Update 3: As could be predicted, the sla.ckers.org crew quickly uncovered a few XSS issues in the Network World website. Mr. McNamara and Mr. Snyder, please take some friendly advice -- don't go down the road saying you weren't vulnerable or that XSS is a non-issue. That'll just open up a whole new can o' worms, like it did for Scan Alert and F5.
Update 2: Thomas Ptacek posted an equally hilarious parody of the situation.
Update: Check out RSnake's take on the challenge. Priceless. He even offers his assistance to win. :)
I love mornings like this when new and interesting things are happening. Check this out: Acunetix releases a report headlined, "70% of websites at immediate risk of being hacked!". For the last year they've been offering free web scans, covering some 3,200 sites. The wording was a bit sensationalist and I had a few questions about the data, but the numbers looked about right to me (like RSnake said, maybe a little low). At least I didn't think they were way off base, as they were somewhat similar to my stats. Here's where it gets interesting.
Network World's Paul McNamara loops in his "go-to" security guy, Joel Snyder, "a stalwart in the Network World Lab Alliance and senior partner at Opus One in Tucson, Ariz", for an expert opinion. Snyder promptly calls the results a "crock" and issues a $1,000 challenge. Juicy.
"But the basics would be that an employee of the company (Acunetix) would need to get valuable personal information - like a credit card or social security number, not an e-mail or home address - from at least three of a random 10 of those 3,200 sites they tested."
A couple of things here before I go on:
1) I'm not certain how wise it is to ask a "network" security guy's opinion on "web application" security matters. Maybe he cross-trains.
2) There is certainly a difference between having a vulnerability and it being exploitable. Vulnerability Assessment vs. Risk Assessment.
3) There are many different types of data on websites worth protecting aside from CC's and SSN's (source code, trade secrets, insider info like unannounced press releases, etc.)
So, Nick Galea (CEO) and Kevin J. Vella (VP Sales and Operations) promptly fire back at Network World, accepting the challenge but changing the terms a little.
"We are willing to accept the challenge. However we feel that the subject of the challenge should be the Network World Web site, rather than - as Mr. Snyder suggested - an innocent third-party Web site. After all, making a wager with someone else's Web site would be unfair, and furthermore illegal."
"So we will accept the wager and perform a security audit on the Network World site and attempt to breach any vulnerabilities found. This should be a fair substitute, since we are assuming that considering Mr. Snyder's comments, Network World is confident that its Web site is secure and any data it holds is unbreachable."
Woohooo, game on! Good move and I agree with their assessment of the terms. But Network World and Snyder get a bit snarky and say:
"I think that they are missing the point. I am (as you are noting) challenging the conclusion, not the data. I believe that they think that they have found vulnerabilities. But there is a huge difference between that and turning a vulnerability into a breach."
Fair enough. The story is still developing and we'll see where it leads. They're now haggling over which websites they should hack and what should constitute a hack. Obviously not every website is important, but that doesn't mean it isn't at risk of being hacked. It just doesn't matter a lot if it is. So how many "important" websites are out there out of a pool of 100 million? I dunno, I guess 500,000 (?), and statistically I think most of them are hackable.
Interestingly enough, I'm hosting a webinar on this subject this morning. :)