re: (Score:3, Funny)
I'm pretty sure that I'd end up in lots of trouble if I said "$10,000 says you can't rob that guy's house" and the person accepted the challenge then was caught.
Probably right. Best to stick with the "triple dog dare ya"
This will end well... (Score:4, Interesting)
=Smidge=
Re:This will end well... (Score:5, Insightful)
The astonishing thing is that most people who will read this press release just don't get it, and the depths of their not getting it are even more astonishing...
I am challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. I suspect they have found a lot of lousy code. No surprise here. 70%, sure. I'll bite off on that number. I'm not arguing with that.
But there is a huge difference between turning a vulnerability into a breach. Let me give you an example. A lot of Cross-Site Scripting attacks let you steal cookies. So they probably found those. But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs. So the point is not that there are these vulnerabilities, but that they have done nothing to show whether these vulnerabilities are truly breachable and able to get an attacker real useful data.
Same for things like directory listing. You can do that to my web site. Is that a security problem? No, in fact, I turned it on specifically. If I didn't want people to read it, I wouldn't have put it on the friggin' web server.
Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site.
Is being able to view a script a security vulnerability? it depends. It depends on the web site. The script. The webmaster's intentions.
What percentage web sites actually have data that's worth anything?
So the point is not that they've found a lot of theoretical issues, but whether they've actually found security issues. And the only way, in my mind, to see whether they have is to see if the issues can be exploited. If they can, I'll pay up. If they can't be exploited, then all they've done is made long lists of things that don't matter from a security point of view.
Very long lists.
Re: (Score:2)
I work as a contractor in web-development and you'd be surprised by the number of live web-applications I see where SQL injection attacks are possible; in most cases the management doesn't see the risk so they're unwilling to fix the problem.
Re: (Score:2)
In all seriousness, you are right though. It's amazing how bad programmers can render otherwise secure servers and development methodologies (like LAMP) totally insecure. On the intranet where I work, its e
Re: (Score:2)
I had one developer tell me "they can't modify that field, it's protected by javascript!"
The same guy also sent the clear text password in the change password field. Said "what, you can see the password in the source?" when I confronted him about it.
So no, I'm not surprised.
Re: (Score:2)
If they started with TRS-80's, their answer will be very different than if they started with Winnuke...
Re: (Score:2, Interesting)
But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs.
In an aside to the main point, good web sites take into account transparent proxies at an ISP level which might result in the user appearing to come from multiple IP addresses (as the ISP might load balance requests to various proxies without binding a particular user to a particular proxy). This is a situation that I've come across with a website of mine.
Re: (Score:2, Interesting)
Clearly, the danger with trusting these is that the attacker can then use their own fake X-Forwarded-For header to pretend to be the original user the cookie was stolen from.
Does anyone have a good solution to this problem?
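Session binding that copes with the proxy-farm situation and the forged X-Forwarded-For raised in the two comments above, as an added example rather than anyone's posted code; the trusted proxy range, the /24 (or /48) binding block and the in-memory session store are assumptions, and the cookie attributes are the usual defence against the cookie theft Snyder mentions:

```python
"""Bind a session cookie to where it was issued without trusting a header
the client can write. Added example; proxy range, binding block and
session store are assumed, not taken from any poster.
"""
import hmac
import ipaddress
import secrets

# Constructed: the only reverse proxies allowed to speak for clients.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

SESSIONS = {}  # token -> (user, binding key); kept server-side


def client_address(remote_addr, xff_header):
    """Return the address (as a string) to bind the session to.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; on a direct connection the header was written by the client
    and is ignored. Behind a proxy we walk the chain from the right, skip
    our own hops, and take the first foreign one: anything the client
    prepended itself sits further left and never wins.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # garbage header: fall back to the peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return str(peer)


def binding_key(client_addr):
    """Assumption: bind to the /24 (IPv4) or /48 (IPv6) block, not the exact
    address. A user bounced between addresses of one ISP proxy farm stays
    inside the block; a stolen cookie replayed from another network does not.
    """
    addr = ipaddress.ip_address(client_addr)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def create_session(user, client_addr):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, binding_key(client_addr))
    return token


def validate_session(token, client_addr):
    """Return the user for a presented cookie, or None if the token is
    unknown or presented from outside the block it was issued to."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, bound = entry
    if not hmac.compare_digest(bound, binding_key(client_addr)):
        return None
    return user


def cookie_header(token):
    # HttpOnly keeps page script (and so an XSS payload) from reading the
    # cookie; Secure keeps it off plain HTTP; SameSite limits cross-site use.
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```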
Re: (Score:1, Interesting)
Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site.
Erhm... pardon me? To me, "injection" means that you yourself insert code into the SQL query directly without any sort of escaping. If that's your definition too, I have trouble understanding what you just said.
Re: (Score:2)
Joel, I'm afraid it is you who aren't getting it.
I think Jeremiah Grossman says it best:
He's being funny, but he has a valid point. Here's an example from your comment:
Their reply. (Score:5, Informative)
While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.
I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.
Re: (Score:3, Insightful)
They can only speculate without actual data.
So unless they're full of shit to begin with, they've already done something unethical.
The Acunix counter-offer is ridiculous (Score:5, Informative)
You should only agree to an audit by totally trustworthy auditors, working for a major client, which is not the case here.
Obligatory statistic jokes... (Score:5, Funny)
Re:Obligatory statistic jokes... (Score:5, Funny)
A statistician can have his head in an oven and his feet in ice, and he will say that on the average he feels fine.
How many statisticians does it take to change a lightbulb? 1-3, alpha = .05
Did you hear about the statistician who was thrown in jail? He now has zero degrees of freedom.
In earlier times, they had no statistics, and so they had to fall back on lies.
Smoking is a leading cause of statistics.
Statistics are like a bikini - what they reveal is suggestive, but what they conceal is vital.
Statistics in the hands of an engineer are like a lamppost to a drunk--they're used more for support than illumination.
---
All jokes borrowed from here [btinternet.com].
Re: (Score:3, Funny)
Why this particular comment? What's so special about it? This is incredibly self-centered of you, to assume that your comment will be a major target for the trolls.
There's lots of good comments out there that would make better targets. This comment, for instance, is much more interesting. Not only is it longer, it's also a lot wittier and better thought out altogether. Oh, and did I mention that it's also self-referencing? Beat that!
Re: (Score:2)
you should have seen it before I changed it.
Smart (Score:1)
1. Taunt Acunetix with 1,000 dollars cash to hack into web sites
2. Turn Acunetix into the authorities when they provide proof of their hacking
3. Profit!
Old Irish Saying (Score:1)
Re: (Score:2)
Fools and their money are easily parted.
Does 3 of 5 count? (Score:2, Interesting)
Three of five tested since we started in October threw an error when a ' was put in the login user name field. When the ' was replaced with
a' or 'a' = 'a
and no password, the three dumped us into the administrator's page (dirt-simple SQL injection). On the last one, it took us longer to find the login page than it did to get admin access. Non
Been there, done that, got the logs to prove it... (Score:5, Informative)
In fact I had my site checked with Acunetix when I requested a trial.
And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that it's close to, I dare say, un-hackable.
So I had them scan my site just for kicks and to see the HTTP requests they were using.
Needless to say ALL I got were false positives; well, I did have an e-mail address on the site for submissions of papers, code etc and they reported it as personal data.
I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.
Anyway, Acunetix can find vulnerabilities, but it's not *THAT* accurate; it's good enough though.
Re: (Score:1)
Though when the design of a system is very simple, securing it is quite easy.
And when the guy who made it is as paranoid as me and has this small system locked down and filtered from each and every variable,
then the chances of it being un-hackable are pretty good.
I'd dare you to try and hack it, but, since Acunetix failed there's no point.
Re: (Score:2)
Seriously though, I've heard the unsinkable claim before...
imho, unbreakable should mean, "when it breaks, nothing is lost and restarting is trivial". Nothing else is real, so it'd just be a false sense of security.
I imagine that your way of coding leads to triple-checked user input, verified fields, proper argument quoting. At a minimum. This and much I've never heard of. But it will have flaws you've never heard of either.
I'd assume instead
I believe it (Score:4, Interesting)
I used to work as a web developer for a small company that did a lot of other small companies' web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.
Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.
And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.
If anything, 70% is low.
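The login check that the 3-of-5 post's probe defeats, beside the fix for the $_POST-straight-into-SQL and plaintext-password habits described just above; this is added example code, not from any poster, and the users table, schema and password are constructed:

```python
"""Vulnerable vs. hardened login. Added example; the table and credentials
are constructed and the legacy query shape is assumed."""
import hashlib
import hmac
import os
import sqlite3

PROBE = "a' or 'a' = 'a"   # the string the poster above typed into the user name field


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed users table. The plaintext `password` column exists only
    to reproduce the legacy code path; the hardened path uses salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT,"
        " salt BLOB, pw_hash BLOB, is_admin INTEGER)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        ("admin", "correct horse", salt, hash_password("correct horse", salt), 1),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Form fields pasted straight into SQL, as the thread describes.

    With PROBE as the user name and an empty password the WHERE clause is
        password = '' AND name = 'a' or 'a' = 'a'
    AND binds tighter than OR, so the injected branch is always true and
    every row matches; the first row back is the administrator.
    """
    sql = (
        "SELECT name, is_admin FROM users WHERE password = '%s' AND name = '%s'"
        % (password, username)
    )
    row = conn.execute(sql).fetchone()
    return None if row is None else {"name": row[0], "is_admin": bool(row[1])}


def login_hardened(conn, username, password):
    """Placeholders keep the quote inside the value, and the stored hash is
    compared in constant time; no matching row means no login."""
    row = conn.execute(
        "SELECT name, salt, pw_hash, is_admin FROM users WHERE name = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    name, salt, stored, is_admin = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    return {"name": name, "is_admin": bool(is_admin)}


if __name__ == "__main__":
    db = make_db()
    print("legacy:", login_vulnerable(db, PROBE, ""))
    print("hardened:", login_hardened(db, PROBE, ""))
```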
Re: (Score:2)
This is pretty sad on several levels. I just can't imagine the mentality of the developers who were too lazy to do things properly. And the people who use a site like yours (or your company's), think they're safe because a graphic reminds them they are, but e
Re: (Score:2)
I agree totally. That's why they're my EX-employer. I was sick of getting told that I didn't have enough time to do things the right way. And I was also afraid that if the site did get hacked, they'd pass the blame on to me.
One of the developers I worked with never tested in Firefox. He said "Since IE is predominant, testing in Firefox isn't important." He also said some of his best work was in MS Access and that MySQL wasn't a "real database." Also, he "hacked" Mapquest by posting a form to the same place
Re: (Score:2)
This is wrong. I *can* code a rails hack that looks a lot like the final app pretty quickly, sure. But that's a lot different than the million little checks that go into writing a real project, properly.
Trust me, I *am* an expert software developer. The quick back-of-napkin hacks I do as a proof of concept are as stable as a building an architect would sketch in similar conditions.
Re: (Score:2)
I'm totally with you on the back-of-the-napkin type apps that technically work as illustrations of functionality. I do them all the time. However, my beef with my boss was that he was trying to sell these things as actual applications. And the unsuspecting clients didn't know what they were getting into.
This was the same boss who didn't understand why we shouldn't be hosting development applications on our production server, or that a testing suite does not consist of one guy trying to break an application
Re: (Score:2)
But yes, I do agree. A lackluster test does not guarantee a hack project is high quality.
So let me guess.... (Score:3, Funny)
Ok then..."70% of Girls cannot reach orgasm!". I can prove it to you free of charge!
Kudos to Joel for putting it to them!
it may work (Score:2)
However, $1000 isn't going to draw anyone else into the fray, I don't think... No rogue hacker will offer up a solution to open doors, or even acknowledge them for $1000; it's not economically feasible for them to do so when the gains they can realize from NOT accepting the challenge outweigh the
Re: (Score:2)
In fact, Snyder could easily be fined more than that $1000 for inciting Acunetix to perform data theft; he is basically asking them to provide him private data of at least 3 websites.
Re: (Score:3, Interesting)
I know, companies don't like being hacked even if it's for the un-noble cause of "demonstrating the hole in their security" so that it can be fixed; but if the company in que
Re: (Score:2)
BTW, slashdot, what is the recommended distro for hosting websites? Is there one, or does every company that wants to host their own site have to go th
There are two kinds of web sites: (Score:1, Interesting)
Fact is that there is no such thing as an unhackable site/host; however one can at least make a network more trouble than it's worth to try to hack.
What's that old saw: Anything that the human mind can build another human mind can figure out. Or something like that...
Re:There are two kinds of web sites: (Score:5, Insightful)
This is tosh.
If you are seriously claiming that you could 'hack' any host running any software to get arbitrary permissions, or a shell session, or access an arbitrary file then you are just mad. On what basis do you say this? It's connected to a network therefore it can be hacked? Whuh?
(I can't believe you were modded informative of all things. Insightful I might have laughed off, but informative?!)
Justin.
Re: (Score:2, Insightful)
False, but prevalent.
Re: (Score:2, Insightful)
*Always* assume you are vulnerable. Be paranoid. And spend time snooping and hanging around in the areas where the crackers (to use the *correct* te
Re: (Score:2)
In theory, I agree with the grandparent post. In theory, there are always bugs in software, services, or something somewhere.
My work got broken into via a silly code injection thing a few months ago, and we run a pretty tight ship, but we also allow many users to run unaudited code that is accessible via the web, and that is what happened.
The thing that saved us and that saves others that really care about security is the layering of security. This person effectively got in as the httpd user,
Re: (Score:1)
On the other hand, if you consider social engineering a form of hacking, I'll agree 100%. Whether it's by trickery or drugging the lead programmer, there'd always be a way to get access to files and information you're not supposed to.
Re: (Score:2)
To borrow a quote from Eugene Spafford:
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
This, and other Spaf quotes, and where they came from, can be found here. [purdue.edu]
having dealt with quite a few owned sites (Score:2)
a very low figure. I would also say that 90% of these tools the security vendors are throwing around are also trash. They point out obvious flaws in some cases, but the tools are nowhere near as crafty as the human brain at exploiting web sites. Script kiddies using known vulnerabilities are one thing, but stopping somebody hell bent on getting in is much, much tougher.
Misleading, but maybe not incorrect (Score:2)
For the first point, although big websites certainly have had their share of vulnerabilities, the number is certainly less than 70% (I would venture a guess that it's in the area of 25%, which is still way more than it should be) - but if you start adding in things like people's home boxes running q
Re: (Score:1)
Anything that requires physical access to the target computer is outside the realms of computer security. (the assumed topic of discussion) The computer responds to requests, and if the computer responds inappropriately to a request, responding with inappropriate data, or performing an action (deleti
Re: (Score:2)
There are also considerations for t
Re: (Score:2)
No it isn't. Physical security of a computer system is but one part of computer security. The aim of computer security is to protect the following three things: confidentiality, integrity, and availability. If somebody nicks your computer then you've just lost two of these. Why do you think that datacenters are mini-fortresses? It is to give physical security. Personnel security isn't outside the scope eith
Re: (Score:2)
Now that's entertainment!
ground rules (Score:3, Interesting)
According to the article, the ground rules (in particular, what kinds of sites are fair game) are still up in the air. So this whole thing is still lacking in some pretty basic parameters, which makes use of such a definitive range of percentages kind of silly. It's like saying, "70% of some people are redheads." That sounds like a lot of redheads, but without defining the "some people" part, it's just wind.
It's an interesting thought and gets people talking about it, which is certainly not a bad thing. But it's little more than that at this point.
Here's the response Acunetix sent to us (Score:2)
http://www.networkworld.com/community/?q=node/115
$1000 and free room and board for 16 months? (Score:2)
If any story deserved an "itsatrap" [slashdot.org] tag, this is one!