RE: Latest round of web hacking incidents for 2007 & Project news
>>The researchers found that they can use Google to retrieve the hashed
>>password of the hacker. Google has become so big that it actually allows
>>efficient encrypted passwords lookup.
Could you please be more specific? Do you mean, Google had crawled an entire
MySQL DB and had access to the contents of the password field in encrypted
form? Or had the contents of a /etc/shadow file? Or has a huge rainbow table
repo. to compare hashes against? Or... ?
Sincerely,
Aras "Russ" Memisyazici
IT Specialist II
Virginia Tech -- OIS
-----Original Message-----
From: "Ofer Shezaf" <ofers@xxxxxxxxxx>
To: "Bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: 12/27/07 11:01 AM
Subject: Latest round of web hacking incidents for 2007 & Project news
The last month was very active in the web application security field and at
the Web Hacking Incidents Database Project we have collected numerous new
incidents, listed below. It is very evident that both the rate of incidents
as well the amount of information about each one is on the rise.
We have also started adding more classifications to each incident. In
addition to the attack method we now track for each incident its geography,
the outcome of the attack and the industry sector it occurred in. We are
going to use this information in our first annual Web Incidents summary
report to be issued in early January.
So if you know of a web hacking incident that you feel should be in the
database and is not (or you could not find it), send me an e-mail at ofer at
shezaf.com, so it will be there in time for the annual report.
For more information and complete details of each incident refer to the Web
Hacking Incidents Database at http://www.webappsec.org/projects/whid.
Ofer Shezaf
Work: offer at breach.com, +972-9-9560036 #212
Personal: ofer at shezaf.com, +972-54-4431119
VP Security Research, Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
======================================================================
Reported: 22 December 2007, Occurred: 22 December 2007
Classifications:
* Attack Method: Credential/Session Prediction
* Country: USA
* Outcome: Identity Theft
* Vertical: Government
The Secret Service has arrested at least 6 people in an investigation that
involves information theft at an Ohio court web site, which is actively used
for identity theft. At least one known identity theft case resulted in a
$40,000 loss to the victim.
WHID 2007-70: Tucson, Arizona police web site defaced using SQL injection
=========================================================================
Reported: 20 December 2007, Occurred: 20 December 2007
Classifications:
* Attack Method: SQL Injection
* Country: USA
* Outcome: Defacement
* Vertical: Government
The Indonesian hacker Hmei7 has left the message "Hmei7 has touched your
soul" on the Web site of the police department in Tucson, Arizona. But
unlike a regular defacement, this time it is not the front page but rather
the news section that was modified.
WHID 2007-63: Credit card data theft at Kartenhaus, a Ticketmaster German
subsidiary
=========================================================================
Reported: 19 December 2007, Occurred: 30 September 2007
Classifications:
* Attack Method: Unknown
* Country: Germany
* Outcome: Leakage of Information
* Vertical: e-commerce
An unidentified group had stolen credit card numbers and billing addresses
of the Hamburg, Germany ticket sales office Kartenhaus, a subsidiary of
Ticketmaster. Some 66,000 customers who purchased tickets with a credit card
from the Kartenhaus.de web site between October 24, 2006 and September 30,
2007 were affected.
WHID 2007-60: The blog of a Cambridge University security team hacked
=====================================================================
Reported: 19 December 2007, Occurred: 27 October 2007
Classifications:
* Attack Method: Known Vulnerability
* Attack Method: Insufficient Authentication
* Attack Method: SQL Injection
* Country: UK
* Outcome: Downtime
* Software: WordPress
* Vertical: Education
I am sure that the guys at Light Blue Touchpaper have the expertise to
protect their WordPress installation, but they don't have the time. They
made the compromise between ease of management of their web site and its
security.
Apart from, or actually because of the fact that the victims are security
experts, this story is noteworthy due to two additional twists in the plot:
* Zero day exploit in the wild - the attacker penetrated twice, once
using a known SQL injection vulnerability, but the second time using a yet
unknown vulnerability in WordPress, which was reverse engineered and
published for the first time by the people at Light Blue Touchpaper.
* The researchers found that they can use Google to retrieve the hashed
password of the hacker. Google has become so big that it actually allows
efficient encrypted passwords lookup.
WHID 2007-62: A security flaw in Passport Canada's website
==========================================================
Reported: 19 December 2007, Occurred: 01 December 2007
Classifications:
* Attack Method: Credential/Session Prediction
* Country: Canada
* Outcome: Disclosure Only
* Vertical: Government
The Web site of the Canadian passports authority enables users to access
others' records by modifying the value of a parameter in the URI.
WHID 2007-64: Information about Duke's Students and Applicants Stolen
=====================================================================
Reported: 19 December 2007, Occurred: 01 December 2007
Classifications:
* Attack Method: Unknown
* Country: USA
* Outcome: Leakage of Information
* Vertical: Education
The personal data of nearly 1,400 prospective Duke Law School students may
have been stolen by a hacker from two separate databases, one including the
prospective students' data and another filled with requests for information
about the school.
WHID 2007-65: Facebook suing a porn site over automated access
==============================================================
Reported: 19 December 2007, Occurred: 28 June 2007
Classifications:
* Attack Method: Insufficient Anti-automation
* Country: USA
* Country: Canada
* Vertical: Information Services
Use of robots and automated software against a web site, as long as it is
not done in order to break into the site, falls into a grey area. While hard
to classify as an unlawful act, it is usually harmful to the site owner and
possibly to the site users. Apart from using valuable resources, such an
automated access may breach the site's usage license of public information
and might also indicate unlawful activity such as using a botnet. Many times
it is hard to know if such a blast of requests is a denial of service
attack, brute force password cracking or just a search engine crawler.
Going forward we are going to add such incidents to WHID if there is a
reason to believe that they are not friendly, even if the actual goal of the
attack cannot be easily classified. The Facebook case at hand is a perfect
example: while the details are not clear, the fact that Facebook filed a
lawsuit implies that there is fire behind the smoke.
WHID 2007-66: Hacker Conquer French Embassy In Libya Web Site
=============================================================
Reported: 19 December 2007, Occurred: 14 December 2007
Classifications:
* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government
To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
all of them. We currently report such incidents if the hacked site is of
interest or if the attack method is known.
WHID 2007-67: The Day My Web Site Was Hacked
============================================
Reported: 19 December 2007, Occurred: 17 December 2007
Classifications:
* Attack Method: Known Vulnerability
* Country: UK
* Outcome: Link Spam
* Software: WordPress
* Vertical: Information Services
In an incident very similar to the Al Gore Hack, the personal blog of IT
journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the
breach and its origins.
WHID 2007-69: The Orkut XSS Worm
================================
Reported: 19 December 2007, Occurred: 19 December 2007
Classifications:
* Attack Method: Cross Site Scripting (XSS)
* Country: USA
* Outcome: Worm
* Vertical: Information Services
A vulnerability in the social networking site Orkut that allowed users to
inject HTML and JavaScript into their profiles set the stage for a
persistent XSS worm that appears to have affected more than 650,000 Orkut
users.
WHID 2007-61: Another inconvenient truth: Al Gore's Web site hacked
===================================================================
Reported: 19 December 2007, Occurred: 26 November 2007
Classifications:
* Attack Method: Known Vulnerability
* Country: USA
* Outcome: Link Spam
* Software: WordPress
* Vertical: Government
Whether comment spam by itself is an application failure or a necessary evil
for sites allowing rich comments is an open question. However it is reported
that in this case a vulnerability in WordPress allowed the spammers to
actually penetrate the site and modify pages and not just abuse comments.
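Added example, not code from the WHID post, from Light Blue Touchpaper or from
the reply above: it illustrates only the general mechanism behind the "hashed
password lookup" remark in WHID 2007-60. An unsalted hash is a function of
the password alone, so if that hash has ever been published next to its
plaintext anywhere an index can see it, recovering the password is a lookup,
not a cracking job. Per-user salting removes that property. The "published
index" below is a constructed dictionary standing in for a search engine; the
word list and the salted scheme (PBKDF2-SHA256) are assumptions, not details
of the incident.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a search engine's index of hash/plaintext pairs
# that happen to be public (forum posts, pastes, cracked-list dumps).
# Any unsalted hash of one of these words is recoverable by a single lookup.
_PUBLISHED_WORDS = ["password", "letmein", "wordpress", "qwerty123"]
PUBLISHED_INDEX = {hashlib.md5(w.encode()).hexdigest(): w for w in _PUBLISHED_WORDS}


def hash_unsalted(password):
    """Plain MD5 of the password, the scheme many 2007-era PHP apps stored."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(hexdigest):
    """Recover a password by lookup alone; None if it was never published."""
    return PUBLISHED_INDEX.get(hexdigest)


def hash_salted(password, salt=None, iterations=50_000):
    """Salted, iterated hash (assumed scheme): random salt per user,
    stored beside the digest as iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt; constant-time compare of the digests."""
    iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def demo(password="letmein"):
    """Returns (plaintext recovered from the unsalted hash,
                whether the salted digest is findable in the index)."""
    recovered = lookup_unsalted(hash_unsalted(password))
    salted_digest = hash_salted(password).split("$")[2]
    return recovered, lookup_unsalted(salted_digest) is not None


if __name__ == "__main__":
    print(demo())  # unsalted hash is looked up; salted one is not
```

The point of the salted branch is not that PBKDF2 is secret, but that the
random salt means the stored digest has never existed anywhere before, so no
index, search engine or rainbow table can contain it.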
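Added example, not code from the WHID post or from the Passport Canada site:
it shows the class of flaw described in WHID 2007-62, a record lookup keyed
only on an identifier the user supplies in the URI, with no check that the
authenticated user is entitled to that record, next to a hardened handler
that enforces ownership. The URI shape (?id=...), the record store and the
user names are constructed for illustration and are not details of the
incident.

```python
from urllib.parse import parse_qs, urlparse

# Constructed data store: record id -> (owner user id, record contents).
RECORDS = {
    1001: ("alice", {"name": "Alice Example", "passport": "AB123456"}),
    1002: ("bob", {"name": "Bob Example", "passport": "CD789012"}),
}


class Forbidden(Exception):
    """Raised by the hardened handler for any record the caller may not see."""


def _record_id_from_uri(uri):
    """Extract the integer id parameter from the request URI, or None."""
    qs = parse_qs(urlparse(uri).query)
    try:
        return int(qs["id"][0])
    except (KeyError, IndexError, ValueError):
        return None


def view_record_vulnerable(session_user, uri):
    """Vulnerable: trusts the id in the URI and never consults session_user,
    so any logged-in user can read any record by editing the number."""
    rid = _record_id_from_uri(uri)
    if rid not in RECORDS:
        return None
    _owner, data = RECORDS[rid]
    return data


def view_record_hardened(session_user, uri):
    """Hardened: the record must belong to the authenticated user.

    The same error is returned for 'no such record' and 'not your record',
    so sequential ids cannot be used to learn which records exist."""
    rid = _record_id_from_uri(uri)
    if rid is None or rid not in RECORDS:
        raise Forbidden("no such record or not authorised")
    owner, data = RECORDS[rid]
    if owner != session_user:
        raise Forbidden("no such record or not authorised")
    return data


def demo():
    """Bob tampers with the id to read Alice's record.
    Returns (data leaked by the vulnerable handler, blocked by the hardened one)."""
    tampered = "https://example.invalid/record?id=1001"
    leaked = view_record_vulnerable("bob", tampered)
    try:
        view_record_hardened("bob", tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Even with the ownership check in place, sequential ids still tell an attacker
how many records exist; the uniform error message limits what one request
reveals, but an unguessable handle per record removes the enumeration
entirely.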