Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

70% of Sites Hackable? $1,000 Says "No Way"

kdawson posted more than 7 years ago | from the money-where-mouth-is dept.

Security 146

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."

Sorry! There are no comments related to the filter you selected.

I'll take that $1000 now. (5, Insightful)

Anonymous Coward | more than 7 years ago | (#18010364)

I can totally believe this. Especially after some recent research that I've done into the security of one specific web hosting provider. It wasn't the users' fault, it was very poor security on the side of the provider. Of course, the provider states how good their security is on their website, but its only false security. For instfance, home directories have the permissions 711, which would make the causual unix user think that you can't view files in the person's home directory, but of course, since there is a predictable structure under that, it is trivial to get into someone's web directory which is world readable. And thus you can get access to their database passwords and so hon. And this is a very large hosting provider, over 100,000 websites are hosted with them. I can only imagine that many other hosting providers have these same types of problems.

Actually, I am wanting to release my findings publically and name the hosting providerf, but I'm worried about getting sued or being investigated. I would think that as long as I only state factual information that can be obtained in a trivial and public manner that it would be alright. I mean I'm not smashing the stack or anything to get this information, I'm talking about all I have to do is use commands like cd, cat and find. Real hackers tools, eh? With how many users and servers this place has, I'm amazed they havben't had all their user's accounts wiped out. It would be trivial to do.

I think I may start an anonymous blog to document these cases.

Re:I'll take that $1000 now. (3, Insightful)

Eivind (15695) | more than 7 years ago | (#18010552)

Having web-directories 755 or similar ain't in itself a threat. Now, if the setup is such that you can't restrict readability of config-files and have them still readable by your php (or whatever!) process, then they're seriously fucked, agreed.

My web-directory is 755 too, along with 644 for the static content there. However all my script and config-files are 640 with the group set to a group ( user_web ) that all scripts run as.

Basic idea ? If you're clueless you're screwed no-matter-what. And if your hosting-provider is sufficiently clueless, then you're screwed even if you have a clue. Unless you use that clue to find a new hosting-provider.

How to do it right (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18010602)

I'm the original poster and I run a web hosting provider myself. The way I do it that is guaranteed to keep shell users out is to put everyone in the users group and then make home direcotires 705 and owned by the users group. That keeps users out but allows Apache in. Then I have Apache/PHP setup in a way that prevents users from accessing other user's files. I don't want to rely on hoping things are safe, I want to be sure that they are. Still, PHP has some flaws in it that can't 100% guarentee that, but I can't go into that.

how do you do it (1)

DrSkwid (118965) | more than 7 years ago | (#18013964)

with mod_php ?

because PHP safe_mode is a joke

CGI/suexec is the only way I know about, though I gave up once I'd got it sorted so there may be another.

DB passwords - putting them in httpd.conf is a start.

Re:I'll take that $1000 now. (3, Insightful)

Tony Hoyle (11698) | more than 7 years ago | (#18010764)

I've seen plenty of scripts with instructions like

"Install this then chmod -R 777 so that the script can work"

Clueless noobs then go and install it and wonder why they're hacked the next week...

I always go through locking down such scripts (minimal permissions, rename all config files and, if possible, put them outside the web root. Same for writable directories if any are required). Those that can't be locked down are simply deleted.

Re:I'll take that $1000 now. (4, Funny)

cortana (588495) | more than 7 years ago | (#18011262)

GOD. There should be some code in chmod that activates when the user does that. The code should punch the user in the face.

Re:I'll take that $1000 now. (1)

systemeng (998953) | more than 7 years ago | (#18013456)

I can sympathize. A default SuSE linux 10.0 install uses umask 022. The number of places where the umask has to be changed to 027 to meet the NSA's requirements is annoying. Out of the box security is one thing but one would think a big hosting provider would know better.

Re:I'll take that $1000 now. (1)

soft_guy (534437) | more than 7 years ago | (#18012932)

This is because most people just dick with things randomly until they work. Then they walk away and don't think about it again until it stops working. This is the way most people use computers.

Re:I'll take that $1000 now. (1)

DrSkwid (118965) | more than 7 years ago | (#18010848)

Sorry, but that's the user's fault for not performing due diligence when choosing a provider.

re: due diligence (2, Interesting)

theBeak (1003038) | more than 7 years ago | (#18012222)

True, due diligence is the customer's responsibility. But how many customers REALLY know what to check for when it comes to security, infrastructure or otherwise? Let's face it, even those who bother to pick up the phone and call a provider will at most ask "are you secure" etc., and naturally the rep will say "absolutely". I mean, look at the whole Blackboard course management system mess. Do you really think any techie would choose them over Angel, the myriad open source solutuions, et al? Of course not. But the techies don't get asked questions until the question is "what can we do to fix this situation/save our ass/cut our losses?".

It would be nice if there were recognized standards out there with a "seal of approval" of sorts, akin to the ISO 9000/9001 etc. assuring customers of reasonable security, adequate infrastructure, etc.

At least then the clueless stuffed-shirts that make the decisions would have *some* inkling if a provider was up to snuff.

Re:I'll take that $1000 now. (3, Informative)

ACMENEWSLLC (940904) | more than 7 years ago | (#18012256)

Security at ISP's generally suck. We own multiple domains. We have multiple ISP's providing websites.

I took one of our domains and set it up at the other ISP, and visa versa.

When I sent an e-mail on domain1 to domain2, it didn't go to domain2. It went to the fake domain2 I setup with ISP hosting domain1.

This means their DNS that holds the zone data is also the same DNS server they use for lookups. Both ISP's had this problem.

This means that someone could setup a domain ebay.com, or usbank.com, or whatever - setup a catch all e-mail account. Any replies to these domains from people using that same server would go to my faked domain, not the real e-mail server.

I've actually caught someone doing this with an ISP we don't use. All e-mails to us from this ISP's users were going to a 3rd party. I don't think it was intentional, as all e-mail addresses were being rejected. But I am not 100% certain.

The fix is that these ISP's should use a DNS cache server with no local zone data. It should hit the root servers for lookup. It's a simple fix, but it cost a few bucks so many ISP's don't do this.

Um, what? (0)

Anonymous Coward | more than 7 years ago | (#18012410)

Any ISP that lets you setup zone files for domains that already exist is just blatantly out of line. What you are describing is unlikely to happen. And if it was an ISP that let you do that, you could do a lot worse things than redirect someone's email. You could register cnn.com and make all users on that ISP think that it is the end of the world by making your own news stories.

Their money is safe (0)

Anonymous Coward | more than 7 years ago | (#18013146)

Seeing how many Lunix servers are on the net, this is a pretty reasonable claim.

Lunix: got r00t? [securitytracker.com]

55 'sploits in 2007, and dis pauty iz jus gettin stauted in hea!

Legal? (4, Insightful)

Max Romantschuk (132276) | more than 7 years ago | (#18010380)

...seriously, this can't be? Right?

The actual hacking, not the challenge, that is.

Re:Legal? (4, Funny)

bad_fx (493443) | more than 7 years ago | (#18010508)

Perhaps that's what Joel is counting on... Seems like Acunetix is screwed either way. Still, it's probably what they deserve for making the claims in the first place. ;) I had to laugh at this:

"Without sounding apocalyptic, I believe the 70% figure should send tremors not just ripples in the market," says Kevin Vella, vice president of sales and operations, sounding apocalyptic in a press release.

Re:Legal? (3, Informative)

varmittang (849469) | more than 7 years ago | (#18013028)

They replied, and basically stated they would accept, but wouldn't hack third party sites since its illegal.

Dear Mr. McNamara and Mr. Snyder, We read the blog published yesterday by yourself together with the subsequent comment by Joel Snyder and would like to make the following comments while also addressing the issues raised.

The point of publishing the results of the 3200-strong survey was to address the lack of awareness among organizations of the critical dangers of such web application vulnerabilities as Cross Site Scripting, SQL Injection and Cross Site Request Forgery. We are merely pointing out a trend corroborated by other published studies concluding that web security is a problem. It surprises us that Mr. Snyder is among those who do not take the present situation seriously by, indeed, making a mockery of the results through claims that these are incorrect.

This further proves our point that web application security is one of the least understood and often misconceived aspects of online security today.

Several experts in the field (for example, Jeremiah Grossman) have been stating these facts and dangers for a few years now. So we are not the only ones when it comes to web application security concerns.

I do concede sounding apocalyptic with my comment and, for this I apologize. The fact remains, however, that 70% out of the commercial and non-commercial entities that we scanned were seriously vulnerable to hacking during the time we scanned them. Others (for example, http://ha.ckers.org/blog/20070213/70-of-websites-u nder-immediate-risk-of... [ckers.org] ) believe that these figures are much greater.

We are available to put Mr. Snyder's doubts of the validity of our results at rest by submitting all the reports to a trusted third party with proven web security experience and knowledge. Given appropriate authorization and permission from the owners of the websites we scanned during January 2006 -7, Mr. Snyder would be able to see any of the full reports of our scans - these highlight where and when the vulnerabilities were found. Of course, we cannot vouch that these vulnerabilities have not been fixed but are willing to do this for the sake of professional correctness. And, after all, we stand behind our data.

We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World website, rather then - as Mr. Snyder suggested - an innocent third party website. After all, making a wager with someone else's website would be unfair, and furthermore illegal.

So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable.

Should Network World accept, we will start the audit immediately and point out any vulnerabilities found to the public. If we do manage to breach the Network World website, we would expect Network World to make a public statement, - published on the home page and first page of the next Network World issue - that its website was actually vulnerable and that Acunetix were able to hack it.

We do expect a response within the next 24 hours that the company authorizes us to immediately perform the security audit and that the company takes full legal responsibility and holds us harmless for any resulting outages and damages.

Our team thanks you for this opportunity and looks forward to the challenge!

Signed,
Nick Galea, CEO and Kevin J Vella, VP Sales and Operations

Acunetix Ltd Direct: +356 2316 8126 Tel: +356 2316 8000 Fax: +356 2316 8001 Web: http://www.acunetix.com/ [acunetix.com] Web: http://www.acunetix.de/ [acunetix.de]

Re:Legal? (3, Insightful)

Karganeth (1017580) | more than 7 years ago | (#18010646)

I wouldn't be surprised if the challenge was illegal too. IANAL, but isn't putting a reward on comitting a crime seen as inciting crime? I'm pretty sure that I'd end up in lots of trouble if I said "$10,000 says you can't rob that guys house" and the person accepted the challenge then was caught.

Re:Legal? (2, Funny)

MarkGriz (520778) | more than 7 years ago | (#18011900)


I'm pretty sure that I'd end up in lots of trouble if I said "$10,000 says you can't rob that guys house" and the person accepted the challenge then was caught.

Probably right. Best to stick with the "triple dog dare ya"

This will end well... (3, Interesting)

Smidge204 (605297) | more than 7 years ago | (#18010388)

At least he's not offering $1000 per site hacked, unlike the shmuck [kotaku.com] who offered a $1,200 bounty on every unsold PS3 [penny-arcade.com] .

=Smidge=

Re:This will end well... (0)

Anonymous Coward | more than 7 years ago | (#18010718)

At least he's not offering $1000 per site hacked, unlike the shmuck who offered a $1,200 bounty on every unsold PS3.

Fantasy and reality; know the difference, motherfucker.

Re:This will end well... (5, Insightful)

joel_snyder (561706) | more than 7 years ago | (#18010732)

I'm sure that if they're serious about actually showing that the statistics are useful then we can find 10 random sites who are willing to be 'ethically hacked.'

The astonishing thing is that most people who will read this press release just don't get it, and the depths of their not getting it are even more astonishing...

I am challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. I suspect they have found a lot of lousy code. No surprise here. 70%, sure. I'll bite off on that number. I'm not arguing with that.

But there is a huge difference between turning a vulnerability into a breach. Let me give you an example. A lot of Cross-Site Scripting attacks let you steal cookies. So they probably found those. But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs. So the point is not that there are these vulnerabilities, but that they have done nothing to show whether these vulnerabilities are truly breachable and able to get an attacker real useful data.

Same for things like directory listing. You can do that to my web site. Is that a security problem? No, in fact, I turned it on specifically. If I didn't want people to read it, I wouldn't have put it on the friggin' web server.

Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site. Except they wouldn't be nicely formatted, but real men write HTML with vi anyway. Maybe they could store or corrupt data with the injection, and maybe they couldn't. Maybe (and this is most likely) they could cause the script to blow up. Is that "hacking" a web site? Hell, I get script explosion errors from web sites WITHOUT hacking them.

Is being able to view a script a security vulnerability? it depends. It depends on the web site. The script. The webmaster's intentions.

What percentage web sites actually have data that's worth anything?

So the point is not that they've found a lot of theoretical issues, but whether they've actually found security issues. And the only way, in my mind, to see whether they have is to see if the issues can be exploited. If they can, I'll pay up. If they can't be exploited, then all they've done is made long lists of things that don't matter from a security point of view.

Very long lists.

Re:This will end well... (1)

HappySqurriel (1010623) | more than 7 years ago | (#18011322)

Actually it wouldn't surprise me either way ...

I work as a contractor in web-development and you'd be surprised by the number of live web-applications I see where SQL injection attacks are possible; in most cases the management doesn't see the risk so they're unwilling to fix the problem.

Re:This will end well... (1)

hobo sapiens (893427) | more than 7 years ago | (#18013024)

Funny...I work for a large company and you'd be surprised by the number of live web-applications developed by overpaid contractors which are rife with holes for SQL injection and XSS attacks. Present company excluded, certainly ;). And that's not even the ones developed by internal employees (yuck).

In all seriousness, you are right though. It's amazing how bad programmers can render otherwise secure servers and development methodologies (like LAMP) totally insecure. On the intranet where I work, its even worse. You'd just shudder at some of this stuff.

I'd say the claim that 70% of all sites are hackable is not far off.

Re:This will end well... (1)

Feyr (449684) | more than 7 years ago | (#18013476)


i had one developper tell me "they can't modify that field, it's protected by javascript!"

the same guy also sent the clear text password in the change password field. said "what, you can see the password in the source?" when i confronted him about it

so no, i'm not surprised

Re:This will end well... (1)

IamGarageGuy 2 (687655) | more than 7 years ago | (#18011332)

It seems to me like they are exploiting the term "hacking". Don't know if this is a silly question or not. But...Is there a way to quantify the use of the term? Is there a line in the sand that qualifies for hacking past the social norm?

Re:This will end well... (1)

Pojut (1027544) | more than 7 years ago | (#18013262)

Depends on how long the person that you ask has been with it...

If they started with TRS-80's, their answer will be very different than if they started with Winnuke...

Re:This will end well... (2, Interesting)

GroovinWithMrBloe (832127) | more than 7 years ago | (#18012438)

But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach? Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs.
In an aside to the main point, Good web sites take into account transparent proxies at an ISP level which might result in the user appearing to come from multiple IP Addresses (as the ISP might load balance requests to various proxies without binding a particular user to a particular proxy). This is a situation that I've come across with a website of mine.

Re:This will end well... (2, Interesting)

0xygen (595606) | more than 7 years ago | (#18012862)

Almost all load balancing proxies running across multiple IPs add the X-Forwarded-For http header, which many of the large sites take into account when looking for a "real" source IP. (IRL, many are SQUID or SQUID-based, which can add this header)

Clearly, the danger with trusting these is that the attacker can then use their own fake X-Forwarded-For header to pretend to be the original user the cookie was stolen from.

Does anyone have a good solution to this problem?

Re:This will end well... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18013208)

Is a web site that's susceptible to an SQL injection attack hackable? Depends on where you get to inject the code. I'm sure that someone who put their mind to it could take a web site like, say, slashdot, and inject some SQL. Then they might be able to ... well, they could read all those posts that are on the web site.
Erhm... pardon me? To me, "injection" means that you yourself insert code into the SQL query directly without any sort of escaping. If that's your definition too, I have trouble understanding what you just said.

Re:This will end well... (1)

shiflett (151538) | more than 7 years ago | (#18013780)

Joel, I'm afraid it is you who aren't getting it.

I think Jeremiah Grossman says it best:

I'm not certain how wise it is to ask a network security guy's opinion about web application security matters. Maybe he cross-trains.

He's being funny, but he has a valid point. Here's an example from your comment:

A lot of Cross-Site Scripting attacks let you steal cookies. So they probably found those. But the question is: when you have a cookie, what can you do with it? Can you steal important data? Can you turn that cookie into a breach?

You shouldn't have to ask these questions, nor should you be suggesting that the worst thing XSS attacks can do is steal cookies. Show any competent web application security specialist a XSS vulnerability, and there is almost no limit to what he can do. I discuss some possibilities here:

Using CSRF for Browser Hijacking [shiflett.org]

Another example of "not getting it" is thinking IP addresses are unique and/or static among a large userbase:

Good web sites that use them also tie cookies to your IP address, which means that if you steal my cookie, you got nothing but crumbs.

Good web sites? You can't be serious.

If you are serious and want to really put your money where your mouth is, I'm sure you'll find no shortage of people to take it. Here's one:

$1000 to Steal Data From 30% of Sites [ckers.org]

Snyder is not Insightful (0)

Anonymous Coward | more than 7 years ago | (#18014086)

Yeah... (1)

Mizled (1000175) | more than 7 years ago | (#18010424)

...I'm sure he'll be shelling out $1,000 by the end of the day...

Their reply. (4, Informative)

Aladrin (926209) | more than 7 years ago | (#18010426)

For those who didn't notice, Acunetix replied on TFA and basically claimed his challenge would be unfair to the third-party websites. They offered to attempt to hack his own website instead and demanded that he post a notice saying he had vulnerabilities, if they find and exploit any.

While I admit this is an interesting idea, it does nothing to prove or disprove their 70% claim.

I have to agree with them that hacking websites is illegal and ethically wrong for them, though. Good call on their part.

Re:Their reply. (1)

mfh (56) | more than 7 years ago | (#18010458)

Yeah but without knowing for certain, 70% was a number clearly pulled from their nether-region. In fact 70% of all statistics are pulled from that same source of inspiration!

Re:Their reply. (3, Insightful)

Joebert (946227) | more than 7 years ago | (#18010622)

Without actually hacking in & getting hold of data to begin with, they can not honestly state any statistics.
They can only speculate without actual data.
So unless they're full of shit to begin with, they've already done somthing unethical.

The Acunix counter-offer is ridiculous (4, Informative)

giafly (926567) | more than 7 years ago | (#18010782)

So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its website is secure and any data it holds is unbreachable. - Network World [networkworld.com]
My company has been through several security audits and they require several days of management time, plus telling the auditors all about your IT infrastructure and data compliance. Security audits are not about hacking - they check that you've hardened your infrastructure, have appropriate policies for e.g. 'phone queries, and avoid client data being unnecessarily exposed. They're similar to a VAT (sales tax) inspection.

You should only agree an audit by totally trustworthy auditors, working for a major client, which is not the case here.

Obligatory statistic jokes... (5, Funny)

Neme$y$ (700253) | more than 7 years ago | (#18010434)

Reminds me of: "Three statisticians went out hunting, and came across a large deer. The first statistician fired, but missed, by a meter to the left. The second statistician fired, but also missed, by a meter to the right. The third statistician didn't fire, but shouted in triumph, "On the average we got it!"

Re:Obligatory statistic jokes... (4, Funny)

spellraiser (764337) | more than 7 years ago | (#18010546)

A statistician can have his head in an oven and his feet in ice, and he will say that on the average he feels fine.

How many statisticians does it take to change a lightbulb? 1-3, alpha = .05

Did you hear about the statistician who was thrown in jail? He now has zero degrees of freedom.

In earlier times, they had no statistics, and so they had to fall back on lies.

Smoking is a leading cause of statistics.

Statistics are like a bikini - what they reveal is suggestive, but what they conceal is vital.

Statistics in the hands of an engineer are like a lamppost to a drunk--they're used more for support than illumination.

---

All jokes borrowed from here [btinternet.com] .

Re:Obligatory statistic jokes... (0)

Anonymous Coward | more than 7 years ago | (#18010670)

In earlier times, they had no statistics, and so they had to fall back on lies.

In my day, we only had damn lies. In the snow.

Digital Signal Processing (1)

flyingfsck (986395) | more than 7 years ago | (#18012812)

Note that DSP is a real world application of statistics. Without it, Cellphones and the like would be impossible.

Qualifier (1)

mfh (56) | more than 7 years ago | (#18010436)

Great, as all the trolls attempt to hack into Slashdot and change this comment to something funnier.

Re:Qualifier (2, Funny)

spellraiser (764337) | more than 7 years ago | (#18010612)

Why this particular comment? What's so special about it? This is incredibly self-centered of you, to assume that your comment will be a major target for the trolls.

There's lots of good comments out there that would make better targets. This comment, for instance, is much more interesting. Not only is it longer, it's also a lot wittier and better thought out altogether. Oh, and did I mention that it's also self-referencing? Beat that!

Re:Qualifier (0)

Anonymous Coward | more than 7 years ago | (#18010778)

You're replying to #56! are you sure you want to do that? Such numbers have been feared for ages..

Re:Qualifier (0)

Anonymous Coward | more than 7 years ago | (#18012280)

You're replying to #56! are you sure you want to do that? Such numbers have been feared for ages..
No, he bought the account on eBay [slashdot.org] ...

Re:Qualifier (0)

Anonymous Coward | more than 7 years ago | (#18011554)

Firstly, his comment is now self-referential as well. Secondly, it was much funnier than yours, but I toned it down. Now quiet down or I'll change every one of your posts to include the phrase "that begs the question" and the word "loose". Used incorrectly, of course. Hmmm... it seems I'll only have to change half of your postings.

Re:Qualifier (1)

SnarfQuest (469614) | more than 7 years ago | (#18013458)

Why this particular comment? What's so special about it?

you should have seen it before I changed it.

Smart (1)

toupsie (88295) | more than 7 years ago | (#18010462)

Then he can turn in Acunetix for a cash reward. We finally know what #2 is!

1. Taunt Acunetix with 1,000 dollars cash to hack into web sites
2. Turn Acunetix into the authorities when they provide proof of their hacking
3. Profit!

Old Irish Saying (1)

Frequently_Asked_Ans (1063654) | more than 7 years ago | (#18010496)

Fools and there money are easily parted

Re:Old Irish Saying (1)

smooth wombat (796938) | more than 7 years ago | (#18010752)

Too bad the real saying is:


Fools and their money are easily parted.

Re:Old Irish Saying (1)

Frequently_Asked_Ans (1063654) | more than 7 years ago | (#18010788)

i can't spell

Re:Old Irish Saying (1)

boston2251 (1033620) | more than 7 years ago | (#18011204)

Thank you for doing this. People need to learn how to spell

Re:Old Irish Saying (0)

Anonymous Coward | more than 7 years ago | (#18013018)

Especially the Irish

This just in... (5, Funny)

Funkcikle (630170) | more than 7 years ago | (#18010498)

Acunetix have just HACKED into Snyder's bank account and helped themselves to the $1000.

Oh boy... (1)

radu.stanca (857153) | more than 7 years ago | (#18010506)

Acunetix accepts the challenge and they want to audit networkworld.com, they`ll find something for sure. That guy really has no ideea how unsecure web is.

Re:Oh boy... average insecurity (0)

Anonymous Coward | more than 7 years ago | (#18011700)

I worked for a time fixing other websites security when they were hacked...

It's amazing how all you really need to do though is simple things like using
parameterized queries instead of string concatenations, converting 's to <'s
from a post and checking what cookies are stored and what can be done with them.

* Fix these
* patch your runtime (IIS/Apache/scripting platform)
* chmod files appropriately
* add a firewall with snort ..and you've removed 90% of holes.

It's not rocket science? is it? why people don't do it.. I don't know.

Does 3 of 5 count? (2, Interesting)

Anonymous Coward | more than 7 years ago | (#18010510)

We've begun basic testing vendor and supplier web sites that we do business with (they are required to let us poke around as long as we notify them if we find anything).

Three of five tested since we started in October threw an error when a ' was put in the login user name field. When the ' was replaced with

a' or 'a' = 'a

and no password, the three dumped us into the administrator's page (dirt-simple SQL injection). On the last one, it took us longer to find the login page than it did to get admin access. None of them knew we did it.

Take one custom-written web application, add programmers that are just happy to get it working, leave out the web application firewall and you get in.

Not true! (0)

Anonymous Coward | more than 7 years ago | (#18010518)

They'll never prove this claim! 100% will never equal 70%.

Been there, done that, got the logs to prove it... (5, Informative)

Zapotek (1032314) | more than 7 years ago | (#18010522)

I'll put $10k on the table with Snyder.

In fact I had my site checked with Acunetix when I requested a trial.
And as a crazy geek I have coded a WebIDS for my CMS and a security system so tight that's close to, I dare say, un-hackable.
So I had them scan my site just for kicks and to see the HTTP requests they were using.

Needless to say ALL I got were false positives, well I did have an e-mail address on the site for submitions of papers, code etc and they reported it as a personal data.

I replied to them explaining that the site is perfectly safe, they checked again and I got a "We're sorry for the inconvenience." styled e-mail admitting the results were wrong.

Anw, Acunetix can find vulnerabilities, but it's not *THAT* accurate, its good enough though.

Re:Been there, done that, got the logs to prove it (0)

Anonymous Coward | more than 7 years ago | (#18010916)

>> I dare say, un-hackable

100 Percent of websites are hackable with enough time and resources.

Oh, and check your filesystem for the tag file I just placed there. ;)

Re:Been there, done that, got the logs to prove it (1)

Zapotek (1032314) | more than 7 years ago | (#18011050)

Yeah, I know, that's why I said "*close to* un-hackable" .
Though when the design of a system is very simple, securing is quite easy.

And when the guy who made it is as paranoid as me and has this small system locked down and filtered from each and every variable,
then the chances of it being un-hackable are pretty good.

I'd dare you to try and hack it, but, since Acunetix failed there's no point. :P

Re:Been there, done that, got the logs to prove it (0)

Anonymous Coward | more than 7 years ago | (#18011578)

Your site would be an exception in my experience. I perform web application penetration testing as a part of my job. I test mostly Fortune 500 sites, banking industry, etc. I have discovered anything from low to high risk items on big "mega" bank sites. Almost every one of them had some sort of medium risk data leakage issues. And the banking industry sites fare better than most. Outside of the banking sector web application security is in a pitiful state, even though XSS and SQL injection are two of the most well known security issues out there I can still nail most applications with it. Some of the time its not trivial, but then I have a good bit of time to test these sites. Of the 50-ish sites I tested last year there were a few that stand out as having been medium and high risk defect free. I would say almost all of them had medium risk issues or worse. A few (as in 3 or 4) had no medium risk issues or worse. The number is pulled from my memory.. but these are all directly tested sites and its pretty close. Its the exception to find a secure site. These are clients with a lot of money that can afford to do security and they just don't get it right.

That is black box testing. On code reviews the situation is almost always worse. I can find things that no automated tool can dream about (source analysis or app testing tools). I can probe business logic and find hidden test pages. I haven't done a code review for a web application yet that didn't have high risk issues. .NET and Java apps tend to do a little better. Classic ASP and PHP apps always fare much, much worse.

I believe it (3, Interesting)

Paulrothrock (685079) | more than 7 years ago | (#18010530)

My I used to work as a web developer for a small company that did a lot of other small company's web sites. The amount of corners we cut in order to get the sites out in the time that the salesman stated was scary.

Passwords were often stored in the database in plain text. Credit cards, too. Data was taken directly from $_POST and put into SQL queries and curl calls to payment systems.

And if, in the future, we found these vulnerabilities and wanted to fix them, we had to escalate them to the CEO (did I mention the CEO is also the sales guy) before we could do any work on them.

If anything, 70% is low.

Re:I believe it (1)

AutopsyReport (856852) | more than 7 years ago | (#18010844)

Come on, man. We've all been under pressure of deadlines, but mistakes like this are intentional or just plain sloppy. It takes absolutely minimal effort to encrypt passwords. And let's not even get into credit card numbers being stored as plain text...

This is pretty sad on several levels. I just can't imagine them mentality of the developers who were too lazy to do things properly. And the people who use a site like yours (or your company), think their safe because a graphic reminds them they are, but end up with their private information exposed.

Re:I believe it (1)

Paulrothrock (685079) | more than 7 years ago | (#18011660)

I agree totally. That's why they're my EX-employer. I was sick of getting told that I didn't have enough time to do things the right way. And I was also afraid that if the site did get hacked, they'd pass the blame on to me.

One of the developers I worked with never tested in Firefox. He said "Since IE is predominant, testing in Firefox isn't important." He also said some of his best work was in MS Access and that MySQL wasn't a "real database." Also, he "hacked" Mapquest by posting a for to the same place as the form on Mapquest's site.

I asked whether he used the API and he said "What's an API?"

Thankfully, I'm not surrounded by tech school grads anymore.

So let me guess.... (3, Funny)

blankoboy (719577) | more than 7 years ago | (#18010536)

...if we hire Acunetix, they will make our sites completely "non-hackable"?

Ok then..."70% of Girls cannot reach orgasm!". I can prove it to you free of charge!

Kudos to Joel for putting it to them!

Re:So let me guess.... (3, Funny)

Opportunist (166417) | more than 7 years ago | (#18010604)

You, sir, are one crappy lover if you can prove that!

Re:So let me guess.... (1, Funny)

Anonymous Coward | more than 7 years ago | (#18010694)

You forgot that this is /.

Re:So let me guess.... (1)

ps236 (965675) | more than 7 years ago | (#18011962)

The point is - he won't mind if he's proved wrong...

it may work (1)

um... Lucas (13147) | more than 7 years ago | (#18010548)

If Acunetix is legit, then maybe they should take up the challenge without requesting funds if they succeed. That'd be the right thing to do, after consulting with lawyers to find out what the ramifications would be.

However, $1000 isn't going to draw anyone else into the fray, I don't think... No rogue hacker will offer up a solution to open doors, or even acknowledge them for $1000, its not economically feasible for them to do so when the gains they can realize from NOT accepting the challenge outweigh the $1,000 they can make by doing so....

Re:it may work (1)

mwvdlee (775178) | more than 7 years ago | (#18010606)

Acunetix cannot legally take this challenge, regardless of the accuracy of their claims.

In fact, Snyder could easily be fined more than that $1000 for inciting Acunetix to perform data theft; he is basically asking them to provide him private data of atleast 3 websites.

Re:it may work (2, Interesting)

um... Lucas (13147) | more than 7 years ago | (#18010700)

Well they could contact the 3 selected website operators, explain the situation and that it's for their own good, and offer to do all work onsite under their eyes or at least offer to share their results with the company in question and see those security holes closed before any acknowledgement of a result from the contest is announced.

I know, companies don't like being hacked even if it's for the un-noble cause of "demonstrating the hole in their security" so that it can be fixed; but if the company in question is approached before hand, and offered assurance that they will not be caused to be a laughing stock, i'm sure a CTO could explain that "while we followed the best practices in the security industry, we felt it prudent to reassure ourselves and our customers that these practices would protect them. What we found was they aren't, and we're happy to say that we have taken several steps to protect them, steps above and beyond what our competition is doing" or something like that....

Re:it may work (2, Insightful)

delinear (991444) | more than 7 years ago | (#18011232)

The problem with that is that these companies know mud sticks. If the report says they were hacked, then no amount of them saying they fixed the holes and are now more secure than ever will completely remove that taint. Not only that, if these companies cared so much about security in the first place there wouldn't be holes, the main problem is that security is often sacrificed in the name of economy, so they're unlikely to want to shell out money fixing holes if they can just carry on ignoring them for free. Unfortunately that's why a lot of sites are insecure, because it's the cheaper option to turn a blind eye and hope that you won't get hit - for the most part it works I guess.

Re:it may work (1)

um... Lucas (13147) | more than 7 years ago | (#18012672)

I dont' think they "don't care" about security as so much that they haven't been informed of it. Their sites are probably outsourced, or even hosted inhouse on a default Linux or Windows installation. It "works" so no ones thought to turn off unneeded services and daemons, let alone configure their firewall to block unwanted traffic from reaching the servers.

BTW, slashdot, what is the recommended distro for hosting websites? Is there one, or does every company that wants to host their own site have to go through the task of locking down their systems individually?

There are two kinds of web sites: (1, Interesting)

Elbowgeek (633324) | more than 7 years ago | (#18010576)

Those that have been hacked and those that can be but no-one's bothered to do so yet.

Fact is that there is not such thing as an unhackable site/host, however one can at least make a network more trouble than it's worth to try to hack.

What's that old saw: Anything that the human mind can build another human mind can figure out. Or something like that...

Re:There are two kinds of web sites: (0)

Anonymous Coward | more than 7 years ago | (#18010684)

The day Microsoft markets a product that doesn't suck will be the day they market a vacuum cleaner. haha that gave me a good kickstart~ nice sig.

Re:There are two kinds of web sites: (5, Insightful)

aug24 (38229) | more than 7 years ago | (#18011220)

there is not such thing as an unhackable site/host

This is tosh.

If you are seriously claiming that you could 'hack' any host running any software to get arbitrary permissions, or a shell session, or access an arbitrary file then you are just mad. On what basis do you say this? It's connected to a network therefore it can be hacked? Whuh?

(I can't believe you were modded informative of all things. Insightful I might have laughed off, but informative?!)

Justin.

Re:There are two kinds of web sites: (1, Insightful)

geekoid (135745) | more than 7 years ago | (#18011344)

It's a common thought on /.

False, but prevailant.

Re:There are two kinds of web sites: (1)

hackstraw (262471) | more than 7 years ago | (#18013520)

This is tosh.

In theory, I agree with the grandparent post. In theory, there are always bugs in software, services, or something somewhere.

My work got broken into via a silly code injection thing a few months ago, and we run a pretty tight ship, but we also allow many users to run unaudited code that is accessable via the web, and that is what happened.

The thing that saved us and that saves others that really care about security is the layering of security. This person effectivly got in as the httpd user, but that is as far as they got. We didn't have our payroll and other stuff on a database on the same machine that the user could just access w/o a password. Anyone worth a grain of salt in the biz knows what I'm talking about.

The sad thing is that still in 2007 there are internet applications that blindly take user information as is and combine that w/o any checks into a SQL statement or some other kind of interpreted language, and that is bad.

First rule of network programming, always either restrict your input by type (phone numbers should always be numbers, etc) and/or always quote the input into something that cannot be evaluated as code.

Other basic things are to put your database 1 or more layers from your application server. Don't store sensitive information in human readable format.

Blah blah. Most of this is common sense or just by paying attention to how breakins happen.

mod $Up (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18010654)

is perhaps 200 running NT EFNet servers. :Dying. All major everyday...Redefine Guests. Some people Softwaree lawyers

having dealt with quite a few owned sites (1)

codepunk (167897) | more than 7 years ago | (#18010682)

Having dealt with tons of owned sites over the years I would say that 70% is
a very low figure. I would also say that 90% of these tools the security vendors
are throwing around are also trash. The point out obvious flaws in some cases
but the tools are no where near as crafty as the human brain at exploiting
web sites. Script kiddies using known vulnerabilities are one thing but stopping
somebody hell bent on getting in is much, much tougher.

Re:having dealt with quite a few owned sites (1)

AvitarX (172628) | more than 7 years ago | (#18011236)

Do 70% of sites of even have "personal data"?

More Brilliant Ideas (1)

madsheep (984404) | more than 7 years ago | (#18010766)

First this is a load of crap and they sound like morons. But second, I will pay them $50,000 if they can rob 3 banks chosen at random! Maybe we can get them in jail by the end of attempt #1? :D

Misleading, but maybe not incorrect (1)

miyako (632510) | more than 7 years ago | (#18010824)

I think that the numbers might be a little misleading, but I'm not sure that 70% is entirely incorrect. I think that it depends heavily on what sites are included in the sample, and how you define "can be hacked".
For the first point, although big websites certainly have had their share of vulnrabilities, the number is certainly less than 70% (I would venture a guess that it's in the are of 25%, which is still way more than it should be) - but if you start adding in things like peoples home boxes running quick and dirty PHP sites, things out there for testing purposes, various boards and such, I wouldn't be surprised if the numbers start reaching 70%.
The other point of course is how you define hackable. Anything is hackable, given a sufficient amount of time and desire on the part of an intruder. Even if a machine storing personal data was disconnected from any sort of network and locked up in a safe, someone could always break into the safe and steal the computer.
The question really should be: What percent of websites which contain a significant amount of personal data have vulnrabilities which are easily enough exploited to be a viable target for: A: script kiddies/etc. B: moderately skilled and determined intruders, and C: highly skilled and determined intruders.

Re:Misleading, but maybe not incorrect (1)

MajinBlayze (942250) | more than 7 years ago | (#18012442)

This is a misconception that really bothers me, and I've seen it a few times in this discussion already. Walking into a building with guns blazing Matrix-style, and swiping a server does NOT count as hacking.
Anything that requires physical access to the target computer is outside the realms of computer security. (the assumed topic of discussion) The computer responds to requests, and if the computer responds inappropriately to a request, responding with inappropriate data, or performing an action (deleting/changing a database) outside what is intentionally allowed, is hacking. This mind-set of "Anything is hackable" is a mindset only made true by Windows.

Please, please stop saying anything is hackable. Computers respond to a set of inputs. Short of guessing passwords or accounts, this simply isn't true.

Re:Misleading, but maybe not incorrect (1)

miyako (632510) | more than 7 years ago | (#18012636)

I agree that at some point computer security is no longer the issue, and physical security is. I was using hyperbole to demonstrate a point however. The point I was trying to make is that there are levels of security, and there are almost certainly instances where something "could, potentially" be exploited, but for which there is no known exploit, or where it's something like a brute force attack where it could be done, but it's highly unlikely to be done successfully.
There are also considerations for things like social engineering, and to some limited extent, physical security. These things my be outside the strict limits of computer security, but they are things that any competent admin should think about.

I wonder (4, Insightful)

dbmasters (796248) | more than 7 years ago | (#18010862)

My first thought was "whats the percentage of sites run by Nuke's, Joomla's, Mambo's and such CMS systems". I mean, when PHPBB gets hacked (again) it affects a HUGE number of sites. My employer recently had a security audit and they found out what most of us developers have been telling them for a while...they had consultants build things, decrease timelines while increasing scope creep...things got fudged and now they don't understand why our sites failed. I look at some of the stuff I inherited and just look at it and say WTF? I built a little CMS for myself, a few people downloaded it and use it, it's grown and I just experienced my first real exploit in my 10 year career in web dev. it was a REAL learning experience for me. I know all the theory of security and all that, but practicing it is another matter when people want things yesterday it makes it hard resist cutting that little corner.

Re:I wonder (0)

Anonymous Coward | more than 7 years ago | (#18013094)

I am sure there are a lot of people here who now wish to call you brother, esp the ones who have been around long enough to know it is chance that protects most web apps, not design. :) All it takes is one quicky little non escaped variable combined with too high of a privilege level for the DB user. And then there are the other dozen or so major ways to compromise a web app :)

put in other words (4, Funny)

teslar (706653) | more than 7 years ago | (#18010942)

Professional Hitman Mr Smith is flogging a survey that claims 7 out 10 people he has checked have a lack of police protection posing a medium- to high-level risk of getting them murdered. The police's go-to security guy, Mr Doe, says that percentage is 'sensationalist nonsense' -- and he's willing to back that judgment with $1,000 of his own money. In fact Mr Doe will pay up if Mr Smith can whack 3 of 10 people chosen at random from his survey list."

Re:put in other words (1)

Penguinoflight (517245) | more than 7 years ago | (#18011132)

Ah, but the police will outsmart him once he has become mentally unstable enough to turn himself in!

Re:put in other words (1)

trongey (21550) | more than 7 years ago | (#18011936)

Professional Hitman Mr Smith is flogging a survey that claims 7 out 10 people he has checked have a lack of police protection posing a medium- to high-level risk of getting them murdered. The police's go-to security guy, Mr Doe, says that percentage is 'sensationalist nonsense' -- and he's willing to back that judgment with $1,000 of his own money. In fact Mr Doe will pay up if Mr Smith can whack 3 of 10 people chosen at random from his survey list."

Now that's entertainment!

ground rules (2, Interesting)

eck011219 (851729) | more than 7 years ago | (#18011156)

I was about to post something spouting off an opinion before reading the article, but figured I'd better check it first. I was GOING to say, "but do that many sites contain information worth stealing?" But I then wimped out and read the article.

According to the article, the ground rules (in particular, what kinds of sites are fair game) are still up in the air. So this whole thing is still lacking in some pretty basic parameters, which makes use of such a definitive range of percentages kind of silly. It's like saying, "70% percent of some people are redheads." That sounds like a lot of redheads, but without defining the "some people" part, it's just wind.

It's an interesting thought and gets people talking about it, which is certainly not a bad thing. But it's little more than that at this point.

I call bullshit on this. (0)

Anonymous Coward | more than 7 years ago | (#18011500)

If someone wants to prove something like this then they should state a particular O/S / serverware is hackable else they should show they know what they are on about by not picking on systems that are subjected to admin error and should go and hack some hardened systems so they can offer up some security advice to those who realy need it in industry like Sun, SELinux, Hp etc etc.

What's the big deal of acting from a plethora of undisclosed vulnrabilities, this could have a rather negative impact on whatever they are trying to prove.

Better to state that % do not use application firewalls, % set permissions wrong, % use O/S subject to so many problems so % is potentialy hackable, etc etc.

About as unscientific as my last fart.

A "Security Vendor" (1)

pooh666 (624584) | more than 7 years ago | (#18011876)

Yeah, trust them, we have had people in Russia doing scans of our sites with cracked versions of their software. When we contacted them about it, they basically said they gave up trying to protect their OWN SOFTWARE. As far as their software goes, it does ok in terms of giving them a layout a host's website, and looking for possible SQL injection variables. I have NO respect for this kind of fear mongering and therefore it is pretty hard to trust them with something so important, just because it does ONE thing well.

Here's the response Acunetix sent to us (1)

netbuzz (955038) | more than 7 years ago | (#18011910)

The subject line of their e-mail reads - "Acunetix Accepts the Network World Challenge" - but, as you'll see, that claim isn't any more supportable than the company's press release, which they at least have the good graces to concede was "apocalyptic."

http://www.networkworld.com/community/?q=node/1150 1 [networkworld.com]

Re:Here's the response Acunetix sent to us (0)

Anonymous Coward | more than 7 years ago | (#18013104)

Network World? Oh yeah, they were the ones with the front page article last week where they quoted two health care CIO's as saying that all you need to fix this US Daylight Saving Time problem are some NTP servers. The Network World technical staff must have thought NTP stands for Neat Time Patch or something.

I say Acunetix should go after the sites of those two health care CIO's as well.

I'm surprised (2, Interesting)

Nom du Keyboard (633989) | more than 7 years ago | (#18012460)

I'm surprised that 7 of 10 sites even contain personal data. Just what sites was he checking?

Smart move (1)

dramenbejs (817956) | more than 7 years ago | (#18012484)

For FBI, thousand bucks is no big money for getting info about some of the finest hackers around, I guess...

--
This message was sent using 100% recyclable electrons.

Dynamic vs Static? (3, Insightful)

Odin_Tiger (585113) | more than 7 years ago | (#18012544)

Even for as advanced as the web on the whole has become, I still suspect that most sites are static HTML. Unless they're talking about vulnerabilities in httpd's as well as vulnerabilities in site design, I think they're sunk, because unless you're doing something at least moderately complex with scripts and databases, you're site is probably very secure. The bet needs a qualifying limiter or something to clarify that it only applies to *AMP sites or some such, because the average geocities, angelfire, or similar-quality privately hosted site is just not really hackable, because everything that makes up the website is already publicly viewable...images and text, no personal data that isn't intentionally exposed, and there is nothing on the box / vm / whatever other than the site. At best, if the box is misconfigured or unpatched, they can claim that it is defaceable, but that's not nearly the same thing.

$1000 and free room and board for 16 months? (1)

HTH NE1 (675604) | more than 7 years ago | (#18013372)

In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list.

If any story deserved an "itsatrap" [slashdot.org] tag, this is one!

only need to hack one (1)

Train0987 (1059246) | more than 7 years ago | (#18014022)

www.voterlistsonline.com Don't even need to see it, and it already scares you, right? ;_)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?