Wednesday, February 14, 2007

Acunetix, NetworkWorld, and $1000, oh my!

Update 3: As could be predicted, the crew quickly uncovered a few XSS issues in the Network World website. Mr. McNamara and Mr. Snyder, please take some friendly advice -- don't go down the road saying you weren't vulnerable or that XSS is a non-issue. That'll just open up a whole new can o' worms, like it did for Scan Alert and F5.

Update 2:
Thomas Ptacek posted an equally hilarious parody of the situation.

Update 1: Check out RSnake's take on the challenge. Priceless. He even offers his assistance to win. :)

I love mornings like this when new and interesting things are happening. Check this out: Acunetix releases a report headlined, "70% of websites at immediate risk of being hacked!". For the last year they've been offering free web scans of some 3,200 sites. The wording was a bit sensationalist and I had a few questions about the data, but the numbers looked about right to me (like RSnake said, maybe a little low). At least I didn't think they were way off base, as they were somewhat similar to my stats. Here's where it gets interesting.

Network World's Paul McNamara loops in his "go-to" security guy, Joel Snyder, "a stalwart in the Network World Lab Alliance and senior partner at Opus One in Tucson, Ariz", for an expert opinion. Snyder promptly calls the results a "crock" and issues a $1,000 challenge. Juicy.

"But the basics would be that an employee of the company (Acunetix) would need to get valuable personal information - like a credit card or social security number, not an e-mail or home address - from at least three of a random 10 of those 3,200 sites they tested."

A couple of things here before I go on:

1) I'm not certain how wise it is to ask a "network" security guy's opinion on "web application" security matters. Maybe he cross-trains.
2) There is certainly a difference between having a vulnerability and it being exploitable. Vulnerability Assessment vs. Risk Assessment.
3) There are many different types of data on websites worth protecting aside from CC's and SSN's (source code, trade secrets, insider info like unannounced press releases, etc.)

So, Nick Galea (CEO) and Kevin J. Vella (VP Sales and Operations) promptly fire back at Network World accepting the challenge but changing the terms a little.

"We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World Web site, rather than - as Mr. Snyder suggested - an innocent third-party Web site. After all, making a wager with someone else's Web site would be unfair, and furthermore illegal.

"So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its Web site is secure and any data it holds is unbreachable."

Woohooo, game on! Good move and I agree with their assessment of the terms. But Network World and Snyder get a bit snarky and say:

"I think that they are missing the point. I am (as you are noting) challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. But there is a huge difference between that and turning a vulnerability into a breach."

Fair enough. The story is still developing and we'll see where it leads. They're now haggling over which websites they should hack and what should constitute a hack. Obviously not every website is important, but that doesn't mean it isn't at risk of being hacked. It just doesn't matter a lot if it is. So how many "important" websites are out there out of a pool of 100 million? I dunno, I guess 500,000 (?) and statistically I think most of them are hackable.

Interestingly enough, I'm hosting a webinar on this subject this morning. :)


Anonymous said...

The 70% statistic would have to include sites which have been previously tested, or it would be higher. I've done around 150 serious large scale audits over the last few years, and I've only come across two large, serious financial apps that were secure.

They are the hardest to review, as an app with no issues is like an all you can eat challenge.

The rest ranged from laughable to pretty hard. Most are in the laughable to moderate section, often with one or more serious privacy issues.

There are plenty of places that want to get reviews done - and pay for them. I bet it wouldn't be hard to get a few small and medium sized firms to agree to have their security tested for free or a reduced rate given certain ground rules in return for anonymity of results (i.e. the guys only reported, like this:

"We 0wned:

4 - SME shopping cart sites
3 - Medium to large corporate sites
and in the time we had, we couldn't do the other three"

Given a heads up and for free, I'm sure there would be a few takers for that as long as the T&C's of the VA could be agreed (such as indemnity and scope).

Personally, I can't imagine the insurance folks who back our industry going for it without some serious CYA T&Cs protecting them.

Jeremiah Grossman said...

Heya Andrew, we see about the same thing here, and I get the point Network World is trying to make, but sheesh. I just don't think the network sec guys understand how wide open the Web has become. It'll take hacks upon hacks I guess before they realize.