The last month was very active in the web application security field, and at the Web Hacking Incidents Database project we have collected numerous new incidents, listed below. It is very evident that both the rate of incidents and the amount of information available about each one are on the rise. We have also started adding more classifications to each incident: in addition to the attack method, we now track for each incident its geography, the outcome of the attack and the industry sector in which it occurred. We are going to use this information in our first annual Web Incidents summary report, to be issued in early January. So if you know of a web hacking incident that you feel should be in the database and is not (or you could not find it), send me an e-mail at ofer at shezaf.com, so it will be there in time for the annual report.

For more information and complete details of each incident, refer to the Web Hacking Incidents Database at http://www.webappsec.org/projects/whid.

Ofer Shezaf
Work: offer at breach.com, +972-9-9560036 #212
Personal: ofer at shezaf.com, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project

WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007
Classifications:
* Attack Method: Credential/Session Prediction
* Country: USA
* Outcome: Identity Theft
* Vertical: Government

The Secret Service has arrested at least 6 people in an investigation involving information theft from an Ohio court web site; the stolen information is being actively used for identity theft. At least one known identity theft case resulted in a $40,000 loss to the victim.
WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
=========================================================================
Reported: 20 December 2007, Occurred: 20 December 2007
Classifications:
* Attack Method: SQL Injection
* Country: USA
* Outcome: Defacement
* Vertical: Government

The Indonesian hacker Hmei7 left the message "Hmei7 has touched your soul" on the web site of the police department in Tucson, Arizona. Unlike a regular defacement, this time it was not the front page but the news section that was modified.

WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German subsidiary
====================================================================================
Reported: 19 December 2007, Occurred: 30 September 2007
Classifications:
* Attack Method: Unknown
* Country: Germany
* Outcome: Leakage of Information
* Vertical: e-commerce

An unidentified group stole credit card numbers and billing addresses from the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of Ticketmaster. Some 66,000 customers who purchased tickets with a credit card from the Kartenhaus.de web site between October 24, 2006 and September 30, 2007 were affected.

WHID 2007-60: The blog of a Cambridge University security team hacked
=====================================================================
Reported: 19 December 2007, Occurred: 27 October 2007
Classifications:
* Attack Method: Known Vulnerability
* Attack Method: Insufficient Authentication
* Attack Method: SQL Injection
* Country: UK
* Outcome: Downtime
* Software: WordPress
* Vertical: Education

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don't have the time. They made the compromise between ease of management of their web site and its security.
Apart from, or actually because of, the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:
* Zero-day exploit in the wild: the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a previously unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
* The researchers found that they could use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient lookup of hashed passwords.

WHID 2007-62: A security flaw in Passport Canada's website
==========================================================
Reported: 19 December 2007, Occurred: 01 December 2007
Classifications:
* Attack Method: Credential/Session Prediction
* Country: Canada
* Outcome: Disclosure Only
* Vertical: Government

The web site of the Canadian passport authority enabled users to access other people's records by modifying the value of a parameter in the URI.

WHID 2007-64: Information about Duke's Students and Applicants Stolen
=====================================================================
Reported: 19 December 2007, Occurred: 01 December 2007
Classifications:
* Attack Method: Unknown
* Country: USA
* Outcome: Leakage of Information
* Vertical: Education

The personal data of nearly 1,400 prospective Duke Law School students may have been stolen by a hacker from two separate databases, one holding the prospective students' data and another filled with requests for information about the school.
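The Passport Canada flaw above (WHID 2007-62) is the textbook insecure direct object reference: the handler reads a record number from the URI and looks it up without asking whether the logged-in user owns that record. The example below is added here and is not code from the WHID project or from Passport Canada; the record table, the `record` query parameter, the user ids and the function names are all constructed for illustration. It shows the vulnerable lookup next to an object-level authorization check, plus a per-session indirect reference map as defence in depth.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


# Constructed sample data standing in for a records table; the schema is an
# assumption for this example, not the real site's.
@dataclass(frozen=True)
class PassportRecord:
    record_id: int
    owner_id: int        # account that is allowed to view this record
    holder_name: str


RECORDS: Dict[int, PassportRecord] = {
    1001: PassportRecord(1001, owner_id=1, holder_name="Alice Example"),
    1002: PassportRecord(1002, owner_id=2, holder_name="Bob Example"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def record_id_from_uri(uri: str) -> Optional[int]:
    """Pull the (assumed) 'record' query parameter out of a request URI."""
    values = parse_qs(urlparse(uri).query).get("record", [])
    return int(values[0]) if values and values[0].isdigit() else None


def get_record_vulnerable(uri: str) -> Optional[PassportRecord]:
    # The flaw: the id comes straight from the URI and is looked up without
    # reference to who is logged in. Changing the number shows another record.
    return RECORDS.get(record_id_from_uri(uri))


def can_access(session_user_id: int, record_id: Optional[int]) -> bool:
    """Object-level authorization: the record must exist AND belong to the caller."""
    rec = RECORDS.get(record_id)
    return rec is not None and rec.owner_id == session_user_id


def get_record_checked(session_user_id: int, uri: str) -> PassportRecord:
    rid = record_id_from_uri(uri)
    # One response for "not yours" and "does not exist", so the error itself
    # does not reveal which ids are valid.
    if not can_access(session_user_id, rid):
        raise Forbidden("record not available")
    return RECORDS[rid]


class IndirectReferences:
    """Per-session opaque handles: the URI carries a random token instead of
    the raw database id, so there is no number to increment. The ownership
    check still runs on the resolved id; the map adds depth, it does not
    replace can_access()."""

    def __init__(self, session_user_id: int):
        self.user_id = session_user_id
        self._refs: Dict[str, int] = {}

    def handle_for(self, record_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._refs[token] = record_id
        return token

    def resolve(self, token: str) -> PassportRecord:
        rid = self._refs.get(token)
        if not can_access(self.user_id, rid):
            raise Forbidden("record not available")
        return RECORDS[rid]


if __name__ == "__main__":
    # User 1 asks for record 1002, which belongs to user 2.
    print("vulnerable:", get_record_vulnerable("/passport/status?record=1002"))
    try:
        get_record_checked(1, "/passport/status?record=1002")
    except Forbidden as e:
        print("checked:", e)
```

The ownership check is the fix; the indirect reference map only removes the guessable number from the URL. Note the deliberately identical error for a missing record and for someone else's record, so probing the parameter does not enumerate valid ids.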
WHID 2007-65: Facebook suing a porn site over automated access
==============================================================
Reported: 19 December 2007, Occurred: 28 June 2007
Classifications:
* Attack Method: Insufficient Anti-automation
* Country: USA
* Country: Canada
* Vertical: Information Services

Use of robots and automated software against a web site, as long as it is not done in order to break into the site, falls into a grey area. While hard to classify as an unlawful act, it is usually harmful to the site owner and possibly to the site users. Apart from consuming valuable resources, such automated access may breach the site's usage license for public information and might also indicate unlawful activity such as the use of a botnet. Often it is hard to know whether such a blast of requests is a denial of service attack, brute force password cracking or just a search engine crawler. Going forward we are going to add such incidents to WHID if there is reason to believe that they are not friendly, even if the actual goal of the attack cannot be easily classified. The Facebook case at hand is a perfect example: while the details are not clear, the fact that Facebook filed a lawsuit implies that there is fire behind the smoke.

WHID 2007-66: Hacker Conquers French Embassy In Libya Web Site
==============================================================
Reported: 19 December 2007, Occurred: 14 December 2007
Classifications:
* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government

To iframe or not to iframe, that is the question. As malware becomes more popular, the number of incidents, mostly insignificant, in which malware was planted on a hacked site is rising, and WHID is not the right place to list all of them. We currently report such incidents if the hacked site is of interest or if the attack method is known.
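The Facebook entry above (WHID 2007-65) makes the point that a burst of requests is hard to classify from the outside: flood, credential guessing and crawler all look like "too many requests" at first glance. The example below is an added one, not code from WHID or from Facebook. It parses combined-format access log lines, finds every client that exceeds a request threshold inside a sliding window, and attaches a heuristic label from what the requests look like (rejected logins, a `robots.txt` fetch plus many distinct pages, or hammering of a handful of URLs). The log lines, addresses, thresholds and the labelling rules are constructed for illustration; the labels are hints for an analyst, not proof of intent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_burst(times: List[datetime], window: timedelta) -> int:
    """Largest number of requests that fall inside any single window (two-pointer sweep)."""
    ts = sorted(times)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def profile_clients(lines, window=timedelta(seconds=10), threshold=20) -> Dict[str, dict]:
    """Flag every client exceeding `threshold` requests within `window` and label it.
    The labels are rules of thumb for triage, not a verdict."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        burst = max_burst([r["ts"] for r in recs], window)
        if burst < threshold:
            continue
        paths = {r["path"] for r in recs}
        login_failures = sum(
            1 for r in recs
            if r["method"] == "POST" and r["path"].startswith("/login") and r["status"] in (401, 403)
        )
        if login_failures >= threshold // 2:
            label = "credential guessing"      # many rejected logins in one burst
        elif "/robots.txt" in paths and len(paths) > len(recs) // 2:
            label = "crawler-like"             # announced itself and walks distinct pages
        elif len(paths) <= 3:
            label = "flood"                    # hammering one or two resources
        else:
            label = "unclassified automation"
        findings[ip] = {"requests": len(recs), "burst": burst, "distinct_paths": len(paths),
                        "label": label, "user_agents": sorted({r["ua"] for r in recs})}
    return findings


def sample_log() -> List[str]:
    """Constructed log lines using RFC 5737 documentation addresses; not real traffic."""
    base = datetime(2007, 12, 19, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status, ua):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    # An ordinary visitor: three pages, half a minute apart.
    lines = [line("192.0.2.10", i * 30, "GET", p, 200, "Mozilla/5.0")
             for i, p in enumerate(["/", "/about", "/contact"])]
    # Thirty rejected logins in six seconds.
    lines += [line("198.51.100.7", i // 5, "POST", "/login", 401, "Mozilla/5.0")
              for i in range(30)]
    # A crawler that fetched robots.txt and then walked 24 distinct pages.
    lines += [line("203.0.113.5", i // 3, "GET", "/robots.txt" if i == 0 else f"/page/{i}", 200,
                   "ExampleBot/1.0 (+http://bot.example)") for i in range(25)]
    return lines


if __name__ == "__main__":
    for ip, info in profile_clients(sample_log()).items():
        print(ip, info["label"], info["burst"], "requests in window")
```

In a real deployment the window and threshold depend on the site, and the user-agent list is kept in the finding precisely because a crawler that identifies itself and honours `robots.txt` is handled differently from one that does not.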
WHID 2007-67: The Day My Web Site Was Hacked
============================================
Reported: 19 December 2007, Occurred: 17 December 2007
Classifications:
* Attack Method: Known Vulnerability
* Country: UK
* Outcome: Link Spam
* Software: WordPress
* Vertical: Information Services

In an incident very similar to the Al Gore hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.

WHID 2007-69: The Orkut XSS Worm
================================
Reported: 19 December 2007, Occurred: 19 December 2007
Classifications:
* Attack Method: Cross Site Scripting (XSS)
* Country: USA
* Outcome: Worm
* Vertical: Information Services

A vulnerability in the social networking site Orkut that allowed users to inject HTML and JavaScript into their profiles set the stage for a persistent XSS worm that appears to have affected more than 650,000 Orkut users.

WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
===================================================================
Reported: 19 December 2007, Occurred: 26 November 2007
Classifications:
* Attack Method: Known Vulnerability
* Country: USA
* Outcome: Link Spam
* Software: WordPress
* Vertical: Government

Whether comment spam by itself is an application failure or a necessary evil for sites allowing rich comments is an open question. However, it is reported that in this case a vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages, not just abuse comments.
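The Orkut worm above (WHID 2007-69) spread because profile fields accepted raw HTML and JavaScript and the site rendered them back to every visitor. Where a site wants to allow some formatting in user profiles, the defensive pattern is an allowlist sanitizer: keep a short list of harmless tags and attributes, drop everything else, reject link schemes other than plain http(s), and re-escape all text on output. The following sanitizer is an added example, not code from Orkut or from WordPress; the allowed tag set and the function names are assumptions chosen for illustration, and it relies only on the standard library's `html.parser`.

```python
import html
from html.parser import HTMLParser
from typing import List

# Allowlist: anything not named here is dropped. The exact set is an assumption
# for this example; a real site tunes it to the formatting it wants to offer.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}   # their content is code, never rendered


def safe_href(url) -> bool:
    """Only plain http(s) links survive. javascript:, data:, vbscript: and friends
    fail the allowlist instead of being enumerated on a denylist."""
    return url is not None and url.strip().lower().startswith(("http://", "https://"))


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_tags: List[str] = []    # allowed tags currently open, for balancing
        self.skip_depth = 0               # > 0 while inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                        # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                  # drops every on* handler, style, src, ...
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag not in RAW_TEXT_TAGS:      # a self-closing <script/> has no body to skip
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return                        # stray or disallowed close tag: ignore
        while self.open_tags:             # close up to and including `tag`
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped on output, so "<", ">" and "&" typed by the user
            # render literally instead of being parsed again by the browser.
            self.out.append(html.escape(data, quote=False))


def sanitize_profile_html(fragment: str) -> str:
    """Return a version of the user's profile markup that contains only allowlisted tags."""
    p = ProfileSanitizer()
    p.feed(fragment)
    p.close()
    while p.open_tags:                    # balance anything the user left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed profile text: formatting, an inline script and a scripted link.
    sample = '<b>About me</b><script>alert(1)</script> <a href="javascript:alert(1)">link</a>'
    print(sanitize_profile_html(sample))
```

Two design points matter more than the tag list. First, the sanitizer re-serialises from parsed events rather than patching the input string, so malformed or nested markup cannot smuggle a tag past a regular expression. Second, attributes and URL schemes are allowlisted too, since an event handler on a harmless `<b>` or a `javascript:` href is just as much script as a `<script>` tag.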