Five Dollar Security; You Get What You Pay For

Mon Jan 2 03:00:32 CST 2012


The old phrase "If it looks too good to be true, it probably is" is very common, and usually well founded. After seeing an offer for a $5 "security status" of a website, we just had to test it out. Since the service is being offered by a Certified Ethical Hacker (C|EH) with 13 years of experience, who has "wrote professional tools for the job", we expected the results of a commercial vulnerability scanner such as Nessus, Nexpose, or OpenVAS at the very least.

Consider what "vick2011" is offering: a comprehensive report, recommendations and information on how to keep your site secure, and information on keeping your site updated. All of this will typically take less than 24 hours, and it's only five bucks!

I will use my professional skills as a Certified Ethical Hacker to provide you with a professional report of the security status of your website for $5

Certified Ethical Hacker, with over 13 years experience. Will provide you with a comprehensive report stating the security issues and weak points on your website. You will be provided with a report regarding this information. You will also receive recommendations and information on how to keep your website safe and secure, and keeping it updated. This service should take less than 24 hours as I have wrote professional tools for the job.

Given how good of a deal this is, we were willing to look past vick2011's 67% approval rating for this service. Looking at vick2011's profile, s/he certainly seemed to have plenty of technical experience!

However, we were a little hesitant about parting with this money after we saw that vick2011 also offered a wide variety of other services. How could such an all-around technical master afford to give away such valuable services for five bucks?!

One more look at vick2011's busty avatar and we were convinced. Without further hesitation, we retained his/her services:

Not a day later, our report was ready. vick2011 was a consummate professional, delivering the report in Microsoft Word format (download at your own risk!), rather than PDF. For our loyal readers, we have converted it into a PDF file for your peace of mind. As you can see, attrition.org passed with flying colors! Look at all those green checkmarks and suppress your jealousy. With such a comprehensive list of URLs that were scanned, we are confident this report is as thorough as he promised. We'll ignore the fact that there are some 16,000 HTML pages spread across more than 2,000 directories, that couldn't really matter. The web server details are spot on! Well, as far as relying on what the web server returns in the Server string; you can always trust that.

Suspiciously lacking in the report was the information on how to keep the web site more secure and updated properly. Perhaps since vick2011 found no vulnerabilities, we are magically secure today and for the rest of eternity! Out of morbid curiosity, we watched the web server logs during the period where vick2011 tested the server. We'd share with you those logs, but there were none. No probing for vulnerabilities, no IP address hit the list of URLs provided in the report, no requests for CGI programs, nothing. Rather than actually testing the server, vick2011 instead just relied on third-party utilities like sucuri.net's scanner, the Phish Tank, and Google's Safe Browsing site.

By this point, we were feeling pretty robbed of our hard earned five dollars. It takes a good ten to fifteen minutes to panhandle that much on Colfax! Needless to say, vick2011 ended up getting pretty negative feedback. A few days later, we checked back on our friend only to find the $5 security test now said this gig was deleted by the seller. In its place is what we assume to be the real vick2011:

Shockingly enough, he is only a "Freelance PHP Developer, with over 5 years experience." Gone is the 13 year veteran Certified Ethical Hacker. Frowny face.




Copyright 2012 by attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included.

Should you feel generous, please donate a couple of bucks to any 501(c)(3) non-profit that benefits animals or computer security on our behalf.


main page ATTRITION feedback