By Paul McNamara,

Survey says 70 percent of Web sites are begging to be hacked: My expert's $1,000 says that percentage is a crock.

02/13/2007 - 12:53pm

Put up or shut up time, Acunetix.

The security vendor today is touting its yearlong survey of 3,200 Web sites that purportedly shows 70% of them contained vulnerabilities that pose a medium- to high-level risk of an important data breach.

(Tuesday update: Acunetix sidesteps challenge)

"Without sounding apocalyptic, I believe the 70% figure should send tremors not just ripples in the market," says Kevin Vella, vice president of sales and operations, sounding apocalyptic in a press release.

I forwarded the release to my go-to guy on all security matters, Joel Snyder, a stalwart in the Network World Lab Alliance and senior partner at Opus One in Tucson, Ariz.

"This is just sensationalist nonsense, not credible on its face, and dishonest in its goal of inspiring fear," Snyder says. And he's willing put his money behind his mockery.

"When I read that (Acunetix press release), I was thinking of something I sent to a spam vendor who claimed completely ridiculous statistics about 10 days ago," he says. "I offered to bet them $1,000 that their product wouldn't actually match those statistics in a Network World test. The vendor disappeared. I'll throw down the same gauntlet with these guys. Let's get their list of 3,200 sites, pick 10 at random, and see if they can 'steal sensitive data' from those sites. They say they'll be able to hack into seven of them. I'll bet $1,000 they can't steal personal data from three of them."

Snyder tends to shoot from the lip, and he's in Singapore at the moment on business, so I sent an e-mail back looking for confirmation that he is serious. He is - as long as he gets to keep the money. Fine by me; he's putting up his own loot here, not ours.

That's if Acunetix wants to play, of course. Here's a slice from today's press release:

There is an extremely high probability of these vulnerabilities being discovered and manipulated by hackers to steal the sensitive data these organizations store.

On average 91% of these Web sites, contained some form of Web site vulnerability, ranging from the more serious such as SQL Injection and Cross Site Scripting to more minor ones such as local path disclosure or directory listing.

Approximately 66 vulnerabilities per Web site were found for a total of 210,000 vulnerabilities over the scanned population.

50% of the Web sites with instances of high vulnerabilities were susceptible to SQL Injection while 42% of these websites were prone to Cross Site Scripting. Other serious vulnerabilities include Blind SQL Injection, Cross Site Scripting, CRLF Injection and HTTP response splitting, as well as script source code disclosure.

Snyder, naturally, is not contending that there is no problem at all with insecure Web sites.

"There are a lot of sites that have potential issues with them, and many of those sites have commercial data, like credit card numbers, that they shouldn't. I'm not going to disagree with that. But is it 10% of legitimate e-commerce sites? No, not even close. Is it 10% of sites that have random crap on them? Yeah, maybe. But do those sites have data worth protecting? My 14-year-old niece is registered at (name deleted to protect the uninvolved). Can they get her profile information? Yeah, maybe. Is that an issue? Yeah, it's an issue. Is that a critical, inflammatory, 70%, the-world-is-coming-to-an-end issue? No, it's not."

As for the ground rules of the wager should Acunetix accept, we'll have to work those out - and we'll clearly need the help of a neutral third party, since my allegiances have been made clear here. But the basics would be that an employee of the company would need to get valuable personal information - like a credit card or social security number, not an e-mail or home address - from at least three of a random 10 of those 3,200 sites they tested.

I've sent Snyder's challenge to the company.

main page ATTRITION feedback