At least 100 New Zealand websites have security flaws, claims an Auckland-based internet security firm.
Software Creations says this includes one in five of those using version 5 of Microsoft's Internet Information Server and a third of those with version 4.
The claim follows a "friendly hack" of the sites earlier this month by owner-operator Brett Moore using a year-old "web bug". The program enters a website and, depending on the code returned, tells a hacker if a system is at risk.
Moore has since emailed the "vulnerable" companies found, warning them hackers "can download any data from that [your] computer, which could include passwords, credit card numbers, or even your company's biggest secrets."
Websites can also be defaced with mindless drivel or obscenities. "It was more market research," says Moore. "We found more than 100 vulnerable sites. We targeted Microsoft web servers as they have many vulnerabilities."
Moore, a contract programmer, says the sites could be assessed using a simple program he developed in 20 minutes. He says it is similar to the tools "script kiddies" can find on the internet, and that testing the sites took two hours.
Moore says his email, and its suggestion that recipients check their company's website, has received "a mixed response".
"Nobody likes being told they are vulnerable. Our aim is to protect registered companies," he says.
The two-year-old firm is using the test to launch a security service, including port scanning to assess vulnerabilities and checking web servers for all known CGI and Perl script bugs.
One new customer says after letting Moore "poke and prod" his system, he found some "fairly alarming results, such as 'file create' access on my NT boot partition".
"I have used other products such as Shields Up to scan my system and was reasonably confident most of the loopholes were closed," he says.
However, a technical director of an Auckland software company, who received one of Moore's emails via a customer, branded the exercise "pretty sleazy" and "spam-based scaremongering". He disagrees only with the method of advertising, and says such security is needed.
"Microsoft's products are full of holes and need continual patches and fixes. I have [internet security product] Black Ice on my main server and the number of attempted attacks is phenomenal. Just script kiddies doing port scans and looking for vulnerabilities," the director says.
Microsoft technical marketing manager Terry Allen says it is likely the 100 sites did not have the latest patches and "the vast majority of websites operate securely without problems using Microsoft products."
Microsoft offers free email notification to advise users of new patches and has a website looking at security issues.
"The only perfectly secure computer system is one that is turned off," says Allen. He says such uninvited testing of websites for security is illegal in the US.