Acunetix Website Hack And Lessons Learnt
Update: Acunetix has just released an official response about the incident, read it here.

Last night, the website of Acunetix (a well-known automated web application scanner) was hacked by Croatian hackers. Since then the website has been taken offline and the Acunetix team is reviewing the root cause of the hack. Currently the homepage displays a "403 Forbidden" error, which might be because the attacker deleted all the files, or because the developers deliberately took it down in order to review the files for any backdoor that might have been injected.

Courtesy - http://exploitgate.com/acunetixs-website-got-hacked-croatian-hackers/

Lessons Learnt 

Up till now the cause of the hack remains unknown, as Acunetix is yet to acknowledge it. However, the hack gives us the following important generic lessons:

i) Defense is more difficult than offense. For defense you have to find and close all 100 doors an attacker could use to get into the server; for offense the attacker only has to find one single way in.

ii) Web applications nowadays have become extremely complex, with new features being added on a daily basis. It's almost impossible to achieve complexity and security at the same time.

iii) Automated scanners and web application firewalls won't necessarily protect your web applications, as neither of them understands the business logic of the application. The defense in depth principle should be followed, where security is ensured at all layers. You can refer to my article "Secure Application Development And Modern Defenses".

iv) Security is not a one-time job, it's an ongoing process; there is no specific requirement that, once met, gives 100% security.

One of the arguments people would use is "How can their tool ensure our web application's security when they cannot protect themselves from getting hacked?" The answer is that absolutely nothing can ensure 100% security. We have seen many security products failing to ensure their own security; examples can be found here (Imperva SecureSphere Web Application Firewall MX 9.5.6 - Blind SQL Injection), here (So Who Hacked EC-Council Three Times This Week?) and here (Tavis Ormandy finds vulnerabilities in Sophos Anti-Virus products), and it's perfectly normal.

The problem comes when these product owners, instead of acknowledging and responding to the breach, choose to remain silent, thereby losing their credibility even further in the eyes of customers as well as the infosec community. It is the right of the customers to know whether their data was compromised in the breach and, if so, to what extent, and if passwords were compromised, how those passwords were being stored.

With that being said, I would like to highlight the fact that they will not necessarily go out of business after this hack. EC-Council has been hacked multiple times and is still in business.