Thread: Online security testing.

  1. #1
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325

    Online security testing.

    I found a pretty cool site, but then I got to thinking...

    The site I found is www.securitystats.com

    They have several "security awareness" tools on their page.

    These are web based pages that test the strength of your password and such.

    Well, if they wanted, couldn't they just use the info you submit to them and your ip address that is easily found in their logs to gain access to your computer/network?

    Call me paranoid, but I don't completely trust sites like this or programs that "test your security". All someone would have to do is write a program/page to send back your IP and your test results and they would almost have instant access to a PC without permission. Just because someone wanted to "test their security".

    So, my question...

    Do you think that the chances are high that someone/some company would take advantage of the information that a user submits while testing their systems?
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish: While you are right to be wary I would suggest the following thoughts.

    If you see a site that proposes to "test your security" etc., go take a look around the site to see if it is selling any products. Financial gain is a wonderful way of ensuring the site is honest. But don't stop just there unless you recognize the product name. If you don't - Google it. What do people have to say about it and its creators? If it is positive and there is a feeling amongst those comments that the organization is trustworthy then all the better. If you already recognize the product name then you have your own opinion of the company/product already - use that to make your determination.

    It's always handy to have a few "outside" systems run over your own systems just to see if they see something you forgot.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    It's a gas!
    Join Date
    Jul 2002
    Posts
    699
    You're right, you're best to be paranoid these days to stay secure!

    Quote taken from the site you just posted
    Please note that although we will not store the password you enter, it's never a good idea to send your password to someone you don't know. Instead, we recommend testing a password which is *similar* to one you might use.
    So for this site they're not asking you to input your actual passwords, but only a *similar* password to one you MIGHT use.

    But I'm sure there are sites out there doing just what you've suggested phishphreek80, so you just gotta be careful!

    Cheers

    r3b00+

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    I'm also pretty sure most online security testing websites have terms of service or conditions under which they can get in legal trouble if they exploit anything they find or use it in a manner that they said they wouldn't. If no legal action can be taken against that (I'm not sure if there can) then you might want to be paranoid about how you check your security or which testing sites you go to.
    Space For Rent.. =]

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Having read all of you guys,

    it seems that the safest thing is to check/audit our own systems ourselves!

    That's Nessus's purpose, I guess. Dynamic auditing!
    SHARING KNOWLEDGE

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    From looking at the web site, they don't really offer any online security testing; yes, they have tools for passwords and what looks like a port scanner. I would stick clear of their tools; they are not going to tell you much. But from what I read on the site they do know what they are talking about (and it's up to date!), so I would give it a good read.

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  7. #7
    Senior Member
    Join Date
    Dec 2002
    Posts
    107
    My opinion is, if you are really looking for a security defense program, go to CompUSA and buy a program. I would recommend a couple (Norton and McAfee); however, I think you have your eye on a downloadable version.

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    A security program is only any good if it's set up correctly
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Originally posted here by SittingDuck
    A security program is only any good if it's set up correctly
    That's very true. Another thing I sometimes do is set up a box or webserver, secure it, and try to hack it. Either that, or try using common methods that people use against those servers/machines and that would be a good way to test security of the box or server.
    Space For Rent.. =]
